Wednesday, 1 November 2017
Boston: CyberX, the industrial cybersecurity company safeguarding ICS infrastructures worldwide, today announced findings from its ‘Global ICS & IIoT Risk Report,’ a comprehensive review of the current state of Operational Technology (OT) security. Operational Technology networks are used with specialised Industrial Control Systems (ICS) to monitor and control physical processes such as assembly lines, mixing tanks, and blast furnaces.
The data clearly shows that OT networks are ripe targets for adversaries, whose motives range from criminal intent to operational disruption and even threats to human and environmental safety. Many are reachable from the public internet, and basic weaknesses such as credentials sent in plain text make them easy to traverse. The absence of even basic protections like anti-virus lets attackers quietly perform reconnaissance before sabotaging physical processes.
As a result, once attackers get into an OT network, either directly from the internet or by using stolen credentials to pivot from corporate IT systems into the OT network, it is relatively easy for them to move around and compromise industrial devices. A new US-CERT advisory, citing analysis by DHS and the FBI, reports that threat actors are currently running APT campaigns that use spear phishing to steal credentials from ICS personnel.
Although industry experts have been warning us for years that our OT networks are vulnerable — missing many of the built-in controls found in IT networks like automated updates and strong authentication — this is the first time we’ve had real-world data to objectively evaluate the risk.
“The risk to OT networks is real — and it’s dangerous and perhaps even negligent for business leaders to ignore it,” said Michael Assante, ICS/SCADA Lead for the SANS Institute. To obtain this data, CyberX analysed production traffic from 375 representative OT networks worldwide across all sectors — including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas — using its proprietary Network Traffic Analysis (NTA) algorithms. Similar to the methodology used for the Verizon Data Breach Investigations Report (DBIR), the analysis was performed on an anonymised and aggregated set of metadata with all identifying information removed. Rigorous attention was paid to preserving the confidentiality of sensitive customer information.
“We don’t want to be cyber Cassandras — and this isn’t about creating FUD — but we think business leaders should have a realistic, data-driven view of the current risk and what can be done about it,” said Omer Schneider, CEO and co-founder of CyberX.
Added Nir Giller, CTO and co-founder of CyberX: “It was important for us to produce reliable, aggregated risk data and we’re hoping these results will serve as a wake-up call to the entire industry. The data is certainly consistent with what we’ve seen anecdotally in OT networks worldwide.”
What can be done? It’s unrealistic to expect asset owners to perform massive upgrades to their OT infrastructures in the short-term, which would cost their industries billions of dollars. Nevertheless, there are a number of practical steps organisations can take today to mitigate OT risk, including:
Providing security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviours like clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
Top-down organisational initiatives to break down barriers between IT and OT teams, such as temporarily assigning IT security personnel to OT organisations and vice-versa to understand the differences between IT and OT.
Using compensating controls and multi-layered defences, such as continuous monitoring with behavioural anomaly detection, to provide early warnings of attackers inside your OT network and to mitigate critical vulnerabilities that might take years to fully remediate.
Proactively addressing the most critical vulnerabilities via automated threat modelling.
SANS refers to this multi-layered approach as “Active Cyber Defence”: using security operations to continuously identify and counter threats. According to SANS, the Active Cyber Defence Cycle consists of four phases that continuously feed each other: asset identification and network security monitoring; incident response; threat and environment manipulation (e.g., addressing vulnerabilities); and threat intelligence consumption.
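To make the “continuous monitoring with behavioural anomaly detection” recommendation concrete, here is an added example (written for this page, not CyberX’s NTA algorithms or any code from the report) of the baseline-and-deviate approach most OT monitoring tools use: learn which hosts talk to which controllers, over which protocol and with which function codes, during a learning window, then alert on traffic that departs from that baseline. The flow records, IP addresses and Modbus function names are constructed sample data chosen to illustrate the three deviations a defender most wants to see: an unknown host appearing, a known host reaching a controller it never spoke to, and a host that only ever read suddenly writing.

```python
"""Baseline-and-deviate anomaly detection over OT flow metadata.

Added example, not CyberX's code. All addresses and flows below are
constructed sample data. Assumes flow metadata (src, dst, protocol,
function) has already been extracted from a network tap or SPAN port.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source host address
    dst: str     # destination, usually a PLC or RTU
    proto: str   # industrial protocol name, e.g. "modbus"
    func: str    # protocol function, e.g. "read_holding_registers"


@dataclass(frozen=True)
class Alert:
    kind: str
    severity: str
    flow: Flow


# Functions that change controller state. A first sighting of one of these
# from a host that has only ever read is the classic precursor to sabotage.
STATE_CHANGING = {
    "write_single_coil", "write_multiple_coils",
    "write_single_register", "write_multiple_registers",
}


class OTBaseline:
    """Whitelist-style baseline learned from observed traffic."""

    def __init__(self):
        self.hosts = set()
        # (src, dst, proto) -> set of function names seen while learning
        self.conversations = defaultdict(set)

    def learn(self, flows):
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.conversations[(f.src, f.dst, f.proto)].add(f.func)

    def check(self, flow):
        """Return an Alert if `flow` deviates from the baseline, else None."""
        key = (flow.src, flow.dst, flow.proto)
        if flow.src not in self.hosts:
            # Never seen in the learning window: rogue laptop, dual-homed
            # machine, or a pivot from the IT side.
            return Alert("NEW_HOST", "high", flow)
        if key not in self.conversations:
            # Known host, but talking to a device it never spoke to before.
            return Alert("NEW_CONVERSATION", "medium", flow)
        if flow.func not in self.conversations[key]:
            sev = "high" if flow.func in STATE_CHANGING else "medium"
            return Alert("NEW_FUNCTION", sev, flow)
        return None


# Constructed learning-window traffic: an HMI (10.1.1.10) that only reads,
# and an engineering workstation (10.1.1.50) that also writes.
LEARNING = [
    Flow("10.1.1.10", "10.1.2.20", "modbus", "read_holding_registers"),
    Flow("10.1.1.10", "10.1.2.21", "modbus", "read_coils"),
    Flow("10.1.1.50", "10.1.2.20", "modbus", "read_holding_registers"),
    Flow("10.1.1.50", "10.1.2.20", "modbus", "write_multiple_registers"),
]

# Constructed monitoring-phase traffic.
MONITORING = [
    Flow("10.1.1.10", "10.1.2.20", "modbus", "read_holding_registers"),  # normal
    Flow("10.1.1.10", "10.1.2.20", "modbus", "write_single_coil"),       # HMI starts writing
    Flow("10.1.1.50", "10.1.2.21", "modbus", "read_coils"),              # EWS reaches a new PLC
    Flow("10.1.3.99", "10.1.2.20", "modbus", "read_holding_registers"),  # unknown host
]


def run_demo(learning=LEARNING, monitoring=MONITORING):
    """Learn from `learning`, then return the alerts raised by `monitoring`."""
    baseline = OTBaseline()
    baseline.learn(learning)
    return [a for a in (baseline.check(f) for f in monitoring) if a]


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.severity:6} {a.kind:16} {a.flow.src} -> {a.flow.dst} "
              f"{a.flow.proto}/{a.flow.func}")
```

Two caveats a practitioner would add. The learning window must be known clean, because anything the attacker does during it becomes “normal”; this is why the report pairs monitoring with asset identification rather than treating either as sufficient alone. And a baseline this strict will alert on legitimate changes such as commissioning a new PLC, so the operational process has to include a way to review and accept new conversations rather than simply silencing the detector.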
The increased visibility, intelligence, and proactive actions defined by this approach enable organisations to significantly reduce risk to their vulnerable OT networks and move beyond the limitations of perimeter security, which is no longer sufficient to protect against new threats such as targeted attacks, sophisticated malware, and insider threats.