“Critical infrastructure is the lifeline of any nation. It is highly attractive for malicious actors to cause serious economic and human-life damage that come up with new threat vectors to attack critical infrastructure,” says Krishna Chaitanya Tata, a senior Operational Technology cyber security architect with IBM. In this article, Chaitanya shares his insights and expertise on how vulnerable critical infrastructure industries are to cyberattacks and the best practices to help secure their critical control networks.
Operational Technology (OT) is a term often used to describe the industrial automation hardware and software that detects or causes a change through the direct monitoring and control of physical devices, processes, and events. These systems form the backbone of critical infrastructure industries and consist of devices such as programmable logic controllers (PLCs), remote terminal units (RTUs), distributed control systems (DCS), or supervisory control and data acquisition systems (SCADA).
“In an era of connected devices (internet-of-things) and newer advanced threat vectors emanating from them, newer challenges in OT security are emerging. OT networks which were hitherto air-gapped and isolated, are increasingly getting connected to the outside world,” said Chaitanya.
Some of the common threat vectors that are becoming increasingly prevalent are:
- Malware entering outer network segments due to poor security controls and traversing to other more critical segments using the elevation of privileges and poor firewall rules
- Internet-of-things sensors within control networks communicating outside to aggregators
- Unsegmented or flat control networks being breached by denial-of-service attacks, providing access to the entire network
- Legacy or end-of-life vendor equipment such as PLCs, RTUs, DCS and SCADA systems with unpatched vulnerabilities being exploited by malicious actors
- 5G infrastructure such as towers on facilities providing ingress into connected OT networks
“The threat or attack vectors are numerous, owing to the complexity of the critical infrastructure industries that rely on operational technology. Newer zero-day attacks and advanced persistent threats (APTs) are also becoming increasingly common,” said Chaitanya. He further added that “organizations need to prepare holistically and look at operational technology security as a parallel function to safety and place the same importance on cybersecurity as they place on safety to ensure no injuries or loss of life occurs.”
Comprehensive Security Strategy:
This is generally the hardest part of any organisation’s preparation for protecting their infrastructure. Strategy should start with a comprehensive security reference architecture. It should be a layered onion-peel model of defence-in-depth strategy where a range of security controls is used based on the reference architecture. Modern reference architectures cover all major security domains such as data security, network security, device security, internet-of-things, 5G and cloud services and associated communication protocols.
Optimal security solution stack
Several products have entered the operational technology security marketplace over the past decade. Industrial intrusion detection systems (IIDS) rely on deep packet inspection of industrial and IoT protocols to detect anomalous behaviour and perform deep asset discovery. Secure remote access (SRA) solutions give operators access to OT endpoints through a landing portal that enforces role-based access control (RBAC). Deception technologies simulate real-life attack scenarios used for bolstering controls and training blue teams. OT firewalls come with rulesets specific to industrial control systems and their protocols to help regulate traffic between segments. Other products such as network packet brokers, signature-based detection tools, and identity and access management solutions for OT are also growing in popularity.
Network segmentation and micro-segmentation
Network segmentation and micro-segmentation into smaller manageable ‘zones’ is key for critical infrastructure industries and their networks. Zones are assigned priorities and robust security controls are implemented based on the priority of each zone. For example, mission critical controllers are categorised into a zone that is heavily fortified, while telemetry devices such as SCADA systems could be in a different zone.
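The zone model above can be checked against a firewall ruleset. The following is an added example, not taken from the article: it audits allow rules against approved inter-zone conduits and reports violations ordered by the priority of the destination zone. The zone names, address ranges, rules and the Modbus/TCP conduit on port 502 are all constructed for illustration.

```python
import ipaddress

# Constructed zone model: priority 1 is the most critical zone.
ZONES = {
    "control":   {"priority": 1, "cidr": "10.10.1.0/24"},  # mission-critical controllers
    "telemetry": {"priority": 2, "cidr": "10.10.2.0/24"},  # telemetry / SCADA
    "dmz":       {"priority": 3, "cidr": "10.10.3.0/24"},  # outer network segment
}

# Approved conduits (assumed policy): (source zone, destination zone) -> TCP ports.
CONDUITS = {
    ("telemetry", "control"): {502},   # Modbus/TCP polling
    ("dmz", "telemetry"): {443},
}

# Constructed firewall allow rules; port is an int or "any".
RULES = [
    {"id": 1, "src": "10.10.2.0/24", "dst": "10.10.1.0/24", "port": 502},
    {"id": 2, "src": "10.10.3.0/24", "dst": "10.10.1.0/24", "port": 3389},
    {"id": 3, "src": "10.10.3.0/24", "dst": "10.10.2.0/24", "port": "any"},
    {"id": 4, "src": "10.10.0.0/16", "dst": "10.10.1.0/24", "port": 502},
]

def zones_overlapping(cidr):
    """Return every zone whose address range overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return [name for name, zone in ZONES.items()
            if net.overlaps(ipaddress.ip_network(zone["cidr"]))]

def audit(rules):
    """Flag allow rules that cross zones outside an approved conduit."""
    findings = []
    for rule in rules:
        for src in zones_overlapping(rule["src"]):
            for dst in zones_overlapping(rule["dst"]):
                if src == dst:
                    continue  # intra-zone traffic is out of scope here
                allowed = CONDUITS.get((src, dst), set())
                if rule["port"] == "any" or rule["port"] not in allowed:
                    findings.append((rule["id"], src, dst, rule["port"]))
    # Report violations into the most critical zones first.
    return sorted(findings, key=lambda f: ZONES[f[2]]["priority"])

if __name__ == "__main__":
    for rule_id, src, dst, port in audit(RULES):
        print(f"rule {rule_id}: {src} -> {dst} port {port} has no approved conduit")
```

Rule 4 shows why overly broad source ranges matter: it looks like the approved telemetry poll, but its /16 source also lets the outer segment reach the controllers.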
Threat modelling and attack simulations
Threat modelling and simulations are becoming increasingly important in this industry, given the growing connectivity and ‘smart’ devices. The threat vectors today are likely not the same as the ones from, say, a few years ago. Analysis of these vectors and simulations is critical, along with tabletop exercises and war rooms to simulate threats and their responses by cyber response teams. Aligning to the MITRE ATT&CK framework for threat simulations and modelling is highly recommended.
Upgrading legacy infrastructure
There are generally vast areas of networks within operational technology that are running end-of-life and legacy equipment such as controllers, RTUs and so on. These devices run proprietary firmware that has several inherent security vulnerabilities, sometimes left unpatched for decades, which can be easily exploited. Upgrading legacy infrastructure and hardening it with the latest firmware is highly critical.
Vulnerability remediation
Within operational technology, vulnerabilities are also discovered in devices running the latest firmware and software. OT vulnerability scanning tools can passively scan networks by reading traffic passing through the wire. This also yields very valuable insights into the type of vulnerabilities, their CVSS scores and suggested remediation actions.
‘As the world gets increasingly interconnected with innovations such as smart and connected devices and sensors, 5G and real-time communications, security threats will only continue to rise and grow in critical infrastructure industries. How organisations proactively prepare to make security a top priority will help secure their operations in this highly volatile geopolitical scenario,’ concludes Chaitanya.