Part one of our look at the SANS “The State of ICS/OT Cybersecurity in 2022 and Beyond” report focused on the top challenges in ICS/OT cybersecurity. Part two drills down into the type of attack vectors that cause those challenges and some recommendations for how to overcome the hurdles of OT cybersecurity. Click here to read the report in its entirety.
It likely comes as little surprise that some sectors are targeted more than others and the priority of security needs vary from company to company. In 2022, the top three most targeted industries that had a direct impact on safe and reliable operations were:
Business services
Healthcare and public health
Commercial facilities
While incident numbers may have been low in most cases, disruptions were impactful.
Over half of respondents to the SANS survey felt that engineering workstation or instrumentation laptops were most at risk. The second most at risk item was deemed to be operator assets, such as the human machine interface (HMI) or operator workstation. However, the full range of ICS components are at risk. The report points out the importance of including programmable logic controllers (PLCs), intelligent electronic devices (IEDs), and other embedded components in all go-forward security strategies.
A significant insight from the report is the recognition that malware is not necessarily needed to cause impactful damage. Instead, cybercriminals use stolen credentials to gain unauthorized access to an HMI before using legitimate HMI commands to modify the process. This scenario enabled the 2021 attack on a water treatment plant in Oldsmar, Florida. In this attack, the perpetrators used remote access to change the levels of sodium hydroxide used during water treatment. Sodium hydroxide is a corrosive substance that, if ingested in large enough quantities, can cause widespread health issues in the populace. This “living off the land” approach, where stolen credentials and unauthorized access are used to modify processes, is nothing new. The report mentions that this scenario goes back to at least 2014.
Being proactive and scanning for threats is vital to preventing a cyberattack. The SANS report finds that 60% of respondents rely on passive monitoring, most using a network sniffer, followed closely by continual active vulnerability scanning. However, the report points out that active vulnerability scanning can be risky. This is especially true for legacy devices that do not have the compute or memory resources to handle this traffic. In some cases, Vulnerability Management (VM) tools can disrupt operations, so many ICS environments do not allow them. For this reason, vendors are increasingly using active querying using native ICS protocols to obtain asset and vulnerability data.
Patching carries risks, such as production impacts, in OT environments. The report recommends managing patches during the factory acceptance testing (FAT) and site acceptance testing (SAT) phases before production. Pre-testing and having pre-defined schedules for patches is another essential way to manage the impact potential of patching. Previous breaches, including the Oldsmar attack, can offer essential lessons in vulnerability management.
The prioritization order of device patching is:
Devices directly connected to the internet first, then (in no order):
Edge network firewall and switches
Remote access solutions
Data historians
ICS internal core network infrastructure
Critical engineering assets such as the HMIs
Engineering workstations
The report focuses on the importance of understanding the environment for best-fit measures and highlights the need for combining asset inventory with ICS threat intelligence to understand the ICS risk surface. A recommendation is to use the Critical Infrastructure Vulnerability Assessments offered by CISA.
“You cannot protect what you don’t know you have” is a crucial phrase in managing risk. While most respondents have inventories, the report recommends expanding existing inventories or building new ones, where required. This is an area where accuracy is key.
Cybersecurity solution providers remain an essential resource when there is a suspected incident. Building a more collaborative relationship between internal resources and external incident response teams can be the key to a fast and effective response. The use of IT consultants has, however, seen a dramatic drop in usage from 40% in 2021 to 13% in 2022. Notably, the report emphasizes the need to check out the ICS skillset and prior incident response experience when choosing an external partner.
Compromise of IT is increasingly filtering into ICS/OT systems and is currently seen as the top threat vector. This area of compromise was noted by 40.8% of respondents, in contrast to only 4% of respondents who cited wireless as a compromise vector.
Removable media was the second most concerning compromise vector, even though most respondents admitted having formal policies to control the use of removable media.
The report suggests referring to the following:
ICS410 SCADA Reference Model17 on network architecture and ICS asset placement. This framework offers guidance on fortifying network architectures against external networks, such as IT networks and the internet.
MITRE ATT&CK ICS framework for guidance on securing removable media.
Financially motivated attacks like ransomware are a top threat concern. Even if ransomware more commonly infects the business IT environment, it can also affect ICS operations – as seen in the Colonial Pipeline attack. However, ransomware detection and removal in an ICS environment is complicated. The report recommends using ICS-specific endpoint detection and response (EDR) technologies on traditional operating systems in Purdue Level 3 and the ICS DMZ. Robust backup and recovery strategies are also a must.
Threat intelligence is getting smart as respondents turn to vendor-provided ICS-specific threat intelligence. Over half of respondents are using this type of specialist threat intelligence. This maturity is reflected in the use of the MITRE ATT&CK framework for ICS by 78% of respondents.
An area highlighted for improvement is the control of initial access. Better-controlled access points would prevent adversaries from gaining a foothold in the network. Currently, 20% of organizations have less than three-quarters of their network covered. Even more worryingly, only 4% have full coverage.
The report offers extensive insights into the unique cybersecurity challenges of ICS/OT. Some good news is that respondents are putting their money where their mouth is and spending budget in these top five areas:
Ensure improved visibility of assets and their configurations
Implement network-based anomaly and intrusion detection tools
Implement intrusion prevention tools on control system networks
Increased consulting services to secure control systems and control system networks
Invest in cybersecurity education and training for IT, OT, and hybrid IT/OT personnel
In response, the report stresses the importance of ensuring ICS network visibility and “living off the land” defense tactics to prevent unauthorized access and hijacking of ICS.
The report from SANS into the OT cybersecurity landscape highlights key areas that must be addressed to maintain high levels of security across critical infrastructures. While OT environments face distinct challenges, these can be surmounted by applying best fit measures and solutions. This condenses down to the following:
Recognize the difference: IT and OT are not the same, and many of the measures used in traditional IT could cause harm if applied to OT.
Know your assets: Visibility provides the foundation for developing appropriate, risk-relevant measures.
Use your intelligence: Use guidance from ICS specialists and frameworks.
Zero in on trust: Apply zero-trust principles to prevent intrusion and harden access points.
Educate and train: Develop a security-first mindset across the organization to bring IT and OT together.
Cyolo supports the security needs of ICS/OT environments by applying modern connectivity and security for legacy systems. Abiding by the zero-trust model, Cyolo will
Validate every user, every time
Limit their connection to only allowed resources
Monitor and record all activity
To learn more about how Cyolo can support your ICS/OT security initiatives, read this at a glance overview or sign up for a 1:1 demo with a Cyolo OT expert.
Author
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security, and regulatory compliance of multiple OpCo’s, and Principal Security and Regulatory Lead for interactions with the NY and NE ISO’s, NERC, ISAC’s as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.