Secure OT that cannot be patched

As industrial organizations digitize their environments, this exposes critical operational technology (OT) to security vulnerabilities, while providing new opportunities for cybercriminals.

Since last year, there has been an 88% increase in OT vulnerabilities, which are used to attack critical infrastructure and expose vital systems to potentially devastating flaws.[i] With OT systems supporting energy, water, transportation, environmental control systems and other essential industrial equipment, attacks on these vital assets can inflict severe economic damage and even endanger health and public safety.

Industrial network cybersecurity is a priority in response to the threat, but one of the biggest challenges is that not all OT assets can be easily remediated. Industrial control systems in OT environments often use legacy or outdated equipment and software that no longer receives security updates. Scanning systems can pose risks to operations, and patching requires taking those systems offline for maintenance, which is not only costly, but disrupts critical operations.

So what is the solution? How can industrial organizations secure OT and protect critical systems from security risks, even when patches cannot be easily applied?

Industrial OT challenges

Traditionally, security was not such a critical consideration because an organization’s OT network was designed to be isolated, running lesser-known industry protocols and custom software. These systems had limited exposure, whereas today OT environments have converged and are no longer isolated from IT networks, which means that the lack of security measures poses a critical risk.

Unfortunately, this connectivity has not gone unnoticed by threat actors. Malware specific to ICS and OT systems such as Industroyer, Triton, and Incontroller testify to the increasingly sophisticated capabilities that attackers have begun to deploy to attack ICS and OT installations, leading to numerous serious incidents.

Additionally, recent research uncovered 56 new vulnerabilities in products from 10 operational technology (OT) vendors that demonstrate significant “insecure by design” practices.[ii]

Most OT devices are not secure by design, with vulnerabilities stemming from unauthenticated protocols, insecure firmware updates, and insecure native features. For example, 38% of discovered vulnerabilities allowed credentials to be compromised and 21% gave attackers a way to introduce poisoned firmware into the environment. In addition, 14% of flaws originated from native features, such as logic downloads, firmware updates, and memory read/write operations, which allowed attackers to execute malicious code remotely on systems.

In fact, one of the biggest problems facing OT security is not so much the presence of unintended vulnerabilities, but the continued absence of basic security controls. These devices often lack the critical controls needed to authenticate users and actions, encrypt data, and verify that firmware updates and software are signed and verified. When these mechanisms are present, they are often weak and easily hacked or seriously undermined by other issues, such as the presence of hard-coded, plain-text credentials on the device.

The research also revealed that many devices that are not secure by design have security certifications, which often leads to a false sense of security and can significantly complicate risk management efforts. The testing requirements of these certifications are sometimes limited to functional verification rather than stress testing of defensive capability; thus, as long as the feature is present, it is assumed to be secure.

Another issue is the general lack of Common Vulnerabilities and Exposures (CVE) reporting for industrial control systems. Problems considered to be the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they should be. Vulnerabilities in supply chain components have also not been reported by affected manufacturers.

While in many cases these particular feature abuse issues cannot be remedied, there are practices to address weaknesses such as asset visibility and management, segmentation, and specific network traffic monitoring.

Lay the foundations of security

Asset visibility and management is the foundation of network security. You can’t protect what you can’t see, which is why industrial organizations need to ensure they have visibility into all connected devices on their networks. To improve efficiency, network visibility solutions must be able to span IT, OT and IoT devices, enabling the discovery of vulnerable devices in the network so that appropriate control and mitigation measures can be applied. In addition, this solution must also continuously monitor the network for new devices, automatically detecting new connections, so that there are no visibility gaps that could put the organization at risk.

Vulnerable devices will always exist in OT environments because many of them are too old or too fragile to be patched. When a device falls into this category, the focus should be on granting minimal privileges to the connected device. This means that if an attacker gains access to it, they will have limited ability in what they can do, how they can spread across the network, and what they can access. It is also important to segment it from critical systems as this will prevent lateral movement attacks.

Segmentation is a fundamental control that enforces good network hygiene to mitigate risk from vulnerable devices. Segmentation restricts external communication paths and isolates vulnerable devices to zones as a mitigating control if they cannot be patched or until they can be patched.

While device manufacturers address the fundamental issues with insecure-by-design firmware and protocols, asset owners can monitor the rolling fixes released by affected device vendors and apply them in their own networks. To further mitigate risk, industrial organizations should monitor networks for malicious packets that exploit features that are insecure by design, isolate OT/ICS networks from corporate networks and the Internet, limit network connections, and focus on reducing the consequences where possible.
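The three controls in this section (inventory-based visibility, zone segmentation, and monitoring for traffic that abuses unauthenticated protocol features) can be expressed as a small passive check over connection logs. The following is an added example, not code from the article or from Forescout; the asset inventory, zone policy, IP addresses and flow-log lines are all constructed for illustration, and the only standards-based values are the Modbus/TCP port (502) and its write function codes (5, 6, 15, 16). It flags devices missing from the inventory, flows that cross zones the policy does not allow, and Modbus writes from zones that should only ever read.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory (illustrative IPs and names): ip -> (name, zone)
INVENTORY = {
    "10.1.0.10": ("plc-pump-01", "ot-process"),
    "10.1.0.11": ("hmi-01", "ot-process"),
    "10.2.0.5": ("eng-ws-01", "ot-engineering"),
    "10.9.0.20": ("historian-01", "idmz"),
    "192.168.50.7": ("corp-laptop-07", "corporate"),
}

# Constructed segmentation policy: (source zone, destination zone, destination port)
ALLOWED_PATHS = {
    ("ot-process", "ot-process", 502),      # HMI <-> PLC Modbus/TCP inside the cell
    ("ot-engineering", "ot-process", 502),  # engineering station programs the PLC
    ("idmz", "ot-process", 502),            # historian polls the PLC (reads only)
}

# Modbus/TCP function codes that change device state (single/multiple coil and register writes).
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Zones allowed to issue writes; Modbus itself has no authentication, so the network enforces this.
WRITE_ZONES = {"ot-process", "ot-engineering"}

# Constructed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port> [fc=<modbus fc>]"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)(?: fc=(\d+))?")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    fc: Optional[int] = None  # Modbus function code, if the sensor decoded the payload


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line; return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, fc = m.groups()
    return Flow(src, dst, int(dport), int(fc) if fc is not None else None)


def zone_of(ip: str) -> str:
    """Zone from the inventory; anything not inventoried is treated as 'unknown'."""
    return INVENTORY.get(ip, ("", "unknown"))[1]


def check_flow(flow: Flow) -> List[str]:
    """Apply the visibility, segmentation and write-monitoring checks to one flow."""
    findings = []
    for ip in (flow.src, flow.dst):
        if ip not in INVENTORY:
            findings.append(f"unknown device {ip}: not in asset inventory")
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.dport) not in ALLOWED_PATHS:
        findings.append(f"segmentation violation: {src_zone} -> {dst_zone} tcp/{flow.dport}")
    if flow.dport == 502 and flow.fc in MODBUS_WRITE_FCS and src_zone not in WRITE_ZONES:
        findings.append(f"Modbus write (fc {flow.fc}) from zone {src_zone}: {flow.src} -> {flow.dst}")
    return findings


def analyze(lines):
    """Return (flow, findings) for every parseable line that produced at least one finding."""
    report = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        findings = check_flow(flow)
        if findings:
            report.append((flow, findings))
    return report


# Constructed sample log: three benign flows followed by three that should be flagged.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.1.0.11 dst=10.1.0.10 dport=502 fc=3",     # HMI read
    "2024-05-01T10:00:05Z src=10.2.0.5 dst=10.1.0.10 dport=502 fc=16",     # engineering write
    "2024-05-01T10:00:09Z src=10.9.0.20 dst=10.1.0.10 dport=502 fc=3",     # historian read
    "2024-05-01T10:00:12Z src=10.9.0.20 dst=10.1.0.10 dport=502 fc=6",     # historian write
    "2024-05-01T10:00:15Z src=192.168.50.7 dst=10.1.0.10 dport=502 fc=5",  # corporate -> PLC
    "2024-05-01T10:00:20Z src=10.1.0.99 dst=10.1.0.10 dport=502 fc=3",     # uninventoried host
]

if __name__ == "__main__":
    for flow, findings in analyze(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst} tcp/{flow.dport}")
        for finding in findings:
            print("   ", finding)
```

The historian line shows why the write check is kept separate from the path check: the industrial DMZ is legitimately allowed to reach the PLC on port 502 for polling, so a segmentation rule alone would pass a write from it, while the function-code check catches it. In practice the inventory would be fed by passive discovery rather than a hard-coded dictionary, and the "unknown device" finding is what closes the visibility gap the section describes.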

Preparation and collaboration go hand in hand

The best way to overcome challenges comes down to preparation. Perform site assessments to understand the inventory and type of assets connected to networks, their risks, and required connectivity. In many cases, the number of known Internet-connected devices in an industrial setting is only a fraction of the network reality.

Collaboration between IT, security, and OT site teams is crucial to the continued success of secure industrial operations. Digitization offers the opportunity to standardize security policies and implement automated asset and network monitoring. This in turn allows for a better understanding of these systems so that organizations are constantly aware of their operational and security risks. This then enables the implementation of risk-based segmentation and least-privilege access, so that if a cyber incident occurs, the impact will be minimal.

While OT security is gradually improving, there are still security vulnerabilities in many organizations. The rapid expansion in the number of connected devices exponentially increases the risk exposure of industrial organizations. By connecting OT to IoT and IT devices, vulnerabilities that were once considered insignificant due to their lack of connectivity are now prime targets for malicious actors. As reliance on OT and IoT grows across industries, the need to address cybersecurity risks across every connected device is imperative.

[i] https://venturebeat.com/2022/04/20/report-88-increase-in-ot-vulnerabilities-last-year/

[ii] https://www.forescout.com/blog/ot-icefall-56-vulnerabilities-caused-by-insecure-by-design-practices-in-ot/

By Daniel dos Santos, Head of Security Research, Forescout
