For years, critical infrastructure attacks have been a way for state-backed attackers (APTs) to make a statement or to take steps that may affect a country on a grand level. We have recently seen a clash of superpowers, including Russia, China, and the US. The Russia/Ukraine conflict has prompted diplomatic sanctions from the West, rather than military actions from powerful forces such as NATO, the UK, US, and others. Consequently, we have seen an uptick in cyberattacks and ransomware against Western entities – especially in critical infrastructure.
Such state-backed attacks often involve ransomware and other sorts of advanced attacks, which can be devastating. According to our data, more than 85% of ransomware attacks infect backups, thus making it much harder to recover. Twenty-nine percent of organizations who paid ransom still could not recover their data or were compelled to take steps that resulted in significant damage. Let us not forget that paying ransom only encourages attackers to attack again – thus making this sort of venture so lucrative and attractive.
We have also seen examples of crippling cyberattacks against the power grid. In July 2021, Saudi Aramco confirmed that some company files were leaked after hackers reportedly demanded a $50 million ransom from the world’s most-valuable oil producer. That November, a quick response thwarted a ransomware attack on a major Queensland energy company. Moreover, two major European oil refineries, Oiltanking/Mabanaft in Germany and ARA in the Netherlands and Belgium, were victims of ransomware in January and February 2022, disrupting a total of 17 refinery terminals in these nations and preventing oil tankers from being loaded and unloaded. These incidents underscore why it is so crucial to not only be prepared for malicious actors, but also for state-backed attacks that exist as part of the larger geopolitical situation.
They also illustrate the considerable challenges of securing OT systems. The problem began when industries, over the last century, shifted towards computerized management of the different aspects of their production lines and expanded to digital devices connected to these systems (IIOT). Although these systems were designed for reliability and longevity, they also often sacrificed security to support these goals.
According to our experts, here are some of the most dangerous issues your OT environment could face over its lifecycle.
Deprecated components and protocols
Different components that are deployed throughout the network—whether software components like HMIs and Historian servers or hardware components like PLCs and various sensors—are deployed with a specific mindset: to last for as long as possible. This kind of thinking results in OT networks that include components installed decades ago when designing the network, when security was not even considered, let alone emphasized, and still hasn’t been implemented because of the complexity of such moves. In addition, the standard protocols which are still being used today by the majority of industrial systems such as the Modbus protocol lack even the most basic forms of protection, such as encryption or authentication.
Lack of network visibility
An additional point of interest, not unlike the deprecated components which could lead to direct exploitation of the hardware or protocols, is an overall lack of visibility in the OT network. Being able to monitor your OT network in a manner that would allow you to detect, block, and respond to an intrusion in a timely manner would not only allow you to minimize the damage a malicious entity could cause, but to mitigate it entirely.
Lack of separation between IT and OT networks
Today, many industries such as energy and utility companies embrace modernization procedures and processes which rely on remote management, site-to-site connections, and more widespread IoT. Therefore, it is imperative that proper segmentation and segregation between the networks follows suit. Implementing an internal DMZ (demilitarized zone) and proper firewall rules between the different zones would result in a reduced attack surface.
A classic example is in the energy sector, where electrical companies build and maintain substations that include servers and equipment connected to the same network as the primary plant. These stations are, in most cases, unmanned and contain minimal physical protection in the form of CCTV, motion sensors, and standard door locks—all of which could be disabled or bypassed by a sophisticated attacker. When such a facility is accessed without sufficient restrictions on the network or physical facilities, an attacker could use such access as a foothold to access and propagate through the network and potentially compromise critical infrastructure.
Insufficient awareness of existing security risks
One of the major issues in any security-oriented environment is, without a doubt, the human factor. Lack of knowledge and awareness could result in the successful compromise of even the most secure networks. All that it takes is for an employee to be compromised or mistakenly made to click on a suspicious attachment, connect an unknown USB, or even post a photo to social media with various credentials appearing in the background of the control room. All these situations can be avoided with sufficient guidance and awareness training for employees, making sure that they understand the risk and threats cybercriminals are posing and what they can do to minimize such exposure.
While there are many ways to approach the mitigation of these issues, it is important to consider the outdated nature of an OT network. Whereas patch management, security monitoring and other areas can be implemented on an IT network with relative ease, engineers typically do not want to make changes to the OT network because they are concerned about destroying it.
The reality, however, is that the consequences of cyberattacks on OT networks can be severe, including denial of service, release of hazardous materials, and even loss of life. For these reasons, it’s important to have continuous monitoring and security updates, proactive activity for checking network penetration, and management of cyber incidents in the context of OT networks.
Understanding the risks and creating a detailed workplan that includes threat modeling, risk assessments, and remediation plans is crucial for implementing a robust cybersecurity posture improvement strategy. Understanding the physical risk and insider risk are just as important to protect the organization from advanced state-level attacks.
Want to learn more about how to protect your organization with strategic IT and OT security? Watch our webinar.