Last updated August 19, 2022
- Operations Technology (OT) is increasingly being targeted by cyber attacks.
- In recent years, high-profile cyber incidents such as Stuxnet and the Norsk Hydro ransomware attack caused tens of millions of dollars in damages and destroyed critical equipment.
- The Industrial Internet of Things (IIoT) has removed the “air-gap” that once existed between OT assets and broader IT networks—making OT more vulnerable to cyber threats.
- Cybersecurity threats faced by OT include direct internet connections, insecure passwords, misconfigured access points, outdated operating systems, and poor employee training.
- OT-heavy organizations should carefully audit third parties who want access to their systems and take steps to combat cyber espionage (especially in the mining and energy sectors). Be wary of phishing attacks as well.
- Managed cybersecurity services can provide vital protection for an organization’s OT, especially when combined with best practices like network mapping, a zero-trust framework, and controls for identity and access management.
While once rare, cybersecurity incidents targeting Operations Technology (OT) assets have become increasingly common in the past few years. This unfortunate trend prompted Verizon (in their 2020 Data Breach Investigations Report) to examine, for the first time in its then 12-year publication history, the involvement of OT assets vs. IT assets in security incidents. This report also included a section specifically aimed at organizations in the Mining, Quarrying, and Oil & Gas Extraction business.
Norsk Hydro & Stuxnet: The Canaries in the Coal Mine
Verizon’s 2020 report was released in the wake of the devastating 2019 ransomware attack on Norsk Hydro, which forced the organization to resort to manual operations at 170 sites in 40 different countries and cost the company tens of millions of dollars in damages. While OT networks and assets weren’t the primary target in this attack, the spill-over from the IT-focused attack disrupted OT networks substantially and shone a light on how unprotected many OT systems and assets really are.
However, the Norsk Hydro attack was not the first widespread, OT-disrupting attack. In 2010, Stuxnet, a highly sophisticated computer worm that targeted computers involved in uranium enrichment, disrupted OT systems across Iran, India, and Indonesia. The program began by checking whether an infected computer was connected to specific programmable logic controller (PLC) models manufactured by Siemens (PLCs are devices that computers use to interact with and control complex industrial machines like uranium centrifuges).
Computers that weren’t connected were ignored (and typically left unharmed). However, computers connected to the PLCs then had their programming altered, causing the centrifuges to spin too quickly and for too long, extensively damaging and even destroying delicate and expensive equipment. While this was happening, Stuxnet directed the PLCs to report that all equipment was working normally, which, in the world of remote monitoring, made it incredibly difficult to detect and diagnose the problem before extensive damage had already been done.
OT assets bring with them unique security implications, and as an organization’s footprint expands, its security risk scales as well. This reality, combined with broader market changes, is significantly influencing OT security environments. Businesses with significant OT assets therefore need to take steps to secure their OT devices and improve their overall cybersecurity posture.
IT Security vs OT Security: A Brief Overview
While many organizations used to manage their IT and OT networks separately, IT and OT systems have a lot in common and rely on very similar tools. However, these tools are used in different ways: while IT tools are designed to interact with humans so they can complete their work tasks, OT tools are designed to interact with machines and ensure that the industrial control systems within your organization are operating correctly and available for the tasks your organization depends on them for.
One of the reasons OT and IT were kept apart for so long is that traditionally OT environments were “air-gapped”: kept isolated from the broader IT network and run in separate, siloed environments without internet access. However, the rise of IIoT (the industrial internet of things), which allows OT assets to be controlled and monitored remotely, has broken this isolation. While remote capabilities allow organizations to enjoy decreased costs and increased efficiency, the trade-off is that OT systems are no longer automatically protected from internet-based threats, such as cybersecurity attacks.
The Security Risks Associated with Operational Technology
IT security has been a priority for most organizations for decades, but unfortunately, OT security has not received the same amount of attention. According to the 2020 Global IoT/ICS Risk Report:
- 71% of IoT and Industrial Control Systems (ICS) networks are running on outdated operating systems that are no longer receiving security updates,
- 66% have not been updated with the latest antivirus software, and
- 64% of these networks rely on insecure passwords.
These findings are alarming and highlight several pervasive problems.
Direct Internet Connections
Many OT reliant organizations depend on direct connections to the public internet; this is a serious problem, as even a single internet-connected device can provide a gateway for cyberattackers to introduce malware onto a network or infiltrate the network and gain access to sensitive or proprietary information.
Insecure Passwords
While easy-to-remember passwords are great for providing convenient entry for authorized workers, they also make it easy for attackers to brute-force their way onto your network. To improve password security, you should consider following the NIST password guidelines in SP 800-63B (please see the section on Memorized Secret Authenticators) or investing in a secure password manager.
Misconfigured APs Are a Security Risk
A single misconfigured wireless access point (AP) can compromise the security of your entire network. To help prevent unauthorized network access, you should audit all APs regularly and ensure any new APs added to the network are correctly configured.
Outdated Operating Systems
While transitioning to a new operating system may pose a bit of a headache, outdated operating systems that no longer receive security updates are a prime target for security attacks. To help improve your security posture, you should inventory all machines and access points on your network to ensure they are able to take advantage of their manufacturers’ latest security patches and updates.
Operating systems that are no longer supported should be phased out as quickly as possible and replaced with more secure options. During the transition, your security team should monitor your currently outdated systems more closely than usual since they present a particularly tempting entry point to attackers.
Inadequate OT Employee Training
Without proper employee cybersecurity training, even the best policies, most secure systems, and the latest and greatest security products will fall short. All employees should undergo regular cybersecurity training, and you should include security training during your onboarding process.
Well-trained employees are an incredibly valuable security asset, giving you eyes and ears across your network. You should ensure employees can identify potentially suspicious activities (such as phishing scams) and know who to report potentially suspicious activities to.
You should also consider running tabletop cybersecurity exercises. Tabletop exercises are similar to fire drills, allowing your employees to put their cybersecurity skills and knowledge to the test in a no-stakes environment. Employees are presented with a hypothetical cybersecurity incident which they have to respond to. This not only allows employees to get comfortable using their cybersecurity knowledge and helps them familiarize themselves with your incident response plan, but is also a great way to identify gaps in your security posture and response procedures so that they can be addressed before those deficiencies can be used against you.
As Your OT Footprint Expands, Industry Operators Need to Consider These Cyber Risks As Well
As your OT footprint expands, so do your cyber risks. However, by adopting a security-focused and proactive mindset, you can help ensure your cybersecurity posture remains robust.
Keep Third-Party Risk Management Top-of-Mind
Many OT-heavy organizations rely heavily on third parties. Oil and gas businesses looking to transition to renewable energy sources are partnering with third parties to ease this transition, and many mining companies rely on third parties to provide support services such as equipment assembly and maintenance. However, without proper planning and integration, partnering with a third party can increase risk and create security gaps in both parties’ systems.
To help ensure your OT ecosystem remains secure, you should ensure that your new partners are able to smoothly integrate with your OT and IT networks. Linking two systems introduces risk to both, so it is important to ensure that this partnership won’t inadvertently introduce security gaps that could leave either party or both parties vulnerable. You should also carefully vet all partners to ensure they meet your rigorous cybersecurity standards and limit third-party access to only the systems they require to do their work. Should a third party require access to a critical or sensitive system, this access should be carefully monitored for suspicious activity in case your third-party partner’s network or organization becomes compromised.
Beware of Cyber Espionage
Cyber espionage, particularly in the mining industry, remains a serious threat. Common cyber espionage attackers include competitors looking for an economic advantage and state-sponsored attackers looking to disrupt or cripple a rival country’s economy (such as the suspected attacks by Russian hackers on power companies, government agencies, and banks in Ukraine starting in 2015).
Both state-sponsored attackers and corporate interest groups view mining companies as treasure troves of valuable data and may seek to use cyber espionage tactics to gain unauthorized access to geological exploration research (including details on the location and value of natural deposits), corporate strategy documents (containing pricing information), and sensitive information on proprietary extraction and processing technologies.
At the same time, insights into business strategies and mine values could be leveraged during merger and acquisition negotiations in an effort to outbid a competitor or lower the price of an acquisition target. Stolen trade secrets and IP can also be used to reduce R&D costs for the attacker, providing a long-term competitive advantage. A good example of cyber espionage in action within the mining industry came in 2011 when global mining company BHP Billiton was targeted by both state-sponsored attackers and competitors in an attack that sought to gain access to market pricing information for key commodities.
Energy Providers, Including Oil & Gas
Oil and gas companies, as well as other energy providers, are also vulnerable to cyber espionage attacks. In 2021, many large international oil and gas companies were targeted in an attack that leveraged malware called Agent Tesla and other RATs (remote access trojans) to steal sensitive data, banking information, and browser information by logging keystrokes. While the Agent Tesla cyber espionage campaign mainly targeted energy companies, the attackers also targeted a small number of organizations in the IT, manufacturing, and media industries.
By fortifying your current cybersecurity posture, keeping security top of mind, and investing in robust and comprehensive employee cybersecurity training, you can help ensure your OT assets and other critical systems are better able to fend off potential cyber attacks.
Phishing Attacks Target OT Assets As Well
Phishing attacks have begun to target OT assets and networks as well as IT networks. As such, all OT personnel should undergo cybersecurity training that includes how to identify potential phishing scams, what to do if they suspect they have been targeted by a phishing scam, and whom to report the potential scam to for further investigation.
Securing Your OT Devices: Steps for All Organizations
Take a Proactive Approach
As the old saying goes: the best offense is a good defense. A proactive approach to cybersecurity includes:
- Developing (and periodically reviewing) your organization’s incident response plan
- Investing in robust and comprehensive cybersecurity training for all employees
- Keeping an eye out for trouble with ongoing vulnerability scanning
- Leveraging managed cybersecurity tools effectively, including:
- Knowing when to ask for help from your trusted security partner
Learn What to Look For
When it comes to cybersecurity and suspicious activities, it’s critical that your entire team knows what sort of red flags to look for. While false alarms can temporarily divert personnel away from other critical tasks, underreporting can allow threats to sneak through, so it is always best to err on the side of caution.
To help identify and investigate suspicious activities, many organizations turn to managed SIEM solutions. SIEM experts have extensive experience with cybersecurity and stay up to date on the continually evolving threat landscape, which allows them to quickly assess potentially suspicious activities and attacks that could impact your OT ecosystem.
You should also seriously consider investing in a managed firewall solution. Unlike passive firewall programs, managed firewall solutions include access to a team of security experts, who will monitor and fine-tune your firewall as well as ensure all necessary security patches are downloaded and implemented as soon as they become available.
Invest in Network Mapping & Connectivity Analysis
It’s really easy to get lost without a map. Network mapping allows you to understand the physical and digital locations of all devices on your network, pinpoint issues, and isolate potentially compromised equipment quickly and effectively. This way, should an incident such as a malware or ransomware attack occur, your security team can quickly isolate infected machinery from the rest of the network, limiting or even preventing damage and disruption.
Implement a Zero-Trust Framework
Zero-trust frameworks are built on the security philosophy of “never trust, always verify”. Zero-trust systems treat every person, device, application, and network as a potential threat until it has been properly vetted and verified. As such, each entity must prove its legitimacy (essentially show its digital ID badge) before it is allowed to connect to the OT network.
Many zero-trust systems rely on two-factor or multi-factor authentication (MFA) tools, which require users to provide more than one form of identification. Typically, this may require a user to provide a username and password, as well as an additional piece of identification, such as a short-lived code sent to their mobile device, a fingerprint scan, or the correct answer to a security question. By adding an extra layer of verification, organizations can make it more difficult for an attacker to gain access to their OT systems.
Control Identity & Access Management
Not every worker needs to be able to access every part of your network, and overly-permissive access can pose a serious security risk. Controlling who is able to access what parts of your system is a critical piece of your overall cybersecurity posture, especially since every set of access credentials issued presents another potential entry vector for attackers.
If an employee falls for a phishing scam or leaves their credentials unsecured or exposed, it could allow attackers to access critical systems or gain access to sensitive information. As such, all organizations should:
- Educate employees about the importance of safeguarding their access credentials
- Teach employees about the dangers of credential sharing
- Adopt a least-privilege policy, and ensure it is maintained across your organization. This will limit access rights to those users who absolutely need them.
- Revoke access privileges of former employees as soon as possible. Attackers will often look to leverage dormant accounts, and since the person the account is intended for is no longer using it, the use of these credentials is often not discovered right away.
- Revoke temporarily-granted access for visitors, guests, and other third parties as soon as it is no longer required.
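The access review described in the list above, as an added example that is not part of the original post: a small Python check over a constructed account inventory that flags former employees, expired temporary grants, dormant accounts, and privileges beyond a role's least-privilege baseline. The roles, privilege names, accounts and 90-day dormancy threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical least-privilege baseline: the privileges each role may hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "operator": {"hmi_view", "hmi_control"},
    "engineer": {"hmi_view", "hmi_control", "plc_program"},
    "contractor": {"hmi_view"},
}


@dataclass
class Account:
    user: str
    role: str
    privileges: Set[str]
    employed: bool                   # False once the person has left
    last_login: Optional[date]       # None if the account was never used
    expires: Optional[date] = None   # set only for temporary/third-party grants


def review_accounts(accounts: List[Account], today: date,
                    dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every account that needs action."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues: List[str] = []
        if not a.employed:
            issues.append("revoke: former employee")
        if a.expires is not None and a.expires < today:
            issues.append("revoke: temporary access expired")
        # Never-used accounts count as dormant: nobody would notice their misuse.
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            issues.append("review: dormant account")
        excess = a.privileges - ROLE_BASELINE.get(a.role, set())
        if excess:
            issues.append("reduce: beyond role baseline: " + ", ".join(sorted(excess)))
        if issues:
            findings[a.user] = issues
    return findings


# Constructed sample inventory (hypothetical users and dates).
SAMPLE_ACCOUNTS = [
    Account("alice", "operator", {"hmi_view", "hmi_control"}, True, date(2022, 8, 18)),
    Account("bob", "engineer", {"hmi_view", "hmi_control", "plc_program"}, False, date(2022, 3, 1)),
    Account("vendor-svc", "contractor", {"hmi_view", "plc_program"}, True,
            date(2022, 8, 10), expires=date(2022, 7, 31)),
    Account("carol", "operator", {"hmi_view"}, True, None),
]


def run_sample_review() -> Dict[str, List[str]]:
    """Run the review against the constructed inventory as of 2022-08-19."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2022, 8, 19))


if __name__ == "__main__":
    for user, issues in run_sample_review().items():
        print(user, "->", "; ".join(issues))
```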
Create an OT Systems Management Program
An OT systems management program is a great way to ensure you are covering all of your security bases. Most programs typically include:
- Asset inventory management
- Lifecycle management, including:
  - Defining system requirements to ensure desired physical system outcomes
  - Establishing specifications to ensure security and reliability
  - Control and supply chain management over these systems
  - A schedule for replacing outdated components
- Configuration management
- Patch and vulnerability management
- Network and system design
- User and account management
- Log and performance monitoring (critical for both reliability and security)
- Incident and trouble response
- Backup and restore functionality
A good OT systems management program offers a wide range of benefits, including:
- Providing valuable insights into all hardware and software on your OT network, allowing your security team to identify vulnerabilities swiftly
- Properly updating and configuring systems, which reduces attack surface areas
- Providing a way for your team to update automation systems for key operational tasks in an operationally efficient manner
- Providing a mechanism that handles reporting and monitoring across your OT and IT systems in a consistent manner, thereby simplifying the reporting process
- More advanced and effective security controls by offering both proper visibility and access to underlying endpoints and other network infrastructure
Segment Your Network
Network segmentation is a great way to safeguard your most valuable OT assets and systems. Segmenting your network is a physical security measure that sections off vulnerable or sensitive systems and networks from the wider network. In IT, this may take the form of segmenting the accounting department’s network (which contains both private financial information and sensitive employee information) from less-critical or sensitive areas of the network, such as the guest wifi.
Network segmentation is becoming increasingly common in organizations that deal with critical infrastructure, including oil and gas companies, power companies, utility companies, and manufacturing companies, and is a great way to improve your security posture by better isolating and safeguarding critical and sensitive systems and assets.
Consider Partnering with a Trusted MSSP
Securing your OT assets and networks against cyber attackers can be a daunting prospect, particularly for organizations without their own in-house cybersecurity teams. Fortunately, experts like VirtualArmour are here to help. Our team has extensive experience working with companies in a variety of OT-heavy industries, including the energy sector, mining, and manufacturing.
We offer a variety of security services, including:
- Managed SIEM
- Managed endpoint detection and response
- Managed infrastructure and firewall services
We also offer tailored services à la carte, allowing you to select the services your organization requires so you can create a personalized premium or essential services package designed to meet your organization’s unique needs. We are also pleased to offer personalized, one-time expert consults.
With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and assistance, as well as industry-leading response times. Whether you are looking to assess your current OT cybersecurity posture, update or create your incident response plan, or coordinate employee training via our VirtualArmour Academy, the experts at VirtualArmour are here to help. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.