Closing the gap in OT security
No organisation is immune to cyberattacks, and attacks have spread from popular targets such as financial institutions to other sectors such as government, healthcare, energy, manufacturing, and transportation, says John Lee, the Managing Director of GRF Asia Pacific and OT-ISAC.
There are many cybersecurity incidents out there, according to Lee, and “a lot more” go unreported. Crucially, many of these attacks could be traced to OT systems deployed within IT networks.
OT is the new paradigm
Around the world, OT systems are increasingly networked for ease of maintenance, collaboration, or to support advanced capabilities such as predictive analytics. In hospitals, for instance, X-ray and MRI machines are typically hooked up to IT networks.
“Various Internet of Medical Things (IoMT) devices and medical systems such as medical imaging machines are now connected to the network. When networks are breached, the entire operation stops. There are a lot of risks out there in organisations that use unsecured OT systems because of the greater interconnection today,” said Lee.
It doesn’t help that the concept of OT security is relatively new and not understood: “Equipment makers or the system integrator that installs these systems for asset owners and operators often don't have the concept of OT security as it was not needed in the past.”
Specifically, OT systems makers may lack the technical know-how to adequately secure them from cyberattacks. Part of the challenge could be attributed to the widespread use of commercial-off-the-shelf (COTS) components, says Lee.
“They are using Windows to control OT systems and are connected via Ethernet for data exchange. With this introduction of COTS software by the equipment manufacturer, there is an increased risk from the connectivity.”
According to him, there are two distinct groups of attackers: Nation-state hackers and cyber-criminals. The former does it for espionage or sabotage, while the latter does it for profit: “From ransomware gangs to black hats providing hacking-as-service, cybercrime has become very lucrative.”
Indeed, the payback amounts to trillions of dollars globally and is forecast to exceed 20 trillion dollars in 2027, according to Statista. This is comparable to the GDP of the top two countries, measured in trillions of dollars. The motivation for cybercrime is hence extremely high.
Protecting OT systems
The view that hackers will only target IT systems for better financial payback is outdated, cautioned Lee. Though the number of critical infrastructures such as hospitals impacted by hacking is low compared to other sectors, the percentage of the former paying up is much higher.
Confronted with a data recovery process which may take days or weeks during which patients might not get the medication or attention they need, many hospitals succumb and pay the ransom.
“In 2021, about 61% of hospitals pay the ransomware demands according to the Sophos State of Ransomware in 2022 report. A possible reason may be that the hospitals are privately funded and must keep operations running. They pay the money to restore the encrypted data and avoid lengthy data recovery from backups,” says Lee.
Elsewhere, Lee pointed to air gapping as a strategy that doesn’t necessarily work in practice. “A research institution I spoke to relied on USB flash drives to transfer information between departments as an air gap. But users were taking the flash drive home, where it got contaminated with malware that infected the work network.”
Apart from direct attacks on OT systems, hackers are also known to target safety systems within industrial control systems. These are engineering controls designed to serve as advanced circuit breakers to keep machinery or equipment from exceeding safety limits. They operate independently to either sound the alarm to a human operator or to automatically cut off power when safety thresholds are exceeded.
Lee outlined a sophisticated attack on a petrochemical plant in the Middle East where hackers modified the executable files of a safety system. The malicious binary essentially disabled key components of the system, setting the stage for a potentially deadly accident. Fortunately, the weaponised behaviour was detected and flagged by alert employees.
Closing the gap
How can we improve the security of OT systems? There is a lot of work to be done, says Lee. For a start, organisations must identify the assets in their infrastructure and how they are interconnected. Threat modelling should then be performed.
“You need to identify all the assets and then you do a threat modelling to uncover threats and potential issues that can impact the OT networks. Then you go one level down to check if there are controls in place and if it is effective,” said Lee.
“A secure resilient infrastructure design is important, such as the design of your systems, such as how the assets are used or deployed. You also look at remediation or treatment that needs to be performed to implement security across a set of systems to improve the security posture.”
A robust incident response plan is not optional either. “You need to build a robust incident response plan based on the infrastructure, prioritising the assets or systems with the highest impact on the organization if breached.”
Humans are typically the weakest link, noted Lee. Automation can help but should be backed by regular checks to ensure it is running as expected. Finally, pointing to the surreptitious swap of legitimate software on a safety system, he called for controls such as a software bill of materials (SBOM) to ensure that executables are not replaced or corrupted.
As an industry, OT security needs to catch up. For now, Lee recommends that cybersecurity stakeholders seek buy-in to implement proper OT security within their organisations. This is the only way to ensure the necessary time, effort, and resources are allocated to improve cybersecurity, Lee says.
“I've seen a lot of organisations where various OT security practices are not implemented. Not because they were not aware of it, but due to a lack of support,” he concluded.