Tips for Navigating the OT Threat Landscape
Attacks against operational technology (OT) continue to be prevalent, spurred by the convergence of IT and OT networks and the accessibility of attack kits available on the dark web with the evolution of Cybercrime-as-a-Service. Over the last few years, the range of targets that represent operational technology and critical infrastructure has grown. Some attacks have even been able to target OT systems by gaining access via compromised home networks and devices of remote workers as work from anywhere has continued.
FortiGuard Labs' Derek Manky and Fortinet’s operational technology CISO Willi Nelson, offer their perspectives on current cyber attack trends and how OT organizations can defend against them.
What should we expect to see in the months to come?
Willi: There's a sense of urgency that didn't exist before especially when you consider the electric grid, oil, and gas, water, wastewater, or chemical manufacturing. These are the industries that are timely targets for cyber adversaries right now.
Whether it's organized crime or sponsored nation-states, these bad actors aren't bashful when it comes to targeting OT and causing disruption. And one thing that's common across all the subsectors of operational technology, is the dependence on legacy hardware and software that can be decades old. So, when you're considering the risks associated with these threats, it is important to remember that context.
Derek: If we look at the state of cybersecurity, the attack surface is expanding, and malware is being created to take advantage of these new digital opportunities. We're also seeing a shift to advanced persistent cybercrime because cybercriminals are becoming more skillful and resourceful. This means that the world of Cybercrime-as-a-Service is enabling cybercriminals to leverage more sophisticated APT techniques. And then there's also the connectivity problem.
If we look at the actual malware and platforms, a lot of OT devices are running on Linux or flavors of Linux, on different customized versions or kernels. These platforms provide a lot of attack opportunities, and we're seeing them start to develop a payload. So, we're seeing malware that goes beyond traditional Windows-based botnets.
And it is true that a lot of older platforms and systems are still in place. They are still a concern, which is why we talk about keeping patches for these systems up to date if they are available. But the fact is, sometimes the systems are so old or they're at their end of life and patches simply don't exist.
Platforms like Linux are in the crosshairs, but now we also have modern OT sensors and other technology out there as well. For example, IT systems running on Microsoft Windows and other platforms are now connected to OT, and that poses a big threat. We saw this in the ransomware attacks that happened this year. Attackers weren't targeting OT environments directly, but targeting IT, and therefore leapfrogging or doing lateral movement into OT environments.
Looking ahead, you absolutely have to think about how technology is converging.
What should OT leaders be thinking about as we move forward?
Willi: Cybercrime is definitely a growing industry, and most organizations realize that they're a target and the need for a proportional response. But I think we need to have a way to translate all this work into something that's measurable to convince executive leaders that even if they're not seeing events occurring right now, they are a target and at risk. Arguably it is better if we can be proactive and neutralize attacks instead of continually responding and reacting to events.
Derek: I agree that being proactive is key. Every time we've investigated the costs of security readiness, the upfront cost of investment and security and proactive incident response planning is much less than the damage that occurs. In enterprise environments, the average cost of a data breach is more than $4 million, but in OT, that number can get much higher because we start talking about manufacturing and supply chain concerns.
You need to ask "what if" questions such as, how much is it going to cost if a production line goes down for eight hours versus two days? It puts risks into perspective and makes you realize that investing in security upfront is almost always much, much lower.
What is the value of behavioral analysis as a countermeasure?
Derek: With advanced persistent threats, cybercriminals are focused on trying to evade security, detection, intelligence, and controls using extremely clever malware that includes a lot of heavy obfuscation. These types of sophisticated ransomware and payloads are targeting and affecting OT environments.
The only way that you can possibly start to prevent that proactively is through behavioral-based detection with up-to-date, real-time threat intelligence. Cybercriminals are spending their time on reconnaissance, finding ways to weaponize new technologies and evade controls. So, you need behavioral-based counteraction that includes artificial intelligence and machine learning.
The reality is that criminals have full-blown business models and supply chains of their own. We track what they're doing on the dark web, for example, and we see the alpha or beta versions of new technology they're working on before it's actually released. It's like a game of chess. We need to understand what's in their toolkit and the actions they can take. Then with that information, we can have the relevant technologies and strategy in place before they make their move.
Willi: Advanced cybersecurity strategies and solutions are important but to be fair to many OT organizations, safety, reliability and uptime often are at the top of the pyramid in terms of importance. This does not mean OT is not secure, but it does mean that mitigating cyber risk for OT organizations is more complicated than it may seem. In addition, integrating platforms and devices is not always easy despite the shifts we are seeing via technology convergence.
