In today's highly connected industrial world, the intersection of IT (Information Technology) and OT (Operational Technology) is reshaping how businesses operate. However, this convergence also brings significant cybersecurity challenges. The rise in cyberattacks on OT systems, particularly since the onset of the COVID-19 pandemic, underscores the urgency for robust cybersecurity measures. Companies in the manufacturing sector, for example, have been heavily targeted, with about 90% experiencing production or energy supply disruptions due to cyberattacks.
The integration of IT and OT systems, although beneficial for operational efficiency, has exposed OT networks to new and highly dangerous cybersecurity risks. Cyberattackers exploit this convergence to target critical industrial processes, causing disruptions in operations. This threat landscape is intensified by geopolitical tensions and a surge in criminal activities targeting industrial control systems (ICS) and OT systems.
It’s clear that the proliferation of IoT (Internet of Things) and IIoT (Industrial Internet of Things) devices has expanded the current and future attack surface. These devices, often more vulnerable than traditional IT systems, provide easy access points for cybercriminals. The challenge is further compounded by the widespread use of potentially insecure open-source software libraries in these devices.
Ransomware, session hijacking, and advanced persistent threats (APTs) in OT networks
In 2024, the cybersecurity landscape for industrial environments, particularly OT networks, will see significant developments and shifts in threat patterns. Ransomware attacks, session hijacking, and APTs are among the critical concerns.
Ransomware in industrial environments
Ransomware remains a persistent threat to industrial organisations. Despite a slight decrease in incidents compared to previous quarters, the impacts are severe and widespread. For instance, incidents like the Lockbit attack on the Port of Nagoya and attacks on various companies across different sectors demonstrate the crippling effects ransomware can have on industrial operations and supply chains. These attacks exploit zero-day and known unpatched vulnerabilities, with groups like Cl0p and Lockbit 3.0 being particularly active.
Manufacturing is the most impacted industry, accounting for a significant portion of ransomware incidents. This includes various sub-sectors like food and beverage, consumer goods, automotive, and pharmaceuticals. While the number of incidents may have decreased, the overall impact on affected organisations remains high. The future trend indicates that ransomware will continue to target industrial organisations opportunistically, with the impact on OT networks depending on network architecture and segmentation.
Session hijacking in OT networks
Session hijacking is emerging as a significant threat in OT networks. Attackers exploit remote session protocols like RDP, ICA, and SSH to access sensitive data and systems. These attacks can have far-reaching implications, including operational disruptions and safety risks. Session hijacking does not exploit a specific vulnerability but abuses the legitimate functionality of remote session protocols, making it challenging to detect and mitigate. The only effective countermeasure is strong isolation through physical or virtual separation.
Advanced persistent threats (APTs)
APTs present a sophisticated challenge to OT networks. The air gap that once isolated legacy OT systems is almost completely gone, as data needs to be pushed to IT and cloud environments for analysis. This interconnectivity exposes OT networks to new vulnerabilities and attack vectors. The increasing complexity and convergence of IT and OT systems, along with the scarcity of cybersecurity professionals with OT-specific skills, are forcing many organisations to turn to Managed Security Service Providers (MSSPs) for support.
The explosion in the number of vulnerabilities in these systems, many of which are decades old, further exacerbates the risk. Almost 9,000 vulnerabilities were published in Q1 of 2022 alone, which is a 25% increase from the previous year. This trend underlines the need for continuous and comprehensive vulnerability management.
Around the world, governments and private IT security firms alike are now fully committed to reducing these risks. This includes developing countermeasures against APTs, which have been known to develop custom tools to compromise and control ICS/SCADA devices.
The power of staying proactive
The cybersecurity landscape for OT networks in 2024 will demand a multi-faceted and proactive approach. The convergence of IT and OT systems, the rise in sophisticated cyber threats like ransomware, session hijacking, and APTs, and the growing number of vulnerabilities in legacy systems all pose significant challenges. Organisations must adopt comprehensive security measures, including continuous monitoring, strong isolation strategies, and a proactive approach to vulnerability management, to mitigate these risks effectively.
Monitoring in cybersecurity: Understanding active and passive approaches
In the ever-evolving cybersecurity landscape, especially in OT networks, a distinction between active and passive monitoring is crucial. "Passive monitoring" involves external applications performing checks, mainly handling and managing signals or "traps" generated by network devices like routers and switches. This asynchronous form of monitoring relies on the equipment to send messages indicating changes or issues, making it valuable for troubleshooting performance problems after they occur.
Conversely, "active monitoring" uses regularly scheduled checks initiated by the monitoring solution to probe the operational status of network devices and services. This different approach helps in obtaining timely information about the state of these systems, possibly offering early warnings of potential performance degradation.
The emphasis of most current OT monitoring tools
In the context of OT cybersecurity, there is a strong focus on passive monitoring approaches. This approach aligns with the nature of OT environments, where the primary objective is to maintain system integrity and reliability without intrusively probing the network. Passive monitoring in this scenario would typically involve tracking the health and condition of OT components, observing network performance, and ensuring the smooth functioning of control systems like SCADA.
Nevertheless, it's important to recognize that both active and passive monitoring have their places in a comprehensive cybersecurity strategy. Active monitoring provides insights into service level performance and helps in anticipating issues, enhancing operational proactivity. Passive monitoring, meanwhile, is key for after-the-fact analysis and understanding the nuances of any issues that arise.
There’s no one-size-fits-all
For an effective cybersecurity posture in OT networks, a blend of both monitoring types is recommended. This gives a well-rounded approach in which potential issues can be detected in near real time, before they manifest, and root causes can be understood more deeply, facilitating a prompt response. While most monitoring solutions predominantly employ passive monitoring in line with their non-intrusive monitoring philosophy, recognizing the value of both monitoring types is crucial in crafting a resilient and responsive cybersecurity framework for OT networks.
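The two approaches described above, as an added example that is not from the article: a passive handler that only reacts to the traps a device chooses to send, beside an active scheduled probe whose rolling latency average yields a "degraded" early warning before a hard failure. The trap messages, latencies, thresholds and addresses are all constructed.

```python
"""Passive (trap-driven) vs active (scheduled-probe) monitoring, side by side.
Added example, not from the original article; every trap message, latency
and threshold below is constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field

# Passive path: constructed SNMP-style trap messages as a collector would
# receive them; the device decides when (and whether) to report.
TRAPS = [
    {"src": "10.0.5.2", "trap": "linkDown", "ifIndex": 3},
    {"src": "10.0.5.2", "trap": "linkUp", "ifIndex": 3},
    {"src": "10.0.7.9", "trap": "authenticationFailure"},
]

def handle_traps(traps):
    """React only to what devices report: track last link state, raise alerts."""
    state, alerts = {}, []
    for t in traps:
        if t["trap"] in ("linkDown", "linkUp"):
            state[(t["src"], t["ifIndex"])] = t["trap"]  # last known state
        elif t["trap"] == "authenticationFailure":
            alerts.append(f"{t['src']}: device reported an SNMP auth failure")
    return state, alerts

@dataclass
class Probe:
    """Active path: the monitor asks on a schedule and watches the trend."""
    target: str
    baseline_ms: float = 20.0
    latencies_ms: deque = field(default_factory=lambda: deque(maxlen=5))

    def record(self, latency_ms):
        self.latencies_ms.append(latency_ms)  # None means the probe timed out

    def status(self):
        """Early warning: 'degraded' once the rolling average doubles baseline."""
        if not self.latencies_ms:
            return "unknown"
        if None in self.latencies_ms:
            return "down"
        avg = sum(self.latencies_ms) / len(self.latencies_ms)
        return "degraded" if avg > 2 * self.baseline_ms else "ok"

def poll(probe, samples):
    """Feed probe results as a fixed-interval scheduler would; return statuses."""
    statuses = []
    for s in samples:
        probe.record(s)
        statuses.append(probe.status())
    return statuses
```

Note that the passive path never learns about the slow-down at all until the device itself reports a failure, which is exactly the gap the active probe closes.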
A checklist with ideas to consider
When considering implementing an OT monitoring solution in the context of cybersecurity for OT networks, it's essential to evaluate various aspects to ensure that the solution meets your specific needs. Here are five key points to consider:
- Monitoring removable media usage: Removable media, like USB flash drives, are a common risk factor in cyberattacks against industrial control systems. Capable OT cybersecurity concepts should monitor the use of removable media to defend against such threats.
- Monitoring critical files on endpoints: In OT systems, the integrity of file exchanges, especially those involving Distributed Control Systems (DCSs) and Programmable Logic Controllers (PLCs), is crucial. Monitoring these critical files helps in identifying and mitigating various cybersecurity risks.
- Determining OS version and patch status: Outdated or unsupported operating systems (OS) pose significant security risks. Identifying the exact OS version and installed patches is essential for understanding vulnerabilities and planning appropriate mitigations.
- Endpoint monitoring methods: Evaluate if the solution can monitor endpoints using both active and passive methods, considering the trade-offs between them. Active monitoring provides more robust network visibility, while passive monitoring is less likely to interfere with important network functions.
- User authentication detection on endpoints: Proper user authentication, including Multi-factor Authentication (MFA), will always be vital in OT environments. A suitable cybersecurity solution should be capable of detecting authentication mechanisms on endpoints, filling gaps in protocols like Modbus that typically lack device authentication.
These brief points will hopefully guide you in selecting an OT cybersecurity solution that aligns with your organisation's requirements and security posture.
Conclusion
In 2024, the cybersecurity landscape for Operational Technology (OT) networks is more complex and challenging than ever. The convergence of IT and OT systems has brought numerous advantages, but also significant security risks. The current (and future) cybersecurity landscape demands heightened vigilance and a proactive approach. The integration of robust monitoring solutions, along with strategic cybersecurity measures, is essential to protect these critical systems from the evolving threats they face.