Three OT security lessons learned from 2021’s biggest cyber incidents
What do an oil pipeline, a water treatment plant, and a railway system have in common? They each rely on operational technology (OT) environments, and they were all victims of cyber attacks that generated headlines around the world.
The Colonial Pipeline, Oldsmar water treatment plant, and Iranian Railways incidents are etched into our memories because of their real-world impact, but the headlines only tell part of the story. In each instance, there are key OT security lessons to be learned, so that other organizations can avoid repeating history.
Colonial Pipeline: A lesson in network segmentation
The Colonial Pipeline ransomware attack was one of the most significant attacks in 2021 because it caused a gasoline shortage crisis. When Colonial Pipeline CEO Joseph Blount testified before the US Congress, it was revealed that the attack was completely avoidable; Blount admitted that the hackers, the Darkside ransomware group, gained access through a VPN that did not require multifactor authentication.
Although Darkside took control of Colonial Pipeline’s IT systems, network segmentation limited the impact of the attack on Colonial Pipeline’s operations. Once Colonial Pipeline knew its IT operations were affected, it chose to proactively take its OT systems offline to prevent the attack from spreading.
As IT and OT networks continue to converge, organizations need to understand how these networks are connected and take the appropriate steps to protect high-risk assets. For example, there is no reason why field devices should be able to communicate with IP security cameras. With a better understanding of how IT and OT networks are connected and what they are communicating, security teams can respond to threats more quickly. For example, the traffic of programmable logic controllers (PLCs) can be analyzed at the packet level to detect anomalies or signatures of known attacks. When an incident is detected on the IT network, compromised devices should be quarantined and all communication between IT and OT should be blocked.
This sort of approach requires network monitoring and enforcement tools to identify current network communications, to detect threats and violations and to enforce segmentation rules. Detected threats can be forwarded to SIEM/SOAR systems for investigation or to trigger automated response actions.
The water treatment plant in Oldsmar, Florida: A lesson in visibility
In February, water treatment plant employees noticed on their computer screens that sodium hydroxide levels were rapidly rising. Someone had remotely accessed the system, but employees stopped the hacker before they could move laterally into other IT infrastructure. The attack vector used in this incident was reportedly a remote connectivity tool called TeamViewer.
The use of remote access has increased since the pandemic, so organizations need to ensure that only approved remote access connections are allowed by continuously monitoring communications such as VNC, SSH, RDP, and others.
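The segmentation and remote-access monitoring described above, as an added example that is not part of the original article: a policy check that runs over flow records and flags PLC-to-camera traffic, remote-access sessions (SSH, RDP, VNC, TeamViewer) into OT that do not come from the approved jump host, and, once an IT incident is declared, every IT/OT flow. The zones, addresses, allowed flows and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed zone map and policy for illustration (not taken from any real site).
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "OT": ip_network("10.20.0.0/16"),       # PLCs, HMIs, field devices
    "CAMERAS": ip_network("10.30.0.0/24"),  # IP security cameras
}
# Remote-access protocols the text says must be continuously monitored.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}
# Hypothetical jump host: the only approved source of remote access into OT.
APPROVED_JUMP_HOSTS = {ip_address("10.10.1.5")}
# Cross-zone flows the segmentation policy permits: (src_zone, dst_zone, dst_port).
ALLOWED_CROSS_ZONE = {("IT", "OT", 502), ("OT", "IT", 514)}  # Modbus poll, syslog

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "UNKNOWN")

def check_flow(flow, it_incident=False):
    """Return a violation string, or None if the flow complies with policy."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    # During an IT incident, every IT<->OT flow is blocked, approved or not.
    if it_incident and {s, d} == {"IT", "OT"}:
        return f"IT/OT lockdown: {flow.src}->{flow.dst} port {flow.dport}"
    if d == "OT" and flow.dport in REMOTE_ACCESS_PORTS:
        if ip_address(flow.src) not in APPROVED_JUMP_HOSTS:
            return f"unapproved {REMOTE_ACCESS_PORTS[flow.dport]} into OT from {flow.src}"
        return None
    if s == d or (s, d, flow.dport) in ALLOWED_CROSS_ZONE:
        return None  # intra-zone traffic is out of scope; listed cross-zone flows are fine
    return f"segmentation violation {s}->{d}: {flow.src}->{flow.dst} port {flow.dport}"

def evaluate_flows(flows, it_incident=False):
    return [v for v in (check_flow(f, it_incident) for f in flows) if v]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.3.10", 3389),   # RDP from the jump host: allowed
    Flow("10.10.7.22", "10.20.3.10", 5938),  # TeamViewer from an IT workstation: flagged
    Flow("10.20.3.11", "10.30.0.9", 554),    # PLC talking to a camera: flagged
    Flow("10.10.2.3", "10.20.3.10", 502),    # Modbus poll from an IT historian: allowed
]
```

Each violation string is the kind of event that would be forwarded to a SIEM/SOAR for investigation or to trigger quarantine.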
Fortunately, the Oldsmar water treatment plant was able to prevent more damage from the attack because of their alert employees, but many other OT systems in similar treatment plants may lack the visibility security teams need to identify these attacks.
As OT environments undergo digital transformation, it is imperative to maintain visibility into these networked devices. Visibility solutions can help organizations identify their assets, where they are deployed on the network, whether they are connected to the internet, and how they can be controlled. Visibility solutions can even help identify vulnerabilities and show how a malicious actor could use them to disrupt operations.
Iranian Railways: A lesson in supply chain vulnerability management
In July, Iran Railways had to shut down its train system after a hacking group named Indra infiltrated an IT system and spread malware known as MeteorExpress. Iran has not been forthcoming about the details of this attack, leading security researchers to form their own hypotheses.
Train systems rely on a variety of critical OT systems that integrate with IT systems. This includes everything from signaling solutions to sensors and brake unit devices. All are connected to the network, and many include software that enables those systems and devices to collect data and communicate it back to operations centers. To enable this communication, connected devices rely on a piece of software called a TCP/IP stack.
Forescout research has revealed nearly 100 vulnerabilities across more than a dozen TCP/IP stack implementations. These vulnerabilities, if exploited, would allow hackers to take systems and devices offline, and they include a specific vulnerability in a train monitoring system. This all goes to show that the Iranian Railways incident could just as likely have occurred in the United States or anywhere else in the world.
When it comes to the shared responsibility of securing third-party software, organizations need to be more proactive in their vendor security assessments. Ideally, the industry should be rewarding vendors that have secure software design lifecycles and exploit mitigation, but organizations should never assume this is enough. Zero trust policies that grant devices least-privileged access can reduce the exposure of vulnerable devices, while visibility solutions can help identify these risks.
Get proactive before you are forced to react
Operators of critical infrastructure need to be more proactive when it comes to IT/OT convergence, zero trust security, and vendor security assessments. With the increase in attacks on critical infrastructure, along comes increased government scrutiny and regulation.
Organizations that act now will have less to worry about when new regulations are introduced. And organizations that have learned the lessons of network segmentation, visibility and third-party risk assessment will be better prepared to minimize the impact and likelihood of similar incidents happening to them in the future.