The OT vulnerabilities you must watch out for this festive season | Beyond Security Blog
Beyond Security - December 25, 2019

The OT vulnerabilities you must watch out for this festive season

It’s the season – a time to take a step back, reflect on the year past and enjoy a relaxing time with friends and family. However, as much as you look forward to your annual leave over the festive season, you might want to consider that cyber criminals are looking forward to your absence too.

While most companies go to great lengths to protect against cybercrime all year round, staff absences and the festive mood can leave gaps in protection. Of course, there’s also the fact that threats are growing in size and prevalence.

In particular, operational technology (OT), such as industrial control systems (e.g. SCADA), is newly at risk. In this article we discuss why OT is so vulnerable, which vulnerabilities you should watch out for and what your company can do to protect against OT threats this festive season.

Why operational technology puts your enterprise at risk

Operational technology has typically been siloed systems – hardcoded tools that were never exposed to other networks, never mind the internet. As a result, many long-standing cyber risks that affect information technology (IT) systems never posed much of a threat to OT.

Unfortunately, the OT security landscape is changing rapidly.

A broad and deep increase in enterprise system interconnectivity (effectively a convergence of IT and OT) alongside a profusion of connected devices deployed across OT now means that highly critical, core industrial operations are increasingly exposed to the outside world.

This has led to a range of prominent exploits in which hackers were able to manipulate OT for malicious purposes. Examples include:

  • In December 2015, hackers attacked Ukraine’s power grid leaving 225,000 customers without an electricity supply. A post-mortem found a deeply co-ordinated attack that built up over six months – all starting with a malicious e-mail attachment.
  • August 2017 saw powerful malware called TRITON in action, this time at a petrochemical facility in Saudi Arabia where hackers were able to compromise critical safety devices in the plant. Thankfully, a flaw in TRITON code triggered an alarm before damage could be done.
  • Perhaps the most famous attack, in 2012 the Iranian nuclear program was compromised using Stuxnet, which wormed its way past Windows systems after a staff member inserted a USB drive. It allowed the attackers to modify systems so that a large number of expensive enrichment centrifuges became inoperable.

This is clear evidence that OT is now at risk, yet according to a 2019 Fortinet survey, only 9% of chief information security officers in large organisations actively oversee OT security. The same survey found that, for all intents and purposes, all ICS/SCADA vendors are affected.

Top OT vulnerabilities to watch

With the natural air gap around OT systems now gone, companies must take the same security approach to OT as they take to IT: identify vulnerabilities and shore up protection to ensure that those vulnerabilities cannot be exploited.

In the case of operational technology, we think that the following six vulnerabilities must be understood and guarded against:

  • Lack of visibility. Many OT technologies have been in place for decades. Without a concerted effort your company may not know which devices and software it depends on. Furthermore, the profusion of IoT-like devices across industrial applications can be very difficult to track. Establishing something akin to a catalogue is key.
  • Network complexity. Even with good visibility companies can still struggle to assess the entire OT threat landscape because OT networks have become incredibly complex, with hundreds or even thousands of devices communicating across multiple networks – both wired and wireless. It’s worth taking a birds-eye view of network risk.
  • Legacy systems. Your company’s OT can depend on legacy systems – think embedded Windows XP, or a vulnerable programmable logic controller (PLC). These systems may no longer be updated, enjoying no protection against new cyber threats. Action may be required to replace or at least ringfence such systems.
  • IT/OT convergence. Companies may have an invalid assessment of the OT threat landscape: the manner in which IT and OT have converged implies substantial changes in the cyber threats that industrial systems are exposed to. Organisations must adapt their OT security practices to keep up with the pace of change.
  • Human-machine interfaces (HMIs). HMIs are often the most vulnerable parts, arguably because the software that allows humans to control SCADA environments is code-heavy, providing myriad opportunities for malicious actors to inject code. As such, HMIs should be afforded particularly close scrutiny.
  • Physical security. The threat landscape has expanded, but companies cannot ignore classic threats. In terms of OT, this has always meant ensuring control systems are physically secure from malicious actors. Think guards, surveillance and physical barriers.

The above list is merely a top-level view of OT threats; the individual technical vulnerabilities of ICS and SCADA are simply too many to cover. It is clear, however, that action is needed.

Tips for guarding against OT threats

So, what can companies do to protect against the risks posed by critical industrial and control systems? At Beyond Security we’ve helped countless organisations guard against OT risks. Broadly, we think the essential steps include:

  • Obtain and maintain visibility. A company cannot protect what it doesn’t know exists, so a comprehensive inventory, and frequent updates of that inventory, is essential. OT asset management allows companies to ensure software and firmware updates are made frequently, while zero-day vulnerabilities can be more easily guarded against.
  • Segregate and ringfence. Yes, OT needs connectivity to the outside world but companies can take measures to limit just how exposed OT is, and exactly how far OT integrates with IT. Put restrictions in place, and minimise the degree of communications wherever possible.
  • OT vulnerability scanning. Even with comprehensive visibility some gaps may be left. Tools including fuzzing can help your company discover security loopholes and vulnerabilities that have slipped through the cracks; OT scanning is therefore an essential activity.
  • Find a partner vendor. Cybersecurity risks are broad and deep and, simply put, comprehensive prevention and protection requires a security partner. Look for a vendor that understands OT and industrial security risks, as these are very different from typical IT cybersecurity risks.
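As an added illustration of the first three steps (visibility, ringfencing and spotting legacy systems), the script below audits a constructed OT asset catalogue against constructed traffic observations. It is example code written for this page, not Beyond Security’s tooling; the catalogue, subnets, end-of-life list and flows are all assumed sample values.

```python
"""Toy OT inventory audit (added example, not the vendor's product).

Flags three of the gaps discussed above:
  - a device seen in the OT zone that is missing from the catalogue (visibility)
  - a catalogued device running end-of-life software (legacy systems)
  - traffic that crosses the IT/OT boundary (segregation / ringfencing)
"""
from ipaddress import ip_address, ip_network

# Constructed sample catalogue: what the company believes is deployed.
CATALOGUE = {
    "10.10.1.5": {"name": "PLC-Line1", "os": "VxWorks 6.9"},
    "10.10.1.20": {"name": "HMI-Line1", "os": "Windows XP Embedded"},
    "10.10.1.30": {"name": "Historian", "os": "Windows Server 2016"},
}
# Hypothetical end-of-life software list; a real one would be maintained separately.
EOL_OS_PREFIXES = ("Windows XP", "Windows 2000", "Windows 7")
# Assumed zone layout: one OT subnet, one IT supernet.
OT_ZONE = ip_network("10.10.1.0/24")
IT_ZONE = ip_network("10.20.0.0/16")

# Constructed observations, e.g. from passive monitoring: (source, destination).
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.1.20"),   # PLC <-> HMI, expected
    ("10.10.1.20", "10.20.3.7"),   # HMI talking to an IT host
    ("10.10.1.99", "10.10.1.5"),   # OT device nobody catalogued
]


def audit(catalogue, flows):
    """Return a list of (finding_type, detail) tuples."""
    findings = []
    seen = {src for src, _ in flows} | {dst for _, dst in flows}
    # Visibility gap: OT-zone addresses that are not in the catalogue.
    for ip in sorted(seen):
        if ip_address(ip) in OT_ZONE and ip not in catalogue:
            findings.append(("unknown-device", ip))
    # Legacy systems: catalogued software that is no longer updated.
    for ip, meta in catalogue.items():
        if meta["os"].startswith(EOL_OS_PREFIXES):
            findings.append(("eol-software", ip))
    # Ringfencing: any flow with one end in OT and the other in IT.
    for src, dst in flows:
        a, b = ip_address(src), ip_address(dst)
        if (a in OT_ZONE and b in IT_ZONE) or (a in IT_ZONE and b in OT_ZONE):
            findings.append(("crosses-it-ot-boundary", f"{src}->{dst}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(CATALOGUE, OBSERVED_FLOWS):
        print(f"{kind}: {detail}")
```

Each finding maps back to one of the vulnerabilities in the list above, so the output can be used directly to prioritise cataloguing, replacement or network restrictions.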

Companies should also keep an eye on at-risk suppliers who are frequently associated with successful attacks, log and monitor carefully to catch intruders and ensure that sufficient, qualified security staff are available to counter OT risks.

Inaction is the biggest risk

To wrap up, while the cybersecurity risks affecting operational technology have been widely known for some time, it appears that organisations have been relatively slow to respond. We’ve outlined some of the top areas in which OT poses a cybersecurity threat, but arguably the biggest threat lies in a lack of response.

Of course, mounting a response is a challenge. If your company is unsure about how to respond to OT cybersecurity risks, consider getting in touch with Beyond Security. We will gladly help you find the OT security solution for your needs and advise on best approaches that will ensure ongoing, persistent defences against even the toughest of OT risks.


Written by Beyond Security

We had an impossible mission: transform the hacker's brain into a machine. Mission accomplished. Using automated software, Beyond Security is dedicated to finding common vulnerabilities and zero-day exploits at a fraction of the cost of human-based penetration testing. Businesses around the world have been relying on Beyond Security's vulnerability and compliance solutions since 1999. Whether you need to accurately assess and manage security weaknesses in your networks, applications, industrial systems or networked software, we're here for you - one step ahead of the hackers.