The Old Ways Aren’t Working: Let’s Rethink OT Security
Colonial Pipeline. JBS. Agricultural cooperatives in Iowa and Minnesota. While attacks against critical infrastructure are nothing new, it is only recently that concerns have spilled into the public view. When Colonial Pipeline was hit by ransomware, for example, there were long lines of cars and panic-buying at gas stations. Some even ran out of supply.
“America needs gasoline. Aircraft need jet fuel, and it just quite literally wasn’t there anymore,” says Dave Masson, director of enterprise security at Darktrace. “And that’s pretty much what’s woken up public consciousness to this issue.”
One of the reasons it had been so hard to focus people’s attention on threats to critical infrastructure before is that the term itself is broad, encompassing many things.
“Critical infrastructure is pretty much what makes modern life livable,” says Masson. “It’s all those things we actually need to live on – how the power turns up, how the water turns on. How the traffic moves, how our communications happen, and how food that we buy ends up on the shelves. How the systems that we use to pay for it, particularly now that we’re not handling cash.”
The IT/OT Convergence
Another reason critical infrastructure has not been at the forefront of security awareness is that most of the systems that underpin it are operational technology (OT), as opposed to the computers and servers that are common in enterprise IT.
“OT are computers that cause some kind of physical change. Something opens, something shuts, something moves, something doesn’t move,” Masson says. “Most of the OT networks were never designed with cybersecurity in mind – in fact, not designed with any security in mind at all. They were designed for safety – to not break down and cause damage or harm to human beings, and to always be there and always be available.”
Traditionally, OT systems were not connected to the Internet, but that has been changing in recent years as organizations have focused on making OT more efficient, safer, and cost-effective.
“One of the ways to do that is to start using IT and connect OT to the Internet,” Masson says.
The world of IT has the Internet of Things (IoT). The equivalent in the world of critical infrastructure – the sensors used in manufacturing facilities and out in the field – is the industrial Internet of Things (IIoT).
While IT/OT convergence has significant benefits, such as the ability to monitor and manage OT remotely and to collect information from sensors in remote locations, it also introduces threats from the IT world that previously did not exist in OT networks, Masson says.
Growing Threat to Critical Infrastructure
Originally, many of the attacks on critical infrastructure were the work of nation-states, Masson says, noting that their budgets, resources, and people were needed to carry out these kinds of attacks. “To carry out an attack on industrial IoT, you really had to do your research,” Masson says.
That is no longer the case. Cybercriminal gangs have figured out that they can make money by targeting critical infrastructure. While some criminal gangs may be acting on behalf of nation-states, many are also flowing some of the ransom money “back into their own R&D,” Masson says. The convergence of IT and OT has made it possible for these criminal gangs to adapt their IT-based attacks to target critical infrastructure providers.
“You’ve just got to land in IT, work your way through [the network], pivot over to OT, and away you go,” Masson says. “It’s not that much effort to do it.”
What is increasingly clear is that attackers do not even need to compromise OT systems to collect a ransom or extort payment from an organization; the fear of an attack alone can be just as effective. That is exactly what happened in the Colonial Pipeline attack, where the ransomware never got anywhere near OT. The administrators shut the systems down out of concern that the malware could spread and do damage to the point where they could no longer shut the network down in a controlled way, or that the malware would shut it all down on its own.
“The absolute fear of a ransomware attack spreading from IT to OT leads manufacturers to shut down OT out of fear and abundance of caution,” Masson says.
If an organization shuts down operations because its IT network has been compromised, it causes some disruption, but the impact is fairly contained: hospitals may need to divert patients to other area facilities, and municipalities may have to delay some of their services.
“If the decision is made to shut down a plant, you’re shutting down quite possibly part of the nation’s critical infrastructure,” Masson says.
What Ransomware on OT Looks Like
It is important to note that ransomware attacks on OT are not theoretical: numerous attacks in which the data on OT machines was encrypted and made unavailable have already occurred, and such attacks can bring a facility to a standstill.
Ransomware attacks are rarely smash-and-grab operations nowadays, Masson says. After gaining initial access through a phishing link or exposed remote desktop access, the threat actors are willing to spend a lot of time on the target network.
Once they have a foothold, adversaries spend that time moving laterally and working out where everything is.
“They investigate what systems they can access and then detonate the encryption on the bits that really matter,” Masson says. The attackers look for things to encrypt that the organization will be willing to pay for.
Adversaries tend to be flexible. They are nimble enough to change tactics, add new capabilities, or even completely revamp their tools and infrastructure if it makes sense to do so.
“With ransomware, people realized that if they had backups, it didn’t matter if the bad guys encrypted the network. ‘I’ll just start again from backups. It’s a pain and might take a long time, but I can do it,’ they say,” notes Masson. “But attackers very quickly decided that they are going to steal the data and encrypt what’s left behind. And if the ransom doesn’t get paid, expose it.”
If someone comes up with a defense that works, the attackers do not give up and go away. This willingness to adapt is why it often seems that attackers have the advantage, “but it is possible to put the advantage back in the hands of the defenders,” Masson says.
The attackers must go through multiple stages before “they press fire to actually do the encryption,” he says. That means there are multiple opportunities to detect and stop the attack.
Using AI to Protect Critical Infrastructure
Artificial intelligence (AI) plays a significant role here as the technology can understand the patterns associated with the entire digital infrastructure – IT and OT – and notice deviations in device activity long before a human analyst would, Masson says.
In the case of ransomware, something like a login on a server with an unusual credential would trigger an alert from the AI. Beyond alerting, the AI then enforces the device’s “normal” pattern of behavior, which could mean blocking internal downloads from the compromised server, for example. Because this “autonomous response” capability acts only on activity that departs from the learned baseline, Masson says, none of its actions interfere with the organization’s normal activities, so there is no disruption to business operations.
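The loop described in the two passages above (the multi-stage path from initial access through lateral movement to the point where encryption is triggered, and a baseline-driven detection that reacts to the early stages without touching normal traffic) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Darktrace’s code and makes no claim about how the product works. The host names, segment labels, the (source, user, destination, port, protocol) event format and the response policy are all assumptions constructed for the illustration, with a baseline learned from a “known good” period and a later day’s events that include an intrusion landing in IT and pivoting toward a PLC.

```python
from collections import defaultdict

# Which segment each host sits in. Constructed for this example.
SEGMENTS = {
    "ws-finance-01": "it", "srv-erp-01": "it", "srv-files-01": "it",
    "ws-ops-02": "it", "hist-01": "dmz",
    "plc-line1": "ot", "plc-line2": "ot", "hmi-line1": "ot",
}

# Constructed learning-period events: (src host, user, dst host, dst port, protocol).
BASELINE_EVENTS = [
    ("ws-finance-01", "alice", "srv-erp-01", 443, "https"),
    ("ws-finance-01", "alice", "srv-files-01", 445, "smb"),
    ("ws-ops-02", "bob", "hist-01", 5450, "historian"),
    ("hist-01", "svc-hist", "plc-line1", 502, "modbus"),
    ("hmi-line1", "operator", "plc-line1", 502, "modbus"),
]

# Constructed later-day events containing a staged intrusion that lands in IT
# and pivots toward OT, plus one harmless-looking change on the OT side.
LIVE_EVENTS = [
    ("ws-finance-01", "alice", "srv-erp-01", 443, "https"),        # normal
    ("ws-finance-01", "svc-backup", "srv-files-01", 445, "smb"),   # known path, strange credential
    ("ws-finance-01", "svc-backup", "ws-ops-02", 3389, "rdp"),     # lateral movement inside IT
    ("ws-ops-02", "svc-backup", "hist-01", 445, "smb"),            # staging toward the DMZ
    ("ws-ops-02", "svc-backup", "plc-line1", 502, "modbus"),       # IT host talking to a PLC
    ("hmi-line1", "operator", "plc-line1", 502, "modbus"),         # normal OT
    ("hmi-line1", "operator", "plc-line2", 502, "modbus"),         # new flow, but from an OT device
]


def learn_baseline(events):
    """Per source host, record the credentials it normally uses and the
    (dst, port, proto) peers it normally talks to."""
    users, flows = defaultdict(set), defaultdict(set)
    for src, user, dst, port, proto in events:
        users[src].add(user)
        flows[src].add((dst, port, proto))
    return {"users": dict(users), "flows": dict(flows)}


def detect(events, baseline):
    """Return one alert per event that deviates from the baseline, tagged
    with the reasons so an analyst can see which stage of the intrusion
    it represents (odd credential, new connection, IT-to-OT pivot)."""
    alerts = []
    for src, user, dst, port, proto in events:
        reasons = []
        if user not in baseline["users"].get(src, set()):
            reasons.append("unusual_credential")
        if (dst, port, proto) not in baseline["flows"].get(src, set()):
            reasons.append("new_flow")
            if SEGMENTS.get(src) != "ot" and SEGMENTS.get(dst) == "ot":
                reasons.append("it_to_ot_pivot")
        if reasons:
            alerts.append({"src": src, "user": user, "dst": dst,
                           "port": port, "proto": proto, "reasons": reasons})
    return alerts


def plan_response(alerts):
    """Map alerts to the narrowest action that leaves baseline traffic alone:
    - a deviating flow from an IT or DMZ host is blocked (that flow only);
    - a baseline flow using a strange credential is handed to an analyst,
      since blocking it would cut a known-good path;
    - anything originating from an OT device is watched, never blocked,
      because interrupting controller traffic can itself be unsafe."""
    plan = {"block": [], "investigate": [], "watch_only": []}
    for a in alerts:
        if SEGMENTS.get(a["src"]) == "ot":
            plan["watch_only"].append(a)
        elif "new_flow" in a["reasons"]:
            plan["block"].append(a)
        else:
            plan["investigate"].append(a)
    return plan


if __name__ == "__main__":
    plan = plan_response(detect(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS)))
    for action, items in plan.items():
        for a in items:
            print(f"{action:12} {a['src']} -> {a['dst']}:{a['port']}/{a['proto']} "
                  f"user={a['user']} reasons={','.join(a['reasons'])}")
```

Run as a script, it lists three flows to block (the RDP hop, the SMB staging to the historian and the IT-to-PLC Modbus session), one credential anomaly on a known-good path for an analyst to investigate, and one new flow from an HMI that is only watched. The point of the split is the one the passage makes: the earliest stages (a strange credential, a new internal connection) are visible well before anything is encrypted, and containment can be scoped to the deviating flows on IT hosts so that baseline traffic, and OT devices in particular, are never interrupted by the automated response.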
“A lot of people will be having a heart attack at the thought of actually taking action on devices in OT, but the idea is to stop the attack before it reaches OT [before any encryption can even take place],” Masson says.
AI can play a significant role in securing OT as it can provide the visibility needed to understand what every single piece of equipment is supposed to do and is doing at all times. AI helps identify what is in place, assess what kind of threats are targeting the systems, and figure out what actions are needed to protect them.
“This isn’t about AI replacing human beings. Skynet isn’t going to happen, so forget about that,” Masson says. “This is about AI supporting human beings by doing the heavy lifting in terms of configuration and investigation. Good, quality cyber professionals don’t grow on trees. The AI frees up the human analysts to actually devote quality human thinking time to issues that are going on.”
It is inevitable that the attackers will get in. “But it is not inevitable that damage will be the result,” Masson says. AI makes it possible to see the very early stages of an attack and either stop the attacks entirely or respond quickly to prevent the attack from spreading.