Defending OT Requires Agility, Proactive Controls

COMMENTARY

Hackers affiliated with the Chinese government have reportedly maintained access to US critical infrastructure for years, several agencies warned in February. The revelation is, at least on the surface, a heel-turn for Chinese cyber behavior — moving from espionage to the potential compromise or destruction of infrastructure via operational technology (OT). This includes the programmable systems and devices connected to physical environments.

Last December, a supply chain-focused attack against ShipManager software from maritime advisory company DNV reportedly disrupted operations for dozens of its clients — affecting as many as 1,000 vessels. In November, the Cybersecurity and Infrastructure Security Agency warned of Iranian actors actively exploiting Unitronics equipment used in water and wastewater systems, prompting a later warning from the Environmental Protection Agency (EPA) and the White House. The EPA also warned in May that a whopping 70% of US water systems fail its cybersecurity standards.

Similar OT systems have been connected to the Internet to enable remote monitoring and control, but that convenience has opened up avenues for attackers. These systems were often built for reliability before widespread connectivity. They are often implemented with niche solutions and can be difficult to audit and protect.

OT attacks, along with IT attacks on infrastructure supporting these operational environments, can take down customers' supply chains, damage equipment, and result in costly production disruptions: According to a study by ITC, four in 10 enterprise organizations said one hour of downtime can cost from $1 million to over $5 million.

Keeping the lights on in these increasingly complex environments is no easy feat. OT needs even higher levels of protection than that afforded to IT, since a single OT breach can cascade across multiple systems. Here, I'll outline three key steps for defending these environments, which begins with understanding OT's cyber-physical impacts and complexities.

1. Eliminate Gaps Across Environments

Convergence of security between IT and OT is accelerating, but the two cannot be completely independent workstreams. Managing OT security is not a "set it and forget it" or reactive process, and vulnerability management cannot be lax. An effective strategy meant to reduce OT risk and protect operational uptime requires full asset visibility, and oftentimes there is crossover with IT.

With greater visibility, defenders can gather accurate and continuous telemetry data. Acquiring it, however, will entail ongoing communication and collaboration with the IT teams who have traditionally overseen Internet-facing devices.

IT and OT defenders can establish cross-functional teams and carry out joint risk assessment exercises. This open line will generate a better understanding about how assets communicate with each other, which apps are running (and where), and how user privileges are configured. The visibility gives teams greater control over their organizational infrastructure and can inform critical decision-making processes.

2. Develop Comprehensive OT Playbooks

Once assets are mapped and better understood, the next step is a standardization of security practices. Defenders should create or evolve OT security playbooks and consider a range of scenarios.

Plans should draw from the organization's existing knowledge base, outline step-by-step incident response protocols, and define reactive steps among all business units and executives — for instance, documenting which teams or partners must respond in the event of a sector-specific worst-case scenario, such as a critical pipeline being held for ransom.

OT defenders should also regularly monitor guidance disseminated by the National Institute of Standards and Technology (including the new governance pillar of the NIST CSF framework) and intelligence agencies, along with industry groups and vendors.

3. Implement Robust Controls

With more systems coming online, the general widening of the OT attack surface necessitates powerful exposure management technology. In fact, this is a point my colleagues and I continue to raise in different forums, as threat actors, like China-backed entities, continue to shift their tactics.

Sophisticated advanced persistent threats (APTs), like China's Volt Typhoon, increasingly rely on living-off-the-land techniques — using legitimate, embedded services to carry out their crimes. This can cloak their network activity and make traditional indicators of compromise highly difficult to detect. This ultimately dilutes the impact of more traditional security technologies.

Defenders simply cannot overlook this threat. They must be able to contextualize data and resolve issues before they can be exploited, performing functions like high-speed asset discovery and malware detection.

Moving Away From Reactive Policies

Given the rise of ransomware attacks in OT environments — more than half of polled industrial firms confirming they've suffered a related incident — there is new urgency tied to this domain. In fact, these events have created space for security teams to advocate internally for more robust controls.

Luckily, as part of this effort, organizations are steadily moving away from the reactive policies that once guided OT and instead are looking more holistically at the intricate web of networks and devices across their operations.

By using these tips, security teams can effectively reduce risk levels without compromising operational agility. OT infrastructure demands time and attention, but greater security will help protect physical environments from the advances of prominent APTs.