How to Protect Operational Technology (OT) from Cyber Threats

By Jayakumar (Jay) Kurup, Global Sales Engineering Director at Morphisec

Securing operational technology (OT) creates unique challenges.

Zero tolerance of downtime in factories, ports, banks, treatment plants, and other OT environments means that standard security practices like patch management or deploying protective solutions onto endpoints can be almost impossible to uphold.

Sometimes this is due to cultural reasons (management’s fear of even the slightest chance of disruption); other times, it is technological. OT systems often come as closed systems with firmware and software installed by a supplier.

Despite these challenges, securing OT environments is still something that needs to happen. So, what do you do with an inherently vulnerable system that you don’t want to touch? You try to air-gap it. Great in theory. In practice, however, air-gapping an OT system or firewalling its protected network is only the beginning of hardening its overall security.

OT Attacks Are on the Rise

Whether for geopolitical purposes or to collect a ransom, disrupting or threatening the performance of OT systems can be a huge win for threat actors. This has always been the case, but with OT cyberattacks rising by 87% last year, the threat level to OT is higher than ever.

Since the kinetic conflict between Russia and Ukraine began, a cyber war has been fought in parallel. The result has been a global wave of OT attacks compromising companies like Rosent, Nordex, the UK postal service, and more.

Threat actors are also finding more ways to compromise OT environments.

Only a minority of infrastructural attack chains are the kind of “pure” OT compromises we famously saw in 2010 with Stuxnet, the 2018 Shamoon attacks on Saudi Aramco and more recently with 2020 EKANS ransomware attacks against Honda and Enel. Instead, attacks can come from various vectors, including insiders, the business networks that connect to protected networks and OT assets, and downstream supply chain compromise, i.e., “Chinese Spy Cranes.”

These different vectors are all a threat to OT systems because fully air-gapping an OT system is impossible.  Industrial control systems (ICS) need to connect to corporate TCP/IP networks periodically, and when they do, they can end up plugged into the wider network, exposing the system to potential vulnerabilities and risks.

Ransomware or malware that disrupts the flow of data into a system threatens connections between endpoints (as we saw in the Nordex attack), or infiltrates proprietary information, can shut down operations too.

The rise of remote access capabilities and business connectivity also means that OT networks are plugging into IT environments more than ever. Even in the most secure networks, blind spots and security gaps will emerge. OT users need point solutions to plug these gaps in a way that complements their legacy systems and security technology.

What OT Security Controls Need to Do

No single layer of security can be relied on to protect OT systems, and layering security (aka “defense in depth”) is critical. However, defense in depth isn’t possible without effective security controls. This is where many OT security programs struggle. Security solutions must overcome three serious challenges to stop threats in and around unconventional, resource-constrained, and reliability-focused OT systems.

First, anything deployed on an OT or OT adjacent system needs to avoid the problem of false positive alerts. In OT environments, processes cannot be shut down due to false positives.

Second, protection must happen efficiently when deployed on resource-constrained devices and within low bandwidth with complex network topologies. In OT environments, solutions reliant on downloading updates (which can inadvertently expose assets) create risks.

Third, and most importantly, any OT security solution needs to stop advanced threats from propagating from an IT (IT/business) network to the IT/OT DMZ and into the OT (operational) network. This is critical because these environments are targets for some of the world’s most well-resourced ATPs, who can and will use zero days, fileless worms, trojans, and customized ransomware and malware to attack valuable targets.

Outside of OT environments, scanning-based solutions such as endpoint detection and response (EDR) platforms are being used to protect IT endpoints. In OT environments, however, they are not suitable solutions and will often heavily underperform. This is important since EPPs and EDRs rely on continual telemetry for signature and behavioral pattern updates and threat feeds. As a result, EDRs cannot operate properly in an air-gapped situation.

As these solutions scan for malware hooks, they use up scarce computing resources. Most EDRs are also incompatible with the diverse range of legacy OS, hardware, and applications that exist in a typical OT environment and create many false positives. None of which bodes well for their longevity in any sensitive site.

Most importantly, the biggest issue with using EDRs to protect OT adjacent systems and networks is that they fail to detect fileless and evasive attacks reliably. Many threats don’t create the recognizable signatures EDR looks for. Advanced threats (such as Cobalt Strike) also operate in unscannable environments like device memory during run time.

The same applies to solutions that use similar technology in other parts of the IT environment, such as NDRs deployed to analyze network traffic.

Protecting OT Environments with AMTD

Automated Moving Target Defense (AMTD) is a super lightweight, preventative solution that can be deployed in and around OT systems to shut down attack pathways.

AMTD is fundamentally suitable for OT environments because it stops threats without needing to detect them. It also does not require an internet connection, updates to date telemetry, or modern OS versions.

Able to stop zero days, fileless, and evasive attacks, AMTD randomly morphs runtime memory environment to create an unpredictable attack surface and leaves decoy traps where targets were.

OT threats don’t follow standard playbooks. They are often unknown and dynamic, and, with OT systems firewalls dissolving, coming from more places. This is what a changing threat landscape looks like. As always, the best response is to double down on prevention. AMTD is a proven solution for preventing the worst threats OT security teams will ever experience.


No posts to display