Zero-Trust and the Rise of ICS, OT Security Threats

Cyberattacks on U.S. industrial control systems (ICS), targeting critical infrastructure and especially utilities, were already growing, but have accelerated with the Covid-19 pandemic.

The proportion of attacks on operational technology (OT) systems nearly doubled between 2019 and 2020, from 16% to 28%, according to the recent Honeywell Industrial Cybersecurity USB Threat Report 2020. Critical threats (those potentially causing major disruptions) more than doubled, from 26% to 59%.

In addition to these gloomy statistics, threat actors who gain access to ICS networks without disrupting them right away are much more common than public reports imply, as they’re learning about ICS for future attacks. “Threats are growing at a rate three times faster than they are going dormant,” according to cybersecurity leader Dragos’ 2020 ICS Cybersecurity Year In Review report. “This is likely due to the increased investment made by adversaries in targeting ICS over the last five to 10 years, [which] will continue to accelerate the ICS threat environment.”

(Image source: Verve Industrial Protection.)

Those adversaries are aided by the growth of product vulnerabilities, coupled with employees remotely accessing ICS and OT systems from home. Some say the answer is implementing zero-trust principles.

Product vulnerabilities on the rise

Product vulnerabilities aren’t just security holes in Internet of things and industrial IoT devices, but in ICS and OT network products, such as PLCs or embedded industrial controllers. These vulnerabilities, and their severity, are increasing quickly.

Among vulnerabilities disclosed during the second half of last year, industrial sectors most impacted were critical infrastructure: manufacturing, energy, water and wastewater, and commercial facilities. That’s according to Claroty’s 2H 2020 Biannual ICS Risk & Vulnerability Report. Vulnerabilities affecting ICS products increased 33% over those in 1H 2020. Totaling 449, they came from 59 different vendors, emphasizing the need for network-based detection and secure remote access.

In just the past two years, vulnerabilities disclosed in critical manufacturing and water/wastewater increased by about two-thirds, and in energy by three-quarters. Of the total, 70% were assigned high or critical Common Vulnerability Scoring System (CVSS) scores, and 76% can be exploited without authentication.

A driving reason for these increases is the adoption of web technologies, Ron Brash, director of cyber security insights for Verve Industrial Protection, told EE Times. “That’s because adding a web server is adding a ton more code, more dependencies, and testing them is much harder,” he said. “As we move to higher-level, more abstract, and more flexible things, we get more problems.” The largest number of vulnerabilities by far are software and logic errors, according to Verve’s ICS vulnerabilities report.

Although security scanning of OT-level networks increased in 2020 over 2019, most industrial organizations remain inadequately prepared for an OT cybersecurity attack. The problem is acute enough that last summer the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency issued a joint alert recommending immediate actions to reduce the exposure of ICS and OT systems.

Remote access threats growing

Ron Brash

Threats to ICS and OT systems from remotely exploitable vulnerabilities are also increasing, many due to the larger attack surface created by the jump in employees’ remote access, both pre- and post-pandemic.

Almost two-thirds of ICS vulnerabilities are remotely exploitable with very little skill, according to the Verve report. In 2020, remotely exploitable/low skill vulnerabilities increased by 66% over 2019. “This should raise the hair on the back of the necks of OT operators everywhere, especially in a world of greater remote connectivity to critical infrastructure during COVID and in the future,” said the report. “These are not just small, minor risks, either.”

“One reason for the increase in remotely exploitable vulnerabilities is an increase in internetworking activity, such as what we do during Zoom calls: much of our communication is now taking place between remote workers offsite, and then by communicating to OT assets remotely from their homes,” said Brash.

Attack avenues and methods just keep growing. Not only can industrial systems be remotely hacked via VPN vulnerabilities, but also via industrial barcode scanners and insecure security cameras.

Even scarier, in January researchers discovered a new type of network-address translation (NAT) slipstreaming attack. Using this exploit, remote hackers can access multiple, previously unreachable devices inside a network, even when the devices don’t have internet access. Instead of merely launching an attacker-controlled website when a connected victim clicks on a link, this exploit convinces the NAT to open paths to any device on the internal network. That can include unmanaged devices such as printers or PLCs.

Attacks on remote-access tools themselves are also increasing. Last year, Kaspersky reported brute-force attacks on the Remote Desktop Protocol (RDP), used by many home workers accessing enterprise networks, had increased from the low hundreds of thousands per country, per day in early March to nearly one million per country, per day by the end of that month. Last June, cybersecurity firm ESET reported brute-force attacks on remote access applications, including RDP, had increased about 300% since January.
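The RDP brute-force activity described above is something an OT operator can detect from their own logon audit data. The following is an added example, not code from EE Times, Kaspersky or ESET. It assumes Windows Security events have been exported one per line in a constructed pipe-separated form (timestamp|EventID|LogonType|SourceIP|Account); event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the log format, addresses and accounts are constructed. It goes slightly beyond the article by separating single-account brute forcing from password spraying, which the same sliding-window count can distinguish by how many distinct accounts one address tries.

```python
"""Flag RDP brute-force and password-spray activity from failed-logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). Four source addresses:
#   203.0.113.7  hammers one account over RDP           -> brute force
#   198.51.100.9 tries five accounts once each over RDP -> password spray
#   192.0.2.25   mistypes twice, then logs in (4624)    -> benign
#   10.0.0.5     fails six times at the console (type 2)-> not RDP, ignored
SAMPLE_LOG = """\
2021-03-15T08:00:01|4625|10|203.0.113.7|administrator
2021-03-15T08:00:02|4625|10|203.0.113.7|administrator
2021-03-15T08:00:04|4625|10|203.0.113.7|administrator
2021-03-15T08:00:07|4625|10|203.0.113.7|administrator
2021-03-15T08:00:11|4625|10|203.0.113.7|administrator
2021-03-15T08:00:16|4625|10|203.0.113.7|administrator
2021-03-15T08:10:00|4625|10|198.51.100.9|svc_backup
2021-03-15T08:10:04|4625|10|198.51.100.9|operator
2021-03-15T08:10:08|4625|10|198.51.100.9|hmi_admin
2021-03-15T08:10:12|4625|10|198.51.100.9|engineer
2021-03-15T08:10:16|4625|10|198.51.100.9|scada
2021-03-15T08:20:00|4625|10|192.0.2.25|jsmith
2021-03-15T08:20:30|4625|10|192.0.2.25|jsmith
2021-03-15T08:20:45|4624|10|192.0.2.25|jsmith
2021-03-15T08:30:00|4625|2|10.0.0.5|localuser
2021-03-15T08:30:03|4625|2|10.0.0.5|localuser
2021-03-15T08:30:06|4625|2|10.0.0.5|localuser
2021-03-15T08:30:09|4625|2|10.0.0.5|localuser
2021-03-15T08:30:12|4625|2|10.0.0.5|localuser
2021-03-15T08:30:15|4625|2|10.0.0.5|localuser
"""

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10        # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "account": account,
        })
    return events


def detect_rdp_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: finding} for addresses with >= threshold RDP logon
    failures inside any sliding window of the given length.

    A finding is labelled "password spray" when the failures in the window
    span three or more distinct accounts, otherwise "single-account brute force".
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account) in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue   # only failed RDP logons count toward the threshold
        queue = recent[ev["ip"]]
        queue.append((ev["ts"], ev["account"]))
        while queue and ev["ts"] - queue[0][0] > window:
            queue.popleft()   # drop failures that fell out of the window
        if len(queue) >= threshold:
            accounts = {acct for _, acct in queue}
            pattern = "password spray" if len(accounts) >= 3 else "single-account brute force"
            previous = findings.get(ev["ip"])
            if previous is None or len(queue) > previous["failures"]:
                findings[ev["ip"]] = {
                    "failures": len(queue),
                    "accounts": len(accounts),
                    "pattern": pattern,
                    "last_seen": ev["ts"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {finding['pattern']} ({finding['failures']} failures, "
              f"{finding['accounts']} accounts, last {finding['last_seen']})")
```

The window and threshold are deliberately loose defaults; a real deployment tunes them per site, and the more important design choice is filtering on logon type 10 so that console and service-account noise does not drown out the remote-access signal.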

Is zero-trust the answer?

Everyone I talk to in cybersecurity says the zero-trust principle, becoming more common in IT networks, is also the best security strategy for OT networks. It’s a simple concept: instead of the old assumption that anyone on an OT network has the right to be there — “trust and don’t bother to verify;” or even the updated version: “trust but verify” — zero-trust takes an X-Files-like opposite stance: “never trust, always verify.”

In the wake of the massive SolarWinds hack, even the federal government is starting to get on board. The NSA recently issued guidance on implementing zero-trust principles in critical networks within national security systems.

But zero-trust is still in early days. While some cybersecurity providers are doing it at the network level, that’s almost entirely in IT, Duncan Greatwood, CEO of cybersecurity provider Xage, told EE Times. “For zero-trust to work, it has to be application-aware, and user-aware,” he said. “That’s why it comes under the access control heading: access control issues and user authorization issues are principally application-layer not network-layer issues.”
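Greatwood's distinction between network-layer and application-layer control is easiest to see as two access decisions side by side. The following is an added example and not Xage's product or the NSA guidance; it models the "never trust, always verify" stance as a per-request check on a named user, a named device and a named action against a named OT asset, contrasted with a perimeter check that only asks whether the source address is inside the plant network. The policy table, roles, asset names, MFA age limits and the maintenance window are all constructed.

```python
"""Perimeter vs. application-aware zero-trust access decisions for an OT asset."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed plant network and asset inventory used by the legacy perimeter check.
INTERNAL_NET = ip_network("10.20.0.0/16")
PLC_ASSETS = {"plc-line3", "plc-boiler1"}
CHANGE_WINDOW_HOURS = (22, 23, 0, 1)   # hypothetical approved maintenance window (UTC)


@dataclass
class Session:
    user: str
    roles: frozenset
    device_compliant: bool          # result of an endpoint posture check
    source_ip: str
    mfa_verified_at: Optional[datetime]


@dataclass
class Request:
    asset: str
    action: str
    at: datetime


# Application-aware policy: which roles may perform which action on which asset,
# how fresh the MFA proof must be, and whether a compliant device is required.
POLICY = {
    "plc-line3": {
        "read_tags":      {"roles": {"operator", "engineer"}, "mfa_max_age": timedelta(hours=8),
                           "compliant_device": False},
        "write_setpoint": {"roles": {"operator"}, "mfa_max_age": timedelta(minutes=15),
                           "compliant_device": True},
        "download_logic": {"roles": {"engineer"}, "mfa_max_age": timedelta(minutes=15),
                           "compliant_device": True, "change_window": True},
    }
}


def perimeter_decision(session: Session, request: Request) -> Tuple[bool, str]:
    """Legacy model: anyone whose packets arrive from inside the plant network may
    talk to any PLC. It knows nothing about the user, device or action."""
    if ip_address(session.source_ip) in INTERNAL_NET and request.asset in PLC_ASSETS:
        return True, "inside perimeter"
    return False, "outside perimeter"


def in_change_window(at: datetime) -> bool:
    return at.hour in CHANGE_WINDOW_HOURS


def zero_trust_decision(session: Session, request: Request) -> Tuple[bool, str]:
    """Verify every request against the user, device and action; deny by default."""
    rule = POLICY.get(request.asset, {}).get(request.action)
    if rule is None:
        return False, "no policy for asset/action (default deny)"
    if not session.roles & rule["roles"]:
        return False, "role not authorized for this action"
    if session.mfa_verified_at is None or request.at - session.mfa_verified_at > rule["mfa_max_age"]:
        return False, "MFA verification too old; re-authenticate"
    if rule["compliant_device"] and not session.device_compliant:
        return False, "device posture check failed"
    if rule.get("change_window") and not in_change_window(request.at):
        return False, "outside approved change window"
    return True, "allowed"


# Constructed scenarios: every session comes from an internal address, so the
# perimeter model allows all of them; the zero-trust model decides per request.
NOW = datetime(2021, 3, 15, 3, 0, tzinfo=timezone.utc)         # 03:00 UTC
LATE = NOW.replace(hour=22)                                    # 22:00 UTC, in the window
OPERATOR_FRESH = Session("alice", frozenset({"operator"}), True, "10.20.5.17", NOW - timedelta(minutes=5))
OPERATOR_STALE = Session("alice", frozenset({"operator"}), True, "10.20.5.17", NOW - timedelta(hours=2))
ENGINEER_BYOD = Session("bob", frozenset({"engineer"}), False, "10.20.8.3", NOW - timedelta(minutes=1))
ENGINEER_OK = Session("bob", frozenset({"engineer"}), True, "10.20.8.3", NOW - timedelta(minutes=1))
ENGINEER_LATE = Session("bob", frozenset({"engineer"}), True, "10.20.8.3", LATE - timedelta(minutes=1))

SCENARIOS = {
    "operator_write_fresh":        (OPERATOR_FRESH, Request("plc-line3", "write_setpoint", NOW)),
    "operator_write_stale_mfa":    (OPERATOR_STALE, Request("plc-line3", "write_setpoint", NOW)),
    "operator_read_stale_mfa":     (OPERATOR_STALE, Request("plc-line3", "read_tags", NOW)),
    "operator_download":           (OPERATOR_FRESH, Request("plc-line3", "download_logic", NOW)),
    "operator_unknown_action":     (OPERATOR_FRESH, Request("plc-line3", "reboot", NOW)),
    "engineer_download_byod":      (ENGINEER_BYOD, Request("plc-line3", "download_logic", NOW)),
    "engineer_download_offhours":  (ENGINEER_OK, Request("plc-line3", "download_logic", NOW)),
    "engineer_download_in_window": (ENGINEER_LATE, Request("plc-line3", "download_logic", LATE)),
}


def run_scenarios():
    """Evaluate every scenario under both models and return the decisions."""
    return {name: {"perimeter": perimeter_decision(s, r), "zero_trust": zero_trust_decision(s, r)}
            for name, (s, r) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:30} perimeter={result['perimeter'][0]!s:5} zero_trust={result['zero_trust']}")
```

Read access with a day-old MFA proof is allowed while a setpoint write with the same session is not; that asymmetry is the practical content of "application-aware": the decision depends on what the user is about to do to the controller, not on which subnet the packet came from.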

Duncan Greatwood

Xage recently launched a cloud-delivered zero-trust security solution for remotely accessing OT environments.

Greatwood described three major historical barriers to zero-trust in OT: situational, technical and cultural. “Situationally, until recently the pressure on OT departments to deal with cybersecurity wasn’t that strong,” he said. “It’s only in the last three or four years, especially in the U.S., that everyone in OT has become at risk: utilities, logistics, factories, distribution warehouses.”

Cultural barriers include the OT world’s traditional slow pace of change. Technically, the OT environment relies predominantly on perimeter protection, a strategy that sort of blew up when everyone began working from home last year.

“There’s typically no separation between the layers of the OT model, although OT departments may have a DMZ between IT and OT, and the very largest operations may subdivide the lower three OT levels,” said Greatwood. “Now, OT is suddenly in a world with massive remote access and data constantly flowing in and out because they’re running more sophisticated systems. The perimeter model is quickly breaking down.”

Not trusting anyone, à la Mulder and Scully, looks like the way to go. But it’s going to be a long haul.
