The convergence of operational technology with digital transformation has still not made cybersecurity a priority, as a recent incident shows

Recently, 56 vulnerabilities affecting 10 major operational technology (OT) device manufacturers were discovered in four categories: insecure engineering protocols; weak cryptography or broken authentication; insecure firmware updates; and remote code execution.

The majority of these vulnerabilities could lead to the compromise of credentials allowing threat actors to take control of a device, inject and execute code on it, intercept network traffic for reconnaissance or intelligence gathering, or launch a Denial of Service attack on the system.

CybersecAsia.net found out more from the person heading the team that discovered the vulnerabilities: Daniel dos Santos, Head of Research, Vedere Labs, Forescout Technologies.

CybersecAsia: What measures need to be taken by equipment manufacturers to avoid such critical vulnerabilities? 

Daniel dos Santos (DS): Many manufacturers have already started designing secure alternatives to existing insecure protocols and equipment by adding functions such as authentication, encryption and software integrity verification.

The main problem is that because of the long lifecycles of OT equipment deployed at asset owner networks (which can be up to 20 years), this new equipment will take a long time to replace existing technology.

In the meantime, some functionality can be fixed via patches (for instance, integrity verification) but others are more difficult (for instance, adding encryption to communications) because it would require changing an entire system (comprising numerous devices interoperating in complex ways) to operate using a new protocol.

Also, equipment manufacturers can run a coordinated ‘vulnerability disclosure program’ where researchers and customers investigate and resolve cybersecurity vulnerabilities efficiently. It is important that manufacturers are transparent about the risks and share information with their customers and the larger security community, as these insights are crucial to managing the risks of industrial environments.

Any remediation steps, such as disabling extra services on a vulnerable device or applying security patches, should be quickly communicated so affected organizations can plan their response actions.

CybersecAsia: What had led to the vulnerabilities in devices that your team discovered?

DS: The usual cause of OT vulnerabilities is lack of basic security controls (in legacy systems), encryption and proper authentication. In many cases, operational technology (OT) devices and protocols are designed and tested under the assumption that anyone dealing with the equipment is not an attacker.

There are two main types of OT vulnerabilities:

  1. Those that occur by mistake in software development (such as buffer overflows and logic flaws)
  2. Those that occur by a lack of design considerations, such as missing encryption and authentication enforcement. These are much rarer in IT or IoT devices nowadays, but are still very common in OT.

To address such issues, vulnerability management is used to identify, classify, prioritize, remediate, and mitigate software vulnerabilities.

However, vulnerability management in operational technology is complicated by a few factors, such as the long lifecycles of equipment, difficulty in patching when devices have to be taken offline, and safety considerations from potential cyberattacks.

CybersecAsia: What does your team foresee in the OT threat landscape, given the ongoing global rush to embrace digital transformation in the wake of the pandemic?

DS: With the rapid pace at which computing and communication tech is evolving and the increasing reliance we have on IT infrastructure to enable remote collaboration, we are seeing an increase in attacks. 

With the rise in connected devices in organizations, a new attack path, known as ‘Ransomware for IoT’ (or R4IoT), has emerged. Next-generation ransomware uses IoT devices as a means of initial entry and lateral movement to IT and OT systems with the intention of physically interrupting business operations.

As OT systems are more connected and play an increasingly important role in our society (e.g., in smart power grids and smart buildings) we will see an increase in OT and IoT device security scrutiny, leading to more vulnerabilities being discovered.

Mitigation strategies for asset owners need to include:

  • Continual discovery and inventory of vulnerable devices: Network visibility solutions can help defenders to discover vulnerable devices in the network and apply proper control and mitigation actions.
  • Enforcement of segmentation controls and proper network hygiene: This can mitigate the risk of vulnerable devices. If they cannot be patched, or until they can be patched, restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control.
  • Monitoring of progressive patches released by affected device vendors: Devise a remediation plan for vulnerable asset inventory, balancing business risk and business continuity requirements.
  • Monitoring all network traffic for malicious packets: These are the entry points to exploiting insecure-by-design functionality. Block anomalous traffic, or at least alert network operators to its presence.
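As an added illustration of the inventory, segmentation and containment controls listed above (example code written for this page, not part of the interview or of Forescout's tooling), the audit below checks constructed flow records against an asset inventory with zones and a default-deny zone policy, flagging uninventoried endpoints, denied cross-zone flows, and flows that reach an unpatched device from outside its zone. All IP addresses, zone names and ports are assumed values.

```python
from dataclasses import dataclass

# Constructed asset inventory (not a real site): IP -> (zone, patch available?)
INVENTORY = {
    "10.1.0.10": ("plc_zone", False),   # PLC with a known flaw and no patch yet
    "10.1.0.11": ("plc_zone", True),
    "10.2.0.20": ("eng_ws", True),      # engineering workstation
    "10.3.0.30": ("it_office", True),
    "10.3.0.31": ("it_office", True),
}

# Segmentation policy: permitted (source zone, destination zone) pairs.
# Anything not listed is denied, i.e. default-deny between zones.
ALLOWED_ZONE_PAIRS = {
    ("eng_ws", "plc_zone"),
    ("plc_zone", "plc_zone"),
    ("it_office", "eng_ws"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.2.0.20", "10.1.0.10", 44818),  # workstation to unpatched PLC
    ("10.3.0.30", "10.1.0.10", 44818),  # office host straight to the PLC
    ("10.3.0.31", "10.2.0.20", 3389),   # office host to workstation
    ("192.0.2.5", "10.1.0.11", 502),    # source not in the inventory
]

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str

def zone_of(ip):
    return INVENTORY[ip][0] if ip in INVENTORY else "unknown"

def audit_flows(flows):
    # One Finding per flow that violates inventory, zoning or containment rules
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if "unknown" in (src_zone, dst_zone):
            findings.append(Finding(src, dst, port, "uninventoried endpoint"))
        elif (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
            findings.append(Finding(src, dst, port, f"zone policy denies {src_zone}->{dst_zone}"))
        elif src_zone != dst_zone and not INVENTORY[dst][1]:
            # Allowed by zoning, but the target cannot be patched: contain it more tightly
            findings.append(Finding(src, dst, port, "unpatched device reached from another zone"))
    return findings
```

Run `audit_flows(FLOWS)` to list the three flows that need action; the office-to-workstation flow passes because it is permitted by policy and its destination is patchable.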

CybersecAsia thanks Daniel for sharing his OT vulnerability insights.