I bet that your OT team does not realize just how truly vulnerable their systems are to cyberattacks.
How do I know?
From talking to OT engineers. Most don’t know that OT networks in critical infrastructure are a popular target for cybercriminals these days. Most OT engineers also don’t understand how ridiculously easy it is for a hacker to perform a complex attack or even a replay attack on the protocols. . .or collect info about systems by sniffing the network.
This could be why more and more CISOs are making OT security a top concern. The other reason is the digital transformation of OT networks.
Did you know? 34% of reported incidents in 2021 in manufacturing and process industries turned out to be cyber attacks with physical consequences. (ICSSTRIVE and Waterfall Security Solutions)
Has your OT network already been infiltrated but the engineers believe it’s a malfunction? I’ll explain how you can help them distinguish a cyber attack from a mechanical malfunction.
The Importance of OT teams
Let’s face it, a hacker sees your organization as a single entity. It doesn’t matter where a vulnerability is, so long as he or she can exploit it.
During 1H 2021, 637 ICS vulnerabilities were published, affecting products sold by 76 vendors. (Claroty Biannual ICS Risk & Vulnerability Report: 1H 2021)
As OT teams work with the equipment and interfaces that are prone to an attack, and thus likely to exhibit symptoms of a cyber attack, OT teams are now on the first line of defense.
If something is not working properly, we no longer have the convenience of simply attributing the issue to mechanical failure. It could be cyber-related, and as you are about to see, there are many ways for a hacker to penetrate OT networks, especially with the rise in digitization, automation, and connected devices.
Whose concern is the OT network?
Even if your IT builds a good defense and segregates the program from others making you feel secure, I’m sorry to say it’s a false sense of security because hackers can still reach the OT network via the supply chain. Plus, the vast majority of OT networks are old systems with documented vulnerabilities. You know this, but how are you addressing it with your OT team?
Things they should be aware of:
- Legacy software: Windows XP (released in 2001), Windows 8 (2012) are just for examples that have insufficient security and well-known vulnerabilities. A hacker with basic knowledge can exploit these.
- Network issues: ICS/SCADA systems might be hosted on a misconfigured network.
- Improper authentication mechanisms
- Unencrypted communications protocols: An infiltrator can pick up these messages and target ICS and HMIs and send false reports or shut down systems.
- Default configuration: “Factory settings” are low-hanging fruit for hackers.
These are just five examples of cyber vulnerabilities OT network engineers should be aware of.
Clues to suspect a cyber attack on OT systems
How can you identify if a problem with a machine or a sensor is a mechanical issue or a cyber attack? There is no one answer, but I can share four clues to alert you to a possible cyber attack.
- If a mechanical problem keeps recurring at random intervals, this could be a sign of a cyber attack.
- If a sensor continuously gives incorrect readings, this could be because of a cyber attack.
- If a machine has a well-known quirk that requires, for example, “pushing a button” to make it work again, this could actually be the sign of a cyber attack.
- If you inherited an operational fault, it could actually be because of an ongoing cyber attack.
My advice: Talk to your OT teams about taking the time to understand the cause of any problem. It could be that months ago an engineer fixed something and unintentionally created a bug in the system. Or maybe a hacker changed the logic in the PLC. If “pushing a button” temporarily fixes the problem, they should ask themselves, “Why does pushing the button fix it?”
Getting to the root of a problem will help you determine whether there is an explanation. Otherwise, it could be a cyber attack.
Why should OT and IT teams collaborate?
As OT becomes more connected with the adoption of smart devices and automation, cooperation and communication between the OT and IT teams is becoming ever-more critical.
63% of respondents in the Ponemon Institute survey said their OT and IT security were not coordinated, resulting in weaker cyber defense in the OT environment.
At CybergymIEC, we recognized that combined training is a natural place to start bringing OT and IT teams. Therefore, we do not train in “ranges” which are just simulated environments. We train in “arenas” that combine both OT and IT with hands-on training during an emulated cyber attack with the hacker in the room.
“Now I understand the vulnerabilities within the OT network. I did not understand them before this training.” - IT team member
A recurring mechanical problem might be the result of a cyber attack. OT teams should work to discover the root cause of the issue to rule out a machine malfunction. Moving forward, cooperation between IT and OT teams will produce a unified cyber defense that benefits everybody and keeps critical infrastructure safer.