Forescout | Securing OT that can’t be patched - Security On Screen by The Security Industry Group

Forescout | Securing OT that can’t be patched

In this article, Daniel dos Santos, Head of Security Research, Forescout looks at the current OT challenges that industrial organisations are facing and what steps can be taken to mitigate against threats.

As industrial organisations digitise their environments, this is exposing critical operational technology (OT) to security vulnerabilities, while presenting new windows of opportunity for cybercriminals.

Since last year, there has been an 88% increase in OT vulnerabilities, which are used to attack critical infrastructure and expose vital systems to potentially devastating breaches.[i] With OT systems supporting energy, water, transportation, environmental control systems and other essential industrial equipment, attacks on these vital assets can inflict severe economic damage and even endanger public health and safety.

Cybersecurity of industrial networks is being prioritised in response to the threat, but one of the biggest challenges is that not all OT assets can be easily patched. Industrial control systems in OT environments often use legacy or out-dated equipment and software that no longer receives security updates. Scanning the systems can cause risks to operations and applying patches requires taking these systems offline for maintenance, which is not only expensive, but disruptive to critical operations.

So, what is the solution? How can industrial organisations secure OT and protect mission-critical systems against security risks, even when patches cannot be easily applied?

Industrial OT challenges

Traditionally, security was not as critical a consideration because an organisation’s OT network was designed to be isolated, running less-known industrial protocols and custom software. Those systems had limited exposure, whereas, today, OT environments have converged and are no longer air-gapped from IT networks, meaning that the lack of security measures poses a critical risk.

Unfortunately, this connectivity has not gone unnoticed by threat actors. ICS and OT specific malware such as Industroyer, Triton and Incontroller is evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking ICS and OT facilities, resulting in many serious incidents.

Furthermore, recent research has revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that demonstrate significant “insecure-by-design” practices. [ii]

Most OT devices are insecure by design where vulnerabilities stem from unauthenticated protocols, insecure firmware updates and unsafe native functionality. For instance, 38% of the vulnerabilities discovered allowed for credential compromise, and 21% gave attackers a way to introduce poisoned firmware into the environment. In addition, 14% percent of the flaws stemmed from native functionality — such as logic downloads, firmware updates, and memory read/write operations — that gave attackers a way to execute malicious code remotely on OT systems.

In fact, one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities, but the persistent absence of basic security controls. These devices often lack critical controls needed to authenticate users and actions, encrypt data, and verify whether firmware updates and software are signed and verified. When these mechanisms are present, they are often weak and easily hacked or seriously undermined by other issues, like the presence of hard-coded and plaintext credentials on the device.

The research also found that many insecure by design devices have security certifications, which often results in a false sense of security, and can lead to significantly complicated risk management efforts. The testing requirements of these certifications are sometimes limited to functional verification of features rather than stress testing of defensive capability; so as long as the feature is present, it is assumed that it is secure.

Another issue is a general lack of common vulnerabilities and exposure (CVE) reporting for industrial control systems. Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be. Vulnerabilities in supply chain components also do not have a great track record of being reported by affected manufacturers.

While in many cases these particular feature-abuse issues cannot be patched out, there are practices to address the weaknesses such as visibility and asset management, segmentation, and specific monitoring of network traffic.

Laying the security foundations

Visibility and asset management lay the foundation for network security. You can’t protect what you can’t see so industrial organisations must ensure they have visibility to all connected devices on their networks. To improve efficiency, network visibility solutions should be able to span across IT, OT and IoT devices, enabling the discovery of vulnerable devices in the network so that proper control and mitigation actions can be applied. In addition, this solution should also continuously monitor the network for new devices, automatically detecting new connections, so there are no visibility gaps that could put the organisation at risk.

Vulnerable devices will always exist in OT environments because many of them are too old or fragile to be patched. When a device falls into this category, the focus must be on giving the connected device the minimum amount of privilege. This means if an attacker does gain access to it, they will have a limited ability in what they can do, how they can spread across the network and what they can gain access to. It is also important to segment it from mission critical systems as this will prevent lateral movement attacks.

Segmentation is a fundamental control that enforces proper network hygiene to mitigate the risk from vulnerable devices. Segmentation restricts external communication paths and isolates vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.

While device manufacturers address fundamental issues with insecure-by-design firmware and protocols, asset owners can monitor for progressive patches released by affected device vendors and apply these in their own networks. To further mitigate against risk, industrial organisations should monitor networks for malicious packets that exploit insecure by design functionality, isolate OT/ICS networks from corporate networks and the internet, limit network connections and focus on consequence reduction, where possible.

Preparation and collaboration go hand in hand

The best way to overcome challenges all comes down to preparation. Carry out site assessments to understand inventory and what kind of assets are connected to the networks, their risks and required connectivity. In many cases, the number of known internet-connected devices inside an industrial framework is only a fraction of the network reality.

Collaboration between IT, security and OT site teams is crucial for the ongoing success of secure industrial operations. Digitalisation provides a chance to standardise security policies and put in place automated asset and network monitoring. This in turn provides better insights into these systems so that organisations are constantly aware of their security and operational risks. This then enables the implementation of risk-based segmentation and least privilege access, so that if any cyber incident occurs the impact will be minimal.

While OT security is gradually improving, there are still security gaps that exist in many organisations. The rapid expansion in the number of connected devices exponentially increases the risk posture for industrial organisations. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors. As dependence on OT and IoT grows across industries, the need to tackle cybersecurity risk, including every connected device, is imperative.