[ This article was originally published here ]
By , CSSLP, Head of International Sales at INFODAS GmbH. Fulvio is a CDR of the Italian Navy (reserve). He has an Master Degree in communication engineering and a PhD in Information engineering. During his active service in the Navy he’s been working mainly in the areas of Secure Tactical Communication and Command and Control systems, acting often also as security officer and risk manager. Since 2020 in the private sector, he joined Infodas at first as solution architect to later become head of international sales.
Cyberattacks to operational technology (OT) are on the rise and the providers of critical services have to cope on one side with the requirement for high availability, preventing them from having long downtimes and on the other side with the need to secure their OT infrastructure while keeping it connected with IT. This post shows why OT is so appealing for cybercriminals today and how the risk of catastrophic consequences from cyberattacks to OT can be effectively mitigated with Cross Domain Solutions.
When reading cyber threat analysis and reports, it is easy to detect how in the last months the number of attacks to critical infrastructures has dramatically increased, . In the last weeks, the attacks to the critical infrastructures have become more and more aggressive, even physical and kinetic with the intentional damage and disruption of pipelines and cutting/damaging of cabling infrastructures including underwater and in railway systems.
It is worth analyzing the causes of this rise in the attacks directed to OT and understand the mitigation strategies which may be adopted in short term with high effectiveness, at least for the attacks operated in the cyberspace.
When analyzing the activity of an attacker it is a good practice to impersonate them and assess the following:
- What is the motivation behind the attack? (demonstration, extorsion…)
- What are the skills and technical capabilities required to perform the attack?
- What is the window of opportunity to perform the attack?
These three perspectives of the problem resembling the typical crime novel investigation analysis but nevertheless are useful and effective to understand the mindset of the attackers.
The Motivation
Attacks to OT systems, especially to critical infrastructures are aimed mainly at two motivations: revenues or demonstration. In the case of revenues, the attack, conducted most of the time through ransomware, is aimed to receive a significant compensation for the attacker to restore the functionality of the system. When motivated by an economical interest, the attacker targeting OT will leverage on the fact that OT systems have one of their cornerstones in availability, meaning that very low downtimes can be tolerated for them and that these downtimes can result in high compensation to be paid by the organizations in charge of operating these systems. For these reasons, the organizations operating OT systems often have dedicated cybersecurity insurance protecting them from the effect of an attack. This situation gives the attacker a reasonable certainty that the victim of the attack will be most likely willing to pay the requested ransom.
When acting to achieve a demonstrative effect, the attacker will seek visibility or leverage on the ‘scare factor’: they demonstrate that the system/infrastructure can be attacked, depriving the community of an essential service (e.g. electricity, water, transports). In this case, the OT infrastructures are what in military jargon is referred to as an High Value Target (HVT): even if the probability of success of the attacker may be limited, or if the attack would require a significant effort, the attacker’s activity still pays off because the effect of an even partial successful attack would be dramatically visible to the affected community and would give the attacker or his group immediate visibility. This was the case of many of the attacks conducted so far in the context of the Ukraine conflict, where ‘fans hacking group’ have been acting in support of the fighting parties.
The Skills
When it comes to the skills required to conduct OT attacks, it becomes really surprising how these kind of attacks may often been simpler than those targeting IT systems. To understand the reason behind this, it is worth making some retrospective about the digitalization of critical infrastructures. Industrial Automation has an important history and the introduction of systems like Programmable Logic Controllers, software like SCADA and specific industrial interoperability standard like OPC (Open Platform Communication) have contribute to boost the productivity and safety of industry and critical infrastructure. Since the beginning, OT systems have been designed to ensure high reliability, that is to say availability, in applications of the lower levels of the Purdue’s models, close to the real production tasks. The logic of the controllers and the communication protocols have been therefore designed to be simple and fast, privileging redundance and safety over speed and performance. With time, the automation of OT systems has grown and the upper layers of Purdue’s model have been added to the equation, turning the initial simple architecture of controller/controlled to a multi-tiered architecture with more refined logics. At this point, OT architectures were still designed to control systems locally over an ad hoc network. In this evolution phase, IT moved the first steps into the OT world and some of the messages and controls which used to be operated through a direct physical link, transporting mainly serial information, were converted to IP datagram and transported through departments by Local Area Networks (LAN). This pioneering age of LAN implementation saw the realization of the first IT networks in OT environments still as a process of ‘errors and trials’ as the concerns for cybersecurity were still far away in the mind of the integrators.
The evolution of IT and OT systems has been moving at different speeds. As the Wide Area Networks made the access to online information and the distributed collaboration easier, the IT world became soon conscious of the risks related to the security of distributed and networked systems and the IT evolution has been since then the eternal struggle between blue teams and read teams, between vulnerabilities and patches, attacks and countermeasures. This led to the rapid evolution of cybersecurity concepts and practices in the IT world. OT, on the other side, remained mainly isolated and untouched by this phenomenon. In most recent years, with the elaboration of concepts like ‘industry 4.0’, ‘remote maintenance’ and so on, the wide area connectivity became a requirement for OT infrastructures and this is where the problem started. OT systems were interconnected, through to remote IT systems, often without conducting a thorough assessment of the security implications. In many cases, OT systems (and the corresponding local IT) were never patched since the updates often require downtime which cannot simply be tolerated. The result was to make the connection stable, ports and services for unpatched and unsecure networks were opened while the remote IT system was designed and evolved to withstand possible attacks on the OT system.
This short story gives an idea of the reason why the OT networks are today one of the preferred targets for attackers: it’s not difficult to find very old operating systems, applications, services which offer plenty of vulnerabilities to be exploited. If we couple this concept with the ones already analyzed in the part on motivation, it is easy to understand how an attack on an OT infrastructure can have a higher probability of success than the corresponding attack to an IT system.
In many of the systems defined as ‘auxiliaries’ of IT systems it is not uncommon to find data centers which features the latest level of protection on their servers but, at the same time, have a totally unprotected or exposed cooling or power distribution system. And it makes sense to remind that even the most sophisticated computer does not work without cooling or power!
The Window of Opportunity
An attacker typically has a limited time to conduct activities, which is called the ‘window of opportunity’. In OT systems running 24/7 with services exposed to the outer world (think of the train timetables, or the traffic cameras, or the ticketing terminal at the train stations) the window of opportunity is virtually infinite. This contributes to give the attacker ample time to study the system, profile it for vulnerabilities and exploit them.
The Victim’s Point of View
We’ve seen that the OT systems, especially since when they are connected to remote IT, have become a great target for attackers and some of the reasons for this are found in the nature and logics behind the systems. If we look at the same situation from the victim’s point of view, we can easily understand some of the rationale behind these situations:
- The owner/operator of the system pushes for achieving a fast transformation allowing the system to be remotely monitored, often by a third party to which the monitoring and IT security have been subcontracted.
- The regular application of patches and updates is difficult as this requires down time of the systems or sometimes even a partial re-design, because services and protocols may have been deprecated.
- The initial design of the network, on which the current system is still based, does not allow an easy expansion/scalability without a complete redesign.
The dilemma of the OT system administrator is finding a solution which allows the interconnection to the remote IT and the avoidance of exposing several vulnerabilities to the external world. The first attempt to resolve this need has been the use of firewalls at the boundary of the OT/IT connection. This mitigation measure proved in many cases to not be effective or sufficient because firewalls also need to be updated and reconfigured as new vulnerabilities appear.
From the victim point of view, the following options would be available to solve the OT/IT dilemma:
- Disconnect the OT from the IT and use air gaps when data transfer is needed. This goes against the trend of digital transformation but can significantly increase the level of security. It is well-known that removable media are the pillar of air gapped data transfer, and one of the primary vectors for the injection of malicious code in secure systems.
- Redesign the network applying the best practices of IT security and update all the systems and applications in the OT architecture. From the technical point of view, this would probably be the most desirable solution. However, realistically it is nearly unviable on running systems because of the huge costs involved with the redesign and the lengthy downtime required.
- Use Cross Domain Solutions (CDS) to secure the boundary between OT and IT.
CDS are gateways which allow the unidirectional or bidirectional connection of domains with different security requirements. CDS are widely used in military systems to separate domains processing data with different classification but are becoming more and more popular also in OT systems. The most well-known type of CDS are probably the so called ‘data diodes’ which allow connections on one direction, while preventing traffic in the other direction.
Data diodes are being used in several OT systems to allow the traffic to flow for the OT to the monitoring OT, while preventing any incoming traffic to OT. Many of these diodes are based on optical separation, interrupting data flows by means of a photodiode/photoreceptor. Optical diodes are a good solution when only unidirectional protocols are to be supported, but they show their weakness when bidirectional traffic is needed.
To reply to this need, CDS have evolved into ‘software-based CDS’ which allow for more flexibility and performance. Software-based CDS allow full support to bidirectional protocols, also in data diodes, and fully bidirectional security gateways where the traffic flowing in each direction (IT to OT and vice versa) is subject to release control performed through protocol separation, content inspection and filtering by ruleset enforcing the organization’s security policies.
The most common use cases of CDS in the OT/IT environment are:
- Remote monitoring of OT systems by IT (achievable with data diodes or gateways).
- Remote control/remote maintenance of OT systems (achievable with gateways).
- Application of patches and updates to OT systems (achievable with diodes or gateways).
The main benefits of CDS in this context are:
- They can be easily integrated in existing architectures without requiring a redesign of the network to be protected.
- They have limited SWAP (Size, Weight and Power) constraints.
- They have a high Return on Investment (ROI).
- They implement mechanisms such as separation of duties, fail safe, high availability and full accountability, which improve defense in depth in the protected system.
- Once deployed, they can operate practically unattended and they don’t require constant monitoring or update, unlike a firewall.
- They are tested and evaluated to the highest standard of security, such as common criteria and they are approved to the toughest military standards for the protection of classified information.
Did you know about the existence of CDS before?
I assume that, in many cases, the answer would be ‘no’. In fact, while CDS offer a ready to use solution for many security problems involving the exchange of information across a security domain, they are known only to a small circle of security practitioners. While appliances like firewalls are largely covered in the syllabus of many cybersecurity certifications, CDS are rarely mentioned, so their knowledge is spread only among professionals of this niche sector. As an (ISC)² member, security practitioner and former military, it is my hope that this small article may contribute to raise the awareness about the potential of CDS for many security applications and that this topic may be discussed in future (ISC)² events.
Ad