Cyber security is the broad term given to technologies and processes designed to protect networked equipment, software and data from unauthorized access, attack or damage.
As the world becomes more interconnected, networked equipment, software and data are increasingly susceptible to security breaches. In the past, the protection of such equipment, software and data was the sole responsibility of information technology (IT) teams. However, as more devices are introduced and more operational technology (OT) takes advantage of IT networks, the attack surface becomes more difficult to control and monitor. The attack surface is a point of vulnerability such as a port, device or software interface where an unauthorized user could attempt to enter or extract data from a network. Now, IT and OT teams must work together to assess areas of risk that have not been considered in the past.
What Is Operational Technology?
Operational technology can be hardware or software that controls physical devices or processes in specific environments, such as buildings, factories and utilities. In the past, OT systems operated in closed networks creating an “air gap” where they were segregated from the corporate IT network and the external Internet. Today, OT systems are becoming increasingly interconnected and integrated with other IT systems.
One example of OT is a building’s video surveillance subsystem. What was once a closed-circuit television (CCTV) system that did not interact with any other devices or networks now uses the IT infrastructure for data transmission, storage and monitoring.
The attack surface within video surveillance systems has changed virtually overnight. This rapid shift to the IT network has allowed technology advancements in endpoints — such as network cameras — to outpace the network security policies and procedures required to protect them and an organization from being targets in cyberattacks. According to IHS Markit, more than 66 million network cameras were shipped globally in 2016. Many of these units are installed using a mix of wired and wireless networks without network security measures in place to protect them. As cyberattacks on IT networks increase and more integrations of OT systems occur, vulnerabilities are multiplying, drastically increasing the attack surface of OT networks.
While there are similar strategies for securing IT and OT systems on a network, there are also major differences between the two and confusion about who is responsible for securing what. Collaboration on a consistent security strategy across both IT and OT is imperative with the continued rapid growth of connected endpoints.
One major example is the availability requirements of OT systems. Downtime for software upgrades, patches or firmware updates are generally accepted in the IT environment, but can be very disruptive and costly in some OT systems. For example, within physical security subsystems, a simple firmware upgrade can break system integrations, rendering the system inoperative. However, a worst-case scenario is running an outdated software or firmware version with known security vulnerabilities, which can lead to increased risk of attack by a potential adversary. Considerations need to be taken to properly maintain OT systems to minimize downtime; otherwise, lack of routine maintenance will increase the potential for a cyberattack.
As more and more operational functions take advantage of the capabilities that IT networks offer, the attack surface — or number of devices that are no longer in the controlled IT environment — expands. The manufacturers of these devices must provide users with the ability to protect not only from tampering of the device, but also the software used and the data collected by the device.
The Internet of Things (IoT) provides us many examples of challenging devices to protect. For example, utilities want to use IT networks to transmit process control data from substations and monitoring points. These areas are not easily physically protected and the question of component manipulation, along with the data that is being collected, becomes susceptible to inaccuracies. This attack surface provides unpredictable results unless protective measures are instituted.
|Information Technology (IT)||Operational Technology (OT)|
|Equipment||This includes switches, routers, cable, servers, storage and other general-use equipment for networking.||This includes the edge devices, such as network cameras, sensors, meters or smart objects that collect specific information.|
|Software||This can sometimes be characterized as firmware or the software needed to help the devices perform their function.||Includes the specific processing software to meet the application requirement. Video management software, process control systems, analytic software, etc.|
|Data||This is the information that is maintained by the operating system to identify events that may impact the operational data. Data logs give information used in analysis of performance of the overall system.||Includes the raw information collected and in what format: open or closed.|
What are Some of the Types of Attacks?
This is a programming code that reproduces itself and can be transmitted via email, download, or other transfer method. It can be benign or malicious, depending upon the programmer’s intent.
Malware is short for malicious software. This encompasses many cyber security threats, but is specifically code that is intended to harm other code or data. On October 21, 2016, Mirai, an open-source malware strain that scans the Internet for IoT devices protected only by the factory-default passwords, hacked 150,000 devices to power a massive 1 TBps Distributed Denial of Service (DDoS) attack that brought down popular sites, including Twitter, Netflix and Amazon.
This is the result of a hacker gaining control of multiple unprotected devices across the Internet. The hackers use this botnet army of devices to attack victims, with the intent of harming the victims’ systems.
Denial of Service (DoS)
The network components become overloaded with processing requests such that they cannot perform their designed function and shut themselves off. A DDoS attack is when the processing requests come from innumerable remote devices to cause the shutdown. These are often caused by botnets.
The individual components or sensors and the corresponding software and data are physically removed from their intended environment.
The individuals with approved access to sensitive information are manipulated by deceit to divulge the target data.
Software is left with an entry point that is not realized by legitimate users and the attacker gains access to data.
Direct Access Attack
By having physical access to a portion of the system, attackers can use mobile storage devices, such as USB drives, to insert malicious software or copy data files.
The monitoring of unencrypted conversations between devices, with the intention of gaining sensitive information.
How Can You Protect These Systems?
Follow manufacturer recommendations.
The first and most important thing you can do is look at any component that will be connected to a network and determine how to implement the manufacturer’s cyber security.
What is in the hardening guides for devices?
- Delete default user IDs and passwords and set passwords that are difficult to guess. In 63 percent of confirmed data breaches, a weak, default or stolen password is at fault.
- Keep firmware up to date so that any known deficiencies are addressed.
- Monitor which users have rights to perform specific tasks (user permissions). Among all insider breaches, 55 percent are caused by misuse of privileged accounts.
- Review/reconfigure basic network settings. Know where your vulnerabilities are so that you can monitor them closely.
- Disable any unused feature in the device so you can identify if it is tampered with in the future.
- Enable encryption/SSL certificates; encrypt the data output.
- Monitor accounts — keep track of who has access and why.
- Disable IT functions — don’t give management rights to users who do not need them.
- Set up control filters for IP or MAC addresses.
- Configure SNMP — configure any messaging required in your system.
- IT organizations have numerous options and tools to use, including but not limited to:
- intrusion detection;
- log monitoring;
- network behavior monitoring;
- network inspections;
- whitelisting; and
Hire a company to test your cyber security and offer advice to you on known and unknown vulnerabilities. Implement changes based upon penetration tests.