How the IT-OT convergence helps organizations slash cyber attacks
- The convergence of IT and operational technology (OT) has seen a definite acceleration in the past year due to COVID-19
- IT and OT convergence has also exposed a security gap that needs to be addressed
The convergence of IT and OT security is essential today. Connected machines, automation, and Industrial IoT devices continue to proliferate in manufacturing plants, yet most of these devices are not built with any security capabilities. Cybercriminals are aware of this, which is why there has been a growing number of ransomware attacks that originate from operational technology.
Last year, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) required immediate actions to be taken to reduce exposure across operational technologies and control systems. The agencies released several recommendations for organizations to consider, especially for legacy OT assets that were not designed to defend against malicious cyber activities.
In 2021 alone, there have been several major ransomware attacks that were linked to unsecured industrial control systems (ICS) and OT networks. For example, the Colonial Pipeline ransomware attack was caused by a breach of the company’s computer network via a virtual private network account that employees used for remote access.
Even more worrying, Gartner predicts that by 2025 cybercriminals will be able to weaponize OT environments to successfully harm or even kill people.
“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
A recent example was the hack on a water treatment plant in Florida. Investigations revealed that the hacker was able to remotely gain access to the controllers of the plant and change the chemical levels in the water supply. While the worst possibilities from the hack were avoided, further investigations showed that the hacker was able to gain access to the controls because the company was using an outdated Windows 7 operating system.
The COVID-19 pandemic has also contributed to an increased demand for remote supervision and control of machinery, which are also vulnerable to cyberattacks. Because the high degree of connectivity means systems are now more prone to intrusion, securing ICS and OT networks is increasingly becoming an imperative for organizations.
Converging IT and OT
In the past, OT and IT networks were managed differently. However, as attack vectors can come from any attack surface today, IT and OT teams need to work together for more effective and efficient security governance, to strengthen the security posture across all connected sites.
According to the third Biannual ICS Risk & Vulnerability Report by Claroty, ICS vulnerability disclosures are drastically increasing as high-profile cyberattacks target critical infrastructure. The report shows a 41% increase in ICS vulnerabilities disclosed in the first half of 2021 compared to the previous six months — which is particularly significant given that in all of 2020, vulnerabilities increased by 25% from 2019 and 33% from 2018.
“As more enterprises are modernizing their industrial processes by connecting them to the cloud, they are also giving threat actors more ways to compromise industrial operations through ransomware and extortion attacks,” said Amir Preminger, VP of research at Claroty.
“The recent cyberattacks on Colonial Pipeline, JBS Foods, and the Oldsmar, Florida water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet but have also inspired more security researchers to focus their efforts on ICS specifically,” added Amir.
Weaknesses in the system
Some of the key findings in the report showed that 90% of vulnerabilities have low attack complexity. This means the attacks do not require special conditions, so cybercriminals can expect repeatable success.
At the same time, 74% of vulnerabilities do not require privileges, meaning an attacker needs no prior access to settings or files to exploit them, while another 61% are remotely exploitable, clearly highlighting the importance of securing remote connections as well as both IoT and IIoT devices.
With more ICT devices being connected and converged with OT and IT, visibility into network assets is crucial — as is information about software and firmware vulnerabilities that could be exploited by cybercriminals. In most cases, flaws in engineering workstations running on Windows-based machines, for example, may allow cybercriminals to compromise crossover points between IT and OT networks, modifying processes, or even installing ransomware.
IT and OT security need to focus on how they can secure remote access, especially on the vulnerabilities that are common in VPNs and other network-based attack vectors. With more than 60% of vulnerabilities remotely exploitable through a network attack vector, protecting remote access connections and internet-facing ICS devices can cut off cybercriminals before they’re able to move laterally across networks and domains to steal data and drop malware.
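The three properties the report highlights (remotely exploitable, low attack complexity, no privileges required) can be used to rank a vulnerability inventory for patching. The sketch below is an added example, not code from the report or from Claroty; it assumes each finding carries a CVSS v3 vector string and maps the properties to the AV, AC and PR base metrics, and all asset names and finding IDs are constructed.

```python
def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a {metric: value} dict."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[name] = value
    missing = [m for m in ("AV", "AC", "PR") if m not in metrics]
    if missing:
        raise ValueError(f"missing metrics {missing} in {vector!r}")
    return metrics

def exposure_flags(vector):
    """Names of the report's three risk properties that this vector matches."""
    m = parse_vector(vector)
    checks = {"remote": m["AV"] == "N",
              "low_complexity": m["AC"] == "L",
              "no_privileges": m["PR"] == "N"}
    return sorted(name for name, hit in checks.items() if hit)

def triage(findings):
    """Rank findings most-exposed first; unparseable vectors go to 'rejected'."""
    ranked, rejected = [], []
    for f in findings:
        try:
            ranked.append((f["asset"], f["id"], exposure_flags(f["vector"])))
        except ValueError as exc:
            rejected.append((f["id"], str(exc)))
    ranked.sort(key=lambda r: (-len(r[2]), r[0]))
    return ranked, rejected

# Constructed inventory; IDs are placeholders, not real advisories.
SAMPLE = [
    {"asset": "plc-line-3", "id": "EXAMPLE-0002",
     "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},
    {"asset": "eng-workstation-01", "id": "EXAMPLE-0001",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"asset": "hmi-02", "id": "EXAMPLE-0003",
     "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},
    {"asset": "historian", "id": "EXAMPLE-0004", "vector": "AV:N/AC:L"},
]

if __name__ == "__main__":
    ranked, rejected = triage(SAMPLE)
    for asset, fid, flags in ranked:
        print(f"{asset:20} {fid}  {', '.join(flags) or 'none'}")
    for fid, why in rejected:
        print(f"rejected {fid}: {why}")
```

Findings that match all three properties on an internet-facing or IT/OT crossover asset are the ones to patch or isolate first.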
To ensure IT and OT security is not compromised, organizations can consider the following recommendations:
- Network Segmentation – with more devices connected to the internet and managed via the cloud, network administrators should look to segment networks virtually and configure them in a way that they can be managed remotely. They should also have zone-specific policies at hand and inspect traffic as well as OT-specific protocols to detect any anomalies or suspicious activities.
- Remote Access Connection Protection – Within OT environments and critical infrastructure, connection protection is critically important as operators and engineers will require secure remote access to industrial assets to maintain process availability and safety. Security practitioners are encouraged to verify that VPNs are patched to current versions and to monitor remote connections, particularly those to OT networks and ICS devices, as well as enforce granular user-access permissions and administrative controls. They should also look to enforce multi-factor authentication.
- Ransomware, phishing, and spam protection – Most employees have been working remotely for over a year by now. Yet, ransomware through phishing scams still often finds a way through. Companies need to educate their employees to be vigilant when opening emails, especially those with attachments and with suspicious or offbeat subject matter. Employees should also never share passwords, and devices should be protected with anti-spam and anti-spyware software.
- Protecting operations management as well as basic and supervisory control – With most vulnerabilities that affect operations management, basic controls, and supervisory controls being software- and firmware-based, applying security patches is critical. Businesses should also look to invest in segmentation and remote access protection, and to implement granular role- and policy-based administrative access.
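The zone-specific policy and OT-protocol inspection recommended in the first item can be checked against flow records. The following is an added example, not part of the original article; the zone address ranges, the allowed conduits and the flow records are all constructed, and the port numbers are the well-known TCP ports of the named industrial protocols.

```python
import ipaddress

# Constructed addressing plan and policy; replace with your own zones.
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}
# Well-known TCP ports of common industrial protocols.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Approved conduits between zones: (source zone, destination zone, port).
ALLOWED = {("it", "dmz", 443), ("dmz", "ot", 443)}

def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "external")

def check_flow(src, dst, dport):
    """Return a finding for a zone-policy violation, or None if the flow is fine."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz or (sz, dz, dport) in ALLOWED:
        return None  # intra-zone traffic or an approved conduit
    proto = OT_PORTS.get(dport)
    if dz == "ot" and proto:
        severity, reason = "high", f"{proto} into OT from {sz} zone"
    elif "ot" in (sz, dz):
        severity, reason = "medium", f"unapproved {sz}->{dz} conduit on port {dport}"
    else:
        severity, reason = "low", f"unapproved {sz}->{dz} flow on port {dport}"
    return {"src": src, "dst": dst, "severity": severity, "reason": reason}

def audit(flows):
    """Check every (src, dst, dport) record and keep only the violations."""
    return [f for f in (check_flow(*flow) for flow in flows) if f]

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),     # IT to DMZ jump host, approved
    ("10.10.4.20", "10.30.1.10", 502),    # IT host speaking Modbus to a PLC
    ("203.0.113.7", "10.30.1.10", 44818), # external host reaching EtherNet/IP
    ("10.30.1.10", "10.30.2.11", 502),    # PLC to PLC inside the OT zone
    ("10.30.5.5", "10.10.9.9", 445),      # OT host opening SMB to the IT zone
    ("10.20.0.5", "10.30.1.10", 443),     # DMZ to OT, approved
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(f"[{finding['severity']}] {finding['src']} -> {finding['dst']}: {finding['reason']}")
```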
When businesses and manufacturers are looking to implement more technologies across their operations in the future, the convergence of IT and OT security is something they simply cannot afford to take lightly. Doing so will only lead to serious and potentially disastrous consequences should bad actors ever infiltrate them.
3 October 2022