Safety culture in OT needs to mature

Sheila Zabeu

October 20, 2021

The convergence of the physical and digital worlds in our routines is becoming increasingly evident, and industrial environments are no exception to this rule. In this scenario, we can see that IT (Information Technology) and OT (Operational Technology) systems work closely so that digital data can support operational actions and, in the opposite direction, data from OT infrastructures can be analyzed by IT systems, facilitating the generation of insights and decision-making.

However, OT and IT systems are now so close that a threat to one side can put the other at risk. In other words, for anyone following the daily news about cyber attacks on IT systems, it is not surprising that a recent Kaspersky survey reveals that a third of industrial control systems (ICS) were also targeted by cybercriminals in the first half of 2021.

Since the Stuxnet malware, deployed via a USB drive, attacked nuclear facilities in Iran in 2010, attacks on industrial environments have only grown in volume and severity. Initially, industrial control systems and Supervisory Control and Data Acquisition (SCADA) platforms were largely isolated from IT infrastructures and out of reach of cybercriminals. Today, factories are connected to computer networks and also to the outside world, seeking more productivity, more cost efficiency, more predictability, among other benefits. However, this greater integration between IT and OT has brought a consequence: having to deal with the same types of concepts and vulnerabilities.

“The larger attack surface resulting from IT/OT convergence imposes more complex challenges on factory floor machinery that is decades old and often does not address the security of factory operations. These devices use old protocols and have not even heard of authentication or encryption, concepts that are commonplace among IT systems,” comments David Montoya, vice president of business development at Paessler AG. Sensors, instruments, and other Internet-connected devices increasingly used in industrial applications – the so-called IIoT (Industrial Internet of Things) – are further widening the attack surfaces.

In Montoya’s view, isolated approaches are doomed to fail. IT and OT areas need to sit side by side to plan measures using common language and concepts, with mutual security as the primary goal. Fortunately, security tools are already advancing to encompass more devices, whether IT or OT, that can be managed under a single dashboard. “In addition, there are vendors who are playing an intermediary role of translation between the technologies used by the two areas,” highlights the executive.

The global industrial cybersecurity market is expected to reach US$22.8 billion by 2026, growing at a compound annual growth rate (CAGR) of 7.2%, according to KBV Research. Between 2019 and 2020, dozens of partnerships and mergers were established and products were launched with the aim of bringing together industry expertise and cybersecurity solutions and thus enhancing the ability to detect known and unknown threats to the industrial environment.

Beyond the well-known security tools, factories can rely on monitoring systems that look after the integrity of the systems, collecting historical data and generating reports that can reveal anomalies in the general health of the operating environments. Montoya points out that these monitoring solutions play a complementary role to traditional security systems, and cites a case in which he participated to exemplify this.

The executive recounts that he followed a pilot project at a potential client that was already a user of security solutions. During the course of the work, the Paessler AG solution pointed out problems with a specific IP address. This surprised the network managers, as there were firewalls protecting the network. When they checked what could be happening, they found that the firewall, for some reason, was disabled. A point for the monitoring tool!

Just as has happened in the digital world, which over the years has gathered knowledge, solutions, and culture regarding cybersecurity, industrial systems and their physical reality are also evolving and maturing to protect their assets in a more systematic way, understanding the vulnerabilities and threats that have emerged with the advent of digitalization. “I would say that on a scale of 0 to 10, OT systems are at a maturity level of 4. They already know the theory, but they still need to evolve in the field of cybersecurity mindset and culture,” Montoya adds.

Recent attacks

The United States’ water and wastewater sector is under ransomware attack, with incidents hitting facilities’ Information Technology (IT) and Operational Technology (OT) networks, systems, and devices, according to a joint alert from several government agencies (FBI, CISA, EPA, and NSA) issued in mid-October.

The alert reports that the still ongoing activities are attempting to compromise the integrity of the systems through unauthorized access, threatening the ability of the facilities to provide clean, potable water and manage wastewater.

The agencies cite three recent cases. In August 2021, a variant of the Ghost ransomware was used against a facility in California. The intrusion was discovered when three SCADA servers displayed a message announcing the attack. In July 2021, the ZuCaNo ransomware was introduced, via remote access, to a wastewater SCADA server at a facility in the US state of Maine. And in March 2021, an unknown ransomware variant attacked a Nevada facility, affecting the SCADA server and backup system.

The alert highlights that attacks on critical infrastructure are increasing across the board and that these most recent cases are not an indication that cybercriminals have a predilection for the water and wastewater sector.