One of the key findings from Skybox Security’s Vulnerability and Threat Trends mid-year report is that vulnerabilities in OT were up 46%. These vulnerabilities pose a growing threat to critical infrastructure and other vital systems, as recent high-profile attacks on oil pipelines, water supplies, and food processing facilities have shown. Moreover, threat actors exploit these OT weaknesses in ways that imperil individual companies and threaten public health, safety, and the economy. Let’s look at the evidence:
- In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
- In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility.
- In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer.
- In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility.
Are these attacks harbingers of evil things to come? Unfortunately, the answer is yes.
I’m surprised we haven’t seen more reports on incidents in these smaller municipal ICS/OT environments. The fact of the matter is that local government SCADA environments do not have the expertise or budget to manage risk at the same level as corporate or federal government facilities. In one sense, there is less interest in these smaller systems, as the money for a ransom is probably not as readily available as in larger environments. On the other hand, these smaller systems are far more vulnerable and less secure than larger enterprises. Because OT weaknesses transcend industries, I advise all companies with OT systems, not just utilities, to keep the “4 A’s” front of mind to ensure they are protected.
The 4 A’s for OT Security are:
Access
Understand that your attack surface is not limited to the Internet or “external” zones in the environment; it includes partner access and even internal access. Use a tool like Skybox to understand your network model. Put eyes on where compensating controls are lacking and where segmentation is not set up correctly. For OT customers, I’ve seen some very successful access regimes built around the Purdue model. Use a tool like Skybox to ensure there is genuinely no access from the higher levels to the lower levels, and use tooling to ensure that the intended access stays in place and that admins do not accidentally change access rules over time to allow unintended access. Determining access should not be a conversation to have after a breach or during an incident response: companies must understand the potential risk associated with unintended access before something happens. Understanding access is probably the most crucial step to good cyber security hygiene.
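The check described above, “no access from the higher levels to the lower levels” and “rules do not drift over time”, can be scripted against a firewall or ACL export. The following is an added example, not Skybox’s own code: the Purdue zone map, the rule format, the rule names and the sample rule set are all constructed for illustration. It goes one step beyond the text by distinguishing a rule that jumps straight across the industrial DMZ (a violation) from a downward flow inside the OT levels (flagged for review, since it may be legitimate but needs a compensating control on record).

```python
"""Audit firewall/ACL rules against Purdue-model zone levels.

Added example (not Skybox's own code). The zone map, rule format and sample
rules are constructed for illustration; a real audit would load both from the
firewall export or the network model.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map: subnet -> Purdue level. Level 3.5 is the industrial DMZ
# (IDMZ); 0.0.0.0/0 catches "any" and unmapped ranges and is treated as level 5
# (Internet), the least trusted position.
ZONES = {
    "10.0.0.0/24": 1,     # PLCs / RTUs (basic control)
    "10.0.1.0/24": 2,     # HMIs, local SCADA servers (area supervisory)
    "10.0.3.0/24": 3,     # historian, engineering workstations (site operations)
    "10.0.35.0/24": 3.5,  # industrial DMZ
    "10.1.0.0/16": 4,     # enterprise IT
    "0.0.0.0/0": 5,       # Internet / anything not mapped above
}
IDMZ = 3.5


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    action: str   # "allow" or "deny"


def level_of(cidr: str) -> float:
    """Map a CIDR (or "any") to the Purdue level of its most specific zone.

    A range that spans several zones is contained only in 0.0.0.0/0, so it
    falls back to level 5: broad ranges are judged by their least trusted end.
    """
    net = ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    containing = [(ip_network(z), lvl) for z, lvl in ZONES.items()
                  if net.subnet_of(ip_network(z))]
    return max(containing, key=lambda zl: zl[0].prefixlen)[1]


def audit(rules):
    """Classify every allow rule by the direction it crosses Purdue levels.

    "violation": traffic from above the IDMZ reaches a level below it in one
                 hop (enterprise or Internet straight into OT).
    "review":    a downward flow inside the OT levels; possibly legitimate,
                 but it needs a documented compensating control.
    """
    result = {"violation": [], "review": []}
    for r in rules:
        if r.action != "allow":
            continue
        s, d = level_of(r.src), level_of(r.dst)
        if s > IDMZ and d < IDMZ:
            result["violation"].append(r.name)
        elif s < IDMZ and s > d:
            result["review"].append(r.name)
    return result


def drift(baseline, current):
    """Allow rules present now that were not in the approved baseline."""
    approved = set(baseline)
    return [r.name for r in current if r.action == "allow" and r not in approved]


# Constructed sample rule set; rule names are illustrative.
APPROVED_RULES = [
    Rule("ent-to-dmz", "10.1.0.0/16", "10.0.35.0/24", "allow"),    # 4 -> 3.5, expected path
    Rule("dmz-to-hist", "10.0.35.0/24", "10.0.3.0/24", "allow"),   # 3.5 -> 3, expected path
    Rule("hist-to-ent", "10.0.3.0/24", "10.1.0.0/16", "allow"),    # upward, not checked here
    Rule("hmi-to-plc", "10.0.1.0/24", "10.0.0.0/24", "allow"),     # 2 -> 1, review
    Rule("ent-to-hist", "10.1.0.0/16", "10.0.3.0/24", "allow"),    # 4 -> 3, bypasses the IDMZ
    Rule("ent-to-plc-deny", "10.1.0.0/16", "10.0.0.0/24", "deny"),
]
# A vendor "emergency" rule that appeared after the baseline was approved.
CURRENT_RULES = APPROVED_RULES + [
    Rule("any-to-plc-vendor", "any", "10.0.0.0/24", "allow"),      # 5 -> 1
]

if __name__ == "__main__":
    print(audit(CURRENT_RULES))
    print("added since baseline:", drift(APPROVED_RULES, CURRENT_RULES))
```

Running the audit on a schedule and diffing against the approved baseline is what turns “understand access” into a standing control rather than a one-off exercise; the baseline itself may still contain a violation (as `ent-to-hist` does here), which is why both checks are run.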
Authentication
Ensure there is a centralized authentication system for all devices in the environment, and require every device to use it in order to join the network. Authenticate users with multifactor authentication to validate the identity of anyone trying to access organizational resources. Put regular password rotation and complexity requirements in place so that stale or easy-to-guess passwords are not discovered and abused by threat actors.
Authorization
Only allow the access required for the user and the user’s job function. Ensure that regular users do not have excessive permissions (such as admin access) and that admin accounts do not have access to standard user functions. Enforce least-privilege access control so that authenticated users can reach only the applications their job function requires.
Accounting
Ensure you have systems in place to log system access, traffic analysis, firewall policy usage, and similar data. A SIEM, for example, can gather this data and surface network anomalies, and with accounting tools in place analysts can detect and act on unusual behavior. I’ve seen many companies successfully outsource this function to third-party providers; most of these providers are very familiar with SIEM tools and already have tools and scripts to help companies detect abnormal behavior and react to it promptly.
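What “detect and act on unusual behavior” looks like once access logs are centralized: the following is an added example, not Skybox’s or any SIEM vendor’s code. The key=value log format, the OT address range, the business-hours window, the failure threshold and every sample line are constructed for illustration. It applies three accounting checks that tie back to the Access and Authentication points above: a successful login to an OT host from outside the OT address space, a successful login outside the expected working hours, and repeated authentication failures for one user from one source inside a short window.

```python
"""Run a few accounting checks over authentication log lines.

Added example (not Skybox's or any SIEM vendor's code). The log format, the
OT address range, the business-hours window and the sample lines are all
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed key=value log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

OT_NETS = [ip_network("10.0.0.0/16")]   # assumption: all OT levels live here
BUSINESS_HOURS = range(6, 22)           # 06:00-21:59 UTC counts as normal
FAILURE_THRESHOLD = 3                   # failures per (user, src) ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def parse(line):
    """Parse one line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def in_ot(src):
    """True when the source address belongs to the OT address space."""
    return any(ip_address(src) in net for net in OT_NETS)


def detect(lines):
    """Return (kind, user, src, timestamp) findings for login events."""
    findings = []
    failures = defaultdict(list)   # (user, src) -> recent failure timestamps
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] != "login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            # Keep only failures still inside the window, then count this one.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
            failures[key].append(ev["ts"])
            if len(failures[key]) == FAILURE_THRESHOLD:
                findings.append(("repeated_failures", ev["user"], ev["src"], ev["ts"]))
            continue
        # The next two checks apply to successful logins only.
        if not in_ot(ev["src"]):
            findings.append(("login_from_outside_ot", ev["user"], ev["src"], ev["ts"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", ev["user"], ev["src"], ev["ts"]))
    return findings


# Constructed sample log: hosts, users and addresses are fictitious.
SAMPLE_LOG = """\
2021-07-12T09:02:11Z host=scada-ws01 event=login user=operator1 src=10.0.1.25 result=success
2021-07-12T09:05:40Z host=hist01 event=login user=eng2 src=10.0.3.40 result=success
2021-07-12T14:21:03Z host=scada-ws01 event=login user=vendor-remote src=203.0.113.7 result=success
2021-07-13T02:14:07Z host=eng-ws03 event=login user=eng2 src=10.0.3.40 result=success
2021-07-13T02:30:01Z host=hist01 event=login user=admin src=10.1.20.5 result=failure
2021-07-13T02:30:09Z host=hist01 event=login user=admin src=10.1.20.5 result=failure
2021-07-13T02:30:15Z host=hist01 event=login user=admin src=10.1.20.5 result=failure
2021-07-13T02:31:00Z host=hist01 event=login user=admin src=10.1.20.5 result=success
2021-07-13T10:00:00Z host=hist01 event=logout user=eng2 src=10.0.3.40 result=success
""".splitlines()

if __name__ == "__main__":
    for kind, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:22} user={user} src={src}")
```

The last four sample lines are the case an analyst most wants surfaced: three failures followed by a success for an admin account, at night, from an enterprise address that the access rules should never have let reach the historian. Each of the three checks fires on its own, so the alert still lands even if one of them is tuned out for a site.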
Follow the 4 A’s to receive an A+ for OT security posture excellence
Skybox helps address the 4 A’s by providing the necessary intelligence, context, and visibility across the entire IT/OT network. Our extensive integrations provide the ability to visualize and analyze hybrid, multi-cloud, and OT networks, providing a full understanding of the attack surface and insights needed to reduce exposure to cyber-attacks.
The Skybox Security Posture Platform consumes a large breadth of data from integrations with OT systems, major vulnerability scanners, configuration databases, asset management systems, network infrastructure, and cloud technologies. These rich data sets enable continuous compliance, accurate risk scoring, exposure-based vulnerability prioritization, and vulnerability remediation (beyond patching).
A cyberattack on the nation’s utility infrastructure can cause disaster, especially as a part of a fire sale attack that intends to disable or render unusable the nation’s transportation, utilities, telecommunications, and financial infrastructure. Follow the 4 A’s to proactively shore up your OT security and prevent breaches before they happen.