Three ways to modernize your OT security programs
Research reveals OT vulnerabilities increased by 46%, necessitating a new approach to OT security
By Terry Oleas, Skybox Security SEPT 28, 2021
Exponential growth in OT vulnerabilities. Increased cyber-attacks on OT systems. Fruitless technology investments. Siloed technologies and teams.
Research findings in Skybox’s Vulnerability and Threat Trends Mid-Year Report 2021 unearths a dire need for organizations to modernize their OT security programs. An exponential growth in OT vulnerabilities has predictably led to an increase in cyber-attacks on OT systems. Additionally, Skybox Research Lab discovered the frequency and scope of malicious activity are increasing apace and companies with siloed technologies and disjointed teams are helpless to stop them. Exploits in the wild are on the upswing, as this report details, and 2021 has seen some of the most audacious and potentially devastating cyberattacks in history. The most disturbing thing is that many of today’s emerging attacks are designed not to just hurt businesses financially but injure people too.
One area that saw a particularly sharp increase in vulnerabilities in H1 2021 is operational technology (OT), with 519 CVEs (critical vulnerabilities and exposures) reported by CISA, compared to 356 CVEs in H1 2020. That’s a leap of 46%. CISA advisories on OT vulnerabilities grew similarly, by 45%.
OT is the control system and backbone of energy providers and other basic utilities, communication systems, building automation, physical security systems, vehicle controls, and more. They’re a prized target for bad actors. Frighteningly enough, many OT attacks are not always financially motivated — sometimes it’s the thrill of creating devastation and mayhem.
For example, the recent Florida water plant hack was not ransomware — it was the desire to create chaos. Simply put, this was the evil work of a Joker disciple, who got jollies from seeing the world burn. The bad news is that OT breaches are not comic book fantasies and sadly security measures are often weak. And unfortunately, there’s no superhero to save the day; in fact, there aren’t even enough OT skilled resources.
According to Gartner, organizations continue to face growing shortages of hands-on technicians with the skills to attend to OT devices.
OT security teams are flying blind in the dark
While OT vulnerabilities have become a favorite target of threat actors, those same flaws are often invisible to security teams. That’s because many OT systems are hard or impossible to scan. At best, companies scan them infrequently (once or twice a year) because they can’t afford to take these mission-critical systems offline or degrade service. Likewise, patching many OT systems is technically impossible, or too cumbersome and costly to address all vulnerabilities.
As a result, reliance on traditional scan-and-patch methods is a non-starter when it comes to OT security. Security teams can’t find most OT vulnerabilities by scanning alone, and even if they could, they couldn’t remediate those flaws with patching. A new approach is needed, one that not only improves detection and eliminates the blind spots, but also facilitates targeted, effective remediation by identifying actual exposures and implementing effective security controls such as network segmentation and IPS systems to prevent unauthorized access.
If the findings in this report make one thing clear, it’s that traditional approaches to vulnerability management are falling further and further behind. Too many assets are difficult or impossible to scan. Vulnerabilities are too numerous, threats too varied, and infrastructure too complicated (fragmented, siloed, and heterogeneous) to secure using conventional, largely manual processes. Finding and patching all vulnerabilities is simply out of the question, and the criteria typically used to prioritize remediation efforts is often misleading.
Throwing money at OT security doesn’t work
As a result, IT and security teams are caught in a vicious cycle, spending more money and resources on increasingly ineffective measures, while failing to keep pace with the rapidly evolving threat landscape.
Managing OT security is a responsibility that should be shared among every role across the security organization. Unfortunately, the use of siloed firewalls and disparate security tools has made it impossible for any single person on the team to have the visibility and insights needed to secure these OT systems. Even worse, these disjointed security tools have also made it impossible for teams to collectively view insights that help prioritize patching critical vulnerabilities and even prevent breaches.
Security teams are beginning to rethink their approach to OT security. Band-Aids don’t work. A foundational overhaul is needed that supports visibility across IT networks and OT systems.
Siloed systems challenge every security team member
There’s no way around it: teams need a platform that connects, aggregates and normalizes the data across these disparate tools to provide teams with holistic visibility to analyze where to focus remediation efforts. Without that visibility, everyone ends up flying blind in the dark, struggling to fulfill their responsibilities.
- IT Directors already don’t have the resources to manage disparate technologies, nor do they have the intelligence and insights to assess, correct, and mitigate risks when adding new technology. They struggle with operational complexities because managing separate environments with separate sets of tools results in blind
- CISOs are concerned about breaches due to the increasing attacks on connected physical systems, but they can’t see their OT infrastructure or patch vulnerabilities.
- Security Architects can’t rely on endpoint security and struggle to reconcile numerous IoT device types that are incorporated into an environment. This makes network segmentation difficult because they can’t efficiently visualize and analyze multiple systems.
- Plant Managers are concerned about maintaining uptime and availability when implementing security remediation solutions. They’re also terrified about public safety if one of their systems unexpectedly goes down during an attack.
- Security Operations don’t have the resources to manage all these security alerts. They don’t have the insights to know which vulnerabilities to prioritize, which is complicated by their struggle to manage across multiple vendors and tools.
Three keys to a modern OT security program
Enterprises require solutions that provide comprehensive visibility across their entire network, that precisely identify the most salient threats and that facilitate timely, cost-effective remediations. Specifically, organizations need:
1) Vulnerability detection: Beyond active scanning
Vulnerability discovery should leverage data sets not only from scans but also from direct integrations with assets that can’t be actively scanned, as well as configuration databases—across security, cloud, networking, and endpoint technologies. This form of detection, sometimes referred to as “passive scanning,” can be combined with active scanning to provide a unified view of the entire attack surface.
2) Exposure analysis: Beyond limited risk scoring
Today, even a low- or medium-severity vulnerability can pose a serious risk if it’s readily accessible to threat actors. Increasingly, attackers use such seemingly innocuous vulnerabilities as the first step in sophisticated multistage campaigns. That’s why exposure analysis is the essential component of threat-centric risk assessment. Exposure analysis consists of complete path analysis (analyzing all the paths to and from IT and OT assets) and attack simulation to show all the potential ways threat actors can get to an asset.
3) Optimal remediation: Beyond patching
Once exposure analysis has been used to identify and prioritize the most pressing security threats, organizations need practical ways to remediate problems and protect their networks. And since patching isn’t always feasible or practical, that means taking other measures: adjusting configurations, enforcing appropriate policies, applying IPS signatures, implementing network segmentation, and more. In so doing, security teams can ensure that assets—even those with unpatched vulnerabilities—are fully protected and not exposed.
Combining these three elements enables enterprises to maintain real-time threat awareness across their entire infrastructure—even the most complex hybrid and multi-cloud environments. In short, they can fortify their organizations and every member of the security team with the most powerful and cost-effective solution possible.