For a long time, the phrase “security through obscurity” has been a kind of comfort blanket, intended to reassure anyone whose job involves protecting critical systems from risk. But that mindset needs to change; that much is clear from the presentations at the recent Secure-OT 23 conference, hosted by BT.
My first blog from the event gave an overview of the security challenges facing those working with operational technology. In this second of a four-part blog series, I’ll dive deeper into one of the key themes from the event.
As the conference heard, operational technology (OT) evolved separately from enterprise information technology systems. The various speakers made it clear that security is less well understood in OT. Systems to run manufacturing operations, or utilities like electricity and water, were put in place years and sometimes decades ago.
Richard Bainbridge, general manager for security at BT, described a spectrum of OT security maturity that many organisations are on today. Organisations at the start of this journey rely on obscurity to protect themselves.
A mistaken assumption
They originally put operational technology in place without giving much thought to security. The systems were usually deployed in a custom manner, so the people responsible for them assumed that they would be too difficult for outsiders to find, or to try to access.
Aengus Gorey, security systems engineer with Analog Devices, said this approach persists today. “I would argue there’s still the mindset within the larger industrial customers, that their protocol is either so obscure or so walled off, that they’re not vulnerable. Security is either not something they’re considering or they’re considering it as part of a slow moving committee that takes years to come to a decision.”
Many plant managers believed that creating ‘air gaps’ would be enough to keep those systems secure. If they weren’t connected to any network, the reasoning went, outsiders couldn’t access them.
Greater connectivity means greater risk
So why is security through obscurity not effective? Firstly, because operational technology isn’t a standalone system any longer. Many now connect to IT networks as part of how they work. They need to exchange data with one another in order to be effective. For example, a car manufacturer might need to send orders from its IT systems to its manufacturing robots.
John Golden, regional director for Nozomi Networks, talked about a kind of cultural difference, between OT and IT. “OT, historically, has been a discretionary spend of sorts. There has been a view that an OT network is secure by the fact it’s air gapped. The reality is, we certainly find when we go into proof of concepts, that is not necessarily the case.”
This mistaken belief that OT systems are not connected to the internet is a theme I’ll return to later in this series.
Out of the public eye
Another reason why obscurity doesn’t work is because attacks on industrial systems have been going on for some time; we just haven’t been hearing about them. Guest speaker Trish McGill, a subject matter expert in OT and IT, gave some examples that date back a decade or more.
She pointed out that Stuxnet was launched back in 2010 and it was capable of disabling a nuclear reactor in Iran. Havex was a remote access Trojan that was targeting ICS systems ten years ago, in 2013. Black Energy was an unsophisticated attack that involved sending infected Excel spreadsheets to victims. Once they had accidentally clicked on the link, it could manipulate critical infrastructure systems on a large scale. In 2017, Triton appeared, capable of large attacks that could damage safety systems in industrial environments.
Years of existing threats
She quoted from a 2018 report by the US Department of Energy which found: “For many years malicious cyber actors have been targeting the industrial control systems that manage our critical infrastructures. Most of these events are not reported to the public, and the threats and incidents to ICS are not as well known as enterprise cyber threats and incidents.”
An extra challenge is that in the IT world, the need for patching and updating systems is well understood – even if many organisations still find it a challenge. In OT, the same level of understanding doesn’t exist yet. Those systems were put in place long ago, with the aim of keeping them running no matter what.
The challenge of upgrading critical systems
The problem is, if those OT systems are running essential services in a hospital, manufacturing plant, or a utility, they can't just be taken offline easily. “Many organisations continue to run core functions on outdated or legacy operating systems,” said Rohan Vermeulen, Automation Infrastructure Lead (OT/ICS) at Pfizer.
He quoted from a BlackBerry survey which found that manufacturing IT decision makers are concerned about malicious attacks that escalate from IT to OT systems. “For example, more than a third of respondents in a BlackBerry survey still were using Windows NT – an operating system that was released in 1993. This year, I migrated a Windows 2003 Server. So this is real.”
But because those systems are old, they’re more vulnerable to threats. “Existing malware that the attackers have written in the last 25 to 30 years works great on OT, they don't even need to do a lot of hard work to attack us,” Trish said.
As the conference heard, there can be a false sense of security around OT. Fortunately for OT managers and anyone in charge of industrial control systems, all is not lost. As John Golden noted: “Now, there is definitely an awareness at board level and management level, but also investor level as well that the risk posed by IoT security breach can be quite significant.”
There is a path towards improving OT security. In the next blog, I’ll start outlining this roadmap in more detail.
Paul McEvoy is a seasoned professional with an extensive understanding of the cybersecurity industry. With a comprehensive technical knowledge of security products, services, vendors, and processes, Paul helps customers to navigate the evolving threat landscape and avail of governance frameworks to manage their security more effectively. Currently serving as a Cyber Security Deal Architect at BT Ireland, Paul strategically drives BT’s Global Security Services through innovative marketing campaigns, industry events and workshops.