
Claroty - how the OT threat landscape is changing

Monday, January 6, 2020

As OT looks more and more like IT, and is increasingly connected to the internet, the cyber risk levels go up. And compared to IT, the problems can be harder to fix, says Claroty.

Cyber threats to operational technology, such as control systems, have become much more critical over the past few years, largely because operational technology is looking much more like information technology. But OT can be much harder to keep secure, says New York cybersecurity company Claroty.

There has been a lot more attention paid to IT security over the past few years. But operational technology security has in some ways become more critical, largely because of the increased 'convergence' between IT and OT systems, says Dave Weinstein, chief security officer with Claroty.

Mr Weinstein is a former chief technology officer for the State of New Jersey, and also previously served at U.S. Cyber Command.

Claroty has been in business for four years and is active in 15 different 'vertical' industry sectors in 25 countries, focusing on operational technology in each sector.

OT systems have traditionally not been connected to the internet. Now they are, and they are being subjected to remote threats, he says.

And these systems were never designed to be secure. 'There's no basic security feature like you see on the IT side [such as] encryption, authentication, monitoring.'

Changing threats

The 'barriers to entry' to be a hacker are decreasing. 'It is getting easier and easier for less sophisticated, less resourced non state actors to actually play in this space.'

There are many examples of so-called 'script kiddies' - people just messing around with code to see what happens - who have been able to gain access to a critical infrastructure network, although not necessarily disrupt it.

The 'script kiddies' can be employees, but not always. 'Insider threats are something organizations tend not to care enough about,' he says. 'Almost a taboo subject - they don't want to admit that there's people in their organization that would go to those extremes. But it does happen.'

'Employees tend to have the greatest access, the best intelligence about the network, knowledge of how to evade detection. It is a serious risk for organisations.'

'But it is hard to say what percentage of the threats are insider vs external.'

At the same time, the attack 'surface' - the number of operational devices it is possible to try to attack - is 'expanding rapidly', he said.

That is largely due to the explosion of 'internet of things' devices, which have IP addresses and internet connections, including sensors, surveillance cameras, badge readers and mobile tablets.

'From the attacker's perspective they are new opportunities to gain and maintain persistent access,' he says.

On the positive side, Mr Weinstein sees fewer operational technology attacks coming from state actors.

Consider that China, Russia, Iran and North Korea are widely thought to have the capability to mount attacks that can create downtime or potential damage to operational technology. But to date none of those countries has 'attacked' the US, 'depending on how we define that word,' he says.

Nation states 'are clearly holding back. They have more capability than they have brought to bear.'

The most damaging state-sponsored OT attacks seen so far are probably the Russian attacks on the Ukrainian electric grid in December 2015 and December 2016. But the impact was limited to a combined total of around 6-7 hours of electric outages for around 250,000 people, hardly a nightmare scenario.

Another major state-sponsored operational technology attack, known as TRITON, targeted a petrochemical plant in Saudi Arabia in 2017. The malware was aimed at the plant's Triconex safety instrumented system; the safety controllers tripped into a fail-safe state, leading to an emergency shutdown.

Mr Weinstein describes it as a 'failed attack really.'

'It is unclear if it was intended to be an attack - or more of a test operation, or some bug in the code prevented it from fully executing,' he says.

Mitigating the threat

The first step to mitigating the threat of an operational technology attack is to get a better understanding of what is on your network. You can't protect or secure what you can't see, he says.

Typically, companies that operate OT networks have little understanding of what is on them, and no means of finding out.

It is important to know what devices you have, including their software versions and serial numbers, and how they all communicate with each other.

'The initial piece of just gaining visibility can be done relatively quickly without much investment,' he says.

Then you can monitor if any communications go outside the norm. Operational technology communications are nearly all machine to machine communications, which means they should be predictable and repeatable.

'If you can profile those communications, you can gain visibility into deviations from those communications, then you can really increase your chances of detecting anomalies or malicious behavior on the network,' he says.

'It doesn't mean every potential threat is going to be discovered, but you can increase your chance of detecting anything malicious.'

Once you have done that, you can move to the more sophisticated cybersecurity measures, including vulnerability and patch management.

'Vulnerability management is hard enough on the IT side, it is really hard on the OT side,' he says. 'You've got a lot of vulnerabilities, many of these devices are extremely old, and the risk to the operation of patching is usually high. You may need to shut a plant down to install a patch, which has big costs.'

Claroty's offering

Claroty produces a product which continuously monitors all OT communications, to try to detect anything bad happening. It has a device which is connected to a switch (typically a mirror port, so that it receives a copy of the traffic) and passively monitors all communications through the system without injecting anything onto the network.

Its software understands the different communications protocols used by different OT equipment, so it is able to 'parse' the data traffic to work out which system generated each piece of data, and what it is for.

'You need to do all the hard work of reverse engineering the protocols so you can fully understand the communications,' he says. Ultimately you can get 'a very granular understanding of everything that goes across the wire.'
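As an added example of the protocol parsing described above (this is not Claroty's code and nothing the article shows), here is a parser for one widely used OT protocol, Modbus/TCP, whose frame layout is taken from the public Modbus application protocol specification. Modbus is assumed here as a representative protocol; the sample frames are constructed for the example, not captured traffic.

```python
"""Parse Modbus/TCP request frames into structured records.

Added example, not Claroty's code. Modbus/TCP is assumed here as a
representative OT protocol; the MBAP header and function codes follow
the public Modbus application protocol specification.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Subset of standard Modbus function codes.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    function_name: str
    address: int            # starting coil/register address
    value: Optional[int]    # payload for single-write functions, else None
    is_write: bool          # writes change process state; reads do not


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, counts
    unit id + PDU), unit id (1).  PDU: function code (1) + function data.
    Every length check is explicit because a parser that trusts the
    length field is itself an attack surface.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size")
    fc = frame[7]
    data = frame[8:]
    if fc not in FUNCTION_NAMES:
        raise ValueError(f"unsupported function code {fc}")
    if len(data) < 2:
        raise ValueError("PDU is missing the starting address")
    address = struct.unpack(">H", data[:2])[0]
    value = None
    if fc in (5, 6):
        if len(data) < 4:
            raise ValueError("single-write PDU is missing its value")
        value = struct.unpack(">H", data[2:4])[0]
        if fc == 5 and value not in (0x0000, 0xFF00):
            raise ValueError(f"invalid coil value {value:#06x}")
    return ModbusRequest(tid, unit, fc, FUNCTION_NAMES[fc],
                         address, value, fc in WRITE_CODES)


def is_well_formed(frame: bytes) -> bool:
    """True if the frame parses cleanly; a monitor would alert on the rest."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames (not captured traffic).
# Write Single Coil: coil 0x0013 -> ON, the "open a valve" command in the text.
OPEN_VALVE = bytes.fromhex("00010000000601050013ff00")
# Read Holding Registers: 2 registers starting at 0x006B (a typical HMI poll).
READ_REGS = bytes.fromhex("0002000000060103006b0002")
# Same write, but the MBAP length field claims 9 bytes while only 6 follow.
BAD_LENGTH = bytes.fromhex("00030000000901050013ff00")


if __name__ == "__main__":
    for frame in (OPEN_VALVE, READ_REGS):
        r = parse_modbus_tcp(frame)
        kind = "WRITE" if r.is_write else "read"
        print(f"unit {r.unit_id}: {kind} {r.function_name} @ {r.address:#06x} value={r.value}")
    print("bad length frame well-formed?", is_well_formed(BAD_LENGTH))
```

The point of the `is_write` flag is the one the article makes next: once traffic is parsed, a monitor can treat a coil write to a valve very differently from a register read, even though both are only a few bytes apart on the wire.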

This can still be difficult - a command, for example, to open a valve, can look the same whether it comes from the intended source or a hacker.

But you can then look at where the command is coming from, what time of day it occurs, and other indicators. You can establish a 'baseline' of what the command normally looks like, then detect changes from the norm. 'If it comes from a box that never issues that command, that would be an indication that someone is on the network,' he said.
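An added example, not the article's or Claroty's code, of the baselining described here and in the 'Mitigating the threat' section above: it profiles which host issues which command to which controller, and at what hours, from a learning window assumed to be clean, then flags the same 'open a valve' command when it arrives from a box that never issues it, at an unusual hour, or as a command never seen before. The host names, controller names, commands and hours are constructed for the demonstration.

```python
"""Baseline-and-deviation detection over parsed OT command events.

Added example, not Claroty's product. Host names, controller names,
commands and hours are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CommandEvent:
    hour: int       # hour of day, 0-23
    src: str        # host that issued the command
    dst: str        # controller that received it
    command: str    # parsed command, e.g. "write_coil:0x0013"


class CommandBaseline:
    """Who sends which command to which controller, and at what hours."""

    def __init__(self, hour_slack: int = 1):
        self.hour_slack = hour_slack
        self.known: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)

    def learn(self, events: List[CommandEvent]) -> None:
        """Profile a learning window of traffic assumed to be clean."""
        for e in events:
            self.known[(e.src, e.dst, e.command)].add(e.hour)

    def _hour_fits(self, hour: int, seen: Set[int]) -> bool:
        # Circular distance so that 23:00 and 00:00 count as adjacent.
        return any(min(abs(hour - h), 24 - abs(hour - h)) <= self.hour_slack
                   for h in seen)

    def assess(self, e: CommandEvent) -> Optional[str]:
        """Return None if the event fits the baseline, else the reason it does not."""
        key = (e.src, e.dst, e.command)
        if key not in self.known:
            # The bytes on the wire are identical to a legitimate command;
            # what gives it away is the source that issued it.
            senders = sorted(s for (s, d, c) in self.known
                             if d == e.dst and c == e.command)
            if senders:
                return (f"{e.command} to {e.dst} from unexpected source {e.src} "
                        f"(baseline senders: {senders})")
            return f"never-seen command {e.command} to {e.dst} from {e.src}"
        if not self._hour_fits(e.hour, self.known[key]):
            return (f"{e.command} from {e.src} to {e.dst} at {e.hour:02d}:00, "
                    f"outside baseline hours {sorted(self.known[key])}")
        return None

    def detect(self, events: List[CommandEvent]) -> List[Tuple[CommandEvent, str]]:
        """Alerts only; deciding whether to block is left to the plant engineer."""
        alerts = []
        for e in events:
            reason = self.assess(e)
            if reason:
                alerts.append((e, reason))
        return alerts


# Constructed learning window: an engineering workstation writes the valve
# coil during the day shift, an HMI polls holding registers around the clock.
LEARNING_EVENTS = (
    [CommandEvent(h, "EWS-01", "PLC-03", "write_coil:0x0013") for h in (8, 10, 14, 16)]
    + [CommandEvent(h, "HMI-02", "PLC-03", "read_holding:0x006B") for h in range(24)]
)

# Constructed events to assess once the baseline has been learned.
NEW_EVENTS = [
    CommandEvent(9, "EWS-01", "PLC-03", "write_coil:0x0013"),       # routine
    CommandEvent(9, "HMI-02", "PLC-03", "write_coil:0x0013"),       # wrong box
    CommandEvent(3, "EWS-01", "PLC-03", "write_coil:0x0013"),       # 03:00
    CommandEvent(11, "EWS-01", "PLC-03", "write_register:0x0100"),  # new command
    CommandEvent(12, "HMI-02", "PLC-03", "read_holding:0x006B"),    # routine poll
]


def run_demo() -> List[Tuple[CommandEvent, str]]:
    baseline = CommandBaseline(hour_slack=1)
    baseline.learn(LEARNING_EVENTS)
    return baseline.detect(NEW_EVENTS)


if __name__ == "__main__":
    for event, reason in run_demo():
        print(f"ALERT {event.src} -> {event.dst}: {reason}")
```

The `hour_slack` tolerance is the practical caveat: an exact-hour match would alert on every legitimate write that falls between two learning-window samples, and a detection system that cries wolf in a plant is switched off quickly. The learning window must also be clean; a baseline learned while an intruder is already issuing commands will treat those commands as normal.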

The next question is what to do if anything is detected. In operations technology, it would be dangerous for a cyber security system to automatically shut something down. 'We haven't met a customer yet who wants us making decisions about their network, and frankly I don't blame them,' he said.

But you can give alerts to a plant engineer or security operations centre suggesting that someone looks in more detail at something and decide what to do. The system can follow rules to block certain communications in certain circumstances.

Mr Weinstein believes that in a few years, systems like this will be as commonplace as virus scanning on PCs today. In a few years, 'we'll look back and laugh when we think about the fact that nobody was monitoring their OT networks,' he said.

'The overall maturity level in our industrial ecosystem is going to increase drastically over the next couple of years.'

Source: Digital Energy Journal