OT: Insecure-by-design?

The CISA release of a cluster of 56 Industrial Control Systems Advisories focuses on the prevalence of vulnerabilities caused by insecure-by-design practices in operational technology. The fact that 10 vendors of devices often found in critical-infrastructure verticals (energy and power generation and distribution, building and manufacturing, critical facilities, ...) are affected is a sobering reminder of the current state of OT cybersecurity.

The impact of this set of vulnerabilities can be classified as:

· Attacks against Confidentiality: 44% (credentials compromise, authentication bypass)

· Attacks against Integrity: 44% (firmware, logic, configuration & file manipulation)

· Attacks against Availability: 8% (DoS)

· Against all CIA dimensions: 14% (Remote Code Execution)

We all know the history of incidents such as Industroyer 1 & 2, Triton, and the new breed of destructive wipers that pose as ransomware; and certainly the threat landscape has gotten worse with the need for a fast-paced digital transformation because of the pandemic, and with the geopolitical situation derived from the invasion of Ukraine. All of that would be bad enough in an IT environment, but the nature of Operational Technology makes it more difficult to maintain adequate basic cybersecurity hygiene. State actors or cybercriminals can develop offensive capabilities focused on OT malware easily: once you have reverse-engineered a proprietary protocol, you can retool it easily for a variety of attacks.

Cybersecurity Issues regarding OT

OT systems are usually built on proprietary technology, and dependencies between them are usually opaque, mainly because they are designed to work with each other inside their own ecosystem. They are not well suited for integration with IT technologies by design. And that makes them insecure by design:

· They usually use engineering protocols that were designed with predictability and repeatability in mind; security was not a concern.

· Cryptography is non-existent (plaintext protocols), weak, or at least not state of the art. That also means that authentication between devices is not in place.

· Firmware updates are not secure. Most of them are delivered via Ethernet nowadays, but many of them don’t support authentication for the delivery. USB and SD card delivery gives you (relative) isolation but makes patch deployment burdensome.

· Security certifications for OT devices are usually focused on functional testing, recertification efforts are difficult and expensive for most vendor technologies, and the security goals to be achieved are not really up to an integrated IT & OT environment. In contrast, IT Common Criteria (which is not perfect) at least has well-defined Security Targets, allowing vendors to effectively test conformance with clear Security Functional Requirements.

· If your OT devices run logic compiled to native machine code, that’s a door for low-level functionality tampering, usually difficult to spot until it’s too late.

To manage risk you need actionable intelligence; otherwise you don’t know whether to go patching, segmenting or decommissioning, or which security controls are up to the task of mitigating your risk. In this regard, the lack of CVEs makes vulnerabilities by design much more difficult to understand and treat accordingly. You need to know in which detailed ways your devices are vulnerable to the different attack vectors. The opaqueness and complexity of OT usually manifests itself in the fact that supply chain components inherit vulnerabilities, and knowledge of those vulnerabilities does not easily permeate through the supply chain as a whole. You may have a CVE declared on a protocol or PLC firmware, but most of the time it is not evident whether your PLCs are using that vulnerable piece of software, so you end up having some sort of Shadow OT of Things.
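The paragraph above describes the practical problem: an advisory names a protocol stack or firmware component, and the asset owner has to work out which PLCs actually carry it. The following is an added example (not code from the original post) of the triage step an inventory enables. Every asset, component and advisory identifier in it is a constructed placeholder, and it assumes the vendor publishes which components a given firmware bundles; assets with no such bill of materials are reported as "unknown" rather than silently cleared, which is exactly the Shadow OT gap.

```python
"""Match vendor advisories against an OT asset inventory by firmware component.

Added example, not part of the original post. Asset names, component names,
versions and advisory identifiers are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str      # a protocol stack, RTOS or web server bundled into the firmware
    version: str


@dataclass(frozen=True)
class Asset:
    asset_id: str
    model: str
    firmware: str
    # Components shipped inside this firmware, or None when the vendor
    # does not publish them (the asset can then never be cleared).
    components: Optional[Tuple[Component, ...]]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder; use the vendor's or CISA's real identifier
    component: str     # the affected component as named by the vendor
    fixed_in: str      # first version that is NOT affected
    impact: str        # confidentiality / integrity / availability / rce


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def exposure(asset: Asset, advisory: Advisory) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one asset/advisory pair."""
    if asset.components is None:
        return "unknown"            # no bill of materials: cannot clear the asset
    for comp in asset.components:
        if comp.name == advisory.component and version_key(comp.version) < version_key(advisory.fixed_in):
            return "affected"
    return "not affected"


def triage(assets, advisories) -> Dict[str, Dict[str, List[str]]]:
    """Group asset ids by exposure status for every advisory."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for adv in advisories:
        buckets: Dict[str, List[str]] = {"affected": [], "not affected": [], "unknown": []}
        for asset in assets:
            buckets[exposure(asset, adv)].append(asset.asset_id)
        report[adv.advisory_id] = buckets
    return report


# Constructed sample inventory: two PLCs with a known component list, one RTU without.
ASSETS = (
    Asset("PLC-01", "ModelA", "4.2.0",
          (Component("ModbusStack", "1.8.2"), Component("WebConfig", "3.0.1"))),
    Asset("PLC-02", "ModelA", "4.5.1",
          (Component("ModbusStack", "1.9.0"), Component("WebConfig", "3.0.1"))),
    Asset("RTU-07", "ModelB", "2.1.0", None),
)

# Constructed sample advisories (identifiers are placeholders, not real advisories).
ADVISORIES = (
    Advisory("ADV-EXAMPLE-001", "ModbusStack", "1.9.0", "integrity"),
    Advisory("ADV-EXAMPLE-002", "WebConfig", "3.1.0", "confidentiality"),
)

if __name__ == "__main__":
    for adv_id, buckets in triage(ASSETS, ADVISORIES).items():
        print(adv_id, buckets)
```

The "unknown" bucket is the one to act on first: those assets need either a component list from the vendor or a compensating control (segmentation, monitoring) until their exposure is known.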

How can we fight back

You have to implement basic security controls and apply common cybersecurity hygiene as a platform to achieve a proper cybersecurity posture. OT needs to integrate cybersecurity trends that are commonplace in IT.

· Visibility, discovery and proper inventory of your vulnerable devices: you cannot protect what you don’t know.

· Don’t have internet-facing devices that you don’t need, protect your different network trust zones by segmentation, and isolate your OT from IT. Isolation should be the norm, and your OT intranet should move towards a Zero Trust paradigm. Monitor your network traffic closely. Remote access should be tightly controlled; PAM solutions are a must.

· Leverage your native hardening capabilities. It’s a very cost-effective approach.

· Implement a thorough but sensible patch/update program.

· Be proactive and check Third Party Threat Intelligence sources. Know thy enemy.

· Seek and procure secure-by-design products. Choose your vendors wisely.

· Risk is mitigated by decreasing probability and impact. In critical infrastructures you usually cannot afford impacts, so you will need a Risk Management Framework oriented to impact reduction. Consequence-driven Cyber-informed Engineering (CCE) is a good example of this.
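The segmentation, isolation and traffic-monitoring advice in the list above can be turned into a check that runs over exported flow records. The following is an added example, not code from the original post: it assumes a three-zone address plan (IT, DMZ, OT) and a simple policy (only the DMZ and OT itself may reach OT, engineering protocols are spoken only from inside OT, and OT assets never initiate connections outside the defined zones). The address ranges, the policy rules and the flow records are all constructed; the protocol port numbers are the standard defaults of Modbus/TCP, S7comm, DNP3 and EtherNet/IP.

```python
"""Check recorded network flows against an IT/DMZ/OT zone policy.

Added example, not part of the original post. The address plan, the policy
and the flow records are constructed; replace them with your own address plan
and an export from your firewall or flow collector.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Constructed address plan. Every internal range must be listed here:
# anything that matches no zone is treated as external (the conservative default).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Default TCP ports of common industrial protocols. None of them authenticates
# the peer, so which zone they are spoken from is the only control you have.
ENGINEERING_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to, or EXTERNAL if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,dst,dport,proto' lines (a constructed, minimal flow format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = (field.strip() for field in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def evaluate(flow: Flow) -> List[str]:
    """Return the policy findings for one flow; an empty list means it complies."""
    findings = []
    s, d = zone_of(flow.src), zone_of(flow.dst)
    # Rule 1: only the DMZ (jump hosts, PAM) and OT itself may reach OT.
    if d == "OT" and s not in ("OT", "DMZ"):
        findings.append(f"{s}->OT direct access bypasses the DMZ")
    # Rule 2: engineering protocols are spoken only from inside the OT zone.
    if flow.dport in ENGINEERING_PORTS and s != "OT":
        findings.append(f"{ENGINEERING_PORTS[flow.dport]} initiated from {s}")
    # Rule 3: OT assets never initiate connections to the outside.
    if s == "OT" and d == "EXTERNAL":
        findings.append("OT asset initiated a connection outside all defined zones")
    return findings


def audit(text: str) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, findings) for every recorded flow that violates the policy."""
    results = []
    for flow in parse_flows(text):
        findings = evaluate(flow)
        if findings:
            results.append((flow, findings))
    return results


# Constructed flow records: IT workstation straight to a PLC, DMZ jump host over SSH,
# PLC to PLC, an OT asset reaching outside, and a DMZ host speaking S7comm.
SAMPLE_FLOWS = """
10.10.5.20,10.30.1.10,502,tcp
10.20.0.5,10.30.1.10,22,tcp
10.30.1.10,10.30.1.11,502,tcp
10.30.1.12,203.0.113.5,443,tcp
10.20.0.5,10.30.1.10,102,tcp
"""

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  " + "; ".join(findings))
```

The value of a check like this is in running it continuously against fresh exports rather than once: a new IT-to-PLC flow on an engineering port is the kind of signal that should reach the SOC the same day.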

In the end, it will take a joint effort from the security community, vendors and manufacturers, and obviously you, the asset owner.


Luis Alfonso Rodríguez de Trío

Internal Audit Tech & Cybersec / Senior Cybersecurity Leadership / IT Director. MBA, CCISO, CISM, CEH, CHFI, ECIH, Security +, ECI.