Operational Technologies: The Latest Attacker Hideout


By Abby Ross, Associate Partner, X-Force Red

Fragile, outdated, valuable – three adjectives that, when combined, can create a precarious security situation. Those words can describe operational technologies (OT). Whereas information technology (IT) refers to applications and websites that store intellectual property, customer data and other sensitive information, OT refers to network-connected machinery, building and physical equipment that oftentimes keep the business operations running. Those critical devices may have been installed decades ago. Hence, they are fragile, outdated and valuable. Finding and fixing high-risk security vulnerabilities can be a challenge, although not impossible.

According to IBM X-Force, attacks targeting the operational technology (OT) infrastructure increased by more than 2000 percent in 2019 compared to 2018. Fifty-six percent of organizations reported at least one attack of private information loss or an outage in an OT environment in the past 12 months. The stakes are high to protect OT devices. Just one compromise could bring down an entire business operation or, worse, put citizens' lives at risk.

Nearly every industry is using some kind of operational technology. And based on what our X-Force Red hackers find when scanning and testing OT environments, the security challenges are usually similar across the board. Here are some of the most common ones:

  1. Lack of asset inventory: If you don't know what you have in your environment, how can you protect it? Many organizations do not maintain an up-to-date asset inventory. They may not realize where certain systems or devices live or if they exist at all.
  2. Siloes: Inside large organizations, the OT environment is oftentimes siloed from the IT and security environment. Since another team is responsible for managing the OT infrastructure, security can be overlooked, especially if it's in the IT wheelhouse.
  3. End-of-life technologies: Because many operational technologies were deployed long ago, their operating systems may no longer receive regular updates from the manufacturer. That means vulnerabilities are not being patched, which can significantly elevate the risk of an OT compromise.
  4. Takedown fears: Since operational technologies are so important to the business, organizations cannot risk those devices "being brought down." Patching can elevate the risk of a system crash, which may create the mindset of, "if it isn't broken, don't mess with it." Without a patch or a remediation countermeasure in place, the risk of a compromise is elevated.
  5. Lack of OT-specific expertise: Many organizations lack OT-specific expertise. Considering these systems require a specific set of security tools and processes that align with their fragility, they also require OT-specific expertise.

To overcome these challenges, organizations need OT-specific resources, processes and tooling. For starters, just because a patch cannot be applied does not mean these devices should remain vulnerable to an attack. Countermeasures can be implemented to reduce the risk of a compromise, even without a patch. Special tooling also exists to uncover vulnerabilities without running the risk of systems being brought down.

X-Force Red and Tenable have joined forces to tackle the OT security conundrum. Tenable.ot is a product designed specifically for the OT environment. The product can create an asset inventory and perform active query and passive monitoring to safely assess OT devices and uncover vulnerabilities. X-Force Red has specific OT expertise, and can deploy, configure and manage the Tenable.ot product. X-Force Red can build an asset inventory and manage the scanning process to uncover OT vulnerabilities. The team can then use its hacker-built Red Portal to enrich and prioritize the vulnerabilities that elevate risk the most, and manage the remediation process. Because of its OT-specific expertise, X-Force Red understands countermeasures that can be applied in cases where patches cannot be applied. The team can also work with device manufacturers to retrieve patching data, if it exists.

X-Force Red's OT and other offensive security offerings will be showcased at Black Hat EU 2020. Please stop by our virtual booth. Our hackers are happy to chat about OT security and any other security topic.
