We have all heard that safety is king when it comes to OT environments, but there is more to that than meets the eye. Safety goes well beyond taking precautions to avoid the common hazards, such as slipping or tripping hazards, or ensuring workers don’t get injured on the job. Instead, it’s a holistic protection of the workers, communities at large, and the business.
As we move further into the digital world, including Cyber-Physical Systems (CPS), cybersecurity needs to be part of these safety conversations that are so prevalent in the OT culture.
Unlike IT environments, downtime or unexpected or unplanned changes in critical infrastructure operations can have very serious ramifications in the physical world. This can be caused by common malware that we sometimes see on the business network that bleeds over into the OT side where there can be resulting negative impacts due to a lack of segmentation between the two environments. There is also more targeted, advanced malware that needs to be dealt with as well.
It’s a consideration that many executives and boards of directors are beginning to discuss. According to the World Economic Forum’s Global Risk Report 2020, more than 76% of respondents now agree that attacks against critical infrastructure will increase in 2020, putting cybersecurity as a top issue in line with major concerns like the effects of climate change and global economies.
At risk of being cliché here, Stuxnet is a perfect example of that advanced malware where safety and cyber intersect. Stuxnet targeted the programmable logic controllers (PLCs) that controlled and manipulated centrifuges to the point that they were physically damaged and unusable thus causing substantial damage and delay to Iran’s nuclear program.
The Triton malware, also known as Trisis and HatMan, was first observed in 2017 to target industrial control systems, specifically the Schneider Electric Triconex safety instrumented system (SIS) controllers, with characteristics designed to disable plant safety and failsafe mechanisms. Although the impact of the attack was “just” a shutdown of a critical infrastructure facility in the Middle East, it is widely thought that the intended result was a catastrophic incident. Regardless of the intent, there is high probability that another iteration of this malware could easily have catastrophic physical consequences.
More recently, the widely publicized Norsk Hydro ransomware cyberattack in March of 2019 illustrated the use of the LockerGoga ransomware in the industrial space. It’s not the first ransomware to infect OT, but it does have some variations to it that make it a little different from the others. It wasn’t the only attack of this kind in recent months, with the Cybersecurity and Infrastructure Security Agency (CISA), warning OT operators to protect themselves after a ransomware attack on a natural gas compression facility halted operations for two days due to a partial Loss of View.
While these are just a few examples, the reality is that most OT cyberattacks are not publicly reported and thus we do not have an entirely accurate view of the real breadth of attacks.
The differences between IT and OT are many, including the need for availability of the systems, the types of devices used, the environments they reside in, the protocols used, and the longer life expectancy of the systems. The consequences of something going wrong are also drastically different, including loss of life.
There are various frameworks and knowledgebases available to help organizations further protect their OT environments and help to ensure a safe operating environment. One example is the MITRE ATT&CK Framework, which was expanded in January with the release of ATT&CK for ICS to include threats to human life and the physical environment. That update included a new Impact category, recognizing that the goal of an OT attacker is generally to disrupt or destroy. The Inhibit Response Function has also been added to address deception tactics that attackers may use in order to hinder safeguards that are in place. While these are not the only differences, the knowledgebase allows for a better understanding of the behavior of an adversary, as well as recognizing the impact compromised defenses may have in an OT environment.
Many of us have been in the habit for years doing a job safety analysis (JSA) procedure to identify and address potential physical hazards. It might be even more common to begin meetings with a safety message to reinforce the importance of practicing safety. Safety in OT is paramount and is not going away, but as we continue shifting into the digital revolution, we must expand the boundaries of safety and consider the “new” ways that it can be impacted. As OT is the lifeblood of our nations and the global economy, it is paramount that we weave cybersecurity into the safety fabric that underpins all of this. Safety is king.
Michael Piccalo is the Director of OT/ICS Systems Engineering at Forescout Technologies. With over 25 years of experience in the cybersecurity industry, he worked on deploying some of the first firewalls protecting OT and critical infrastructure back in 2001 and served in the U.S. Air Force prior to that working in various fields including communications, intelligence, and security.