Some things you need to know if you manage OT networks and are responsible for ICS/SCADA cybersecurity.

We have all heard about the compromise of SolarWinds’ Orion IT network management platform, which has dominated headlines due to the scope, impact, and stealthy nature of the attack.

In what is known as a “supply-chain attack”, SolarWinds’ internal build and update-distribution systems were compromised and malicious updates were sent to 18,000 of 33,000 Orion customers, according to SolarWinds’ SEC 8-K filing last month, enabling hackers to hide in plain sight for several months of espionage activities.

US intelligence agencies attributed a sophisticated malware campaign to Russia in a joint statement, several weeks after public reports of the hack that has affected local, state and federal agencies in the US in addition to private companies including Microsoft and FireEye.

The massive breach, which reportedly compromised an email system used by senior leadership at the Treasury Department and systems at several other federal agencies, started in March 2020 when hackers compromised IT management software from SolarWinds.

The FBI and NSA joined the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence in saying the hack was “likely Russian in origin” but stopped short of naming a specific hacking group or Russian government agency as being responsible.

Given SolarWinds’ ubiquity inside enterprises and public-sector agencies, the extent of the impact of the attacks may not be known for some time. But the stealthy nature of this supply-chain attack, and the advanced capabilities and backdoors in use, should put any organization that includes nation-state actors as part of its threat model on alert, including critical infrastructure, industrial control systems (ICS), and SCADA operators.

Ghian Oberholzer, Regional VP, Technical Operations, Claroty APJ

CybersecAsia spoke to Ghian Oberholzer, Regional VP, Technical Operations, Claroty Asia Pacific and Japan, for more insights about OT security.

What are the key differences between OT security and other aspects of cybersecurity?

Oberholzer: IT assets, such as computers and communication devices, are designed for interconnection. Correspondingly, IT security is a mature field, with several decades of development to protect devices from digital threats.

On the other hand, OT assets, which include sensors and control systems, were not designed to be connected, but rather to work in isolation, thus remote attacks on such assets were not a concern. It has only been relatively recently, as we’ve begun to connect OT devices to IT systems and the internet, that organizations are realizing the importance of securing their OT networks.

Furthermore, while IT networks use standardized protocols, OT networks typically use proprietary protocols, which are largely unrecognizable by IT security tools.

OT assets are built to last, with a long lifecycle of several years or more, and their underlying operating systems tend to be much more dated compared to IT assets, which are routinely updated and replaced. OT assets may still be running on Windows XP or Windows 2000 for example, simply because their apps and systems were designed for those operating systems. They might cease functioning or go out of warranty on a newer version of operating software. This makes them particularly vulnerable to attacks that arise from IT issues, as the OT system could contain software loopholes that have not been patched.

Another difference between IT and OT assets is that they have different priorities when it comes to security. With IT, confidentiality is more important than availability, whereas with OT it’s the exact opposite. Most organizations simply cannot afford downtime in their OT systems. For something as critical as water utilities, OT downtime means bringing the regional or national water supply to a halt.

Remote access solutions designed for IT are often agent-based and/or use jump servers to connect to OT networks. Agents require OT downtime, while jump servers expand the attack surface by perforating the firewall and increasing unsecured connectivity between IT and OT. Organizations need a remote access solution that secures and controls remote OT access without downtime or impeding workflows. IT solutions are not designed to cater for the priorities of OT, and therefore cannot meet these needs.

Claroty bridges the gap between IT and OT environments, with an OT cybersecurity platform that deploys rapidly and integrates seamlessly with existing IT security infrastructure. This eliminates the burden of complex deployments, steep learning curves, and unfamiliar tools that operators often face.