In what ways do these differences make OT security more challenging?
Oberholzer: A key challenge is to get the buy-in from the CXO level to prioritize OT security at the same level as their IT security. They need to understand the unique characteristics and security needs of OT and provide proper security controls.
Another challenge is securing OT for remote access in this new normal. Any employee or third-party contractor who previously worked onsite, but now works outside the facility, requires online access to ensure uninterrupted operations. Monitoring and making changes to production lines and manufacturing processes can become even more mission-critical during times of disruption, depending on the industry and products and services provided.
Because OT network traffic provides all the security information needed to monitor for threats, a solution like Claroty’s Continuous Threat Detection (CTD) provides necessary asset visibility and continuous threat monitoring.
Lastly, another challenge is securing OT with zero downtime to operations. As OT deals with physical processes and operations, there is a significant risk at hand. This includes the health and safety of human lives, serious damage to the environment, and financial issues such as production losses and a negative impact on a nation’s economy. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of cyberattack.
To address this, the Claroty Platform leaves no footprint on the network, poses no risk to OT availability, reliability, or safety, and requires absolutely zero downtime, unlike the agent-based security tools that characterize IT remote-access solutions.
With some hindsight now, how could the SolarWinds Orion vulnerabilities have been prevented or mitigated?
Oberholzer: Numerous high-value US government agencies are Orion customers, and several have announced that they were attacked, including the US Department of Commerce, the US Department of Treasury, and the US Department of Homeland Security. FireEye also publicly disclosed that it was compromised and that hundreds of its red-teaming tools were accessed.
Given SolarWinds’ ubiquity inside enterprises and public-sector agencies, the stealthy nature of this supply-chain attack, and the advanced capabilities and backdoors in use, this attack should put any organization that includes nation-state actors as part of its threat model on alert, including critical infrastructure, industrial control systems (ICS), and SCADA operators.
While IT security teams have scrambled to assess risk and remediate, it’s critical for operational technology (OT) asset owners and operators to think through the risk and remediation activities. Here are some things you need to know today if you manage OT networks and are responsible for industrial cybersecurity.
Businesses that use SolarWinds’ Orion platform to manage IT should also understand how their OT networks and industrial processes may also be impacted by this attack:
- The malicious Sunburst backdoor included in the Orion updates is difficult to detect because it is digitally signed by SolarWinds and treated as legitimate software traffic by the target host and enterprise-grade detection software. There is no “vulnerability to detect” per se—the software is the vulnerability. Asset operators need to be able to catalog the software in the OT environment to understand if they have affected versions of SolarWinds Orion running.
- The Orion platform is largely a network performance management system that pulls data from connected systems to pinpoint any significant issues that need remediation. Organizations use it to centrally manage an IT environment from a single dashboard. The platform also locally stores credentials to assets and applications throughout the environment. Therefore, the scope of the potential compromise for any organization is much larger than the SolarWinds Orion software. Ensure you’re thinking about compromise scoping in this context.
- With the previous two points in mind, if you find any instances of SolarWinds in the environment, that means you need to rebuild the Orion system and any system it has credentials to access. That’s the only way to address the full scope of the compromise.
- Attackers had been using Orion to distribute multiple signed malicious updates since March and into May. The Sunburst backdoor has given the attackers a seemingly legitimate presence on networks. Once inside, it’s likely that they have been able to move laterally on Orion customer networks to gain access to other network domains in order to steal data or exploit other vulnerabilities. As organizations tend to “whitelist” network management systems to prevent false positives, the attackers have been able to use this foothold to hide in plain sight. Asset operators, therefore, need to leverage detection techniques to look for anomalous traffic in the OT environment.
- Security teams should inspect domain (DNS) activity for unusual or suspicious requests. In particular, look for connections to avsvmcloud[.]com which is a beaconing indicator of compromised instances of SolarWinds Orion.
- Even if you’ve taken all of these steps, it is possible that attackers are in the environment and have established additional footholds or backdoors. Therefore, it’s critical that you have detection tools in place that rely upon a variety of different detection methodologies to spot an attacker. Doing this ensures you have a broad set of traps and snares to catch lateral movement.
We are all still learning about the SolarWinds compromise, and this is a very fluid situation with an impact and scope not yet fully understood. Yet, asset owner-operators can and should take purposeful steps to triage their environments, assess risk, and drive remediation activities.
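The DNS check Oberholzer describes (inspect query logs for requests to avsvmcloud[.]com, the beaconing indicator for compromised Orion instances), run over a few constructed query-log lines. This is an added example, not code from the interview or from Claroty: the whitespace-separated log format (timestamp, client IP, query name, query type), the INDICATOR_DOMAINS list, and the subdomain name in the sample are assumptions made here for illustration.

```python
"""Hunt a DNS query log for lookups of a known beaconing indicator domain.

Added example, not part of the interview or of any vendor's product. It assumes
a simple whitespace-separated query log (timestamp, client IP, query name,
query type) and a hypothetical indicator list; the sample log is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Indicator domains to hunt for (hypothetical list). avsvmcloud[.]com is the
# Orion beaconing indicator named above; the defanged "[.]" is normalized.
INDICATOR_DOMAINS = ["avsvmcloud[.]com"]

# Assumed log format: "<timestamp> <client-ip> <query-name> <query-type>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s*$"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'avsvmcloud[.]com' into a real name."""
    return domain.replace("[.]", ".").strip(".").lower()


def matches_indicator(qname: str, indicators: List[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Subdomain matching is used because a beacon need not query the apex name
    (so "x.avsvmcloud.com" matches "avsvmcloud.com"), while a lookalike such
    as "notavsvmcloud.com" must not match; the leading "." enforces that.
    A trailing dot (FQDN form) is tolerated.
    """
    name = qname.rstrip(".").lower()
    for ioc in indicators:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; return None for malformed lines."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def hunt(log_lines: List[str], indicators: List[str] = INDICATOR_DOMAINS
         ) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group matching lookups by client IP.

    Returns {client_ip: [(timestamp, query_name, matched_indicator), ...]}.
    Grouping by client identifies which hosts (e.g. Orion pollers) to scope
    for rebuild rather than just counting hits.
    """
    iocs = [refang(d) for d in indicators]
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the hunt
        ioc = matches_indicator(rec["qname"], iocs)
        if ioc:
            hits[rec["client"]].append((rec["ts"], rec["qname"], ioc))
    return dict(hits)


# Constructed sample log: one host beacons via a subdomain and the apex name,
# one host queries a lookalike that must not match, one is benign traffic.
SAMPLE_LOG = """\
2020-12-14T03:12:07Z 10.20.30.40 time.windows.com A
2020-12-14T03:12:09Z 10.20.30.40 orion-poll.avsvmcloud.com A
2020-12-14T03:13:11Z 10.20.30.41 notavsvmcloud.com A
2020-12-14T03:14:02Z 10.20.30.40 avsvmcloud.com A
2020-12-14T03:15:55Z 10.20.30.42 historian.plant.local A
""".splitlines()


if __name__ == "__main__":
    for client, lookups in hunt(SAMPLE_LOG).items():
        print(f"{client}: {len(lookups)} indicator lookup(s)")
        for ts, qname, ioc in lookups:
            print(f"  {ts}  {qname}  (matched {ioc})")
```

On a real estate the same logic runs over exported resolver logs (BIND query logs, Windows DNS analytic logs, or passive-DNS captures from an OT monitoring sensor) after adapting LOG_LINE to that format; any client that resolves the indicator is a candidate for the Orion-plus-credentialed-systems rebuild described above, not merely a host to block.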