In the early days of operational technology (OT), the benefits of connecting to the internet were clear. The streamlining of processes, advancements in technology and the ability to manage industrial control systems (ICS) remotely were heralded as bringing significant benefits. However, what wasn’t fully recognised were the security issues this new way of working presented. OT was not designed with a security-first approach. It left systems with their entry points open and unprepared for attacks.
As technological advancements continue to grow, it’s essential that OT security concepts become embedded in industry. It will allow organisations to continuously monitor and control their own systems and IT environments and do everything possible to reduce the risk of cyberattack. To achieve this, there are five key phases that you can follow to improve your OT security footing.
I explore them in greater detail in this blog.
Phase one: Discovery and planning
When starting, it’s important to establish exactly which systems are involved so you can focus on these areas. It means risk can be properly quantified and prioritised based on the risk to the business.
Once the exact systems have been noted, the next step is to determine access points. Assess these networks and determine potential routes of entry. More often than not, systems are easily accessed through the internet, which is available to everyone. Ensure these connection points are clearly evaluated and, if out of date, patched and updated securely. Leaving old, unprotected legacy systems in place leaves the critical infrastructure environment even more open to attack.
A recent example of this is the cyberattack carried out on the system controlling a city’s water supply in Florida, USA. The hacker used simple remote desktop software, TeamViewer, to gain control of the system. He was able to increase the quantity of chemicals in the water supply in an attempt to poison the water. Relatively simple to carry out, this attack succeeded because of an old, unprotected system – in this case, Windows 7. There were no security processes in place, such as multi-factor authentication. This allowed the hacker to gain access quickly.
Phase two: Intelligence collection and storage
After establishing the individual networks and their respective entry points, you need to look at intelligence. Have previous security personnel or assessments highlighted any key areas for review? Has a breach ever occurred that’s uncovered a security gap?
These are all questions that need to be carefully considered before establishing the correct security processes for your organisation. If vulnerabilities have been noted, make sure they’re raised with the relevant teams and tackled. When dealing with OT security, learning from experience is key. The data you’ve gathered from your intelligence collection can be used to educate your organisation and used in phase three.
Phase three: Monitoring and detection
Once you’ve collected the data, use it to establish ongoing protocols to monitor your systems and detect any foul play. Use the information to build a case framework for your organisation. For example, if you run a water reserve, what are the different and specific entry points hackers could use?
Plot out these scenarios and run a series of exercises to understand how they work in practice. Where are the gaps? What needs to be patched or fixed? Rehearsing these will enable you to try out every variation. It ensures you’re better prepared when a cyberattack occurs. Keep a close eye on outcomes. Identify any suspicious activity flags in your monitoring and detection systems. This information can then be fed back into incident response planning. It will keep your defences up to date.
Remember, security is a process, not a product. It’s not a case of implementing one tool or piece of software to fix your problem. Every organisation’s entry points are unique, and you need to develop a process, over time, that’s suited to your needs. Use cases are important for this, as well as helping to establish a baseline for phase four.
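To make phases one and three concrete, here is an added example (not code from the original post or from NTT) that scores OT assets for the kind of exposure behind the Florida water-supply incident (end-of-life OS, remote-access software, no MFA, internet reachability) and then runs a simple monitoring use case over remote-session log lines. The asset records, log format, maintenance window and approved source range are all constructed assumptions for illustration.

```python
# Added example: phase-one prioritisation and a phase-three detection use case.
# All asset data, log lines and thresholds below are constructed for illustration.
import re
from dataclasses import dataclass

EOL_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}  # assumed EOL list


@dataclass
class Asset:
    name: str
    os: str
    internet_reachable: bool   # remote-access service exposed to the internet
    remote_access: str         # e.g. "TeamViewer", "RDP" or "none"
    mfa: bool


def asset_risk(a: Asset):
    """Score an OT asset for remediation priority; higher means fix first."""
    findings, score = [], 0
    if a.os in EOL_OS:
        findings.append(f"end-of-life OS {a.os}"); score += 3
    if a.remote_access != "none" and not a.mfa:
        findings.append(f"{a.remote_access} without MFA"); score += 3
    if a.internet_reachable:
        findings.append("remote access reachable from the internet"); score += 4
    return score, findings


# Assumed log format: "HH:MM remote_session host=<name> src=<ip> mfa=<yes|no>"
LOG_RE = re.compile(r"(\d{2}:\d{2}) remote_session host=(\S+) src=(\S+) mfa=(\w+)")


def flag_sessions(lines, maintenance_window=(8, 18), allowed_src=("10.10.0.",)):
    """Monitoring use case: remote sessions to ICS hosts that fall outside the
    maintenance window, come from a non-approved source, or lack MFA."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a remote-session event
        hhmm, host, src, mfa = m.groups()
        hour = int(hhmm[:2])
        reasons = []
        if not maintenance_window[0] <= hour < maintenance_window[1]:
            reasons.append("outside maintenance window")
        if not src.startswith(allowed_src):
            reasons.append("non-approved source")
        if mfa != "yes":
            reasons.append("no MFA")
        if reasons:
            alerts.append((host, src, reasons))
    return alerts
```

Feed the output of `asset_risk` into the phase-one backlog and the alerts from `flag_sessions` into the incident response planning described in phase four.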
Phase four: Incident response
Once you have this baseline, the next step is to establish your incident response (IR) plan. Within operational technology, IR is primarily focused on the safety and visibility of the infrastructure. The loss or extended downtime of critical devices and systems can be devastating for organisations. It is why rapid response times are paramount.
But IR is usually reactive, so how do you carry out triage? Some organisations may be unaware of their IR capabilities, and others may rely on their internal IT or security teams. A common challenge faced by internal IT teams is not having adequate time, resource or specialist skills to effectively triage IR.
It is possible to alleviate this challenge. Organisations can partner with external IR service providers. They can provide a dedicated resource able to hunt, handle the incident, decrypt malware and run analysis. During the initial response, all containment and remediation details should flow through to the intelligence teams to develop rapid detection. It allows the analysts to monitor for additional assets or threats which have not yet been identified.
Case study: Incident
NTT’s Digital Forensics and Incident Response (DFIR) team recently responded to an incident where a coal mine was subjected to a MedusaLocker ransomware attack carried out by a nation-state. The attack affected all servers, encrypting data and rendering them unusable. The team was engaged to carry out incident handling, containment and root-cause forensic analysis. The goal was to ensure the client was operational within 48 hours so that they could continue to generate and supply essential electricity.
Case study: Response
The DFIR team provided 24-hour cover during the incident. They deployed next-generation endpoint detection and response (EDR) technologies within the first hour. It gave the team visibility into the organisation’s network, with additional threat intelligence provided by NTT’s Global Threat Intelligence Center (GTIC). Using EDR, threat hunting was carried out to identify and mitigate threats and support the forensic investigation. The threats were identified and contained.
The root cause of the MedusaLocker ransomware attack was identified. It also uncovered a ‘backdoor’, which the cyber attacker had strategically placed to regain access later. Additionally, previously unknown or undetected threats were uncovered, including multiple remote access Trojans, operating across several servers. The DFIR team mitigated these.
Phase five: Metrics
So, your systems are in place, but how do you know they’re working? Continuous review is key at this stage. Running table-top exercises, assessing outcomes and feeding the results back in is essential. What are the findings? Are any updates required? Do new processes need to be established? Metrics are important for ensuring systems and controls are kept up to date.
As we move forward, it’s more important than ever for security to be at the core of the development of operational technology systems. Without this, they’re bound to fail. By working through these five key phases closely, any gaps can be quickly defined and remediated. When these gaps are made clear, what’s crucial is to react fast – don’t put off the necessary patches or updates, and consider specialist support if your internal teams can’t manage this alone.
Find out more about our OT security services here: https://hello.global.ntt/en-us/solutions/cybersecurity/secure-ot
Security is a division of NTT Ltd., a global technology services company. The Security division helps clients create a digital business that is secure by design. With unsurpassed threat intelligence, we help you to predict, detect, and respond to cyberthreats, while supporting business innovation and managing risk. Security has a global network of SOCs, seven R&D centers, over 2,000 security experts and handles hundreds of thousands of security incidents annually across six continents. Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology.
NTT Ltd. partners with organizations around the world to shape and achieve outcomes through intelligent technology solutions. For us, intelligent means data driven, connected, digital, and secure. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace, and deliver services in over 200 countries and regions. Together we enable the connected future. Visit us at our new website hello.global.ntt