Attacks on operational technology pose a greater risk to human life than information technology threats, and security prioritization should reflect that, according to new research by Gartner.
A new report by Wam Voster, senior director of research at Gartner, predicted that by 2025, attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans. Recent incidents like the ransomware attack against the Colonial Pipeline Co. and the remote tampering of the Oldsmar water supply in Florida are some examples from 2021 of how OT attacks have the potential to inflict real-world risks, as opposed to IT security, which only impacts data.
An element that has elevated the risk over the years, Voster explained, is that OT environments that were traditionally separated are no longer completely isolated and now have direct connections for businesses, original equipment manufacturers (OEMs) and other third parties.
According to the report, attacks on OT environments have evolved from immediate process disruption from threats like ransomware to a far more alarming type of attack: compromising the integrity of industrial systems.
While the future of OT attacks outlined by the report looks dim, there is a way to address the threats.
"The increase in attacks on operational technology environments causes risks to the environment and to human life. Security and risk management leaders should not worry about information theft, but about real-world hazards, and implement this OT security control framework to address these risks," Voster wrote in the report.
Gartner recommended 10 controls to safeguard the safety of operational technology systems, including well-defined roles and responsibilities, appropriate training and awareness, proper backups, an up-to-date asset inventory, collection logs and ability to implement real-time detection, a formal patching process, and establishing proper network segmentation. Additionally, the report suggests that risk managers should shift the focus from "protecting confidentiality, integrity and availability to working on implementing the security control framework."
Voster told SearchSecurity that the top takeaway from the report is that logical network segmentation is a must. Clearly segregated networks for IT and OT reduces the attack surface and years ago, they were completely separate systems. They were even air gapped, Voster said, meaning there was no physical or logical connection between the two systems. However, recently there is more and more connectivity.
"These days people in the office want to know how well my plan is doing. Am I meeting the forecast of production? What's my uptime? So, they want to actually read information out of the OT system," he said. "The other way around, you see that in OT you have sensors that can see, for example, how full the vessel is. If it is nearly empty, that might mean you have to order stuff from another vendor, and you want to do that automated so you have automated replenishment orders in your ERP system like SAP. But you have to tell SAP, 'My customer is near the end so there's more and more activity.'"
That escalated activity was also highlighted in Dragos Inc.'s Year in Review 2020 report, which determined that industrial control systems (ICS) and OT cyberthreats increased threefold. Earlier this month, the Department of Homeland Security ordered a second round of pipeline requirements after the attack on the U.S. oil pipeline. According to the announcement, operators must also "implement specific mitigation measures" to combat ransomware attacks and other IT and operational technology (OT) threats.
Voster said because of the increased connectivity, organizations can become more competitive, but it also means that they will introduce new risks to their environments. One example he cited was the International Space Station (ISS), which Voster referred to as essentially just a large OT system. While the station is 255 miles above earth, it was discovered in 2008 that the ISS' systems had be infected with a Trojan designed to seal online gaming passwords. "Why was that? Because astronauts brought the latest software with them on a USB stick," he said.
To grapple with the growing threat, traditional IT security vendors are moving into OT through a number of acquisitions. For example, in 2019 Tenable acquired OT security vendor Indegy Ltd. and Cisco purchased Sentryo. One acquisition that surprised Voster was Microsoft's 2020 addition of CyberX, Inc., an IoT and ICS security company. Voster said the market for OT security products is small, and compromises around 20 to 30 players.
"The majority of these companies are fairly young, between five and 10 years old, which is why they're attractive to take over as targets," he said.
In addition to IT vendors taking new steps in prioritizing OT and ICS defenses, OT manufacturers themselves are also improving the built-in security of their products. While Voster didn't mention specific companies, he said a majority of the OEMs are indeed making inroads.