How Threat Actors Get Into OT Systems

In the past, cyber attackers largely ignored operational technology (OT) systems, such as industrial control systems and SCADA systems, because information about these proprietary systems was difficult to obtain, and OT systems that were not connected to external networks could not easily be infiltrated.

That is no longer the case. Today, many industrial systems are connected to the corporate network, with access to the Internet, and use everything from connected sensors to big data analytics to deliver operational improvements. This convergence and integration of OT and IT has brought a growing number of cyber risks, including incidents that spread efficiently and effectively across both IT and OT.

Cyber security threats in the OT world differ from those in IT because the impact goes beyond data loss, reputational damage or erosion of customer trust. An OT cybersecurity incident can lead to production losses, equipment damage and environmental spills. Defending OT against cyber attacks therefore requires a different set of tools and strategies than those used to protect IT. Let’s look at how cyber threats commonly find their way into the protected OT environment.

2 main vectors for OT
There are two main vectors by which malware can penetrate a secured production facility in an OT environment: through the network, or through removable media and devices.

Attackers can enter an OT system by exploiting cyber assets that are reachable through firewalls across routable networks. OT networking best practices such as network segmentation, strong authentication and multiple firewalled zones help prevent such incidents.

BlackEnergy malware, used in the first recorded targeted cyberattack on a power grid, compromised an electrical company via spear-phishing emails sent to users on the IT side of the network. From there, the threat actor was able to pivot into the critical OT network and used the SCADA system to open switches in substations. This attack is reported to have left more than 200,000 people without power for six hours in winter.

While the term “sneakernet” may be new or sound awkward, it refers to the fact that devices such as USB storage and floppy disks can be used to carry information, and threats, into critical OT networks and air-gapped systems, simply by an attacker physically bringing them into the plant and connecting them to the relevant system.

USB devices continue to be a challenge, especially as organizations increasingly rely on these portable storage devices to transfer patches, collect logs and more. USB is often the only interface supported for keyboards and mice, so it cannot be disabled outright, which leaves additional USB ports enabled. As a result, there is a risk of foreign devices being inserted into the very machines we are trying to protect. Attackers have been known to plant infected USB drives in and around the facilities they are targeting. Employees will then sometimes find these compromised drives and connect them to a system because it is the only way to find out what is on them, even when the drive carries no label such as “financial results” or “changes in headcount.”

Stuxnet may be the most notorious example of malware being carried into an air-gapped system via USB. This extremely specialized and sophisticated computer worm was introduced into an air-gapped nuclear facility to alter the programming of its programmable logic controllers (PLCs). The end result was that the centrifuges spun too fast for far too long, ultimately causing physical damage to the equipment.

Now more than ever, production environments face cyber security threats from malicious USB devices capable of bypassing the air gap and other security measures to disrupt operations from within. The “2021 Honeywell Industrial Cybersecurity USB Threat Report” found that 79% of threats detected on USB devices had the potential to cause disruption in OT, including loss of view and loss of control.

The same report found that USB usage had increased 30%, and that many of these USB threats (51%) attempted to establish remote access into the protected, air-gapped facility. Honeywell reviewed anonymized data collected in 2020 from its Global Analysis Research and Defense Engine (GARD), which analyzes file-based content, validates each file, and detects malware threats transmitted via USB to or from real OT systems.

TRITON is the first recorded use of malware designed to attack the safety systems of an industrial facility. A Safety Instrumented System (SIS) is the last line of automated safety defense for industrial plants, designed to prevent equipment failures and catastrophic events such as explosions or fire. The attackers first infiltrated the IT network before moving into the OT network through systems accessible from both environments. Once in the OT network, they infected the SIS engineering workstation with the TRITON malware. The end result is that TRITON can shut down a SIS and endanger the people in a production facility.

Physical devices can also lead to cyber incidents
It is not only content-based threats that we need to keep an eye on. A mouse, a cable, or another peripheral can also be turned into a weapon against OT.

In 2019, malicious actors targeted a trusted person with access to a control network. This authorized user unknowingly swapped a genuine mouse for a weaponized one. Once it was connected to the critical network, an attacker took control of the computer from a remote location and launched ransomware.

The power plant paid the ransom; however, it did not get its files back and had to rebuild, which affected the facility for three months. It is imperative that you know where your devices come from before using them.
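The USB and weaponized-peripheral risks above (ports that cannot be disabled because keyboards and mice need them, and a “mouse” that is really a composite attack device) can be reduced with interface-class allow-listing on the host. The following is an added example, not code from the article or from Honeywell: it models the Linux USB authorization mechanism (`/sys/bus/usb/devices/<dev>/authorized`, and `bInterfaceClass` under each interface directory) and assumes the host has already enumerated the device descriptors when the policy runs; the sample devices are constructed.

```python
"""Interface-class allow-listing for USB devices on a Linux OT host.

Added example (not from the original article). Assumes the Linux sysfs
layout: /sys/bus/usb/devices/<dev>/authorized (write 0 to refuse the
device) and <dev>/<dev>:1.N/bInterfaceClass (0x03 HID, 0x08 mass storage).
"""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08
ALLOWED_CLASSES = {HID}   # keyboards and mice are the only classes that must work
MAX_INTERFACES = 1        # a plain mouse exposes one interface; composites are suspect

@dataclass
class UsbDevice:
    sysfs_name: str
    product: str
    interface_classes: list[int]   # bInterfaceClass of each enumerated interface

def policy_decision(dev: UsbDevice) -> tuple[bool, str]:
    """Return (authorize?, reason). Deny any non-HID interface, and deny a
    composite device: a 'mouse' that also enumerates a keyboard or a storage
    interface is exactly the weaponized-peripheral case."""
    bad = sorted(c for c in dev.interface_classes if c not in ALLOWED_CLASSES)
    if bad:
        return False, f"interface class(es) {[hex(c) for c in bad]} not in allow list"
    if len(dev.interface_classes) > MAX_INTERFACES:
        return False, f"composite HID device with {len(dev.interface_classes)} interfaces"
    return True, "single HID interface"

def read_device(sysdir: Path) -> UsbDevice:
    """Build a UsbDevice from a real sysfs device directory (assumed layout)."""
    classes = [int(p.read_text(), 16) for p in sorted(sysdir.glob("*/bInterfaceClass"))]
    prod = sysdir / "product"
    return UsbDevice(sysdir.name, prod.read_text().strip() if prod.exists() else "?", classes)

def enforce(dev: UsbDevice, sysfs_root: Path = Path("/sys/bus/usb/devices"),
            dry_run: bool = True) -> bool:
    """Log the decision and, unless dry_run, write it to the device's authorized flag."""
    ok, reason = policy_decision(dev)
    print(f"{dev.sysfs_name} ({dev.product}): {'ALLOW' if ok else 'DENY'} - {reason}")
    if not dry_run:
        (sysfs_root / dev.sysfs_name / "authorized").write_text("1" if ok else "0")
    return ok

# Constructed sample devices, not captured from a real host.
SAMPLES = [
    UsbDevice("1-1.2", "Optical Mouse", [HID]),
    UsbDevice("1-1.3", "Flash Drive", [MASS_STORAGE]),
    UsbDevice("1-1.4", "Optical Mouse", [HID, HID, MASS_STORAGE]),  # mouse + keyboard + storage
]

if __name__ == "__main__":
    for d in SAMPLES:
        enforce(d)
```

On a real host the same decision would be taken from a udev hook over `read_device(...)`, with `dry_run=False`; keep `dry_run=True` while validating the allow list so a legitimate peripheral is never refused by mistake.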

3 steps to overcome cyber threats
Cyber threats are constantly evolving. First, set a regular time to review your cybersecurity strategy, policies and tools so that you stay on top of these threats. Second, USB-borne threats are increasing, so it is important to assess the risk to your OT operations and the effectiveness of your current security measures for USB devices, ports and their controls.

Last but not least, a defense-in-depth strategy is recommended. This strategy should lay out the OT cyber security tools and policies that give your organization the best chance of staying safe from ever-evolving cyber threats.

