Jennifer Minella is an Advisory CISO and security architect for Carolina Advanced Digital, an enterprise network security company.
In the past 18 months, millions of people across the globe have been impacted by attacks on companies providing critical services to our communities. The focus on OT segmentation keeps failing — and here’s why.
According to a report by Dragos, industry specialists find that as many as 90% of OT environments have poor security perimeters. That number is even more shocking given that most of the data sources are findings from vendors providing industry-leading OT security services. If the OT security experts can’t convince these organizations to do a better job, what chance do we have?
To add insult to injury, that metric doesn’t even reflect counts of external connections into OT networks — a number that doubled from 2020 to 2021, according to Dragos.
If the past few years have taught us something, it’s that our most critical systems can be crippled or fully disabled without even touching the OT network. Think back to the 2017 attack on Danish shipping company Maersk. The largest shipping company in the world, Maersk, was the victim of the exceptionally destructive NotPetya malware. In just seven minutes, NotPetya ripped through the network, destroying 49,000 laptops, over half of its 6,500 servers and thousands of applications, even rendering phones inoperable. Maersk was able to rebuild the entire infrastructure in just 10 days, but the damage impacted operations at 76 ports across the world and carried a hefty remediation cost of $300 million. No OT systems were touched.
Then, in 2021, the largest and most widespread attack on critical infrastructure in the U.S. occurred, causing the Colonial Pipeline to shut down operations for the first time in its 57-year history. The ransomware attack was traced back to a single password that allowed attackers to access the IT network through a legacy VPN account not protected with multifactor authentication. One compromised password led to gas shortages in more than seven states — including here in North Carolina, where 70% of pumps were without fuel — and created a domino effect that forced airlines to scramble for fuel. In addition, anxiety grew in our communities as shipments of food and resources dried up. Colonial paid $4.4 million in ransom, about half of which was recovered by a U.S. Department of Justice task force. Again, no OT systems were touched, but the pipeline was inoperable while its IT billing systems were offline.
That same year, Brazil-based meat processor JBS met a similar fate when an IT system compromise impacted operations in three countries and affected the global meat supply. JBS, the world’s largest meat supplier, had to shut down operations. Just as with the prior two examples, no OT systems were touched.
There are two morals to the story. First, we have to acknowledge that our IT systems are, in many ways, both as critical and as fragile as our OT networks. Focusing attention on OT alone won’t prevent catastrophic and widespread events.
Until recently, ransomware and data breaches have been (at most) a minor inconvenience to the general public — a headline for a day or two and a blip on the radar. However, those three attacks demonstrated to the world that millions of people’s daily lives could be completely disrupted in a matter of minutes.
The Target attack in 2013 may have impacted 40 million consumers, but it was a “paper” attack. When the global shipping and supply chain is disrupted, it impacts communities in palpable ways. Mom knows when her kids can’t go to school because the buses have no gas. The local restaurant owner becomes nervous as she watches the price of meat double. Grocery clerks and nurses have mounting anxiety when they realize there’s no gas at any pump within a 300-mile radius. It’s a scary, sickening feeling — one very different from the letter saying your credit card may have been compromised.
Second, segmentation is a critical strategy for securing vulnerable OT systems, and we’re still failing here. Appropriate segmentation for OT networks looks nothing like best practices in traditional IT. Not only segmentation but asset inventory and security monitoring methods for OT stand in stark contrast to what’s reasonable in enterprise IT. There are only a handful of accepted segmentation mechanisms for OT networks. While many organizations claim airgap as a strategy, the harsh reality is that virtually no OT networks are air-gapped from their IT counterparts and/or the internet.
In fact, according to Dragos, over 90% of environments had some mechanism for remote access. Over 60% had four or more remote access methods allowed into OT, and in 20%, seven or more. About one-third had persistent remote access, and over 40% of the remote traffic volume was remote desktop protocol (RDP). There are many valid remote access use cases, including vendor and operator access, but these entry points need to be known, monitored and secured appropriately. Most operators in OT environments aren’t experienced or trained in IT, and most CIOs and IT administrators are clueless as to the requirements of OT networks.
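The two preceding paragraphs argue that every remote access path into OT must be known, monitored and secured, and that a single unprotected legacy VPN account was enough to take down Colonial Pipeline. The script below is an added example written for this page; it is not from the author, from Dragos or from any product. It audits a small, constructed inventory of entry points against a set of assumed policy rules (multifactor authentication on every path, no persistent connections, no direct RDP or VNC into OT assets, every path documented, a cap on the number of methods per site) and then computes fleet-wide metrics shaped like the ones quoted above. The site names, path names, field names and policy thresholds are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RemoteAccessPath:
    """One way into the OT network. Field names are this example's own."""
    name: str
    protocol: str      # "vpn", "rdp", "vnc", "jump-host", ...
    owner: str         # accountable party: "operator", "vendor-acme", ...
    mfa: bool          # multifactor authentication enforced on this path
    persistent: bool   # always-on link rather than a time-boxed session
    documented: bool   # listed in the approved entry-point inventory


# Protocols that should never terminate directly on OT assets; they belong
# behind a brokered, recorded jump host. Assumed policy, not from the article.
DIRECT_DESKTOP_PROTOCOLS = {"rdp", "vnc"}


def audit_path(path: RemoteAccessPath) -> List[str]:
    """Return the policy findings for one entry point (empty list means clean)."""
    findings = []
    if not path.documented:
        findings.append("entry point not in the approved inventory")
    if not path.mfa:
        findings.append("no multifactor authentication")
    if path.persistent:
        findings.append("persistent connection; require time-boxed, logged sessions")
    if path.protocol in DIRECT_DESKTOP_PROTOCOLS:
        findings.append(f"direct {path.protocol} into OT; broker it through a monitored jump host")
    return findings


def audit_site(paths: List[RemoteAccessPath], max_methods: int = 3) -> Dict[str, List[str]]:
    """Audit every path at one site, then apply site-wide checks under the key "_site"."""
    report = {p.name: audit_path(p) for p in paths}
    report = {name: f for name, f in report.items() if f}   # keep only paths with findings
    site_findings = []
    if len(paths) > max_methods:
        site_findings.append(f"{len(paths)} remote access methods, policy allows {max_methods}")
    if site_findings:
        report["_site"] = site_findings
    return report


def summarize(sites: Dict[str, List[RemoteAccessPath]]) -> Dict[str, float]:
    """Fleet-wide percentages in the spirit of the report figures quoted above."""
    n = len(sites)
    with_remote = sum(1 for p in sites.values() if p)
    four_plus = sum(1 for p in sites.values() if len(p) >= 4)
    persistent = sum(1 for p in sites.values() if any(x.persistent for x in p))
    no_mfa = sum(1 for p in sites.values() if any(not x.mfa for x in p))
    return {
        "sites": float(n),
        "pct_with_remote_access": 100.0 * with_remote / n,
        "pct_four_or_more_methods": 100.0 * four_plus / n,
        "pct_persistent_access": 100.0 * persistent / n,
        "pct_any_path_without_mfa": 100.0 * no_mfa / n,
    }


# Constructed inventory for two fictional sites (not real data).
INVENTORY = {
    "plant-north": [
        RemoteAccessPath("corp-vpn", "vpn", "operator", mfa=True, persistent=False, documented=True),
        RemoteAccessPath("legacy-vpn", "vpn", "operator", mfa=False, persistent=False, documented=True),
        RemoteAccessPath("vendor-rdp", "rdp", "vendor-acme", mfa=False, persistent=True, documented=False),
        RemoteAccessPath("hmi-vnc", "vnc", "operator", mfa=False, persistent=True, documented=True),
    ],
    "plant-south": [
        RemoteAccessPath("jump-host", "jump-host", "operator", mfa=True, persistent=False, documented=True),
        RemoteAccessPath("vendor-vpn", "vpn", "vendor-acme", mfa=True, persistent=True, documented=True),
    ],
}

if __name__ == "__main__":
    for site, paths in INVENTORY.items():
        print(site, audit_site(paths))
    print(summarize(INVENTORY))
```

In the constructed data, "plant-north" mirrors the pattern the article describes: a forgotten legacy VPN with no MFA, an undocumented vendor RDP session that is always on, and more methods than policy allows. The point of keeping the rules in one small function is that the same check can run against a real inventory export, so an entry point that nobody wrote down shows up as a finding instead of staying invisible until it is used against you.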
The regulations aren’t (yet) much help in this matter. The most recent guidance for ICS security cites numerous unreasonable requirements, including simply replacing all legacy systems, enabling encryption and removing vendor remote access. It all sounds great on paper, especially to an IT security professional, but it isn’t reasonable or even possible in many OT environments.
What’s the solution? Organizations with OT assets (of which there are many) will need to not just stay up to speed with regulations but stay in front of them with industry best practices for segmenting, monitoring and securing both OT and IT.
For the most part, the IT and OT environments, people and applications should be separate. However, when it comes to a holistic security strategy, leaders will be well-served to “desegment” when it comes to threat modeling and cross-training of personnel. Despite our propensity for segmentation, OT is reliant on IT — if not directly, certainly indirectly — and that trend will continue with IT-OT convergence to facilitate digital transformation projects.