On 21 March, teissTalk host Tom Langford was joined by Syed Ubaid Ali Jafri, Head of Cyber Defence & Offensive Security, HBL - Habib Bank Limited; Giles Dunn, Partner & OT Cyber Security leader, EY; Amir Preminger, VP Research, Claroty; and Max Higginson, Cyber Security Manager (ICS/OT), Dominos UK.
Views on news
The Colonial Pipeline ransomware infection has become a cautionary tale about how taking down critical infrastructure causes real-world pain: fuel shortages led to long queues and fistfights at gas stations. Groups have in the past added the ability to kill OT processes to their arsenal; the best-known example is EKANS, a ransomware variant that forcibly stops a hard-coded list of industrial control system (ICS) processes before encrypting. The most common attack vectors into OT remain old equipment, insecure protocols and outdated Windows boxes.
What differs between defending OT systems and defending, say, a bank's IT is the inability to update: OT vendors often do not allow their hardware to be touched without permission, on pain of voiding the warranty. Embedded devices also frequently speak insecure protocols; the Unitronics PLC compromised at a water pumping station in Pennsylvania is a case in point. Building management systems (BMSs) are another common entry point. It takes only one contractor with their own VPN or an unsanctioned DSL line to create an exposure. And vendors do not release patches at a cadence that matches the vulnerability remediation life cycle, which they can afford not to do because they carry no liability.
A changing landscape of device manufacturer liability
That is likely to shift soon: attitudes to OEM responsibility have changed noticeably in the past 12-18 months. Cyber criminals increasingly target OT systems, because victims whose production lines are down are more likely to pay a ransom to get them running again as quickly as possible. For manufacturers of medical equipment and other critical infrastructure equipment, liability is already much less of an open question, and the Windows-based systems inside those products fall under that accountability too.
In line with this trend, cyber security auditors are increasingly asked not just to do a site assessment but to analyse products in depth. A further complication is the many niche environments in this space that do not run standard operating systems. And attackers are not limited to traditional methods: they can simply reflash a device's firmware, rendering it, and the whole system that depends on it, unusable.
The litmus test of a good architecture is whether it can cope with two recurring risks. The first is fail-open remote access: external engineers are given access to fix a problem remotely, and that access stays open long after the job is done. The second is the Sunday-night change window, when getting the production line ready for Monday trumps every other consideration, security included. The wave of remote-access backdoors opened during Covid may have security implications for years after the pandemic. CCTV is another recent source of risk, and it raises the question of whether a camera installer's 4G router belongs on site at all when the system could run over the enterprise network you already control.
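The fail-open pattern above is easy to describe and easy to miss in practice, because the firewall rule or VPN account that let the engineer in is still "working". The following is an added example, not code from the panel or any of the organisations named on this page: a small audit that joins a list of vendor remote-access grants (a constructed sample, assumed to have been exported from a firewall or VPN concentrator and enriched with change-ticket data) against the change window and flags access that should have been closed. Field names such as `rule_id`, `ticket_closed` and `last_seen` are assumptions for the sake of the example.

```python
from datetime import datetime, timedelta

# Constructed sample of vendor remote-access grants. Not real data: the rule
# IDs, vendors and ticket numbers are invented for this example.
GRANTS = [
    {   # Change ticket closed weeks ago, access still enabled: classic fail-open
        "rule_id": "FW-1041", "vendor": "PumpCo",
        "opened": "2024-03-01T20:00:00+00:00", "ticket": "CHG-2217",
        "ticket_closed": "2024-03-02T03:00:00+00:00",
        "last_seen": "2024-03-02T02:40:00+00:00", "enabled": True,
    },
    {   # No change ticket at all: nobody knows why this access exists
        "rule_id": "FW-1042", "vendor": "HVAC Ltd",
        "opened": "2024-03-10T09:00:00+00:00", "ticket": None,
        "ticket_closed": None,
        "last_seen": "2024-03-20T11:00:00+00:00", "enabled": True,
    },
    {   # Ticket still open from a Sunday-night window, but nobody has used it for over a week
        "rule_id": "FW-1043", "vendor": "PLC vendor",
        "opened": "2024-03-17T22:00:00+00:00", "ticket": "CHG-2290",
        "ticket_closed": None,
        "last_seen": "2024-03-17T23:30:00+00:00", "enabled": True,
    },
    {   # Closed properly: rule disabled when the ticket was closed
        "rule_id": "FW-1044", "vendor": "PumpCo",
        "opened": "2024-03-23T20:00:00+00:00", "ticket": "CHG-2298",
        "ticket_closed": "2024-03-24T06:00:00+00:00",
        "last_seen": "2024-03-24T05:10:00+00:00", "enabled": False,
    },
    {   # Active change in progress: ticket open, access used recently
        "rule_id": "FW-1045", "vendor": "HVAC Ltd",
        "opened": "2024-03-24T20:00:00+00:00", "ticket": "CHG-2301",
        "ticket_closed": None,
        "last_seen": "2024-03-25T07:00:00+00:00", "enabled": True,
    },
]

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc)
NOW = datetime.fromisoformat("2024-03-25T12:00:00+00:00")


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def audit_vendor_access(grants, now, grace=timedelta(days=1), max_idle=timedelta(days=7)):
    """Return {rule_id: reason} for enabled grants that should have been closed.

    fail-open : the change ticket is closed but the rule is still enabled past the grace period
    untracked : the rule has no change ticket, so there is no window to close it against
    idle      : the ticket is still open but the access has not been used for longer than max_idle
    """
    findings = {}
    for g in grants:
        if not g["enabled"]:
            continue  # already closed, nothing to flag
        closed = _ts(g.get("ticket_closed"))
        # If the access has never been used, measure idleness from when it was opened
        last_seen = _ts(g.get("last_seen")) or _ts(g["opened"])
        if g.get("ticket") is None:
            findings[g["rule_id"]] = "untracked"
        elif closed is not None and now > closed + grace:
            findings[g["rule_id"]] = "fail-open"
        elif closed is None and now - last_seen > max_idle:
            findings[g["rule_id"]] = "idle"
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_vendor_access(GRANTS, NOW).items():
        vendor = next(g["vendor"] for g in GRANTS if g["rule_id"] == rule_id)
        print(f"{rule_id} ({vendor}): {reason}")
```

The grace period and idle threshold are policy choices: a one-day grace after ticket closure tolerates the engineer who closes the ticket before the last check, while an idle threshold of a week catches the Sunday-night change whose ticket nobody remembered to close. The same join works against VPN account lists or jump-host users if those are where vendor access actually lives.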
NIS2 could be a GDPR moment for the OT environment. It is not about proving a business's own cyber security readiness so much as proving that it is a fit and healthy link in the supply chain. Under NIS2, when you buy a piece of equipment you will have to know what it is, what is inside it, and whether it is fit for purpose for your cyber security programme.
It makes the business responsible for every asset it owns or has in its ecosystem. Controversially, knowing about those assets will not necessarily mean you can do anything about them. Nevertheless, from NIS2's entry into force onwards you will need to account for third-party assets when planning incident response or when hit by ransomware. Companies will need to create sector-specific risk assessments and incident response plans that reflect the cyber risk that dominates their own space; in manufacturing, for example, LockBit ransomware is the biggest threat.
The panel’s advice
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543