Blog post written by Tim Ingalls, Project Engineer, CompTIA Security+ certified professional
NSA and CISA released an advisory July 23, 2020 recommending immediate actions be taken to reduce exposure of OT systems to the internet. As the previous months have forced the workforce to operate remotely when possible, there has been an increase in exposure of devices to the internet that are not hardened against cybersecurity threats. As the OT devices become vulnerable, the corporate IT systems become vulnerable. Now more than ever, we strongly recommend a review of your IT/OT infrastructure’s exposure – not just to the internet, but to the corporate network as well.
How vulnerable are you?
The advisory details the increase in cyber activity targeting operational technology assets. Affected devices include internet-accessible PLCs and unsecured or unpatched Windows-based control systems. Threats include using these systems to deploy ransomware and using the OT system as a foothold to reach corporate IT systems. Attackers may also gain the ability to modify the control logic parameters on PLCs.
Remote work was trending before the pandemic, and now for many businesses it is a necessity. Many businesses needed to quickly support remote work for employees who didn’t have that ability before. The OT network is no longer an island. Until recently, the OT network was often its own little world, unconnected to any sort of outside network, such as corporate IT or the internet. Now it’s become more connected: devices on the OT network have become accessible from corporate computers, allowing engineers to just “remote in” and check things. Some facilities even have their OT and IT devices on the same network. These conveniences attract exploitation.
Working remotely means engineers could possibly allow access to a control system without proper security. An employee might make a spot decision to connect an isolated workstation to the corporate network, enable remote desktop connections, or use third-party remote access software such as TeamViewer. These choices can open the entire network to vulnerabilities – and it’s much more common than you may think.
An attack on the OT systems can result in the loss of product, possible damage to equipment, and access to IT systems through the OT systems. The damage is potentially catastrophic. The 2015 cyberattack on Ukraine’s power grid serves as an example of how something as simple as logging in remotely without two-factor authentication can have dire consequences for your business and your clients.
What can you do?
Step one: know what devices are on your network. This includes company-provided devices as well as personal devices that may also be connected.
Step two: remove all internet access from OT devices. Institute a secure connection or relay device for the users to get to those devices remotely.
Companies like Superior Controls can assist IT and automation engineers with risk assessment and a plan to fix these security vulnerabilities. This kind of problem is one that needs to be solved quickly. The longer the project takes, the more exposure companies have. If your team cannot self-perform quickly, consider bringing in an integrator to help with the risk assessment and mitigation plan.
Remember that cybersecurity concerns go beyond the internet. With more facilities performing maintenance of OT network devices remotely from home, there is an opportunity for exploitation of these devices. Shut down any nonsecure access to OT devices.
Other things to remember:
- Convenience vs security – this is an ongoing battle in companies. The companies themselves will need to decide how much risk to take on. Being able to access desktops and devices remotely may be very beneficial, but it introduces major vulnerabilities. A device locked in a room with nothing but a power cord is very secure, but it’s rather inconvenient to use. Get your IT team and your operations team talking to find a balance that works for you.
- IT vs engineering and collaboration – this is another ongoing battle between IT and engineering teams. IT groups may believe that all of the Windows systems fall into their purview and want to patch on their schedule. Engineering teams are all about production uptime; patching and rebooting the systems is not an option for them. It’s possible to achieve a happy medium if the groups can collaborate. The time it takes to implement critical security updates is nothing compared to what facilities will have on their hands after a security breach.
- Accidental IT/OT network convergence – Unplanned expansion can lead to organizations having all of their OT and IT devices on the same unmanaged network, or having critical systems spanning the OT and IT networks. This leaves them open to multiple vulnerabilities and can threaten systems on both sides.