Critical infrastructure shutdowns can be deadly. In December 2020, climate activists attacked and damaged an exposed pipeline in Aspen, CO, disrupting natural gas heat for over 3,500 customer homes and businesses. Less than two months later, the winter storm Uri set records for low temperatures across the country, including for those homes and businesses affected by the pipeline attack.
Fast forward to 2023. Ransomware shutdowns and payouts are so common that Microsoft's Digital Defense Report (MDDR) places manufacturing at the top of its breached-industry list. It's not just large industrial complexes that are affected, though: the MDDR also reports that 70% of organizations encountering human-operated ransomware had fewer than 500 employees.
Many businesses with operational technology (OT) are vulnerable to single-point-of-failure attacks like the one on the Aspen utilities provider, because placement and access (physical or otherwise) are all an attacker needs. Much of the OT industry is migrating, if not already migrated, from analog to digital components. OT systems are built to function without interruption, not designed with an attacker in mind. That makes them a high-reward, low-risk target for threat actors.
So what do OT security teams need to protect against IoT vulnerabilities and agile threat actors?
1: Curated, accurate log data
Security teams need goldilocks access to log data: not reams of alert designations, and not a no-code solution pulling numbers security teams can't rationalize to leadership. Most vendors ask OT customers to pay extra for audit data and access, minimizing the chances that OT SecOps will improve past the compliance checkbox needed to keep operations going. No-code software only improves SecOps if security teams have access to the backend of the SIEM, XDR, or EASM solution. The just-right solution provides security teams with data from multiple sources without extra payment and allows custom detection engineering to test and retest that security controls are flagging what they should be flagging.
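The "test and retest" loop above is the part most OT teams skip. The following added example (written for this edit, not code from the article or from Ascent) shows the shape of it: a single detection rule over protocol-gateway logs, plus a labelled regression corpus that is replayed every time the rule, the allowlist or the log format changes. The log lines, gateway name, IP addresses and engineering-workstation allowlist are all constructed sample data; the Modbus write function codes are the standard ones.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines from a hypothetical Modbus/TCP protocol gateway
# (syslog-like key=value format). These are not from the article or any real site.
SAMPLE_LOGS = """\
2024-03-04T02:13:07Z gw01 modbus src=10.20.5.17 dst=10.20.1.8 fc=3 unit=1 status=ok
2024-03-04T02:13:09Z gw01 modbus src=10.20.5.17 dst=10.20.1.8 fc=16 unit=1 status=ok
2024-03-04T02:14:40Z gw01 modbus src=10.20.9.44 dst=10.20.1.8 fc=6 unit=1 status=ok
2024-03-04T02:15:02Z gw01 modbus src=10.20.9.44 dst=10.20.1.9 fc=4 unit=2 status=ok
2024-03-04T02:15:30Z gw01 modbus src=10.20.5.17 dst=10.20.1.9 fc=15 unit=2 status=err
"""

# Assumed allowlist: engineering workstations that are permitted to write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.20.5.17"}

# Modbus function codes that change controller state: 5 (write single coil),
# 6 (write single register), 15 (write multiple coils), 16 (write multiple registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) modbus src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"fc=(?P<fc>\d+) unit=(?P<unit>\d+) status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    fc: int


def parse_line(line):
    """Parse one gateway line into a dict, or return None if it is not a Modbus event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["fc"] = int(ev["fc"])
    ev["unit"] = int(ev["unit"])
    return ev


def detect_unauthorized_writes(lines):
    """Alert on any Modbus write request whose source is not an engineering workstation."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a Modbus event; a production pipeline would count these separately
        if ev["fc"] in MODBUS_WRITE_FCS and ev["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(ev["ts"], ev["src"], ev["dst"], ev["fc"]))
    return alerts


# Labelled regression corpus: (log line, should the rule fire?). Re-run it whenever the
# rule, the allowlist or the gateway's log format changes.
DETECTION_TEST_CASES = [
    ("2024-03-04T02:13:09Z gw01 modbus src=10.20.5.17 dst=10.20.1.8 fc=16 unit=1 status=ok", False),
    ("2024-03-04T02:14:40Z gw01 modbus src=10.20.9.44 dst=10.20.1.8 fc=6 unit=1 status=ok", True),
    ("2024-03-04T02:15:02Z gw01 modbus src=10.20.9.44 dst=10.20.1.9 fc=4 unit=2 status=ok", False),
    ("2024-03-04T02:16:11Z gw01 modbus src=10.20.9.44 dst=10.20.1.9 fc=5 unit=2 status=ok", True),
    ("2024-03-04T02:16:12Z gw01 dnp3 src=10.20.9.44 dst=10.20.1.9 fc=5 status=ok", False),
]


def run_detection_tests(cases=DETECTION_TEST_CASES):
    """Return the cases where the rule's verdict differs from the label (empty list == pass)."""
    failures = []
    for line, expected in cases:
        fired = bool(detect_unauthorized_writes([line]))
        if fired != expected:
            failures.append((line, expected, fired))
    return failures


if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {alert.ts} unauthorized Modbus write fc={alert.fc} {alert.src} -> {alert.dst}")
    print("regression failures:", run_detection_tests())
```

The point of `DETECTION_TEST_CASES` is that a vendor firmware update that changes the gateway's log format silently breaks the rule; the fifth case (a non-Modbus line) and the known-bad cases catch that on the next run instead of at the next incident.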
2: Visibility + access to vendor technology
As mentioned above, cybersecurity vendors should provide visibility into network configuration. OT security teams face two barriers: cybersecurity vendors and OT vendors. There has been a lack of protocol standards in OT for a very long time. OT vendors create their own protocols and specific guidelines for what security practitioners can and cannot see, in order to protect proprietary product design from theft.
Any changes made to the OT infrastructure or system connectivity may violate agreements between customer and vendor. But for true defenders, how can you protect what you cannot see? Securing equipment directly tied to a business's revenue is difficult. Thankfully, many vendors are slowly changing their policies, applying common standards and embracing cybersecurity for the digital age. If rigid vendor guidelines apply or cloud migration isn't possible for your OT environment, we'd recommend continuous vulnerability monitoring to catch new CVEs and available patches.
3: Threat risk awareness and the path to mitigation
Threat actor capability and intent provide vital color to vulnerability reporting. One utilities company noticed a persistent, growing botnet campaign filling its email servers with phish. Without CTI context, it looked as if international APTs were throwing darts at a map blindfolded and attacking whatever company they happened to hit. But the security team did some digging. The utility's HQ was in close proximity to national defense capabilities. If the international APT achieved placement and access through the energy provider, it would possess highly lucrative IP and leverage.
61% of respondents to the 2023 SANS ICS/OT Survey reported using OSINT methods to prioritize the threats most likely to target their OT environment. That's an encouraging statistic, but open-source intelligence often isn't enough. Ascent's SOC includes a threat intelligence team that prioritizes client risk against MITRE ATT&CK data.
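Prioritizing client risk against ATT&CK data in practice means intersecting three things: the techniques a tracked actor actually uses, the exposures each asset actually has, and the controls already mapped to those techniques. The added example below (written for this edit, not Ascent's tooling or the SANS survey's method) does that intersection for a constructed actor profile and asset inventory. The ATT&CK for ICS technique IDs and names are recorded from memory and should be checked against the current MITRE matrix; the weights, asset names, exposure labels and control mappings are all assumptions.

```python
# ATT&CK for ICS technique IDs below are assumptions recorded from memory; check them
# against the current MITRE matrix before using this in a real prioritization exercise.
# The actor profile, assets, weights and control mappings are all constructed sample data.

ACTOR_PROFILE = {
    # technique id: (name, exposure the asset must have for the technique to apply, weight)
    "T0865": ("Spearphishing Attachment", "email_users", 3),
    "T0883": ("Internet Accessible Device", "internet_facing", 5),
    "T0886": ("Remote Services", "remote_access", 4),
    "T0855": ("Unauthorized Command Message", "modbus_reachable", 5),
}

ASSETS = [
    {"id": "hmi-01", "exposures": {"email_users", "remote_access"}, "controls": {"T0865"}},
    {"id": "plc-07", "exposures": {"modbus_reachable"}, "controls": set()},
    {"id": "vpn-gw", "exposures": {"internet_facing", "remote_access"}, "controls": {"T0883", "T0886"}},
    {"id": "hist-db", "exposures": set(), "controls": set()},
]


def applicable_techniques(asset, actor=ACTOR_PROFILE):
    """Techniques in the actor's playbook whose precondition this asset actually exposes."""
    return {tid for tid, (_, needs, _) in actor.items() if needs in asset["exposures"]}


def coverage_gaps(asset, actor=ACTOR_PROFILE):
    """Applicable techniques for which the asset has no mapped control, heaviest first."""
    gaps = applicable_techniques(asset, actor) - asset["controls"]
    return sorted(gaps, key=lambda tid: (-actor[tid][2], tid))


def prioritize(assets=ASSETS, actor=ACTOR_PROFILE):
    """Rank assets by the summed weight of uncovered, applicable techniques (highest first)."""
    ranked = []
    for asset in assets:
        gaps = coverage_gaps(asset, actor)
        score = sum(actor[tid][2] for tid in gaps)
        ranked.append({"id": asset["id"], "score": score, "gaps": gaps})
    ranked.sort(key=lambda r: -r["score"])  # stable sort: ties keep inventory order
    return ranked


if __name__ == "__main__":
    for row in prioritize():
        names = ", ".join(f"{tid} {ACTOR_PROFILE[tid][0]}" for tid in row["gaps"]) or "none"
        print(f"{row['id']:8} score={row['score']:2}  gaps: {names}")
```

The output is a list of assets with their uncovered techniques rather than a raw CVE count, which is what the article means by intent and capability giving "color" to the vulnerability report: the PLC with no control against unauthorized command messages outranks the patched internet-facing VPN gateway even though the gateway has far more exposure on paper.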
4: Technical control testing
Threat intelligence should support internal monitoring, but it can't replace security controls. The SANS ICS/OT Survey reported that only 52% of respondents have incident response plans.
Because ICS and OT environment breaches have a ripple effect, government regulatory bodies like the TSA and the DOE create hurdles for security teams working to secure hybrid environments. Take those regulatory requirements and plan how your security team should respond to a breach and how company leadership should report on it and respond to public attention. For technical practitioners without the bandwidth to defend multiple physical and digital OT assets, outsource to a team that can. Creating an incident response plan and performing yearly, targeted pen tests against system updates and security controls will reduce your organization's breach risk.
Modern SecOps and OT Security
At Ascent Solutions, our team embraces Modern Security Operations in all aspects of protecting our customers so they can focus on what matters most to their business. If you’re interested in partnering with Ascent’s SOC team to secure your OT or IoT environment, reach out to email@example.com.