By Gregory Hale
With connectivity and interconnectivity on the rise, manufacturers need to understand there are solutions out there to ward off the bad guys and they don’t have to be too complicated.
“It is not always rocket science, sometimes the solutions are pretty basic,” said Dave Weinstein, vice president of threat research at network visibility provider, Claroty, during a talk entitled, “Tales from the Field: Dissecting Recent ICS Network Assessments,” last week at the ICSJWG Fall 2018 conference in Cincinnati, OH, “(Users must) accept the reality your organization has OT networks adversaries want.”
Growth in network interest from an attacker perspective started just over 10 years ago.
“2007 was an inflection point with a massive uptick in interconnectivity, Weinstein said.
He said the most common ICS-OT risks are:
• Inherently vulnerable: Flat networks that have weak authentication, no encryption, insecure ICS protocols, problems with patch management, aging infrastructure
• Increasingly connected: Vendor remote access, visibility from the shop floor to the top floor, data analytics, supply chain
• Lacking collaboration: Shop floor vs. IT security mentality, no common IT/OT view, governance gaps and conflicts
• Insufficient visibility: No visibility across ICS networks, undetected network configuration issues, limited monitoring or threat hunting
Moving forward to the present, Weinstein said connectivity is continuing to increase between IT and OT.
The issue that still remains, and did cause some conflict between the two organizations, was IT and OT were designed with different missions in mind.
But any kind of schism that existed or even remains, has to be put aside because of the connected nature of the networks, too much is at stake – and attackers know it.
“There are now plummeting barriers to entry for threat actors,” Weinstein said. “Back in 2007, it had to be highly funded nation states. While that is still true, it is easier today to plan and execute ICS attacks.”
Plus, he said, there is an expanding attack surface with the Industrial Internet of Things (IIoT) that compounds with the increased interconnectivity between devices.
Right now, he said, “there is a very active threat landscape.”
He pointed out five observations he has seen from the ICS environment:
1. Unpatched vulnerabilities: On average, Weinstein said 5 to 10 percent of assets have unpatched vulnerabilities; most vulnerabilities relate to OT devices like PLCs. Operators are aware of most vulnerabilities, but are unwilling to risk downtime from patching.
2. External communications are usually engineering workstations and PLCs. They are using multiple protocols, often the result of misconfigurations, and commonly impersonated by hackers.
3. Insecure protocols are often used by engineering workstations and PLCs. Some of the protocols abused by attackers are Telnet, SNMP, LanMan, Net Bios, SMTP, SMB, FTP, plus the use of plain text data.
4. Abnormal write operations are mostly HMIs unnecessarily writing to PLCs, baseline details reveal unnecessary data acquisition communications.
5. Open ports: Not unusual for over half of assets to have open ports.
One key piece to all of this is understanding the baseline, he said. Once any organization understands the baseline to the network, it can become easier to interpret how everything should be.
While pointing out the issues is one thing, Weinstein also went on to offer some ecommendations and best practices.
While he did mention sometimes security solutions can end up being basic and you don’t need all the bells and whistles, it is pretty obvious the manufacturing automation sector is under the bad guys’ microscope.
That is why, he said, users need to “assign accountability for monitoring and continuously assessing risk. In addition, they need to acknowledge blind spots and orient defensive posture to identify and harden them.”
In addition, Weinstein said users should “make networks visible and prioritize network segmentation, expand the governance model to include ICS/OT and educate operators, executives and the board.”