By Chet Namboodri
A small 20-person rock crushing operation suffered a cyberattack that shut operations down for the day. One of the company’s conveyor belt control systems was unable to sense whether it was on or off, so the belt kept moving. Product continued to roll in, resulting in over $100,000 in damages and an unplanned shutdown.
Whatever size operation you have, malware and attacks that impact cyber-physical systems can be harmful to finances and safety alike.
“As we think about security, regardless of the size of the environment, it usually starts with, ‘Hey, give me something that’s transparent,’ ” said Rick Peters, operational technology global enablement director at Fortinet.
“No one’s looking to take on load or latency in their environments,” Peters said. “So, they need a security system that runs in parallel, that’s very transparent and provides them with the intelligence and insight they need. They need some level of control so that if something starts to happen, they can contain the problem and keep the environment associated with the primary function clean.”
In the past, physical security and cybersecurity were different domains, addressed by different professionals using very different tools. But as energy, manufacturing and other critical infrastructure sectors move toward digitally connected environments, the security relationship between physical and cyber is tightening. These days physical assets are Internet-enabled, requiring operational technology (OT) leaders to lock down all kinds of physical assets so they do not become entry points for a breach.
“You hear the term convergence thrown around an awful lot, or digital transformation which is purposeful change driven by executives seeking operational efficiency. However, there’s a consequence of doing such things. For example, there are vulnerabilities associated with legacy technology. So OT creates its own cyber-physical burden. Today, you need to protect the cyber-physical.”
Attack Surface Multiplies
In the era of the Industrial Internet of Things (IIoT), devices not traditionally connected to the Internet are now all plugged in and capable of communicating. This includes CCTV cameras, door locks and card readers – along with industrial automation and control systems (IACS) – just to name a few.
“This goes beyond the traditional enterprise of OT,” Peters said. “If you’re focusing on operational technology or critical infrastructure, you’ve been fortunate in that it’s reflective of a well understood infrastructure framework based on the Purdue model. Now we’ve gone way beyond that, and the expanded attack surface is a very legitimate concern. How do you know that the devices with video or audio capabilities that provide access to your business or home are properly controlled and not being used to someone else’s benefit, like a competitor or hacker?”
One well-known, classic cyber-physical attack involved the 2016 Mirai botnet, which took advantage of insecure IoT devices. Its developers scanned large blocks of the Internet for open Telnet ports and then attempted to log in using common default username/password combinations for those devices. As a result, the botnet developers were able to compromise a huge collection of closed-circuit TV cameras and routers.
“The Mirai attack is a perfect example of the vulnerabilities of OT and IoT devices. Manufacturing enterprises can be exposed through IoT elements that haven’t been considered security risks before,” Peters said. “Manufacturers have to make sure that devices like cameras and locks on doors, all the physical components within the operation that are now connected, are cyber secure as well.”
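The sweep-then-login pattern described above is something a defender can look for in device logs. The following detector is an added example written for this article (not code from Nozomi Networks, Fortinet or the Mirai source); the syslog line format, hostnames and addresses are constructed assumptions. It flags any source that hits several distinct devices over Telnet and lists the devices where such a source then logged in successfully.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from IoT devices (assumed format, not real captures).
SAMPLE_LOGS = """\
Jan 10 02:14:01 cam-01 telnetd[812]: login attempt user=root from=198.51.100.7 result=FAIL
Jan 10 02:14:02 cam-01 telnetd[812]: login attempt user=admin from=198.51.100.7 result=FAIL
Jan 10 02:14:03 cam-01 telnetd[812]: login attempt user=admin from=198.51.100.7 result=OK
Jan 10 02:14:05 cam-02 telnetd[633]: login attempt user=admin from=198.51.100.7 result=OK
Jan 10 02:14:06 dvr-01 telnetd[201]: login attempt user=root from=198.51.100.7 result=FAIL
Jan 10 02:14:07 lock-03 telnetd[419]: login attempt user=root from=198.51.100.7 result=OK
Jan 10 02:20:11 cam-01 telnetd[812]: login attempt user=tech from=10.0.5.20 result=OK
"""

LINE_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) telnetd\[\d+\]: login attempt "
    r"user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(log_text):
    """Turn matching log lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_sweeps(events, min_hosts=3):
    """Sources that touched at least min_hosts distinct devices over Telnet.
    One source probing many devices is the scanning behaviour the text describes."""
    hosts_by_src = defaultdict(set)
    for e in events:
        hosts_by_src[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}

def find_compromises(events, sweeps):
    """Successful logins from a sweeping source: devices to isolate and re-credential."""
    return sorted({(e["src"], e["host"], e["user"]) for e in events
                   if e["result"] == "OK" and e["src"] in sweeps})

def analyse(log_text, min_hosts=3):
    events = parse(log_text)
    sweeps = find_sweeps(events, min_hosts)
    return {"sweeps": sweeps, "compromised": find_compromises(events, sweeps)}

if __name__ == "__main__":
    report = analyse(SAMPLE_LOGS)
    for src, hosts in report["sweeps"].items():
        print(f"sweep from {src}: {len(hosts)} devices probed")
    for src, host, user in report["compromised"]:
        print(f"likely compromise: {host} (user {user}) by {src}")
```

The single login from 10.0.5.20 touches only one device and is not reported, which keeps routine technician access out of the alert list.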
Expanding Attack Surface
Security professionals need the capabilities and the technologies to protect and defend the expanding attack surface.
“When we talk about visibility, control and automated awareness, you can extrapolate your thinking about physical assets. Otherwise, it’s the weak link in the chain. You might have invested greatly at the SCADA level or even implemented broad segmentation to accomplish control. But when it comes to the physical plant, you’re going to have holes punched in your security blanket simply because you haven’t paid enough attention to OT and the proliferation of IoT devices,” Peters said.
At the risk of oversimplifying, it’s like making a big investment in securing your front door, and then leaving the windows wide open.
This is where visibility comes into play. It’s critical to integrate a security solution that allows you to actually see what’s happening on the network. Whether it’s an unauthorized person walking in the door, a process anomaly or an attacker trying to infiltrate the network via a physical security device, network visibility is another strong line of defense.
“Visibility is not just detection – it’s understanding and characterizing the device,” Peters said. “It is possible to continuously ensure that devices being introduced into my environment can be trusted. They’re characterized in their current state of security readiness, and I treat them as I treat every single element because all elements provide access to what I need to protect.”
Dynamic environments require solutions that help security teams focus on important incidents, rather than distracting them with every change in the network. Given the explosion in communicating devices, it’s essential to be able to correlate visibility between each component on the network, and identify the “real” anomalies in need of attention.
Chet Namboodri is vice president of worldwide business development and partner alliances at Nozomi Networks.