Cybercriminals are maximizing their opportunity by targeting older vulnerabilities in OT environments. It's time to fight back.

Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs

December 31, 2019

Cybercriminals innovate when necessary, but like any successful enterprise, they also harvest low-hanging fruit wherever they can find it. Targeting older, vulnerable systems that have not been properly secured is not just an effective attack strategy, it is the primary cause of the vast majority of security breaches. That is why, as Fortinet researchers recently discovered, cybercriminals target vulnerabilities 10 or more years old more often than they target new attacks. And in fact, they target vulnerabilities from every year between 2007 and now at the same rate as they do vulnerabilities discovered in 2018 and 2019.

Cybercriminals are maximizing their opportunity by targeting older vulnerabilities, as well as exploiting the expanding attack surface – especially with the convergence of operational technology (OT) environments with IT. OT can be thought of as hardware and software that monitor and control industrial equipment and processes – think valves, pumps, and thermostats, for example.

And with OT-IT convergence in the wings, it's critical that companies ensure they are taking the necessary precautions in their own organizations.

Recycling threats
Judging by conversations with security professionals from global enterprises and the intelligence community, as well as 20 years of threat research, it’s clear that some fundamentals still need attention. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures. While many such attacks pose a significant, and perhaps even existential, threat, most cybercriminals are content with a business-as-usual approach.

In our most recent report, FortiGuard Labs detected a rise in attempts to inject and execute code/commands on target systems. That’s nothing new, but it does seem to be reaching new heights. This trend may indicate threat actors are expanding their tactics for exploiting systems. Simply put, attackers want more bang for their buck. Attacking vulnerable services was in vogue years ago, before companies started shoring up their publicly exposed services. As a result, phishing attacks became their main delivery vehicle for implanting malicious code onto target systems. 

But it's possible that attackers could be going back to (or reincorporating) some of their old-school tactics, especially as organizations over-rotate on training users and updating their secure email gateways to detect and reject phishing attacks. Attackers love to focus their efforts where/when defenders aren’t watching. Could this recent trend indicate that organizations have let their guard down on their exposed services as a result?

Operations under attack
There is no question that traditional OT systems are among the most vulnerable assets inside any organization. In fact, Gartner analysts have found that an alarming percentage of OT networks and assets – and their security implications – have lain undiscovered and unmanaged for many years. 

OT vulnerabilities and related exploits can also affect verticals outside of heavy industry, including healthcare environments that rely on patient monitoring devices and MRI machines, or transportation systems that utilize internal OT systems to manage and control things like air traffic.

There are other security challenges, including: IT outages that impact customer-facing systems; the inability to properly identify, measure and track risk; and the interruption of business operations due to a catastrophic event. Worse, these challenges are being compounded by a lack of security expertise inside organizations – not only within their own in-house staff, but also with the third-party vendors to whom they outsource their security and other critical services.

This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals often have little experience with OT environments.

This opens a huge security gap. Of the organizations with connected OT infrastructures, 90% have experienced a security breach within their SCADA/ICS architectures – with more than half of those breaches occurring in just the last 12 months. Security concerns include viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%). 

And as discussed earlier, quite a few of these attacks target older technology – especially unpatched applications and operating systems. OT security operations have traditionally relied on Purdue model hygiene and air-gapped isolation from the IT network for protection. As a result, visibility derived from protocol analysis and deep packet inspection is not yet widely deployed. This means that not only are older attacks highly successful in OT environments, but a great number of those attacks seem to be repetitive as there is no way to correlate attack strategies with vulnerable systems.

Bad actors also infiltrate devices through the many different OT protocols in place. While IT systems have largely been standardized through TCP/IP, OT systems use a wide array of protocols—many of which are specific to functions, industries, and even geographies. This can create quite a challenge, as security managers have to create disparate defensive systems to secure their environment. And as with legacy IT-based malware attacks, these structural problems are exacerbated by a lack of security hygiene practices within many OT environments that are now being exposed due to digital transformation efforts.

Securing the IT-OT Environment 
For many organizations, competing effectively in today’s digital economy requires converging IT and OT environments. But unless great care is taken, the result will be a broadened attack surface that is widely available to adversaries. The best way to mount a defense is by adopting and implementing a comprehensive strategic approach that simplifies the solution, and engages both IT and OT experts throughout an entire organization: 

  • Strategic alignment of executives: All team leaders must understand and agree to the business objectives and benefits of converging these resources. Common goals, clearly defined outcomes, and a clear-eyed understanding of the risks and consequences will help all teams drive towards an effective solution.

  • Joint task force: A highly effective approach is to bring representatives from all impacted teams together to voice concerns, debate strategies, scope out the project and develop a common set of processes. Their first objective should be to educate each other on the challenges such a project entails. 

  • Test and re-test: Every step of the project outlined by the joint task force needs to be run, sometimes repeatedly, in a controlled environment before turning it on in a production network. There is a lot at stake, so fine-tuning operational controls, security measures, and contingency plans before applying them to a live environment is essential.

By creating a converged framework that includes built-in cybersecurity, OT system owners will be able to confidently move forward in a digitally transformed business while sustaining safe and continuous operations.

About the Author(s)

As Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs, Derek Manky formulates security strategy with more than 15 years of cybersecurity experience. His ultimate goal is to make a positive impact toward the global war on cybercrime. Manky provides thought leadership to the industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cybersecurity. He is actively involved with several global threat intelligence initiatives, including NATO NICP, Interpol Expert Working Group, the Cyber Threat Alliance (CTA) working committee, and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
