Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:00 AM
Derek Manky
Derek Manky
Connect Directly
E-Mail vvv

Operational Technology: Why Old Networks Need to Learn New Tricks

Cybercriminals are maximizing their opportunity by targeting older vulnerabilities in OT environments. It's time to fight back.

Cybercriminals innovate when necessary, but like any successful enterprise, they also harvest low-hanging fruit wherever they can find it. Targeting older, vulnerable systems that have not been properly secured is not just an effective attack strategy, it is the primary cause of the vast majority of security breaches. Which is why, as Fortinet researchers recently discovered, that cybercriminals target vulnerabilities 10 or more years old more often than they target new attacks. And in fact, they target vulnerabilities from every year between 2007 and now at the same rate as they do vulnerabilities discovered in 2018 and 2019. 

Cybercriminals are maximizing their opportunity by targeting older vulnerabilities, as well as exploiting the expanding attack surface – especially with the convergence of operational technology (OT) environments with IT. OT can be thought of as hardware and software that monitor and control industrial equipment and processes – think valves, pumps, and thermostats, for example.

And with OT-IT convergence in the wings, it's critical that companies ensure they are taking the necessary precautions in their own organization.

Recycling threats
Judging by conversations with security professionals from global enterprises and the intelligence community, as well as 20 years of threat research, it’s clear that some fundamentals still need attention. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures. While many of these pose a significant, and perhaps even existential threat, most cybercriminals are content with a business-as-usual approach.

In our most recent report, FortiGuard Labs detected a rise in attempts to inject and execute code/commands on target systems. That’s nothing new, but it does seem to be reaching new heights. This trend may indicate threat actors are expanding their tactics for exploiting systems. Simply put, attackers want more bang for their buck. Attacking vulnerable services was in vogue years ago, before companies started shoring up their publicly exposed services. As a result, phishing attacks became their main delivery vehicle for implanting malicious code onto target systems. 

But it's possible that attackers could be going back to (or reincorporating) some of their old-school tactics, especially as organizations over-rotate on training users and updating their secure email gateways to detect and reject phishing attacks. Attackers love to focus their efforts where/when defenders aren’t watching. Could this recent trend indicate that organizations have let their guard down on their exposed services as a result?

Operations under attack
There is no question that traditional OT systems are among the most vulnerable assets inside any organization. In fact, Gartner analysts have found that an alarming percentage of OT networks and assets – and their security implications – have lain undiscovered and unmanaged for many years. 

OT vulnerabilities and related exploits can also affect verticals outside of heavy industry, including healthcare environments that rely on patient monitoring devices and MRI machines, or transportation systems that utilize internal OT systems to manage and control things like air traffic.

There are other security challenges, including: IT outages that impact customer-facing systems; the inability to properly identify, measure and track risk; and the interruption of business operations due to a catastrophic event. Worse, these challenges are being compounded by a lack of security expertise inside organizations – not only within their own in-house staff, but also with the third-party vendors with whom they outsource their security and other critical services. 

This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals often have little experience with OT environments.

This opens a huge security gap. Of the organizations with connected OT infrastructures, 90% have experienced a security breach within their SCADA/ICS architectures – with more than half of those breaches occurring in just the last 12 months. Security concerns include viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%). 

And as discussed earlier, quite a few of these attacks target older technology – especially unpatched applications and operating systems. OT security operations have traditionally relied on Purdue model hygiene and air-gapped isolation from the IT network for protection. As a result, visibility derived from protocol analysis and deep packet inspection is not yet widely deployed. This means that not only are older attacks highly successful in OT environments, but a great number of those attacks seem to be repetitive as there is no way to correlate attack strategies with vulnerable systems.

Bad actors also infiltrate devices through the many different OT protocols in place. While IT systems have largely been standardized through TCP/IP, OT systems use a wide array of protocols—many of which are specific to functions, industries, and even geographies. This can create quite a challenge, as security managers have to create disparate defensive systems to secure their environment. And as with legacy IT-based malware attacks, these structural problems are exacerbated by a lack of security hygiene practices within many OT environments that are now being exposed due to digital transformation efforts.

Securing the IT-OT Environment 
For many organizations, competing effectively in today’s digital economy requires converging IT and OT environments. But unless great care is taken, the result will be a broadened attack surface that is widely available to adversaries. The best way to mount a defense is by adopting and implementing a comprehensive strategic approach that simplifies the solution, and engages both IT and OT experts throughout an entire organization: 

  • Strategic alignment of executives: All team leaders must understand and agree to the business objectives and benefits of converging these resources. Common goals, clearly defined outcomes, and a clear-eyed understanding of the risks and consequences will help all teams drive towards an effective solution.
  • Joint task force: A highly effective approach is to bring representatives from all impacted teams together to voice concerns, debate strategies, scope out the project and develop a common set of processes. Their first objective should be to educate each other on the challenges such a project entails. 
  • Test and re-test: Every step of the project outlined by the joint task force needs to be run, sometimes repeatedly, in a controlled environment before turning it on in a production network. There is a lot at stake, so fine-tuning operational controls, security measures, and contingency plans before applying them to a live environment is essential.

By creating a converged framework that includes built-in cybersecurity, OT system owners will be able to confidently move forward in a digitally transformed business while sustaining safe and continuous operations.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Pieces of GDPR Advice for Teams Without Privacy Compliance Staff."

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...