Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

12/31/2019
10:00 AM
Derek Manky
Commentary

Operational Technology: Why Old Networks Need to Learn New Tricks

Cybercriminals are maximizing their opportunity by targeting older vulnerabilities in OT environments. It's time to fight back.

Cybercriminals innovate when necessary, but like any successful enterprise, they also harvest low-hanging fruit wherever they can find it. Targeting older, vulnerable systems that have not been properly secured is not just an effective attack strategy; it is the primary cause of the vast majority of security breaches. That is why, as Fortinet researchers recently found, cybercriminals target vulnerabilities 10 or more years old more often than they target newly disclosed ones. In fact, they target vulnerabilities from every year between 2007 and now at the same rate as they target vulnerabilities discovered in 2018 and 2019.

Cybercriminals are maximizing their opportunity by targeting older vulnerabilities, as well as exploiting the expanding attack surface – especially with the convergence of operational technology (OT) environments with IT. OT can be thought of as hardware and software that monitor and control industrial equipment and processes – think valves, pumps, and thermostats, for example.

And with OT-IT convergence in the wings, it's critical that companies ensure they are taking the necessary precautions in their own organization.

Recycling threats
Judging by conversations with security professionals from global enterprises and the intelligence community, as well as 20 years of threat research, it's clear that some fundamentals still need attention. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures (TTPs). While such advanced attacks can pose a significant, and perhaps even existential, threat, most cybercriminals are content with a business-as-usual approach.

In our most recent report, FortiGuard Labs detected a rise in attempts to inject and execute code or commands on target systems. That's nothing new, but it does seem to be reaching new heights, and the trend may indicate that threat actors are broadening their tactics for exploiting systems. Simply put, attackers want more bang for their buck. Attacking vulnerable, publicly exposed services was in vogue years ago, before companies started shoring up those services; as a result, phishing became the main delivery vehicle for implanting malicious code on target systems.

But attackers may now be going back to (or reincorporating) some of those old-school tactics, especially as organizations over-rotate on training users and tuning their secure email gateways to detect and reject phishing attacks. Attackers focus their efforts where and when defenders aren't watching. Could this recent trend indicate that organizations have let their guard down on their exposed services as a result?

Operations under attack
There is no question that traditional OT systems are among the most vulnerable assets inside any organization. In fact, Gartner analysts have found that an alarming percentage of OT networks and assets – and their security implications – have lain undiscovered and unmanaged for many years. 

OT vulnerabilities and related exploits can also affect verticals outside of heavy industry, including healthcare environments that rely on patient monitoring devices and MRI machines, or transportation systems that utilize internal OT systems to manage and control things like air traffic.

There are other security challenges, including: IT outages that impact customer-facing systems; the inability to properly identify, measure, and track risk; and the interruption of business operations due to a catastrophic event. Worse, these challenges are being compounded by a lack of security expertise inside organizations, not only within their own in-house staff but also at the third-party vendors to whom they outsource their security and other critical services.

This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals often have little experience with OT environments.

This leaves a huge security gap. Of the organizations with connected OT infrastructures, 90% have experienced a security breach within their SCADA/ICS architectures, with more than half of those breaches occurring in just the last 12 months. The top security concerns they cite are viruses (77%), internal (73%) or external (70%) hackers, the leakage of sensitive or confidential information (72%), and the lack of device authentication (67%).

And as discussed earlier, quite a few of these attacks target older technology, especially unpatched applications and operating systems. OT security operations have traditionally relied on Purdue model segmentation hygiene and air-gapped isolation from the IT network for protection, so visibility derived from protocol analysis and deep packet inspection is not yet widely deployed. This means not only that older attacks are highly successful in OT environments, but also that a great number of those attacks appear to be repetitive, because without that visibility there is no way to correlate attack strategies with the vulnerable systems being targeted.

Bad actors also infiltrate devices through the many different OT protocols in place. While IT systems have largely standardized on TCP/IP, OT systems use a wide array of protocols, many of which are specific to functions, industries, and even geographies. This creates a real challenge, as security managers have to build disparate defensive systems to secure their environment. And as with legacy IT malware attacks, these structural problems are exacerbated by a lack of basic security hygiene in many OT environments, which digital transformation efforts are now exposing.
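The protocol-level visibility the previous two paragraphs call for is concrete enough to show in code. The example below is added for this edit and is not Fortinet's or FortiGuard Labs' code; it uses Modbus/TCP, which the article does not name, as one representative OT protocol. It decodes the MBAP header and function code of each frame, then applies a simple policy: writes to a PLC are only expected from an assumed engineering workstation, exception responses are logged because repeated exceptions often mean address probing, and malformed frames are flagged. Every frame and IP address is constructed for the example, not taken from a capture.

```python
"""Passive Modbus/TCP inspection: decode the MBAP header and PDU, then flag
writes from hosts that are not authorised to change process state.
All frames and addresses below are constructed for this example."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Public Modbus function codes relevant to a write-control policy.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int          # the PLC/RTU addressed behind a gateway
    function_code: int    # with the exception bit (0x80) stripped
    is_exception: bool
    data: bytes           # PDU payload after the function code


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP application data unit (7-byte MBAP header + PDU)."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes")
    fc = payload[7]
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


def write_target(frame: ModbusFrame) -> Optional[Tuple[int, int]]:
    """Return (start_address, value_or_quantity) for a write request, else None."""
    if frame.function_code in WRITE_FUNCTIONS and len(frame.data) >= 4:
        return struct.unpack(">HH", frame.data[:4])
    return None


def inspect(src_ip: str, payload: bytes, authorised_writers: Set[str]) -> List[str]:
    """Apply the policy to one frame and return zero or more alert strings."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"MALFORMED from {src_ip}: {exc}"]
    name = FUNCTION_NAMES.get(frame.function_code, f"fc {frame.function_code}")
    if frame.is_exception:
        code = frame.data[0] if frame.data else -1
        return [f"EXCEPTION unit {frame.unit_id} {name} code {code} (from {src_ip})"]
    if frame.function_code in WRITE_FUNCTIONS and src_ip not in authorised_writers:
        target = write_target(frame)
        where = f"addr {target[0]:#06x} value/qty {target[1]:#06x}" if target else "truncated PDU"
        return [f"UNAUTHORISED WRITE from {src_ip} to unit {frame.unit_id} {name} {where}"]
    return []


# Assumed policy: only the engineering workstation may write to the PLC.
AUTHORISED_WRITERS = {"10.0.1.10"}

# Constructed sample traffic as (source IP, Modbus/TCP bytes); not a real capture.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", bytes.fromhex("00010000000601030000000A")),          # HMI reads 10 holding registers
    ("10.0.1.99", bytes.fromhex("000200000006010600101234")),          # unknown host writes register 0x10
    ("10.0.1.10", bytes.fromhex("00030000000B0110000000020400010002")),  # workstation writes 2 registers
    ("10.0.2.5",  bytes.fromhex("000200000003018602")),                # PLC: exception 02 to the write
    ("10.0.1.99", bytes.fromhex("00040001000601030000000A")),          # protocol id 1: not Modbus
]


def run_samples() -> List[str]:
    """Inspect the constructed traffic and return every alert raised."""
    alerts: List[str] = []
    for src, frame in SAMPLE_TRAFFIC:
        alerts.extend(inspect(src, frame, AUTHORISED_WRITERS))
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Keying alerts on the unit id, as done here, is what lets a SOC group repeated attempts against one PLC into a single incident instead of treating each frame as a fresh event; the same decoder would also be the place to check register ranges against the asset inventory for that unit.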

Securing the IT-OT Environment 
For many organizations, competing effectively in today's digital economy requires converging IT and OT environments. But unless great care is taken, the result will be a broader attack surface that is more exposed to adversaries. The best way to mount a defense is to adopt a comprehensive strategic approach that simplifies the solution and engages both IT and OT experts across the entire organization: 

  • Strategic alignment of executives: All team leaders must understand and agree to the business objectives and benefits of converging these resources. Common goals, clearly defined outcomes, and a clear-eyed understanding of the risks and consequences will help all teams drive towards an effective solution.
  • Joint task force: A highly effective approach is to bring representatives from all impacted teams together to voice concerns, debate strategies, scope out the project and develop a common set of processes. Their first objective should be to educate each other on the challenges such a project entails. 
  • Test and re-test: Every step of the project outlined by the joint task force needs to be run, sometimes repeatedly, in a controlled environment before turning it on in a production network. There is a lot at stake, so fine-tuning operational controls, security measures, and contingency plans before applying them to a live environment is essential.

By creating a converged framework that includes built-in cybersecurity, OT system owners will be able to confidently move forward in a digitally transformed business while sustaining safe and continuous operations.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...
 
