Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

How Threat Actors Get Into OT Systems

The convergence and integration of OT and IT has resulted in a growing number of cyber-risks for critical infrastructure. Here are some of the ways attackers are targeting operational technology systems.

Donovan Tindill, Senior Cybersecurity Strategist, Honeywell

November 24, 2021

5 Min Read
blurred electric lights in the road.
Source: Esterpoon via Adobe

In the past, cyberattackers largely ignored operational technology (OT) systems, such as industrial control systems and SCADA systems, because it was difficult to get to the proprietary information, or OT systems not connected to external networks and data could not be easily infiltrated.

But that’s no longer the case. Today, many industrial systems are connected to company networks with access to the Internet and which use everything from connected sensors and big data analytics to deliver operational improvements. This convergence and integration of OT and IT has resulted in a growing number of cyber-risks, including effective and impactful cyber incidents across both IT and OT.

Cybersecurity threats in the world of OT are different from IT, as the impact goes beyond the loss of data, reputational damage, or the erosion of customer trust. An OT cybersecurity incident can lead to loss of production, damage to equipment, and environmental release. Defending OT from cyberattacks requires a different set of tools and strategies than used to protect IT. Let’s look at how cybersecurity threats commonly find their way into OT’s protected environment.

2 Main Vectors into OT
There are two main vectors where malware can enter into a secure production facility in an OT environment: through the network or through removable media and devices.

Attackers can enter an OT system by exploiting cyber assets through firewalls across routable networks. Proper OT network best practices like network segmentation, strong authentication, and multiple firewalled zones can go a long way to help prevent a cyber incident.

BlackEnergy malware, utilized in the first recorded targeted cyberattack on an electrical grid, compromised an electrical company via spear-phishing emails sent to users on the IT side of the networks. From there, the threat actor was able to pivot into the critical OT network and used the SCADA system to open breakers in substations. This attack is reported to have resulted in more than 200,000 people losing power for six hours during the winter.

While the term “sneakernet” may be new or sound awkward, it refers to the fact that devices such as USB storage and floppy disks can be used to upload information and threats into critical OT networks and air-gapped systems just by the cyberattacker physically carrying them into the facility and connecting them to the applicable system.

USB devices continue to pose a challenge, especially as organizations increasingly rely on these portable storage devices to transfer patches, collect logs, and more. USB is often the only interface supported for keyboards and mice, so it cannot be disabled, which leaves spare USB ports enabled. As a result, the risk exists of inserting foreign devices on the very machines we are trying to protect. Hackers have been known to plant infected USB drives in and around the facilities they are targeting. Employees will then sometimes find these compromised drives and plug them into a system because that is the only way to determine what is on one of them – even without any labels like “financial results” or “headcount changes.”

Stuxnet may be the most infamous example of malware being brought into an air-gapped facility by USB. This extremely specialized and sophisticated computer worm was uploaded into an air-gapped nuclear facility to alter the programmable logic controllers' (PLCs) programming. The end result was that the centrifuges spun too quickly for far too long, ultimately causing physical damage to the equipment.

Now more than ever, production environments face cybersecurity threats from malicious USB devices capable of circumventing the air gap and other safeguards to disrupt operations from within. The "2021 Honeywell Industrial Cybersecurity USB Threat Report" found that 79% of threats detected from USB devices had the potential to cause disruptions in OT, including loss of view and loss of control.

The same report found that USB usage has increased 30%, while many of these USB threats (51%) tried to gain remote access into a protected air-gapped facility. Honeywell reviewed anonymized data in 2020 from its Global Analysis Research and Defense (GARD) engine, which analyzes file-based content, validates each file, and detects malware threats being transferred via USB in or out of actual OT systems.

TRITON is the first recorded use of malware being designed to attack safety systems in a production facility. A safety instrumented system (SIS) is the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. Attackers first penetrated the IT network before they moved to the OT network through systems accessible to both environments. Once in the OT network, the hackers then infected the engineering workstation for SIS with the TRITON malware. The end result of TRITON is that an SIS could be shut down and put people within a production facility at risk. 

Physical Devices Can Also Lead to Cyber Incidents
It is not just content-based threats that we need to look out for. A mouse, cable, or other device can be weaponized against OT, too.

In 2019, malicious actors targeted a trusted person with access to a control network. This authorized user unknowingly swapped a real mouse for the weaponized mouse. Once connected to the critical network, someone else took control of the computer from a remote location and launched ransomware.

The power plant paid the ransom money; however, they did not get their files back and had to rebuild, affecting the facility for three months. It’s imperative that you know where your devices come from before using them.

3 Steps to Defeat Cyber Threats
Cyber threats are constantly evolving. First, set a regular time to review your cybersecurity strategy, policies, and tools to stay on top of these threats. Second, USB usage threats are on the rise, so it is important to evaluate the risk to your OT operations and the effectiveness of your current safeguards for USB devices, ports, and their control.

Last but not least, a defense in-depth strategy is highly recommended. This strategy should layer OT cybersecurity tools and policies to give your organization the best chance to stay safe from ever-evolving cyber threats.

About the Author(s)

Donovan Tindill

Senior Cybersecurity Strategist, Honeywell

Donovan Tindill is senior cybersecurity strategist at Honeywell Connected Enterprise. He is an expert in industrial control systems (ICS) infrastructure and operational technology (OT) cybersecurity with more than 20 years of Industrial/OT cybersecurity consulting experience across multiple industries, advising those with advanced cybersecurity programs or helping start OT cybersecurity programs from zero. He’s an industry advisor to US CISA and Public Safety Canada, known globally for his expertise.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights