In order for organizations to respond more quickly to the evolving marketplace, digital transformation efforts need to be extended into every corner of the distributed network. To increase efficiencies in places like manufacturing floors, energy production and delivery, or interconnected transportation systems, operational technology (OT) environments are being connected to the outside world for the first time.
This trend promises great benefits for organizations, enabling things like remote monitoring and real-time response to market changes. But adding things like Windows-based Open Platform Communications (OPC) or integrating IT-enabled devices also exposes OT systems to threats they may not be prepared to defend themselves against. The “air gap” that protected OT systems from hackers and malware no longer exists at many organizations, and as a result, adversaries are increasingly targeting those OT systems to steal trade secrets, disrupt operations, or even commit acts of cyber terrorism against critical infrastructure.
2019 Operational Technology Security Trends Report
To better understand the state of security in OT systems, Fortinet recently published a research report that examines security trends for OT networks. The Fortinet 2019 Operational Technology Security Trends Report analyzed data gathered from millions of Fortinet devices to discern the state of cybersecurity for supervisory control and data acquisition (SCADA) and other industrial control systems (ICS). Our analysis found many attacks on OT systems that seem to target older devices running unpatched software, indicating that OT networks are increasingly being targeted by IT-based legacy attacks that are no longer effective against IT networks. However, the industry as a whole is also tracking a disturbing rise in purpose-built OT attacks designed to target SCADA and ICS systems.
The most surprising feature of our report is that the majority of these attacks tend to target the weakest parts of OT networks. Many of these attacks take advantage of the complexities caused by a lack of protocol standardization, and of a sort of implicit trust strategy that seems to permeate many OT environments. This trend is not limited to specific locales or sectors. Threat actors targeting OT environments clearly do not discriminate according to industry or geography, as every vertical and region saw a significant rise in attacks.
Key takeaways from our 2019 Operational Technology Security Trends Report include the disturbing trend that exploits increased in volume and prevalence in 2018 for almost every ICS/SCADA vendor. And in addition to the recycled IT attacks being thrown at unpatched or non-updated OT devices, 85% of unique threats detected target machines running OPC Classic, BACnet, and Modbus.
IT-based Attacks Are Increasingly Targeting OT Systems
The 2019 Operational Technology Security Trends Report indicates that cybercriminals can use legacy IT-based threats to attack OT systems. Quite a few attacks target older technology such as unpatched applications and operating systems. OT security operations traditionally rely on Purdue model hygiene and air-gapped isolation from the IT network for protection, which means that visibility from protocol analysis and deep packet inspection is not yet widely deployed. As a result, a great number of attacks seem to be repetitive.
In addition, cybercriminals also target devices by exploiting the wide variety of OT protocols in place. While IT systems have standardized on TCP/IP, OT systems use a wide array of protocols, many of which are specific to functions, industries, and geographies. This creates a real challenge, as security managers have to build disparate systems to secure their environment, which in turn creates complexity with vendor offerings and products. And as with legacy IT-based malware attacks, these structural problems are exacerbated by security hygiene practices within many OT environments that may be unintended consequences of digital transformation efforts.
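As an added example that is not from the report or from Fortinet: a minimal protocol-aware check for Modbus/TCP, the kind of visibility the paragraph above says is not yet widely deployed in OT. It parses the MBAP header, flags write and diagnostic function codes from hosts that are not on an allowlist, and rejects malformed frames; the host addresses, allowlist and sample frames are constructed for illustration.

```python
import struct

# Modbus function codes (Modbus Application Protocol spec), grouped by risk.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAG_CODES = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:                      # protocol id is always 0 for Modbus
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:      # length counts unit id + PDU bytes
        raise ValueError("length field disagrees with frame size")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "pdu": frame[8:]}


def inspect_frame(src: str, frame: bytes, write_allowlist: set) -> tuple:
    """Return ("allow" | "alert", reason) for a frame seen from host src."""
    try:
        hdr = parse_mbap(frame)
    except ValueError as err:
        return ("alert", f"malformed frame from {src}: {err}")
    fc, pdu = hdr["fc"], hdr["pdu"]
    if fc in WRITE_CODES:
        addr = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else None
        if src not in write_allowlist:
            return ("alert", f"{WRITE_CODES[fc]} to unit {hdr['unit']} "
                             f"addr {addr} from unlisted host {src}")
        return ("allow", f"{WRITE_CODES[fc]} from allowlisted host {src}")
    if fc in DIAG_CODES:
        return ("alert", f"{DIAG_CODES[fc]} (fc {fc}) from {src}")
    if fc in READ_CODES:
        return ("allow", f"{READ_CODES[fc]} from {src}")
    return ("alert", f"unexpected function code {fc} from {src}")


# Constructed sample frames (not captured traffic): MBAP header + PDU.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000A")   # read 10 holding regs
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 1234")  # write reg 16 = 0x1234
DIAG_FRAME = bytes.fromhex("0003 0000 0006 01 08 0001 0000")   # diagnostics sub-fn 1
BAD_FRAME = bytes.fromhex("0004 0000 0020 01 03 0000 0001")    # length field lies

if __name__ == "__main__":
    engineering_hosts = {"10.0.0.5"}   # hypothetical hosts allowed to write
    for name, frame in [("read", READ_FRAME), ("write", WRITE_FRAME),
                        ("diag", DIAG_FRAME), ("bad", BAD_FRAME)]:
        print(name, inspect_frame("10.0.0.9", frame, engineering_hosts))
```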
Custom OT Attacks Also On The Rise
Malware targeted specifically at ICS and SCADA systems has been developed and deployed for a decade or longer. While examples are not numerous, attacks specifically designed for OT systems now seem to be on the rise, with safety systems increasingly a target.
A handful of OT-based attacks over the past decade have managed to make headlines, including Stuxnet, Havex, BlackEnergy, and Industroyer. Most recently, Triton/Trisis targeted safety instrumented system (SIS) controllers. This attack is especially concerning because in many respects it is the first true cyber-physical attack on OT systems. And given the fact that this malware targets a safety system, the outcome of such an attack could potentially be much worse, potentially destroying machinery and threatening lives.
The Fortinet 2019 Operational Technology Security Trends Report shows that the risks associated with IT/OT convergence are real, and need to be taken seriously by any organization that has begun to connect their ICS/SCADA systems with their IT networks.
Malicious actors are able to extract maximum value from each new threat they develop by continuing to exploit the unprotected systems and vulnerabilities that persist in both older and newer networks and technologies. They will also continue to exploit the slower replacement cycles and legacy technologies that are likely to remain in place for years. IT integration and convergence due to digital transformation efforts will continue to pressure this situation further. The best way to counter this new reality is by adopting and implementing a comprehensive strategic approach that simplifies the solution, and involves IT and OT experts throughout an entire organization.