
OT networks and IT networks are closely intertwined

Malware like NotPetya and Triton highlight the vulnerability of companies to cyberthreats that stem from incursions on operational technology networks.


SAN FRANCISCO -- It was June 27, 2017, and a group of chief information security officers had assembled to learn about the vulnerability of companies' critical infrastructure networks.

Suddenly CISOs’ phones lit up around the room. Galina Antova—who led the workshop and is the cofounder of a company that focuses on securing industrial networks—realized that “something pretty significant was happening.”

That something was NotPetya.

NotPetya (also known as Nyetya) was malware that made its debut through a trojanized software update to M.E.Doc, accounting software used extensively in Ukraine. What began as a compromise of enterprise IT networks spread pervasively into companies' operational technology (OT) networks. At the Chernobyl nuclear site in Ukraine, operators had to fall back to manual radiation monitoring after the automated monitoring systems shut down.

The White House deemed NotPetya the most destructive and costly cyberattack in history, with publicly reported losses of $900 million. Unofficially, though, a senior U.S. intelligence official said the true figure was likely much higher, running to billions of dollars. Further, NotPetya demonstrated a new kind of attack: the incursion of individual and nation-state actors into critical infrastructure, causing not only financial loss but also risk to human life.

OT networks support infrastructure, such as manufacturing, utilities and defense, as well as building infrastructure that operates key facility systems such as lights, elevators, and heating and cooling systems. OT systems monitor and ensure the safety of these operations. An OT network, for example, may monitor a switch and trigger a shutdown if a certain value is exceeded. While OT systems run critical infrastructure, they paradoxically often run on aging software and obsolete hardware, which makes them difficult to patch and highly vulnerable to exploits by malicious actors.

The Cisco Talos team, the threat intelligence and research group at Cisco Systems, determined that the NotPetya attackers had obtained administrator credentials at Intellect Service, the maker of M.E.Doc. The stolen credentials gave the attackers access to the M.E.Doc update mechanism, which is how the malicious update reached customers and seeded the malware's rapid spread. Talos worked with M.E.Doc analysts to mitigate the spread of NotPetya and to keep affected organizations informed about the malware and its impact.

Cyberthreats like NotPetya demonstrate a new "focus on destroying the last line of defense in safety," said James Lyne, head of R&D at the SANS Institute, at the RSA 2018 conference.

The significance of the NotPetya OT attack

What makes NotPetya and its ilk of cyberattacks all the more concerning is that OT networks are increasingly connected to enterprise IT networks that house critical company data. As Internet of Things (IoT)-connected sensors and other smart devices proliferate and become part of running businesses, OT networks and IT networks have converged even more—often because of costs or the need for data sharing.

This convergence makes businesses vulnerable to attacks not only on data and IT systems but also on key operational and safety infrastructure.

NotPetya was such an event. Antova noted that the inability of security teams to peer into activities on OT networks made the situation hazardous.

“You do have industrial networks, and they are invisible to your security teams,” Antova cautioned during a session on risk to OT networks at the RSA 2018 conference. She underscored the warning after about 15% of attendees identified themselves as responsible for industrial networks.

As Antova noted, the NotPetya attack also indicated that even if companies secure IT systems and data, their business crown jewels remain vulnerable. “It tells you something about the cybersecurity posture of companies like Merck and FedEx where they are spending millions of dollars on their IT cybersecurity,” Antova noted.

Antova further emphasized that cyberattacks like NotPetya would persist unabated until IT security teams better understand the differences between IT networks and industrial networks. "Something as simple as patching is not so simple in the OT world,” Antova said. “In a lot of cases, you can’t patch [OT networks] because they have dependencies on legacy software that runs on them or because of uptime requirements.”

Targeting OT networks directly: Triton

In December 2017, the disclosure of another cyberattack on OT networks further revealed the vulnerability of enterprises to industrial network attacks.

Unlike NotPetya, the Triton malware targeted OT networks directly. The attackers, surmised to be a nation-state actor (at the time, some analysts pointed to Iran), gained remote access to an engineering workstation at a facility in Saudi Arabia. The attack exploited lapses in security procedures and, ultimately, a previously unknown vulnerability in the firmware of Schneider Electric's Triconex Tricon safety instrumented system.

The attackers appear to have intended to manipulate the emergency shutdown logic so the plant would keep running without the safety system alerting on a hazardous condition, while giving them a foothold to burrow deeper into the system. The incursion was discovered only by accident, after the malware inadvertently triggered an emergency shutdown. The identity of the attackers and the full intent of the attack remain unknown.

But what is known is that these kinds of cyberattacks are becoming more common, with brazen actors testing the limits of industrial networks, often targeting key safety systems. 

“We have seen tremendous expansion of attacks on critical infrastructure,” Antova said. Further, she urged, while initially attacks on safety systems focused on reconnaissance, today “nation-state attackers are moving into a new phase. Now attacks are taking position in [industrial control system] networks, and you can only imagine the implications of that,” she warned.

Seven recommendations: Preparing for OT network cyberattacks

Antova made several recommendations for enterprises to prepare against cyberattacks on OT networks.

  1. Invest in upgrading OT networks. “The good news,” Antova quipped, is that “OT networks are so behind IT networks, even minimal investment” could improve enterprises’ security posture.
  2. Ask the tough questions and map out accountability. Antova noted that a lack of clear accountability for OT network security increases an organization's exposure. She said it is important to identify "who is responsible for monitoring those networks." Without accountability, she urged, "chances are that things will fall through the cracks."
  3. Acknowledge your company’s blind spot. Antova noted that many companies don’t know what they don’t know. “The absence of evidence is not the same as the evidence of absence of malicious actors in your network,” Antova underscored. “Just because you’re not seeing them through alerts doesn’t mean they aren’t there.”
  4. Make sure there is segmentation between your IT and OT networks. Antova said that companies now have an opportunity to better demarcate the red line between OT and IT networks. “What ports are open? Even if you can’t patch Windows machines, be aware of them,” Antova said.
  5. Make your OT network visible. Antova noted that IT teams need visibility into OT networks to protect the enterprise holistically. “You can’t defend properly, if you’re blind to assets,” she said.
  6. Securing OT networks isn’t a one-off exercise. Think strategically about how to update and segment IT and OT networks periodically. “Make sure OT networks are part of your governance and incident response plan,” Antova said.
  7. Educate executives on the impact of an attack on OT networks. Finally, executives need to understand the risk to the business if OT networks are breached and how cyberattacks now involve crossing between IT and OT networks. Educate them so they can provide the resources to proactively manage the problem.
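Recommendations 4 and 5 above, segmentation and visibility, are the ones a security team can actually measure. The following is an added example, not code from Cisco, Claroty or the speakers quoted here. It assumes two hypothetical address ranges (10.10.0.0/16 for IT, 10.50.0.0/16 for OT), a small allow list of sanctioned IT-to-OT flows, and a handful of constructed flow records of the kind a firewall or NetFlow export would produce. It flags IT-to-OT flows that are not on the allow list, builds a passive inventory of OT hosts and the ports they serve, and calls out OT hosts reachable on the Windows lateral-movement ports (SMB, RDP, RPC) that an IT-borne worm would ride into the plant network:

```python
"""Audit the IT/OT boundary from flow records and inventory OT assets.

Added example, not Cisco's or Claroty's code. Zones, allow list, watch
ports and the sample flows below are all assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IT_ZONE = ip_network("10.10.0.0/16")  # assumed corporate IT range
OT_ZONE = ip_network("10.50.0.0/16")  # assumed plant/OT range

# Sanctioned IT->OT crossings as (source host, destination port).
# Anything else crossing the boundary is a segmentation finding. Assumed policy.
ALLOWLIST = {
    ("10.10.5.20", 1433),  # hypothetical historian replication from a jump host
}

# Ports whose exposure on OT hosts deserves a second look: these are the
# Windows lateral-movement paths an IT-borne worm would use.
WATCH_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC"}

# Constructed sample flows: (src, dst, dport, proto). Not real traffic.
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.50.1.10", 1433, "tcp"),  # allowed historian sync
    ("10.10.7.44", "10.50.1.10", 445, "tcp"),   # IT workstation -> OT server over SMB
    ("10.10.7.44", "10.50.2.15", 3389, "tcp"),  # IT workstation -> OT HMI over RDP
    ("10.50.1.10", "10.50.2.15", 502, "tcp"),   # OT-internal Modbus, stays in zone
    ("10.50.2.15", "10.10.9.9", 443, "tcp"),    # OT -> IT egress; worth knowing about
    ("10.10.3.3", "10.10.4.4", 445, "tcp"),     # IT-internal, out of scope here
]


def zone_of(addr):
    """Classify an address as IT, OT or OTHER by the assumed ranges."""
    ip = ip_address(addr)
    if ip in IT_ZONE:
        return "IT"
    if ip in OT_ZONE:
        return "OT"
    return "OTHER"


def find_boundary_violations(flows):
    """Return IT->OT flows that are not covered by the allow list."""
    findings = []
    for src, dst, dport, proto in flows:
        if zone_of(src) == "IT" and zone_of(dst) == "OT" and (src, dport) not in ALLOWLIST:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "service": WATCH_PORTS.get(dport, "unlisted"),
            })
    return findings


def ot_asset_inventory(flows):
    """Passively list OT hosts, the ports they were seen serving, and IT hosts they reach.

    A flow *to* an OT host counts as that host offering a service; a flow
    from an OT host into IT is recorded separately so egress is visible too.
    """
    inventory = defaultdict(lambda: {"serves": set(), "talks_to_it": set()})
    for src, dst, dport, _proto in flows:
        if zone_of(dst) == "OT":
            inventory[dst]["serves"].add(dport)
        if zone_of(src) == "OT" and zone_of(dst) == "IT":
            inventory[src]["talks_to_it"].add(dst)
    return {
        host: {"serves": sorted(v["serves"]), "talks_to_it": sorted(v["talks_to_it"])}
        for host, v in inventory.items()
    }


def exposed_watch_ports(inventory):
    """OT hosts serving a watch-listed port: where an IT compromise would land first."""
    return sorted(
        (host, WATCH_PORTS[port])
        for host, info in inventory.items()
        for port in info["serves"]
        if port in WATCH_PORTS
    )


if __name__ == "__main__":
    for f in find_boundary_violations(SAMPLE_FLOWS):
        print(f"boundary violation: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['service']})")
    inv = ot_asset_inventory(SAMPLE_FLOWS)
    for host, info in sorted(inv.items()):
        print(f"OT asset {host}: serves {info['serves']}, talks to IT {info['talks_to_it']}")
    for host, svc in exposed_watch_ports(inv):
        print(f"watch: {host} reachable on {svc}")
```

On the constructed sample the only allowed crossing is the historian sync; the two workstation-to-OT flows over SMB and RDP are reported as violations, and the same two OT hosts show up in the watch list because they serve those ports. Run against real flow exports, the inventory is also the starting point for knowing which OT Windows hosts exist even when, as Antova notes, they cannot be patched.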


Lauren Horwitz

Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget, a senior editor at Cutter Consortium, an IT research firm, and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article "The Fluid Jurisprudence of Israel's Emergency Powers."