Are OT/ICS Leaders Behind Their IT Peers When It Comes to Cyber Security?


Historically, leaders in Operational Technology/Industrial Control Systems prioritized productivity, up-time, and quality control. Security was typically not at the top of their list; cybersecurity was considered a concern of the CISO and the IT department. That orientation has to change. In the words of the Cybersecurity and Infrastructure Security Agency (CISA):

“OT cybersecurity often remains overlooked and under-resourced. The cybersecurity industry is still largely focused on business IT systems, often neglecting the critical risk in OT systems, which were designed to optimize reliability and availability and often lack native security capabilities. This puts critical infrastructure entities at serious risk as more OT devices become network-connected. Even so, many critical infrastructure entities lack adequate OT cybersecurity programs, especially where cybersecurity is still seen as primarily an IT concern. Entities that do have OT cybersecurity programs often lack basic OT cyber protections and are unable to find relevant OT-specific guidance for their environments.” 

–DHS CISA Cross-Sector Cybersecurity Performance Goals March 2023 Update  

Security by Obscurity is Over 

The completely air-gapped model of Operational Technology (OT) and Industrial Control Systems (ICS) architecture, as described in the Purdue reference architecture, has been eroded by the trend of IT-OT convergence. Industry 4.0 practices have made interconnectivity between the Information Technology network, including Enterprise Resource Planning (ERP) and Manufacturing Execution Systems (MES), and the OT/ICS network commonplace. There are many business and productivity benefits from this convergence, such as more agile processes that can better react to market demands, higher productivity through optimization of the supply chain, and higher margins through operational efficiency. However, this convergence of IT and OT has also led to greater cyber risk: the attack surface available to the adversary is larger, and the blast radius that amplifies the impact of any attack is larger too.

Recent OT/ICS Breaches  

The 2024 Global Threat Intelligence Report by NTT DATA reveals that manufacturing has now overtaken technology as the most targeted sector, as adversaries continue to focus on critical infrastructure in the supply chain.

According to a study from British security software and hardware company Sophos Ltd, 60% of ransom demands in manufacturing organizations were for $1 million or more and 15% were for $5 million or more. The mean cost to recover from ransomware was $1.67 million. 

The most recent breaches with physical disruptions were not caused by direct manipulation of OT systems (a Stuxnet-like incident) but were downstream consequences of IT-based attacks, most often involving ransomware. Upon discovering a breach in the IT system, the OT system was often shut down to prevent the attack from spreading into it.

These are a few significant breaches that had physical consequences:  

  • The Colonial Pipeline ransomware attack in May 2021 is perhaps the most significant publicly declared cyber-attack against essential infrastructure in the U.S. When Colonial Pipeline became aware of the breach, they shut down all systems, including pipelines, to lower the exposure. The company paid a ransom of more than $4 million. However, it took more than 7 days to restore full operations. The incident resulted in fuel shortages and fuel price increases and affected dependent industries such as airlines.
  • Norsk Hydro, a Norwegian renewable energy and aluminum manufacturing company, faced a ransomware attack in March 2019, which affected thousands of servers and computers. The virus locked everyone out and encrypted key areas of the company’s IT network. Hydro didn’t pay the ransom and took up the task of removing the virus and rebuilding systems on their own. It was a bold and commendable move; however, they had to shut down their OT system, fearing the virus would spread into it. Hydro managed to restart the facility quickly with manual operations, but according to their earnings report for the year, this incident cost $70 million in losses.
  • The Hahn Group, a German industrial automation and robotics company, was the victim of a cyberattack in March 2023. The company switched off all its systems as a safety precaution. A full, clean restoration of its systems took weeks thereafter.
  • Belgian glass manufacturer Sprimoglass was hit by a cyberattack in March 2024 that halted its production. It is another example of ransomware affecting the production operation and the company choosing not to pay the ransom.
  • US paper and packaging manufacturer International Paper was hit by a cyberattack in November 2023. Out of an abundance of caution, International Paper coordinated an orderly mill shutdown to address the issue. The attack did affect a limited number of manufacturing systems at the Riegelwood mill.

What To Do About It? 

CISA offers a prescription:  

“Reduce the likelihood of threat actors accessing the OT network after compromising the IT network…All connections to the OT network are denied by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality. Necessary communications paths between the IT and OT networks must pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone, which is closely monitored, captures network logs, and only allows connections from approved assets.” 

–CISA Cross-Sector Cybersecurity Performance Goals March 2023 Update, PR.AC-5, PR.PT-4 NETWORK SEGMENTATION  
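A minimal implementation of that prescription, as an added example (not ColorTokens’ or CISA’s code): all zones, addresses, allow entries and firewall log lines are constructed. Every connection into the OT network is denied unless an explicit source/destination/port entry matches, and allow entries that let an IT host bypass the jump box are flagged.

```python
"""Deny-by-default check for connections into an OT network (CISA CPG PR.AC-5 / PR.PT-4).
Added example, not ColorTokens or CISA code; all addresses, rules and log lines are constructed."""
from ipaddress import ip_address, ip_network

ZONES = {"IT": ip_network("10.10.0.0/16"), "OT": ip_network("192.168.50.0/24")}
JUMP_BOX = ip_address("10.10.99.5")  # constructed DMZ intermediary all IT->OT paths must use
# Explicit allow entries as (src, dst, proto, port); anything else toward OT is denied.
ALLOWLIST = [
    ("10.10.99.5", "192.168.50.10", "tcp", 502),   # jump box -> PLC, Modbus/TCP
    ("10.10.99.5", "192.168.50.20", "tcp", 3389),  # jump box -> HMI, RDP
    ("10.10.20.7", "192.168.50.30", "tcp", 1433),  # MES server -> historian, bypasses jump box
]

def zone_of(addr):
    return next((n for n, net in ZONES.items() if ip_address(addr) in net), "OTHER")

def audit_allowlist(rules=ALLOWLIST, jump_box=JUMP_BOX):
    """Return allow entries into OT whose source is not the intermediary (paths must pass through it)."""
    return [r for r in rules
            if zone_of(r[1]) == "OT" and zone_of(r[0]) != "OT" and ip_address(r[0]) != jump_box]

def evaluate(src, dst, proto, port, rules=ALLOWLIST):
    """Decide one flow: traffic into OT from any other zone is denied unless an entry matches."""
    if zone_of(dst) != "OT" or zone_of(src) == "OT":
        return "out-of-scope"  # not a connection into the OT network
    return "allow" if (src, dst, proto, port) in rules else "deny"

def parse_flow(line):
    """Parse a constructed firewall log line 'src=.. dst=.. proto=.. dport=..' into a rule tuple."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], f["proto"], int(f["dport"])

def denied_flows(log_lines, rules=ALLOWLIST):
    """Return flows the policy rejects, i.e. what the monitored intermediary should alert on."""
    return [parse_flow(l) for l in log_lines if evaluate(*parse_flow(l), rules) == "deny"]

SAMPLE_LOG = [  # constructed log lines
    "src=10.10.99.5 dst=192.168.50.10 proto=tcp dport=502",     # allowed via jump box
    "src=10.10.31.44 dst=192.168.50.10 proto=tcp dport=502",    # IT workstation straight to PLC
    "src=10.10.99.5 dst=192.168.50.20 proto=tcp dport=445",     # jump box, but SMB not permitted
    "src=192.168.50.10 dst=192.168.50.20 proto=tcp dport=502",  # intra-OT, out of scope here
]

if __name__ == "__main__":
    for r in audit_allowlist():
        print("allow entry bypasses intermediary:", r)
    for f in denied_flows(SAMPLE_LOG):
        print("denied:", f)
```

Running it reports the MES-to-historian entry as bypassing the jump box and denies the workstation-to-PLC and jump-box SMB flows, while intra-OT traffic is left to a separate intra-zone policy.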

We at ColorTokens agree with this, and we offer a premier solution to secure critical infrastructure and Operational Technology. Our approach is to enable a holistic strategy that protects the converged IT-OT landscape. Recent events have shown that an initial compromise of either side of the converged IT-OT landscape can lead to a breach of one or both environments. Our Xshield Enterprise Microsegmentation Platform is designed to provide pervasive microsegmentation to stop the lateral movement of ransomware and malware, and unauthorized traffic between and amongst all the assets and resources in the converged environment. Data center servers, cloud workloads, user endpoints, Kubernetes containerized applications, Cyber-Physical Systems/ICS, and IIoT devices are all visualized and have communication policies enforced in a unified administrator console. This ability to cover both traditional IT and OT using one platform gives you an edge against an intelligent and increasingly motivated adversary who seeks to exploit the interconnectivity of the modern enterprise landscape. In fact, our Xshield Enterprise Microsegmentation Platform™ was evaluated with the highest possible score for Operational Technology and IoT in the recent Forrester Wave for Microsegmentation Solutions™, Q3 2024. (The report can be accessed free of charge.)

ColorTokens designed an agentless solution using an appliance called the Xshield Gatekeeper. The Gatekeeper connects to the OT network switch like any other OT device (as a side connection, not physically in-line) and enables the Xshield platform to provide all the functionality that its agent-based solution would provide.

Figure: The agentless Xshield Gatekeeper protecting the OT/ICS Network 

Importantly, the Xshield solution gives a unified approach to implementing zero trust security across the IT and OT environments. As shown in figure 3, its administrator console lets you visualize all assets in the converged enterprise landscape, both IT and OT, and leverages automated policy recommendation capabilities to protect the converged landscape holistically.  

Figure: The Xshield Asset and Traffic Visualizer for IT and OT 

Our solution can help you up your security game and not be left behind in the ongoing battle against hackers and bad actors. We understand the critical importance of protecting your Cyber-Physical Systems, and we would welcome the opportunity to have a discussion with you about how our platform can help you achieve your security goals. You can reach us at www.colortokens.com/contact-us to schedule a meeting with our solutions team to start your journey to cyber resilience and breach readiness.