The Weaponization of Operational Technology – Security Intelligence

Contributed to this research: Adam Laurie and Sameer Koranne.

Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT networks based on insights gained from the X-Force Red penetration testing team and X-Force incident responses experience assisting OT clients with security incidents. These include a focus on data historian and network architecture, such as domain controllers.

OT is hardware and software that controls industrial processes, such as heavy manufacturing equipment, robotics, oil pipeline or chemical flows, electric utilities and water and the functionality of transportation vehicles.

Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.

Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.

Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware a significantly higher percentage than any other attack type.

In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.

In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most commonly observed by IBM as attacking the OT network.

In the fall of 2019, Ryuk ransomware actors hit at least five oil and gas organizations in what appeared to be part of a targeted campaign aimed at OT specifically oil and gas entities.At least one of these organizations was a natural gas compression facility at a U.S. pipeline operator as reported by the U.S. Coast Guard, according to a report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and analysis by Dragos.

AMaritime Safety Information Bulletin issued by the Coast Guard on Dec. 16, 2019, indicated that segregation between the pipeline organizations IT and OT network was insufficient to prevent the attacker from reaching the OT environment. The report stated that after infecting the organizations IT network, the virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The bulletin further indicated that the attack disrupted camera and physical access control systems and resulted in the loss of critical process control monitoring systems.

X-Force Incident Response has similarly observed Ryuk affiliates cross over into OT networks in attack remediation and investigations, using methods similar to those observed by the Coast Guard.

In February 2021, a report by theFrench government noted that newer Ryuk variants have worm-like capabilities and can replicate autonomously across an infected network. X-Force malware analysis of a Ryuk malware sample in June 2021 substantiated these findings, similarly revealing these worm-like capabilities in newer Ryuk variants. X-Force analysis of Ryuk malware showed that samples were packed in loaders similar to those used in Emotet and Trickbot campaigns, andEmotethas been known to worm into OT networks in the past.

It is possible that the new worm-like characteristics of recent Ryuk ransomware samples will give the group a higher likelihood of worming into OT networks in future ransomware operations, particularly if robust segmentation is not in place.

X-Force Incident Response data reveals that, in 2021, vulnerability exploitation is the primary method attackers are using to gain unauthorized access to organizations with OT networks. In fact, vulnerability exploitation has led to a staggering 89% of incidents X-Force has observed at organizations with OT networks so far this year, where the initial infection vector is known.

In 2021, X-Force has also observed threat actors exploit CVE-2019-19781 a Citrix server path traversal flaw to access networks at OT organizations. This was the most exploited vulnerabilityX-Force observed in 2020. The ease with which threat actors have been able to exploit this Citrix vulnerability and the level of access it provides to critical servers make it an entry point of choice for multiple attackers. We strongly recommend remediating this vulnerability if your organization has not done so already.

In some cases, OT organizations became victims of theKaseya-linked ransomware attack, where exploitation of a zero-day vulnerability and a supply chain-esque operation became the initial infection vectors. In the Kaseya case, Sodinokibi/REvil ransomware operators exploited a zero-day vulnerability in Kaseyas VSA software (now known as CVE-2021-30116) to deliver a ransomware attack. This attack leveraged attack techniques that are more common to advanced nation-state actors namely, exploitation of a zero-day and a supply-chain propagation technique which are uniquely difficult to defend against.

In a separate supply chain attack, multiple OT organizations reached out to X-Force for assistance in determining the extent to which theSolarWinds supply chain attack may have affected them. For some of the OT organizations impacted by the SolarWinds attack, original equipment manufacturers (OEMs) were the entry path, underscoring how attackers seek to exploit relationships of trust built between vendors and clients. The OEMs had access to the OT clients network to perform remote maintenance and were using compromised SolarWinds software across those remote connections.

Examples such as these highlight the significant risk to OT organizations from supply chain operations.

When it comes to OT network security, X-Force Red penetration testers have indicated that data historian often provides a reliable pathway into an OT network. Compromising data historian often can create opportunities to compromise the OT network. Thus, security teams should be careful not to overlook data historian when identifying and shoring up potential weak points in their OT network.

A data historian is a type of time-series database designed to efficiently collect and store process data from industrial automation systems. It is used widely for OT networks, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. Data historian was originally created for and continues to be used most commonly for identifying, diagnosing and remediating problems that might lead to costly downtime.

Adversaries that are able to gain access to data historian then have access to data, analysis and information on control systems at that organization useful for reconnaissance and further attack planning. In addition, data historian can provide a pathway from the IT network into the OT network, if the data historian is dual-homed. Further, data historian tends to have extensive connectionsthroughout OT networks, which can give an attacker an array of potential options for moving throughout an OT environment.

OT organizations can better secure data historian by creating historian security groups, carefully defining who has access to these groups, closely monitoring accounts with access to ensure they are not stolen or abused and implementing strong authentication measures. Organizations can also use electronic signatures and electronic recordsto demand authentication whenever a change is made to data or configurations in data historian. In addition, placing the historian in a demilitarized zone (DMZ) can help segregate it from the OT network while still providing access from the IT network.

It is not uncommon to find companies creating and using enterprise data historians hosted within the IT infrastructure. With aggressive cloud adoption strategies and an increase in Industrial Internet of Things (IIoT) devices, companies have started implementing or moving these enterprise historians to cloud environments. Typically, these historians aggregate the data from site- and plant-specific data historians. This approach provides scalability and seamless integration with cloud-based storage and applications for secure information sharing, where needed. However, companies must ensure that they store the data safely without creating an opening for an attack.

MITRE has provided several additional risk mitigation measures to help secure data historian servers/databases, and IBM recommends reviewing those and implementing as many as possible.

Securing OT networks is more critical than ever. OT network defenders can implement a range of measures to decrease the chances of encountering a cyber incident on their OT network. Some of these measures are aimed at decreasing the risk of a ransomware attack including Ryuk attacks while others can assist in preventing a range of different attack types with the potential to weaponize OT networks.

Originally posted here:

The Weaponization of Operational Technology - Security Intelligence