Three ways to modernise your OT security programs

Exponential growth in operational technology (OT) vulnerabilities. Increased cyber attacks on OT systems. Fruitless technology investments. Siloed technologies and teams.

Research findings in Skybox’s Vulnerability and Threat Trends Mid-Year Report 2021 unearths a dire need for organisations to modernise their OT security programs. An exponential growth in OT vulnerabilities has predictably led to an increase in cyber attacks on OT systems. Additionally, Skybox Research Lab discovered the frequency and scope of malicious activity are increasing apace and companies with siloed technologies and disjointed teams are helpless to stop them. Exploits in the wild are on the upswing, as this report details, and 2021 has seen some of the most audacious and potentially devastating cyber attacks in history. The most disturbing thing is that many of today’s emerging attacks are designed not to just hurt businesses financially, but injure people too.

One area that saw a particularly sharp increase in vulnerabilities in H1 2021 is OT, with 519 CVEs (critical vulnerabilities and exposures) reported by CISA, compared to 356 CVEs in H1 2020. That’s a leap of 46%. CISA advisories on OT vulnerabilities grew similarly, by 45%.

OT is the control system and backbone of energy providers and other basic utilities, communication systems, building automation, physical security systems, vehicle controls and more. They’re a prized target for bad actors. Frighteningly enough, many OT attacks are not always financially motivated – sometimes, it’s the thrill of creating devastation and mayhem.

For example, the recent Florida water plant hack was not ransomware – it was the desire to create chaos. Simply put, this was the evil work of a Joker disciple, who got jollies from seeing the world burn. The bad news is that OT breaches are not comic book fantasies and, sadly, security measures are often weak. And unfortunately, there’s no superhero to save the day; in fact, there aren’t even enough OT skilled resources.

According to Gartner, organisations continue to face growing shortages of hands-on technicians with the skills to attend to OT devices.

OT security teams are flying blind in the dark

While OT vulnerabilities have become a favourite target of threat actors, those same flaws are often invisible to security teams. That’s because many OT systems are hard or impossible to scan. At best, companies scan them infrequently (once or twice a year) because they can’t afford to take these mission-critical systems offline or degrade service. Likewise, patching many OT systems is technically impossible, or too cumbersome and costly to address all vulnerabilities.

As a result, reliance on traditional scan-and-patch methods is a non-starter when it comes to OT security. Security teams can’t find most OT vulnerabilities by scanning alone, and even if they could, they couldn’t remediate those flaws with patching. A new approach is needed, one that not only improves detection and eliminates the blind spots, but also facilitates targeted, effective remediation by identifying actual exposures and implementing effective security controls such as network segmentation and IPS systems to prevent unauthorised access.

If the findings in this report make one thing clear, it’s that traditional approaches to vulnerability management are falling further and further behind. Too many assets are difficult or impossible to scan. Vulnerabilities are too numerous, threats too varied and infrastructure too complicated (fragmented, siloed and heterogeneous) to secure using conventional, largely manual processes. Finding and patching all vulnerabilities is simply out of the question, and the criteria typically used to prioritise remediation efforts is often misleading.

Throwing money at OT security doesn’t work

As a result, IT and security teams are caught in a vicious cycle, spending more money and resources on increasingly ineffective measures, while failing to keep pace with the rapidly evolving threat landscape.

Managing OT security is a responsibility that should be shared among every role across the security organisation. Unfortunately, the use of siloed firewalls and disparate security tools has made it impossible for any single person on the team to have the visibility and insights needed to secure these OT systems. Even worse, these disjointed security tools have also made it impossible for teams to collectively view insights that help prioritise patching critical vulnerabilities and even prevent breaches.

Security teams are beginning to rethink their approach to OT security. Band-Aids don’t work. A foundational overhaul is needed that supports visibility across IT networks and OT systems.

Siloed systems challenge every security team member

There’s no way around it: Teams need a platform that connects, aggregates and normalises the data across these disparate tools to provide teams with holistic visibility to analyse where to focus remediation efforts. Without that visibility, everyone ends up flying blind in the dark, struggling to fulfil their responsibilities.

• IT directors already don’t have the resources to manage disparate technologies, nor do they have the intelligence and insights to assess, correct and mitigate risks when adding new technology. They struggle with operational complexities because managing separate environments with separate sets of tools results in blind spots that simply go unchecked.
• CISOs are concerned about breaches due to the increasing attacks on connected physical systems, but they can’t see their OT infrastructure or patch vulnerabilities.
• Security architects can’t rely on endpoint security and struggle to reconcile numerous IOT device types that are incorporated into an environment. This makes network segmentation difficult because they can’t efficiently visualise and analyse multiple systems.
• Plant managers are concerned about maintaining uptime and availability when implementing security remediation solutions. They’re also terrified about public safety if one of their systems unexpectedly goes down during an attack.
• Security operations don’t have the resources to manage all these security alerts. They don’t have the insights to know which vulnerabilities to prioritise, which is complicated by their struggle to manage across multiple vendors and tools.

Three keys to a modern OT security program

Enterprises require solutions that provide comprehensive visibility across their entire network, that precisely identify the most salient threats and that facilitate timely, cost-effective remediations. Specifically, organisations need:

1. Vulnerability detection: Beyond active scanning

Vulnerability discovery should leverage data sets not only from scans but also from direct integrations with assets that can’t be actively scanned, as well as configuration databases – across security, cloud, networking and endpoint technologies. This form of detection, sometimes referred to as “passive scanning”, can be combined with active scanning to provide a unified view of the entire attack surface.

2. Exposure analysis: Beyond limited risk scoring

Today, even a low- or medium-severity vulnerability can pose a serious risk if it’s readily accessible to threat actors. Increasingly, attackers use such seemingly innocuous vulnerabilities as the first step in sophisticated multistage campaigns. That’s why exposure analysis is the essential component of threat-centric risk assessment. Exposure analysis consists of complete path analysis (analysing all the paths to and from IT and OT assets) and attack simulation to show all the potential ways threat actors can get to an asset.

3. Optimal remediation: Beyond patching

Once exposure analysis has been used to identify and prioritise the most pressing security threats, organisations need practical ways to remediate problems and protect their networks. And since patching isn’t always feasible or practical, that means taking other measures: Adjusting configurations, enforcing appropriate policies, applying IPS signatures, implementing network segmentation and more. In so doing, security teams can ensure that assets – even those with unpatched vulnerabilities – are fully protected and not exposed.

Combining these three elements enables enterprises to maintain real-time threat awareness across their entire infrastructure – even the most complex hybrid and multicloud environments. In short, they can fortify their organisations and every member of the security team with the most powerful and cost-effective solution possible.

Download Skybox’s Vulnerability and Threat Trends Mid-Year Report 2021.