Contributed to this research: Adam Laurie and Sameer Koranne.
Given the accelerating rise in operational technology (OT) threats, this blog addresses some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. It also highlights several measures that can enhance security for OT networks, based on insights gained from the X-Force Red penetration testing team and from X-Force Incident Response's experience assisting OT clients with security incidents. These include a focus on the data historian and on network architecture, such as the placement of domain controllers.
OT is the hardware and software that monitors and controls industrial processes: heavy manufacturing equipment, robotics, oil pipeline and chemical flows, electric and water utilities, and the functioning of transportation vehicles.
Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.
Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.
Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware, a significantly higher share than any other attack type.
In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.
In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most commonly observed by IBM as attacking the OT network.
In the fall of 2019, Ryuk ransomware actors hit at least five oil and gas organizations in what appeared to be a targeted campaign aimed at OT, specifically oil and gas entities. At least one of these organizations was a natural gas compression facility at a U.S. pipeline operator, as reported by the U.S. Coast Guard, according to a report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and analysis by Dragos.
A Maritime Safety Information Bulletin issued by the Coast Guard on Dec. 16, 2019, indicated that segregation between the pipeline organization's IT and OT networks was insufficient to prevent the attacker from reaching the OT environment. The bulletin stated that after infecting the organization's IT network, the malware burrowed further into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. It further indicated that the attack disrupted camera and physical access control systems and resulted in the loss of critical process control monitoring systems.
X-Force Incident Response has similarly observed Ryuk affiliates cross over into OT networks in attack remediation and investigations, using methods similar to those observed by the Coast Guard.
In February 2021, a report by the French government's national cybersecurity agency (ANSSI) noted that newer Ryuk variants have worm-like capabilities and can replicate autonomously across an infected network. X-Force malware analysis of a Ryuk sample in June 2021 substantiated these findings, revealing the same worm-like capabilities in newer Ryuk variants. X-Force analysis also showed that Ryuk samples were packed in loaders similar to those used in Emotet and Trickbot campaigns, and Emotet has been known to worm into OT networks in the past.
It is possible that the new worm-like characteristics of recent Ryuk ransomware samples will give the group a higher likelihood of worming into OT networks in future ransomware operations, particularly if robust segmentation is not in place.
X-Force Incident Response data reveals that, in 2021, vulnerability exploitation is the primary method attackers are using to gain unauthorized access to organizations with OT networks. In fact, vulnerability exploitation has led to a staggering 89% of incidents X-Force has observed at organizations with OT networks so far this year, where the initial infection vector is known.
In 2021, X-Force has also observed threat actors exploit CVE-2019-19781, a path traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway appliances, to access networks at OT organizations. This was the most exploited vulnerability X-Force observed in 2020. The ease with which threat actors have been able to exploit this Citrix vulnerability, and the level of access it provides to critical servers, make it an entry point of choice for multiple attackers. We strongly recommend remediating this vulnerability if your organization has not done so already.
In some cases, OT organizations became victims of the Kaseya-linked ransomware attack, where exploitation of a zero-day vulnerability combined with a supply chain-style operation became the initial infection vector. In the Kaseya case, Sodinokibi/REvil ransomware operators exploited a zero-day vulnerability in Kaseya's VSA software (now tracked as CVE-2021-30116) to deliver ransomware. This attack leveraged techniques more common to advanced nation-state actors, namely exploitation of a zero-day and supply-chain propagation, which are uniquely difficult to defend against.
In a separate supply chain attack, multiple OT organizations reached out to X-Force for assistance in determining the extent to which the SolarWinds supply chain attack may have affected them. For some of the OT organizations impacted by the SolarWinds attack, original equipment manufacturers (OEMs) were the entry path, underscoring how attackers seek to exploit relationships of trust built between vendors and clients. The OEMs had access to the OT clients' networks to perform remote maintenance and were using compromised SolarWinds software across those remote connections.
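The publicly documented signature of CVE-2019-19781 exploitation is a request that escapes the /vpn/ virtual path with a ".." segment and lands in /vpns/ (for example /vpn/../vpns/cfg/smb.conf, or a POST to newbm.pl). The scanner below, an added example that is not part of the original article or of any X-Force tooling, runs that check over constructed web access-log lines in Combined Log Format; it assumes a reverse proxy or WAF in front of the gateway produces logs in that format, and it decodes the path twice so that percent-encoded and double-encoded traversal is caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# The first three mimic the documented CVE-2019-19781 pattern: a request that
# reaches the /vpns/ directory by traversing out of /vpn/. The last two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64.1"
203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 75 "-" "curl/7.64.1"
203.0.113.7 - - [11/Jan/2020:03:14:11 +0000] "GET /vpn/%2e%2e/vpns/portal/x.xml HTTP/1.1" 200 1024 "-" "python-requests/2.22"
198.51.100.9 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jan/2020:03:15:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the (decoded) path.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def decode_path(raw_path):
    """Strip the query string and percent-decode twice to defeat double encoding."""
    path = raw_path.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def is_traversal_to_vpns(raw_path):
    """True when the request traverses with '..' and lands under /vpns/."""
    decoded = decode_path(raw_path)
    return bool(TRAVERSAL_RE.search(decoded)) and '/vpns/' in decoded.lower()


def scan_log(text):
    """Return one dict per suspicious request, preserving log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        if is_traversal_to_vpns(m['path']):
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'method': m['method'],
                'path': m['path'],
                'status': int(m['status']),
            })
    return hits


def sources_with_success(hits):
    """Source IPs whose traversal requests got a 2xx: likely exploitation, not a blocked probe."""
    return sorted({h['ip'] for h in hits if 200 <= h['status'] < 300})


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print('sources with successful traversal:', sources_with_success(found))
```

A 2xx on the traversal request is the detail to escalate on: a 403 or 404 means the probe was blocked or the appliance was already mitigated, whereas a 200 on the newbm.pl POST followed by a 200 on a /vpns/portal/*.xml GET is the exploit chain completing. The check is intentionally strict about the "/vpns/" landing directory; widening it to any ".." in the path will also surface unrelated traversal attempts, which may or may not be what an OT security team wants in its alert queue.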
Examples such as these highlight the significant risk to OT organizations from supply chain operations.
When it comes to OT network security, X-Force Red penetration testers have found that the data historian often provides a reliable pathway into an OT network: compromising the historian frequently creates opportunities to compromise the OT network itself. Security teams should therefore be careful not to overlook the data historian when identifying and shoring up potential weak points in their OT network.
A data historian is a type of time-series database designed to efficiently collect and store process data from industrial automation systems. It is used widely in OT networks, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. Data historians were originally created for, and continue to be used most commonly for, identifying, diagnosing and remediating problems that might lead to costly downtime.
Adversaries that gain access to the data historian then have access to data, analysis and information on the control systems at that organization, which is useful for reconnaissance and further attack planning. In addition, the historian can provide a pathway from the IT network into the OT network if it is dual-homed, that is, if it has a network interface in each. Further, data historians tend to have extensive connections throughout OT networks, which can give an attacker an array of options for moving through an OT environment.
OT organizations can better secure the data historian by creating historian security groups, carefully defining who has access to these groups, closely monitoring accounts with access to ensure they are not stolen or abused, and implementing strong authentication measures. Organizations can also use electronic signatures and electronic records to require authentication whenever a change is made to data or configurations in the historian. In addition, placing the historian in a demilitarized zone (DMZ) can help segregate it from the OT network while still providing access from the IT network.
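The DMZ placement and the dual-homed pathway described above can be expressed as a default-deny flow policy and checked before a firewall change is pushed. The policy evaluator below is an added example, not code from the article or from any vendor; the three address ranges, the historian address 10.20.0.10 and the historian port 5450 are assumptions chosen for the example. The direction of the rules is the point: IT reads from the DMZ historian, the OT-side collector pushes outbound into the DMZ, and nothing in IT or the DMZ may initiate a connection into OT. A second function flags hosts whose interfaces span two zones, which is exactly the dual-homed historian the text warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address plan for the example (not from the article): three zones,
# with the historian living in the DMZ between IT and OT.
ZONES = {
    'IT':  ip_network('10.10.0.0/16'),
    'DMZ': ip_network('10.20.0.0/24'),
    'OT':  ip_network('192.168.50.0/24'),
}
HISTORIAN = '10.20.0.10'   # assumed DMZ historian address
HISTORIAN_PORT = 5450      # assumed historian client/ingest port


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int
    dst_host: Optional[str] = None  # when set, only this destination host matches


# Default-deny policy. Note the direction: the OT-side collector pushes data
# outbound into the DMZ; nothing in IT or the DMZ is allowed to initiate into OT.
RULES = [
    Rule('it-read-historian', 'IT', 'DMZ', HISTORIAN_PORT, HISTORIAN),
    Rule('ot-push-historian', 'OT', 'DMZ', HISTORIAN_PORT, HISTORIAN),
]


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return 'UNKNOWN'


def evaluate(src, dst, dport):
    """Return (allowed, rule_name) for a flow initiated from src to dst:dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_port == dport and r.dst_host in (None, dst)):
            return True, r.name
    return False, 'default-deny'


def audit(flows):
    """Return the flows the policy would block, each with the reason."""
    blocked = []
    for src, dst, dport in flows:
        allowed, reason = evaluate(src, dst, dport)
        if not allowed:
            blocked.append(((src, dst, dport), reason))
    return blocked


def dual_homed(hosts):
    """Hosts whose interfaces span more than one zone: a bridge the firewall policy never sees."""
    return sorted(h for h, ips in hosts.items() if len({zone_of(ip) for ip in ips}) > 1)


# Constructed flows: a normal IT read, the OT collector push, and three attacker moves
# (IT straight to a PLC on Modbus/502, the DMZ historian reaching into OT, OT to IT on SMB).
SAMPLE_FLOWS = [
    ('10.10.5.5',     HISTORIAN,       HISTORIAN_PORT),
    ('192.168.50.20', HISTORIAN,       HISTORIAN_PORT),
    ('10.10.5.5',     '192.168.50.30', 502),
    (HISTORIAN,       '192.168.50.20', HISTORIAN_PORT),
    ('192.168.50.20', '10.10.5.5',     445),
]
# Constructed inventory: the legacy historian is dual-homed into IT and OT.
SAMPLE_HOSTS = {
    'historian-dmz':    ['10.20.0.10'],
    'historian-legacy': ['10.10.1.10', '192.168.50.10'],
    'plc-01':           ['192.168.50.30'],
}

if __name__ == '__main__':
    for flow, why in audit(SAMPLE_FLOWS):
        print('BLOCK', flow, why)
    print('dual-homed:', dual_homed(SAMPLE_HOSTS))
```

Two caveats a practitioner should keep in mind. First, the evaluator reasons about who initiates a connection, so it only matches reality if the firewall is stateful and the OT collector genuinely pushes rather than being polled; a historian that polls OT devices needs a DMZ-to-OT rule and with it an inbound path an attacker on the historian can reuse. Second, the dual-homed check depends on an accurate interface inventory; a second NIC that never made it into the CMDB is invisible to this kind of audit, so it should be cross-checked against switch MAC tables or passive network monitoring.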
It is not uncommon to find companies creating and using enterprise data historians hosted within the IT infrastructure. With aggressive cloud adoption strategies and an increase in Industrial Internet of Things (IIoT) devices, companies have started implementing or moving these enterprise historians to cloud environments. Typically, these historians aggregate the data from site- and plant-specific data historians. This approach provides scalability and seamless integration with cloud-based storage and applications for secure information sharing, where needed. However, companies must ensure that they store the data safely without creating an opening for an attack.
MITRE has provided several additional risk mitigation measures to help secure data historian servers/databases, and IBM recommends reviewing those and implementing as many as possible.
Securing OT networks is more critical than ever. OT network defenders can implement a range of measures to decrease the chances of encountering a cyber incident on their OT network. Some of these measures are aimed at decreasing the risk of a ransomware attack, including Ryuk attacks, while others can help prevent a range of different attack types with the potential to weaponize OT networks.
Originally posted here:
The Weaponization of Operational Technology - Security Intelligence