There is a new attack angle in cybersecurity: hackers can reach objects traditionally considered unconnected, such as oil rigs and ships in the sea, because they are now exposed to the Internet. This article describes what we can do about it.
History repeats itself. Could we use the lessons from the first time around? At the height of ransomware attacks, people responsible for oil rigs and ships in the sea find themselves to be the next potential target. Let me explain.
A long time ago, the first computer viruses appeared. By now, this is a well-developed area, with its own tools and methods for both attacking computers and protecting them. This discipline is IT security. Ransomware falls into this category, as do denial-of-service attacks. For example, one can hack a camera in a child’s bedroom and wake the child with noises. Better yet (or worse), one can hack hundreds of thousands of such cameras and use them to mount a denial-of-service attack on a website.
Let’s see what happened here. It is nice to be able to monitor your toddler’s room, and for that, it is convenient to use the Internet. The engineer makes a camera connected to the Internet and lets you view the images it generates over the Internet. Who could have thought that a hacker might get access to it for his own purposes? Even more, who could have thought that one piece of software could hack multiple cameras and organize them into a botnet?
At first, it was creative hacker thinking. But when people found out about it, they implemented defenses, right? Wrong!
These cameras cannot be fixed and their vulnerabilities remain a problem. They are pieces of hardware that do not receive regular updates like your computer does. Bruce Schneier describes this situation and its ramifications in his book, “We Have Root: Even More Advice from Schneier on Security.”
The pattern of “we were building and never thought the bad guys would come” repeats itself with machinery such as oil rigs and ships in the sea. Initially, relays controlled the machines. However, any time you need to change the engine’s logic, you have to take the old relay out and wire in a new one.
That is why people moved to programmable logic controllers (PLCs) as a replacement for relays. Now you control your equipment with a sensor, a controller (the PLC) and an actuator. You can think of the PLC as a programmable computer, and its firmware may need to receive updates. So you connect it to the Internet. That is the situation in which many people suddenly find themselves today.
The term for this area of technology is Operational Technology or OT. Earlier, we talked about IT security, maybe IoT security, but now we find ourselves talking about OT security. I taught a course on OT Security at a major oil and gas company. I saw some of the players and understood the importance of OT security, the current problems and how to solve them. Here are my findings.
By putting PLCs together, you create Industrial Control Systems (ICS). Control systems have also found their way into distributed applications such as electrical power grids, railways and pipelines. When you add the data acquisition part, you get Supervisory Control and Data Acquisition (SCADA). The stakes are not theoretical: Stuxnet, malware that targeted PLCs, is believed to be responsible for causing substantial damage to Iran’s nuclear program.
So, what is OT? The analyst firm Gartner defines OT as: “Hardware and software that detects or causes a change through the direct monitoring and control of physical devices, processes and events in asset-centric enterprises, particularly in production and operation.” This definition expands the scope of OT now finding applications far beyond the traditional “industrial” industries where ICS has found a home for the last 50 years.
You have probably heard about the Internet of Things (IoT). A November 2019 Gartner survey of OT operators found that 59% believed IoT adoption is likely to augment or replace most or all of their OT monitoring and control systems within 36 months.
It is a warranted change, and it is unavoidable. It also puts all these industries under attack. I spoke to Mission Secure, one of the leading and forward-looking companies in this area. According to Mission Secure, the cybersecurity concerns associated with OT have never been higher, as the ability to isolate OT systems becomes increasingly difficult.
With the dangers being so great, OT security teams come into play. These teams need to operate in a world where business imperatives drive technology investments. The best case for a security team is to be involved early enough in the acquisition cycle to raise concerns about security implications before the purchase is made.
The good news is that OT security teams can learn from their IT counterparts. There is a Purdue security model for OT; although it is slightly dated, updates are in the works. The first step for most enterprises is reconnaissance of their own environment, that is, asset discovery. There is a vast number of OT components of which companies are not even aware.
Then comes threat modeling, which means looking at your system from the hacker’s point of view. Lockheed Martin calls its framework the Cyber Kill Chain, and MITRE calls its framework ATT&CK. These lessons reuse IT security, but there are also OT-specific recommendations:
- Eliminate the need for OT cybersecurity controls where possible
- All of NIST SP 800-82 applies
- Simplify OT cybersecurity – this amounts to re-architecting the ad-hoc architecture
- Use managed services – leave it to a professional
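As an added illustration that is not part of the original article, here is a small passive asset-discovery and segmentation check over constructed flow records, in the spirit of the Purdue model’s first step: find the OT components you own, then flag any that talk directly to the outside. The port-to-protocol map, the internal address ranges and the sample flows are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Industrial protocols by well-known TCP port; hosts serving them sit at
# Purdue Levels 0-2 and should never be reachable from outside the plant.
OT_PORTS = {502: "Modbus/TCP", 102: "Siemens S7", 20000: "DNP3", 44818: "EtherNet/IP"}

# Address space the site considers internal (assumption: the RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (src, dst, dst_port); the TEST-NET addresses
# 203.0.113.x and 198.51.100.x stand in for hosts on the Internet.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.50", 502),    # HMI polling a PLC inside the OT subnet
    ("10.20.1.15", "10.20.1.51", 102),    # HMI talking to an S7 controller
    ("203.0.113.9", "10.20.1.50", 502),   # external host reaching the PLC directly
    ("10.20.1.51", "198.51.100.7", 443),  # PLC calling out (e.g. a firmware update)
    ("10.50.3.8", "10.50.3.9", 443),      # ordinary IT traffic, not OT
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def inventory(flows):
    """Passive discovery: a host that receives an industrial protocol is an OT asset.
    Returns {ip: sorted list of protocol names seen}."""
    assets = defaultdict(set)
    for _src, dst, port in flows:
        if port in OT_PORTS:
            assets[dst].add(OT_PORTS[port])
    return {ip: sorted(protos) for ip, protos in assets.items()}

def internet_exposure(flows):
    """Flag each flow with an OT asset on one end and a non-internal address on the
    other. In a Purdue-style design that path must go through the Level 3.5 DMZ,
    so a direct flow is a segmentation gap worth investigating."""
    ot_assets = inventory(flows)
    findings = []
    for src, dst, port in flows:
        if dst in ot_assets and not is_internal(src):
            findings.append(("inbound", src, dst, port))
        elif src in ot_assets and not is_internal(dst):
            findings.append(("outbound", src, dst, port))
    return findings

if __name__ == "__main__":
    print(inventory(SAMPLE_FLOWS))
    for finding in internet_exposure(SAMPLE_FLOWS):
        print("exposed:", finding)
```

Feeding real NetFlow or firewall logs into the same two functions gives a first-cut OT inventory and a list of PLCs with a direct path to the Internet.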
I think that by now, whether you are in the asset-centric enterprise, a security provider or just want to follow the trends, you have had enough food for thought. But what about those ships in the sea that I mentioned earlier?
Protecting the Ships in the Sea
It is an exciting area, and it came to me from the American Bureau of Shipping (ABS). ABS’s role is to “set standards for safety and excellence as one of the world’s leading classification organizations.” ABS had a conversation with Obrela Security, whose headquarters are in Greece. They asked themselves a question: “Given all the security concerns, what is the first security-related action you would recommend?” Here are some choices:
- The data. At the end of the day, what data do I need to protect?
- The risk. What is my risk exposure?
- The risk appetite. How much risk appetite do the risk takers (senior management, shareholders) have?
- In-house security team or an outside Security as a Service?
The choices given above are essential. Yet I think that there is another item that comes before all of them, and that is education. Full disclosure: I run a training company and teach security courses. Still, I think that education should come before any question in life.