The day has come - the adage of “assume they’re already in and will stay in” applies to not only IT networks, but OT networks as well.
Not all intruders go straight to a visible attack. High-level intruders exploit vulnerabilities, then set up conditions to maintain a state of compromise, especially in the event there is a detection. We call this persistence. Once an attacker has persistence, they are free to disrupt operations at a time of their choosing. While we would obviously rather stop the intrusion, we must also be prepared to maintain operations or quickly restore operations if an attacker is successful. Many facilities and pieces of equipment are physically remote, which is an advantage in terms of access to a physical attack, but a disadvantage in terms of being able to cost-effectively manage and monitor it.
Production Operational Technology (OT) networks were designed and built to run production processes with many built before Internet connections were a normal every-day occurrence. As such, protections were built around life and process safety, not computer and network security. Because of this, securing these systems is a bolt-on after-the-fact exercise, and after what may be years of focus elsewhere, with electronic “cyber” vulnerabilities the safest assumption to make is to work from the position that the equipment and networks are already compromised.
If your defenses, future plans, processes and procedures all assume that attackers have already been somewhat successful, then protections emplaced will be resilient against not only new attacks, but existent problems as well. This means your operational processes are more likely to remain unaffected by an attack or error than if you take the traditional approach of perimeter hardening alone.
In the Ukraine power grid event in December 2015, one of the lessons learned was the malware toolkit was embedded in several of the process control networks — as in resident and undetected. We’ve seen supply-chain firmware attacks on customers Programmable Logic Controllers (PLCs) that were detected after system installation. If we start with the premise of a compromised environment, we can engineer robust protections and detections that allow the best chance of both detecting problems and stopping malice.
While we must also deal with difficult updates, long maintenance cycles, short staffing, minimal budgets and an emerging hostile set of attackers learning more about OT networks and equipment, it’s in your best interest to “assume they’re already in and will stay in.”
Originally published January 15, 2019, updated November 19, 2020.
