The Urgent Case for Cyber-Attack Prevention (versus Detection) in Industrial OT/ICS Networks in Light of the FireEye and SolarWinds Hacks
Written by Roark Pollock
The recent FireEye and SolarWinds hacks dominate the headlines and are changing the conversation for operational technology (OT) and industrial control system (ICS), IT, and cybersecurity teams. Throughout 2020 the COVID-19 pandemic and the oil and gas market crash were a considerable distraction and reset the short-term priorities of these teams. As we head into a new year, there is a strong case that their attention will return to the cybersecurity problem at hand, and that 2021 and beyond will be the years to focus on OT/ICS cyber-attack prevention.
Looking at the FireEye and SolarWinds Hacks
Early this month, FireEye publicly disclosed a sophisticated intrusion into its own systems by what it called “a nation with top-tier offensive capabilities.”
In a recent New York Times article: “The company said hackers used ‘novel techniques’ to make off with its own [offensive hacking] tool kit, which could be useful in mounting new attacks around the world.”
“The hackers went to extraordinary lengths to avoid being seen and created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks.”
Investigators have also called out units of Russian military intelligence that perpetrated high-profile OT/ICS attacks: on the power grid in Ukraine, on American municipalities, and on a Saudi petrochemical plant, where the attackers went after the plant's safety instrumented system, the very last safeguard before an explosion.
OT cybersecurity teams must expect that such sophisticated attacks on industrial control systems will be the new norm, rather than the exception.
Days later, FireEye discovered and exposed a supply-chain attack on SolarWinds’ Orion software, which was used to deploy the SUNBURST backdoor (Microsoft calls it Solorigate). You can read more about this SolarWinds hack in this article by Mission Secure cybersecurity researchers.
According to a recent TechRadar article, “the SolarWinds Orion product was successfully compromised from versions 2019.4 through 2020.2.1, released between March and June 2020. The compromised Orion product contained a strain of malware named SUNBURST. While these updates required manual installation, they were available for long enough that many regulatory frameworks would force their installation.”
This hack’s severity cannot be overstated. Up to 18,000 SolarWinds Orion customers downloaded a software update containing a backdoor that gave the attackers network access. The victims went beyond government agencies and security firms to include Fortune 500 companies, national security and critical infrastructure providers, and more.
More concerning for many OT/ICS companies is that the SolarWinds compromise reached smaller and mid-sized enterprises as well, not only large, high-profile targets.
These attacks are a wake-up call across both the digital and physical realms. The root problem is a climate of almost unlimited cyber warfare, and it necessitates immediate action: the implementation of network-based cyber-attack prevention in OT/ICS environments.
It’s Time to Forget these Common OT/ICS Cybersecurity Fallacies
These two high-profile cyber-attacks, and the resulting urgency to implement OT cyber-attack prevention in 2021 and beyond, should put the following OT/ICS cybersecurity fallacies to bed once and for all.
We haven’t been attacked, so cybersecurity isn’t an urgent need for us. These two cyber-attacks illustrate the lengths sophisticated attackers go to in compromising critical infrastructure networks, hiding their reconnaissance, and keeping their network access concealed for long periods of time. A cyber intrusion or breach does not always produce an immediate, visible attack.
As the aphorism goes, “absence of evidence is not evidence of absence.”
We’re too small, and no one wants to attack us. In the current climate of almost unlimited cyber warfare, every organization is under attack, whether it acknowledges it or not. SolarWinds has notified 33,000 Orion customers of the compromise, and as many as 18,000 had downloaded the software update containing the backdoor that gave attackers network access. That population clearly included large, mid-sized, and small enterprises.
Cyber-attacks are targeting every organization, and companies of all sizes, especially those in critical infrastructure and the process industries, must avoid becoming easy prey for these attackers.
We’re air-gapped, so cybersecurity isn’t a worry for us. This comment is slowly fading, but it is still heard far too often in conversations with OT and ICS operations personnel. The SolarWinds hack exposed government, defense, enterprise, and critical infrastructure organizations to backdoor malware that arrived through a routine, trusted software update. That is the practical test of an air gap: any channel by which updates reach the control network is a channel an attacker can use, and by that test few, if any, organizations today are truly air-gapped.
Additionally, Mission Secure’s experience over multiple years of conducting cyber risk assessments for clients around the world who operate critical assets, such as UAVs, oil tankers, offshore platforms, refineries, power plants, water treatment facilities, and traffic management systems, has shown that not a single one was truly air-gapped.
Focusing on OT/ICS Cyber-attack Prevention and What to Do Now
2021 and beyond is the time to focus on cyber-attack prevention in OT/ICS environments. Once an attacker is inside the perimeter firewall of a network that lacks fine-grained, zero-trust access control and micro-segmentation, point security solutions are simply insufficient to protect an organization’s most critical assets from today’s adversaries and threats.
The CEO of Palo Alto Networks, another major cybersecurity company, put it plainly, “Every business and federal agency needs to take stock of their network security in the wake of these suspected Russian massive cyber-attacks.” Mission Secure recommends the following:
1. Immediately Address the SolarWinds Distributed SUNBURST Malware
For any SolarWinds customer, the relevant guidance is the U.S. Department of Homeland Security direction to the organizations and agencies under its purview to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.”
“Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.”
Further, because attackers are likely to target other device-inventory and monitoring tools used in OT environments in the same way they targeted SolarWinds, Mission Secure recommends that OT cybersecurity organizations ask their vendors for documentation of how those inventory-tracking mechanisms are hardened against compromise, including brute-force attacks on their credentials and tampering with their software update channel.
2. Implement Network-Based Zero-Trust, Micro-Segmentation
Virtually every major cyber-attack on OT/ICS environments has included some measure of external command and control (C2) together with reconnaissance or data collection in the overall attack chain. To minimize or completely prevent these techniques, Mission Secure recommends implementing network-based zero-trust micro-segmentation.
Network-based segmentation and protection that identifies and blocks external C2 communications, and the follow-on network scans or reconnaissance, can prevent a malware infection such as SUNBURST from having any impact: a backdoor that cannot reach its operator and cannot see the rest of the network is contained.
Additionally, network-based segmentation and protection can block unauthorized OT/ICS protocol communications and the plethora of attack options those protocols present. OT systems are characterized by a wide range of legacy, proprietary, and non-standard protocols and interfaces, and a full range of malicious and malformed-protocol attacks exists against them.
Implementing network-based segmentation and protection inside OT/ICS networks eliminates a vast array of OT threats and stops OT cyber-attacks head-on.
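As an added example (not Mission Secure's product or code), the following Python models the policy such a segmentation layer enforces on one OT cell: deny by default, allowlist the few flows the process needs, block egress from the cell to any external address (what a SUNBURST-style beacon to its C2 looks like from inside the cell), flag a host that fans out across many ports after gaining a foothold, and refuse Modbus write function codes from anything but the authorized HMI. The cell address range, device addresses, allowlist, and flow records are all constructed for the illustration.

```python
"""Zero-trust micro-segmentation policy for one OT cell (added illustration).

This is not Mission Secure's code. Every value here is an assumption made for
the example: the 10.10.0.0/16 cell, the device addresses, the allowlist and the
sample flow records are constructed, and the Modbus write function codes listed
are the common ones (5, 6, 15, 16) only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Address space of the OT cell. Anything outside it is "external" for egress purposes.
CELL_NETS = [ip_network("10.10.0.0/16")]

# Zero trust: only flows listed here are permitted; everything else is denied.
# (src, dst, proto, dst_port)
ALLOWED_FLOWS = {
    ("10.10.1.10", "10.10.2.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.11", "10.10.2.20", "tcp", 502),    # historian -> PLC, Modbus/TCP (reads only)
    ("10.10.1.10", "10.10.2.21", "tcp", 44818),  # HMI -> drive, EtherNet/IP
}

# Modbus function codes that change PLC state; only the HMI may send them.
MODBUS_WRITE_CODES = {5, 6, 15, 16}
WRITE_AUTHORIZED_SOURCES = {"10.10.1.10"}

# A source touching this many distinct (host, port) targets is doing reconnaissance.
SCAN_THRESHOLD = 5


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    modbus_fc: Optional[int] = None  # Modbus function code when dst_port is 502


def in_cell(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in CELL_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for a single flow. Egress is judged first so a C2
    beacon is labelled as such even though it would also fail the allowlist."""
    if in_cell(flow.src) and not in_cell(flow.dst):
        return "DENY", "egress from cell to external address (possible C2)"
    if (flow.src, flow.dst, flow.proto, flow.dst_port) not in ALLOWED_FLOWS:
        return "DENY", "flow not in allowlist"
    if (flow.dst_port == 502 and flow.modbus_fc in MODBUS_WRITE_CODES
            and flow.src not in WRITE_AUTHORIZED_SOURCES):
        return "DENY", f"Modbus write (function code {flow.modbus_fc}) from unauthorized source"
    return "ALLOW", "explicitly allowed"


def find_scanners(flows: List[Flow], threshold: int = SCAN_THRESHOLD) -> List[str]:
    """Sources that probed at least `threshold` distinct targets: the follow-on
    reconnaissance an attacker runs once a foothold inside the cell exists."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dst_port))
    return sorted(src for src, seen in targets.items() if len(seen) >= threshold)


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts over a batch of flows."""
    counts = {"ALLOW": 0, "DENY": 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts


# Constructed flow records: legitimate HMI/historian traffic plus a compromised
# engineering workstation (10.10.1.12) beaconing out, touching the PLC, and scanning.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502, 3),
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502, 16),
    Flow("10.10.1.10", "10.10.2.21", "tcp", 44818),
    Flow("10.10.1.11", "10.10.2.20", "tcp", 502, 3),
    Flow("10.10.1.11", "10.10.2.20", "tcp", 502, 6),
    Flow("10.10.1.12", "203.0.113.7", "tcp", 443),
    Flow("10.10.1.12", "10.10.2.20", "tcp", 502, 3),
] + [Flow("10.10.1.12", "10.10.2.21", "tcp", p) for p in (22, 80, 102, 135, 445)]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src} -> {f.dst}:{f.dst_port} ({reason})")
    print("scanners:", find_scanners(SAMPLE_FLOWS))
    print("summary:", summarize(SAMPLE_FLOWS))
```

Two design points carry over to a real deployment: the egress rule catches the beacon before the allowlist is even consulted, so the reason recorded is "possible C2" rather than a generic deny, and the write-code rule shows why segmentation in OT must understand the protocol, not only the port, since the historian and the HMI legitimately share TCP/502 but only one of them may change PLC state.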
3. Conduct Continuous Signal-Integrity Monitoring of Critical Assets to Prevent Cyber-attacks on Physical Infrastructure
In OT/ICS environments, the most devastating cyber-attack is one that begins as a quiet intrusion, for example a backdoor such as the SolarWinds SUNBURST malware, and is then allowed to proceed until a disruptive or destructive physical attack is carried out.
The classic example of this type of physical attack is Stuxnet, ten years ago, which was specifically designed to physically damage the target equipment while reporting normal readings to its operators. Cyber-attacks that reach this phase dramatically threaten life, safety, and the environment.
It is for this reason that Mission Secure further recommends continuous signal-integrity monitoring of critical physical assets, measuring the physical signal independently of what the control system reports, so that an attack is caught at the physical layer even after a successful OT network intrusion. Cyber-attacks on physical infrastructure cannot be allowed to reach this stage, and continuous signal-integrity monitoring is designed to protect against exactly these consequences.
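As an added example (not Mission Secure's product or code), here is the logic of a signal-integrity monitor in Python for one constructed asset: a pump whose speed the PLC reports over the network, while the monitor reads the drive's analog output independently on the field side. The trace replays the Stuxnet pattern in miniature: the reported value stays at a comfortable 1000 rpm while the physical speed climbs out of the safe envelope. The envelope, tolerances, and readings are all assumptions made for the example.

```python
"""Signal-integrity monitor for one critical physical asset (added illustration).

This is not Mission Secure's product or code. The asset (a pump whose speed the
PLC reports over the network), the safe envelope, the tolerances and every reading
below are constructed for the example. The idea shown: read the physical signal
independently, on the field side of the controller, and compare it with what the
network says. Disagreement, a frozen network value, or a physical excursion outside
the envelope are each grounds to alert, and the last is grounds to trip.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Tuple

SAFE_MIN_RPM, SAFE_MAX_RPM = 800.0, 1200.0  # physical operating envelope
TOLERANCE_RPM = 50.0                        # max acceptable |reported - measured|
WINDOW = 5                                  # samples examined for a frozen channel
FROZEN_STDEV = 2.0                          # reported channel flat below this spread...
MOVING_STDEV = 25.0                         # ...while the measured channel moves above this


@dataclass(frozen=True)
class Sample:
    t: int               # seconds since start
    reported_rpm: float  # value the PLC/HMI reports over the network
    measured_rpm: float  # value read independently from the field-side analog signal


Alert = Tuple[int, str]  # (time, kind) with kind in {"mismatch", "envelope", "frozen"}


def check_sample(s: Sample) -> List[Alert]:
    alerts: List[Alert] = []
    if abs(s.reported_rpm - s.measured_rpm) > TOLERANCE_RPM:
        alerts.append((s.t, "mismatch"))  # the network view no longer matches the physical one
    if not SAFE_MIN_RPM <= s.measured_rpm <= SAFE_MAX_RPM:
        alerts.append((s.t, "envelope"))  # physics says the asset is at risk, whatever the HMI shows
    return alerts


def check_frozen(window: List[Sample]) -> List[Alert]:
    """Reported value flat while the measured signal moves: the replay of 'normal'
    values that hides a physical excursion from operators."""
    if len(window) < WINDOW:
        return []
    reported = [s.reported_rpm for s in window]
    measured = [s.measured_rpm for s in window]
    if pstdev(reported) < FROZEN_STDEV and pstdev(measured) > MOVING_STDEV:
        return [(window[-1].t, "frozen")]
    return []


def monitor(samples: List[Sample]) -> List[Alert]:
    """Run every check over a time-ordered trace and return all alerts raised."""
    alerts: List[Alert] = []
    window: List[Sample] = []
    for s in samples:
        window = (window + [s])[-WINDOW:]
        alerts += check_sample(s)
        alerts += check_frozen(window)
    return alerts


def should_trip(alerts: List[Alert]) -> bool:
    """Trip to the safe state as soon as the measured signal leaves the envelope."""
    return any(kind == "envelope" for _, kind in alerts)


# Constructed trace: steady at ~1000 rpm, then the pump is driven up while the
# reported value stays pinned at 1000 rpm.
SAMPLES = [
    Sample(0, 1000, 1002), Sample(1, 1001, 998), Sample(2, 999, 1003),
    Sample(3, 1000, 1001), Sample(4, 1002, 999),
    Sample(5, 1000, 1040), Sample(6, 1000, 1120), Sample(7, 1000, 1230),
    Sample(8, 1000, 1340), Sample(9, 1000, 1450),
]

if __name__ == "__main__":
    for t, kind in monitor(SAMPLES):
        print(f"t={t:2d}s  {kind}")
    print("trip:", should_trip(monitor(SAMPLES)))
```

On this trace the first mismatch and the first frozen-channel alert both fire at t=6, one sample before the physical speed leaves the envelope at t=7; a monitor that only trusted the network value would have seen a flat 1000 rpm throughout. The envelope check deliberately ignores the reported value altogether, which is what makes it useful after the controller or its network view has been compromised.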
2020 has been a difficult year for OT and ICS critical infrastructure and process-industry companies, as it has been for the rest of us. The FireEye and SolarWinds hacks are the most recent examples of the unlimited cyber warfare climate that both small and large enterprises find themselves in. So, as we head into 2021 and beyond, there will be a renewed sense of urgency in implementing OT/ICS cyber-attack prevention technologies.
Originally published December 21, 2020, updated December 21, 2020.