For the last six years, Dragos has leveraged their Professional Services team to develop an on-the-ground understanding of the realities facing the industrial community and to bring back insights and lessons learned from the field. In 2019, Dragos identified four common OT cybersecurity pitfalls that significantly increase risks to an enterprise. Each year, Dragos tracks progress in these four areas and publishes the results in its annual ICS/OT Cybersecurity Year in Review.
Limited or no OT network visibility
Limited visibility means that a facility is only monitoring the IT-OT boundary, not the activity inside the OT network. Full visibility is achieved when network and device logs are centralized and can be correlated across segments with network traffic analysis and asset inventories.
Visibility is the starting point for a robust cybersecurity program and, as the program matures, provides the metrics used to build more mature and secure environments. Visibility comes in various forms, from asset visibility to data-flow inspection, but it can be summarized as anything that increases the defender’s knowledge of their own environment. It often starts with an asset inventory but must also include network monitoring and device logs.
During 2022, Dragos uncovered that 80% of its services customers had limited to no visibility into their ICS environment, representing a 6% improvement from the previous year. When the results are analyzed by industry sectors, Dragos found that 89% of manufacturers had limited visibility, a 1% improvement over performance from the previous year.
Poor security perimeters
Poor security perimeters involve issues such as porous firewall rules, network boundary bypasses, or flat networks. They also include instances where the only segmentation is the initial firewall at the IT-OT boundary, and cases where there are unnecessary communication pathways to critical assets within the network.
Network security boundaries are perhaps the most common technical security control across any industry and have been for decades. As such, nearly every service engagement that Dragos executes involves evaluating the effectiveness of network segmentation. A flat network is problematic for several reasons. Flat networks often combine assets that should be separated into their own networks such as VoIP phones and IP cameras. These readily accessible assets may use vulnerable protocols, which are easily compromised. Additionally, once an adversary gets initial access, a flat network allows access to the entire network and any connected assets. This is especially true of ICS/OT networks as the assets they connect may lack the traditional security controls found on a corporate/IT network.
In 2022, 50% of Dragos services engagements identified issues with network segmentation. This is a significant improvement (27%) from 2021. However, when the findings are analyzed by sector, manufacturers continue to struggle in this area with 82% having poor security perimeters. This is a significant problem for the industry.
External connections to OT environments
An external connection is defined as any internet protocol (IP) and/or asset that communicates beyond a pre-defined security perimeter. This definition also extends to communication that originates from a location that is remote and outside of the company’s boundaries – such as in the case of third-party connections.
The ICS environment security perimeters consist of implemented levels or zones for network architecture and segmentation that typically follow the Purdue Model. External access can be described as any user communicating from outside the security perimeter of a zone, or any communication that originates from a location that is remote and outside of the company’s boundaries. In many cases, external connectivity is required to facilitate remote work by employees, integrators, original equipment manufacturers, and other vendors and partners.
However, the use of out-of-band devices (modems, LTE, 5G, landlines, etc.) to facilitate remote access bypasses the normal network flow enforcement mechanisms within the defensive architecture. This results in many of these external connections not being controlled or monitored appropriately. Similarly, many OT environments are believed to be fully segmented and even appear so on their network diagrams. However, in most cases, when analyzed with the Dragos Platform, external connections are identified.
Findings related to undocumented or uncontrolled external connections to OT environments dropped significantly from 70% in 2021 to 53% in 2022. While a 17% improvement is a positive trend, 53% is still a concerningly high number of uncontrolled external connections to OT environments, and manufacturers fared even worse in the analysis. 82% of manufacturers had undocumented or uncontrolled external connections – marking one of the most concerning findings in the report.
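As an added example that is not part of the Dragos report, the checks below turn the three points made so far (an asset inventory, segmentation between Purdue levels, and a defined perimeter) into one review of observed network flows. The zone ranges, inventory and flow records are constructed, and the rule that only adjacent levels may talk is an assumption about the site's policy.

```python
import ipaddress
from collections import defaultdict

# Constructed example data: Purdue-style zones and the asset inventory a
# defender believes is complete. Addresses are private/documentation ranges,
# not from any real site.
ZONES = {                      # zone name -> (Purdue level, subnet)
    "enterprise": (4, "10.40.0.0/16"),
    "dmz":        (3.5, "10.35.0.0/24"),
    "site_ops":   (3, "10.30.0.0/24"),
    "control":    (2, "10.20.0.0/24"),
    "process":    (1, "10.10.0.0/24"),
}
# Assumed site policy: traffic may only cross between adjacent levels.
ALLOWED = {("enterprise", "dmz"), ("dmz", "site_ops"),
           ("site_ops", "control"), ("control", "process")}
INVENTORY = {"10.30.0.10", "10.20.0.5", "10.20.0.6", "10.10.0.21", "10.35.0.2", "10.40.0.50"}

def zone_of(ip):
    """Return the zone containing ip, or None if it lies outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None  # outside the perimeter: an external address

def review_flows(flows):
    """Classify each (src, dst, dport) flow into the pitfalls discussed above."""
    findings = defaultdict(list)
    for src, dst, dport in flows:
        for ip in (src, dst):
            if zone_of(ip) and ip not in INVENTORY:
                findings["unknown_asset"].append(ip)          # visibility gap
        zs, zd = zone_of(src), zone_of(dst)
        if zs is None or zd is None:
            findings["external_connection"].append((src, dst, dport))
        elif zs != zd and (zs, zd) not in ALLOWED and (zd, zs) not in ALLOWED:
            findings["segmentation_bypass"].append((src, dst, dport))
    return {k: sorted(set(v)) for k, v in findings.items()}

# Constructed flow sample: (source, destination, destination port)
SAMPLE = [
    ("10.30.0.10", "10.20.0.5", 502),      # ops -> control, adjacent levels: allowed
    ("10.40.0.50", "10.10.0.21", 44818),   # enterprise straight to a level-1 device
    ("10.20.0.99", "10.10.0.21", 502),     # a controller nobody inventoried
    ("10.10.0.21", "198.51.100.7", 443),   # a device talking beyond the perimeter
]

if __name__ == "__main__":
    for kind, items in review_flows(SAMPLE).items():
        print(kind, items)
```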
Lack of separate IT and OT user management
Lack of separate IT and OT user management refers to cases where accounts are shared or used in both the IT and OT networks; this includes default accounts and vendor accounts.
Leveraging valid accounts for lateral movement is a technique used by nearly all adversaries, even those not focused on OT and ICS. ICS adversaries seek to discover and compromise these shared accounts because they are frequently used to access critical industrial systems and can enable them to pivot from corporate IT networks to ICS/OT environments. Upon identifying any control system device, workstation, server, or application, an adversary would likely attempt to use the manufacturer’s or supplier’s set of default credentials. These credentials are easily found in vendor documentation and online repositories available on the Internet. While these credentials are intended for the initial configuration and deployment of the devices, the default accounts commonly have administrative permissions. Such permissions, if leveraged by an adversary, would allow them to make unauthorized changes to the devices or applications, causing an event whose consequences will vary depending on the environment.
In 2022, 54% of Dragos services engagements included findings related to shared credentials – a 10% increase from 2021. Again, manufacturers are performing even more poorly than the average, with 73% of manufacturers studied lacking separate IT and OT user management.
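An added example, not part of the Dragos report: once IT and OT authentication logs are centralized, the detection below lists accounts used on both sides, flags OT logons that follow an IT logon by the same account within a short window (the pivot pattern described above), and reports use of names from a site's own default-credential list. The events, hostnames, the 30-minute window and the default-account list are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, network, host, account), standing
# in for the centralized IT and OT logs the visibility section calls for.
EVENTS = [
    ("2023-03-01T08:00:00", "IT", "corp-fs01", "jsmith"),
    ("2023-03-01T08:05:00", "IT", "corp-dc01", "svc_backup"),
    ("2023-03-01T08:09:00", "OT", "hmi-01",    "svc_backup"),      # IT then OT, 4 minutes apart
    ("2023-03-01T09:00:00", "OT", "eng-ws02",  "operator"),
    ("2023-03-01T09:30:00", "OT", "plc-gw01",  "admin"),
    ("2023-03-01T10:00:00", "IT", "corp-vpn",  "vendor_support"),
    ("2023-03-02T10:00:00", "OT", "eng-ws02",  "vendor_support"),  # shared, but a day apart
]
# Constructed: account names a site would maintain from its own vendor documentation.
DEFAULT_ACCOUNTS = {"admin", "operator"}

def parse(events):
    """Parse timestamps and return the events in chronological order."""
    return sorted((datetime.fromisoformat(t), n, h, a) for t, n, h, a in events)

def shared_accounts(events):
    """Accounts that authenticate on both the IT and the OT side, with the hosts used."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, network, host, account in parse(events):
        seen[account][network].add(host)
    return {acct: {n: sorted(h) for n, h in nets.items()}
            for acct, nets in seen.items() if set(nets) >= {"IT", "OT"}}

def it_to_ot_pivots(events, window=timedelta(minutes=30)):
    """(account, IT host, OT host) where an OT logon follows an IT logon by the
    same account within `window`: the shared-account use to review first."""
    last_it = {}
    pivots = []
    for ts, network, host, account in parse(events):
        if network == "IT":
            last_it[account] = (ts, host)
        elif account in last_it and ts - last_it[account][0] <= window:
            pivots.append((account, last_it[account][1], host))
    return pivots

def default_account_use(events):
    """(OT host, account) pairs where a name from the default-credential list authenticated."""
    return sorted({(h, a) for _, n, h, a in parse(events)
                   if n == "OT" and a in DEFAULT_ACCOUNTS})

if __name__ == "__main__":
    print(shared_accounts(EVENTS))
    print(it_to_ot_pivots(EVENTS))
    print(default_account_use(EVENTS))
```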
Key Takeaways: Where Should Under-Resourced Manufacturers Start?
Effective OT cybersecurity is a journey, and it can take a long time for companies to build and implement a holistic, comprehensive cybersecurity program. There are deeply rooted challenges in protecting OT environments, and the complexity of the ever-changing threat landscape makes it even more difficult.
Dragos founded OT-CERT to help small and medium-sized businesses improve their cybersecurity posture. OT-CERT is an Operational Technology – Cyber Emergency Readiness Team dedicated to addressing the OT resource gap that exists in industrial infrastructure. Designed to support asset owners and operators of industrial infrastructure, Dragos OT-CERT provides free cybersecurity resources for the community. Two recent blogs offer practical advice for avoiding some of the most common pitfalls described in this article:
Membership is open to organizations globally. Asset owners of any size are welcome to join and get access to new resources monthly from the OT-CERT portal.