As OT Threats Grow Stealthier, Details Matter

October 7, 2024

In our increasingly connected and digitized world, infrastructure cyber threats are on the rise. We continue to see a range of cyberattacks targeting Operational Technology (OT), including ransomware and nation-state actions driven by geopolitical tensions. For example, in late September, a water plant in Kansas was forced to switch to manual operations following a cyberattack. Two days earlier, the nonprofit Water Information Sharing and Analysis Center warned that Russian-linked threat actors were targeting the water sector.

As attackers’ sophistication grows, they increasingly aim to leverage legitimate tools and processes that are built into a system, making detection even more difficult. For example, Volt Typhoon, a state-sponsored cyber actor, has been known to use Living off the Land (LotL) techniques, relying on built-in network administration tools rather than deploying malware. This allows it to blend in with legitimate operations, making detection extremely challenging with traditional security measures.

When attacks are stealthy, tracking the little details matters. Once attackers gain initial access to your environment, they will work as quietly as possible, so it is the small but critical changes they make to system configurations to escalate privileges and move laterally that can clue you in to their presence.

This makes it even more critical to know every asset in your OT environment and to monitor each of them at a granular level. This includes continuously tracking and managing:

  • All devices, firmware, OS versions, and software installed across your environment
  • Vulnerabilities and patches
  • Configurations and changes
  • Open ports and services
  • Firewall rules
  • Users and accounts
  • PLC key switch settings
  • Syslog and event information
  • Location and operational context

By monitoring your OT environment to this level of detail, you gain the ability to detect and respond to stealthy threats more effectively:

  • Configuration monitoring can help detect lateral movement when threat actors use tools that evade malware detection by changing configuration settings to gain unauthorized access.
  • Monitoring system logs helps identify unusual events, such as unauthorized login attempts or the clearing of event logs, both potential signs of an attacker trying to remain undetected by using LotL techniques.
  • Monitoring user accounts on each system helps ensure you can track any unauthorized account creation or privilege escalation, which could indicate an attacker is gaining deeper access to your network.
  • With detailed visibility, you can closely monitor specific tools, software, or programs flagged in threat campaigns. Asset monitoring becomes essential in pinpointing and tracking these tools for signs of malicious use, even when they appear legitimate.
  • Baselines for all OT assets and configuration details can act as a tripwire, alerting you to any unauthorized changes that may indicate an attacker’s presence.
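As an added example (not Industrial Defender's code or tooling), the tripwire idea above in Python: two constructed asset snapshots are compared field by field, and every drift from the baseline (here a PLC key switch moved out of RUN, plus a new account, open port and service on an HMI) becomes a finding. Asset names, field names and values are assumptions.

```python
"""Baseline tripwire over OT asset records (added example, not vendor code)."""

# Constructed sample data: a baseline captured at commissioning and a later
# collection of the same two assets. Field names and values are assumptions.
BASELINE = {
    "plc-01": {"firmware": "2.8.1", "key_switch": "RUN", "open_ports": [102, 502],
               "accounts": ["operator"], "services": ["s7comm", "modbus"]},
    "hmi-01": {"firmware": "10.0.19045", "key_switch": None, "open_ports": [445, 3389],
               "accounts": ["hmiuser", "svc_backup"], "services": ["rdp", "smb"]},
}
CURRENT = {
    "plc-01": {"firmware": "2.8.1", "key_switch": "REMOTE", "open_ports": [102, 502],
               "accounts": ["operator"], "services": ["s7comm", "modbus"]},
    "hmi-01": {"firmware": "10.0.19045", "key_switch": None, "open_ports": [445, 3389, 5985],
               "accounts": ["hmiuser", "svc_backup", "support"], "services": ["rdp", "smb", "winrm"]},
}


def diff_asset(name, base, cur):
    """Return one (asset, field, kind, detail) finding per field that drifted."""
    findings = []
    for field in sorted(set(base) | set(cur)):
        b, c = base.get(field), cur.get(field)
        if isinstance(b, list) or isinstance(c, list):
            # Set-valued fields (ports, accounts, services): report membership changes.
            added = sorted(set(c or []) - set(b or []))
            removed = sorted(set(b or []) - set(c or []))
            if added:
                findings.append((name, field, "added", added))
            if removed:
                findings.append((name, field, "removed", removed))
        elif b != c:
            # Scalar fields (firmware, key switch position): report old -> new.
            findings.append((name, field, "changed", (b, c)))
    return findings


def tripwire(baseline, current):
    """Compare a fresh collection against the baseline; empty list means no drift."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings.append((name, "asset", "added", None))
        elif name not in current:
            findings.append((name, "asset", "missing", None))
        else:
            findings.extend(diff_asset(name, baseline[name], current[name]))
    return findings


if __name__ == "__main__":
    for asset, field, kind, detail in tripwire(BASELINE, CURRENT):
        print(f"ALERT {asset}: {field} {kind} {detail}")
```

In practice the baseline would be re-approved through change management after each sanctioned maintenance window, so that only unsanctioned drift raises an alert.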

Of course, from a more proactive standpoint, understanding these details enables you to harden your environment by addressing gaps like misconfigurations, open ports and services, or vulnerable systems, keeping your infrastructure as secure as possible.

Approaching comprehensive visibility in OT

The National Institute of Standards and Technology (NIST)’s Cybersecurity Framework (CSF) starts with “identify.” That’s because protecting an organization and effectively responding to threats require that an organization has a clear picture of assets, data, and associated risks.

Traditionally, however, maintaining comprehensive visibility has been difficult, especially in complex OT environments whose connectivity keeps growing. Views of the environment are often limited, lacking vital endpoint information and the ability to detect unwanted system changes.

To keep up with the speed, scale, and sophistication of attackers, OT operators should automate their asset monitoring. While early IT-based approaches to automate fell short in OT environments, there are effective OT-specific approaches today that respect the unique safety and operational requirements of industrial environments.

For gathering the richest set of OT data, safely, you can integrate a combination of data collection methods – passive, manual, active, native, agent-based, agentless, and air-gapped. The caveat is that experience deploying these methods matters, especially when deploying active collection. You don’t want to run a science experiment in your operational environment.

OT monitoring approaches must have the ability to recognize the differences in information requirements for traditional industrial controllers, such as PLCs and DCS systems; industry-specific control system elements, such as substation switches; networking devices, such as firewalls and switches; and conventional PCs and servers. And, most important, the solution must meet the operational and safety requirements.

A centralized platform of rich OT asset data forms the foundation for all other security functions. Enhancing data collection improves your situational awareness and vigilance and strengthens your security capabilities. When there’s an alert on a new or rampant threat, having all these details at your fingertips significantly reduces your investigation and response time.

To learn more about how Industrial Defender can help with OT security and operational resilience visit https://www.industrialdefender.com/ot-cyber-risk-management.