
How Effectively Are You Managing Open Ports and Services in OT Security?

August 23, 2024

Every open port and running service is a potential entry point: an attacker who can reach it can exploit a vulnerability in the service behind it, or simply log in with default or stolen credentials, and gain unauthorized access to your network. That is why monitoring open ports and services is a core cybersecurity task.

What is an Open Port?

An open port is a network endpoint that is ready to accept incoming connections. Each port number is associated with a service or protocol (for example, TCP port 502 for Modbus/TCP or TCP port 2404 for IEC 60870-5-104), and a port is "open" when the service bound to it is actively listening for connections. In OT environments, open ports provide the access needed for monitoring, control, data acquisition, and the IT functions that support them. But every open port that is not needed, or that is reachable from more of the network than it should be, is a security risk if it is not managed properly.

What are Open Services?

Services in OT environments are applications or processes that provide specific functions such as data collection, process control, communication between devices, or workstation management tasks. These services are essential for the operation and management of the entire OT infrastructure.

Why Are Open Ports & Services Dangerous in OT?

Open ports and services are like the doors and windows of a building: keeping the unneeded ones closed sounds as simple as locking up your house. The difficulty is being thorough when there are so many to keep track of, and when the set of open ports changes as devices are added, patched, reconfigured, or compromised. Here is why that tracking needs to happen in real time rather than only at audit time.

Consider an ICS environment with various open ports for remote management, HMI access, and data collection:

  1. Initial Access: An attacker scans for open ports and finds an HMI whose web interface is reachable on a commonly used port. They exploit a vulnerability in that web server to gain access to the HMI host.
  2. Discovery: From the HMI, the attacker scans for other open ports and services within the network to map what else is reachable.
  3. Lateral Movement: Using an open remote-access port (SSH or RDP, for example) on another critical system, together with credentials taken from the first host, they move laterally.
  4. Command and Control: They set up a persistent backdoor that communicates with their command and control server over a commonly used port, so its traffic blends in with normal management traffic.
  5. Impact: Finally, they flood a crucial port used by the PLCs with traffic, denying service to the controllers and disrupting the entire production line.

Where Have Open Ports Been Exploited in Real-World Attacks on Critical Infrastructure?

We have seen elements of open ports and services abused in real-world attacks against critical infrastructure. For example, on December 23, 2015, the Sandworm Team (attributed to Russian state actors) conducted a cyberattack on Ukraine's power grid, leading to power outages affecting approximately 225,000 customers. After gaining a foothold through spear phishing and malware, the attackers reached the ICS network through the utilities' own remote-access services and operated the SCADA HMIs with legitimate remote administration tools to open circuit breakers, causing the outage. The remote-access ports they used were open, reachable from the corporate side of the network, and not restricted to the operators who actually needed them.

In December 2016, another significant cyberattack targeted Ukraine's power grid, attributed to the same or a closely related group, using the Industroyer malware. Industroyer spoke industrial protocols directly; its IEC 60870-5-104 module communicated over the protocol's standard TCP port 2404, and it also carried modules for IEC 60870-5-101, IEC 61850, and OPC DA. The attackers first conducted network reconnaissance to map the network and identify critical devices. Because these protocols have no built-in authentication, any open port that accepted them gave Industroyer a direct channel to the control devices, which it used to issue commands and disrupt operations.

These examples highlight the critical need to monitor open ports and services for changes in real time. Attackers can gain initial access through various methods and then open ports and services that should be closed, or abuse ones that were left open and reachable. Real-time monitoring allows such changes to be detected as they happen, enabling rapid response to potential security breaches and helping to maintain the integrity and security of the OT environment.

Monitoring Open Ports and Services in OT Environments

All leading cybersecurity frameworks stress the importance of minimizing the attack surface by managing open ports and services, including NERC CIP, the NIST CSF, ISA/IEC 62443 (developed by the ISA99 committee), and the CIS Controls. This guidance usually sits alongside secure configuration and vulnerability management guidance.

Examples:

The Center for Internet Security (CIS) Controls advises on ports and services throughout several controls:

  • Control 4: Secure Configuration of Enterprise Assets and Software: “Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state.”
  • Control 12: Network Infrastructure Management: “Potential default vulnerabilities include open services and ports, default accounts and passwords (including service accounts), support for older vulnerable protocols, and pre-installation of unneeded software. Attackers search for vulnerable default settings, gaps or inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept data while in transmission.”

NERC CIP-007-6:

  • “Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.”
  • “Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.”
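The CIP-007-6 R1.1 requirement quoted above, and the earlier definition of an open port, both come down to the same check: enumerate what is actually listening on each endpoint and compare it with the list of ports that were determined to be needed (including ranges for dynamic ports). The following is an added example, not code from the page or from Industrial Defender. It parses the Linux /proc/net/tcp and /proc/net/udp table format (the endpoint's own view of its sockets, rather than something inferred from network traffic), audits the result against an assumed baseline, and diffs two collections to flag ports that were opened or closed between them. The socket tables, the baseline, and the "previous collection" are all constructed sample data.

```python
"""Audit an endpoint's listening sockets against an approved "needed ports"
baseline (CIP-007-6 R1.1 style, with ranges for dynamic ports) and diff two
collections to catch ports opened or closed between them.

Input is the Linux /proc/net/tcp and /proc/net/udp table format (IPv4 tables;
/proc/net/tcp6 has a wider address field and is not parsed here). The sample
data below is constructed for the example; no live host is read.
"""
import re

TCP_LISTEN = "0A"          # st column value for a listening TCP socket
UDP_BOUND = "07"           # UDP has no LISTEN state; a bound socket shows 07 (UNCONN)
LOOPBACK_HEX = "0100007F"  # 127.0.0.1 as /proc/net/tcp prints it on little-endian hosts


def parse_listeners(table: str, proto: str) -> set:
    """Return {(proto, port)} for sockets reachable from the network.

    Skips established connections and loopback-only binds, which are not
    "logical network accessible ports" in the CIP-007 sense.
    """
    want = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    found = set()
    for line in table.splitlines():
        fields = line.split()
        # data rows start with a slot number like "0:"; the header row does not
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        local, state = fields[1], fields[3]
        if state != want:
            continue
        ip_hex, port_hex = local.rsplit(":", 1)
        if ip_hex == LOOPBACK_HEX:
            continue
        found.add((proto, int(port_hex, 16)))
    return found


def parse_baseline(entries):
    """'tcp/502' -> ('tcp', 502, 502); 'tcp/49152-65535' -> ('tcp', 49152, 65535)."""
    rules = []
    for entry in entries:
        proto, ports = entry.lower().split("/")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", ports)
        if proto not in ("tcp", "udp") or not m:
            raise ValueError(f"bad baseline entry: {entry}")
        lo = int(m.group(1))
        rules.append((proto, lo, int(m.group(2) or lo)))
    return rules


def is_needed(proto, port, rules):
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)


def audit(listening, rules):
    """Open ports the baseline does not allow, plus single-port rules not observed.

    A range rule only permits (dynamic ports come and go), so it is never
    reported as missing. A missing single port is still worth a ticket: the
    service may have died, or the baseline may belong to a different host.
    """
    unexpected = sorted(s for s in listening if not is_needed(s[0], s[1], rules))
    missing = sorted((p, lo) for p, lo, hi in rules if lo == hi and (p, lo) not in listening)
    return {"unexpected": unexpected, "missing": missing}


def diff_snapshots(previous, current):
    """Change detection between two collections of the same endpoint."""
    return {"opened": sorted(current - previous), "closed": sorted(previous - current)}


# --- constructed sample data (not from a real host) ---------------------------
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0964 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 100 0 0 10 0
   5: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1006 1 0000000000000000 100 0 0 10 0
   6: 3200000A:01F6 3300000A:C3B2 01 00000000:00000000 00:00000000 00000000     0        0 1007 1 0000000000000000 20 4 30 10 -1
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2001 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2002 2 0000000000000000 0
"""
# assumed approved baseline for this host: SSH, HMI web, IEC 61850 MMS, Modbus/TCP,
# IEC 104, SNMP, plus the ephemeral range used by a dynamic-port service
BASELINE = ["tcp/22", "tcp/80", "tcp/102", "tcp/502", "tcp/2404", "udp/161", "tcp/49152-65535"]


def run_example():
    rules = parse_baseline(BASELINE)
    current = parse_listeners(PROC_NET_TCP, "tcp") | parse_listeners(PROC_NET_UDP, "udp")
    # assumed previous collection: VNC (5900) was not yet open and MMS (102) was still up
    previous = (current - {("tcp", 5900)}) | {("tcp", 102)}
    return {"audit": audit(current, rules), "changes": diff_snapshots(previous, current)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

In the sample, the audit reports TCP 5900 (VNC) and UDP 68 as open but not in the baseline, and TCP 102 as expected but absent; the snapshot diff shows 5900 newly opened and 102 newly closed. The loopback-only listener on 8080 and the established Modbus session are ignored, since neither is a network-accessible listening port. Collecting this data from the host itself is what makes the result authoritative; a network-level view would never see the loopback bind and would only infer the listeners it happened to observe traffic for.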

Challenges in Implementing These Controls in the OT Space

Complexity and Scale: OT environments are often large and complex, making it difficult to track all open ports and services across vast networks. Keeping track of these across such a wide area requires significant resources and coordination.

Sensitive and Legacy Systems: Scanning tools that work well in IT environments can cause disruptions in OT/ICS networks. Many of these systems were not designed to handle the traffic generated by a typical port scan or service fingerprinting probe, and a PLC or RTU with a fragile TCP/IP stack can hang or fault when it receives one. Additionally, OT/ICS environments often include older, legacy systems that do not support modern security practices and tools, and that have limited processing power and memory, making them easy to overwhelm with traditional scanning methods.
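Where an active check is unavoidable, it should look nothing like an IT port scan. The following is an added example, not code from the page or from Industrial Defender, of the conservative shape such a check takes: one plain TCP handshake per (host, port) with a short timeout, an immediate close with no data sent, a fixed pause between probes, and a do-not-touch list for devices that are only ever inventoried passively or from the vendor engineering tool. The demo opens a listener on 127.0.0.1 and probes it so it runs offline; the 10.0.0.50 address on the exclusion list is a made-up PLC. Even a connect-only probe should be used only on devices confirmed to tolerate it.

```python
"""A deliberately conservative active check for OT endpoints: one plain TCP
connect per (host, port) with a short timeout, an immediate close, no data
sent, a fixed pause between probes, and a do-not-touch list for devices that
must only be inventoried passively or from the vendor engineering tool.

The demo below opens a listener on 127.0.0.1 and probes it, so it runs
offline; the 10.0.0.50 address in the exclusion list is a made-up PLC.
"""
import socket
import time


def probe(host, port, timeout=1.0):
    """Classify a port with a single TCP handshake: 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # handshake completed; close without sending anything
    except ConnectionRefusedError:
        return "closed"              # RST received: host is up, nothing listening there
    except (socket.timeout, OSError):
        return "filtered"            # no answer in time: dropped by a firewall, or host down


def safe_sweep(hosts, ports, do_not_touch, delay=0.5, timeout=1.0):
    """Probe each (host, port) in turn, pausing between probes; skip excluded hosts."""
    results = {}
    for host in hosts:
        if host in do_not_touch:
            results[host] = "skipped: on do-not-touch list"
            continue
        results[host] = {}
        for port in ports:
            results[host][port] = probe(host, port, timeout)
            time.sleep(delay)        # never burst a controller with a fragile TCP/IP stack
    return results


def demo(delay=0.05):
    """Stand up a local listener and a known-closed port, then sweep them."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # grab a free port and release it so the sweep gets an RST there
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        results = safe_sweep(["127.0.0.1", "10.0.0.50"], [open_port, closed_port],
                             do_not_touch={"10.0.0.50"}, delay=delay)
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    print(demo())
```

The three-way result matters operationally: "closed" (an RST came back) proves the host is alive and nothing listens on that port, while "filtered" only means nothing answered in time, which can be a firewall, a down device, or a controller too slow to respond, and should be recorded as unknown rather than as closed. The delay and the exclusion list are the parts that keep this safe; the probe itself should never be extended to send protocol payloads or fingerprint banners on OT devices.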

Diverse Protocols: OT/ICS environments use various proprietary and industry-specific protocols, making it harder to standardize monitoring practices.

Interdependency: Many OT/ICS systems are interdependent, meaning changes or disruptions in one area can have cascading effects on other systems, complicating manual tracking efforts.

Does that mean you need to manage ports and services manually?

No. Manual management of ports and services simply isn't feasible in modern, fast-growing OT environments. While some organizations start this way, they soon run into the following problems with manual assessment and configuration of ports and services:

Manual management is too time-consuming to be effective. Creating and maintaining a detailed inventory of all devices, services, and open ports requires significant time and effort, especially in large or complex networks. Regular audits to verify the status of ports and services on each device are labor-intensive and must be performed regularly to ensure accuracy.

Manual management is also prone to human error. Accurate documentation is critical, but mistakes or omissions in records can lead to an incomplete or incorrect understanding of the network's security posture. Additionally, keeping documentation and configurations up-to-date can be inconsistent, especially when changes occur frequently or in an uncoordinated manner.

Finally, manual management lacks real-time insight. Manual tracking methods do not provide real-time visibility into the network, meaning potential security issues might go unnoticed until the next audit or review. This leads to a reactive rather than proactive approach to security, where problems are addressed only after they are discovered during a manual check.

Automating Management of Ports and Services in OT

More broadly, managing ports and services is part of configuration and change management. Effective strategies for maintaining secure configurations and managing open ports and services in OT/ICS environments rely on a robust foundation of OT asset data. As mentioned above, you want the most efficient way to assess all your ports and services, which is through OT asset data collection. But you also need a solution that truly meets the operational requirements of OT.

Industrial Defender takes an integrated data collection approach to effectively gather endpoint configuration data in a way that is operationally safe. You want to ensure that the configuration data collected is accurate and not just inferred. If you are collecting this only at the network level, configuration details can be missing or incorrectly inferred from the network information. Safely integrating active methods in addition to passive monitoring, Industrial Defender’s approach collects data as accurately as possible from the endpoints themselves.

Automating this process gives you the most comprehensive and up-to-date understanding of your configurations, open ports, and services. Efficiency is key because, in this case, efficient is effective. If you can’t keep up with all open ports and services before attackers find them, then it’s not effective.

By automating, you are also able to centralize data, keep historical data, and track system changes. This ensures that you are alerted to changes, such as someone opening a port or service that should not be open, that expose you to security risk. Managing configurations and OT asset data in this way also allows for easy, robust reporting and auditing of anything that goes against policy. Industrial Defender provides out-of-the-box reporting for the compliance reports you may need, such as NERC CIP.

With a comprehensive OT asset data collection approach, you gain in-depth asset data and essential endpoint information, along with historical context and change detection. This enables organizations to address cyber risks across their OT environment effectively.

If you need help managing open ports and services and maintaining secure configurations overall, read our solution brief below to learn more about the platform.