This month marks the first anniversary of the Colonial Pipeline shutdown, a highly influential ransomware attack on critical U.S. infrastructure that has had significant diplomatic and legal consequences. Among the many conversations the attack raised was the issue of IT/OT convergence.
The attack, carried out by the DarkSide ransomware group, targeted the pipeline's IT billing systems rather than its operational technology (OT), yet Colonial was still forced to suspend physical operations for several days. Although the oil-pumping systems themselves were still functioning, Colonial judged that the risk of continuing to operate while its IT was compromised was too great. This was largely due to the proximity of its IT and OT systems: had the attackers moved laterally into the company's operational networks, they could have imposed a longer and more costly shutdown, potentially manipulating safety systems and damaging equipment, even endangering pipeline workers.
The risk of IT attacks spreading into OT has grown as the companies operating these systems seek an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage and more accessible to a range of administrators. At the same time, as the Colonial Pipeline example has shown, it presents new risks and new avenues for cyber disruption.
This is partly because most OT security tools today view industrial systems in isolation, as a disconnected silo separate from the rest of the business. The same is true of tools for network security, email and the cloud. When many of these tools were built, there was nothing wrong with that approach. But as these digital environments come together, relying on isolated point solutions to stop cyber-attacks is no longer effective, especially since a single attack can now cross multiple parts of a target's estate and operations.
By integrating their security stacks, defenders can use IT/OT convergence to their advantage and turn a vulnerability into a strength.
This requires moving away from tools trained on historical attacks and towards self-learning technology that learns its digital environment from scratch, without preconceived notions. By understanding the unique behavior of each IT and OT device, no matter how bespoke or complex the technology, this approach enables the detection of novel threats. By definition, a cyber-attack causes a machine or user account to behave in a way that is not normal, and those deviations can be surfaced wherever they occur.
How ransomware groups exploit IT/OT convergence
The risk of linking cloud platforms to ICS was highlighted last year in an attack against a European OT R&D investment firm.
The firm's two industrial Internet of Things (IIoT) devices, which run Windows and regularly connect to an industrial cloud platform, were compromised when they used the Server Message Block (SMB) protocol to connect to an infected domain controller. Security teams are often hampered by IIoT devices in general, which may lack the CPU, a conventional operating system, or the disk space needed to install security agents.
A malicious payload lay dormant for about a month on the two IIoT devices, one running a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that network isolation was sufficient to block the attack's command-and-control (C2) communication from the HMI device, but not from the historian, whose connections reached nearly 40 unique external endpoints.
Both devices then wrote suspicious shell scripts to the network server and, finally, used SMB to encrypt the files stored on the network share. A ransom note was written to the targeted ICS devices and the attack was complete. The lifecycle of such attacks, which demonstrates the limits of network segmentation and air-gapping, has become a major concern around IT/OT convergence.
No signature or threat intelligence was associated with the attack, so it flew under the radar of the company's traditional security tooling. Only through Darktrace's self-learning technology was the security team able to gain full visibility of the attack.
Riding the Changing Tides
The reference architecture that relies on air-gapping ICS from IT is increasingly incompatible with the technological advances many organizations need in order to stay competitive. If attackers don't see IT and OT as separate, divided areas, then security teams shouldn't either.
Businesses can embrace secure interconnection, with all its advantages, by adopting security that learns the business from the ground up and can handle sophisticated threats across both their IT and OT environments.
An integrated security effort reflects the reality of converged systems and leaves no gap for attackers to exploit. When the entire digital environment is viewed through a single pane of glass and no single exploitable system is left unprotected, companies can interconnect their systems without taking on unnecessary risk.