Attack Vectoring Shuts Down OT Attacks Before They Happen

December 1, 2021

  • Operational technology attacks have grown dramatically in recent decades.
  • Once-effective defense techniques like air-gapping are now largely ineffective.
  • Attack vectoring can shut down attack paths before they’re exploited.

While operational technology (OT) environments have been around for more than 50 years, the last decade has seen a marked increase in attacks specifically targeted at them. This is due to the new attack surfaces and vectors that arrive with new technologies (such as IT/OT convergence). Numerous recent attacks have affected nearly every manufacturing vertical and critical infrastructure environment imaginable. The reason for the increase in OT targeting is simple: these environments exist and are vulnerable. In the past, OT was largely sequestered and unreachable thanks to air-gapping, but this is no longer a reliable tactic.

Decades of experience securing IT yield important lessons we can apply to OT. For example, we know that simple network tapping and “listening” doesn’t catch all attacks. Going deeper, to the device level (the target of most attacks), is a key method of detecting an attack before it starts to propagate and find new targets. This is particularly relevant in OT environments, where up to 30% of OT assets are dormant or do not communicate over the network, and so never show up in network traffic at all.

A more proactive security approach accounts for your network and for both IT and OT devices. “Attack vectoring” predicts an attack by identifying the high-risk pathways an attacker could take once inside your OT environment; simulating those pathways is the best way to determine your weak points and highlight where security interventions are needed – now, before an attack.

Attack vectoring should identify and map each asset by device type, whether IT- or OT-based. Clicking into each device should provide deep situational awareness, including make, model, firmware version, vulnerabilities, device/software integrity, backplane details and much more.

[Image: attack_vectoring_img1]

Furthermore, risky behaviors and situations should be identified, including which assets are reachable by whom and from where, open ports that aren’t being used, increased use of unsafe protocols, and so on. Identifying all of these risk factors and addressing them before an attack closes paths an attacker would otherwise use, reducing both risk and exposure.
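To make the reachability, unused-port and unsafe-protocol checks above concrete, here is an added worked example (written for this page; it is not Tenable code and does not reflect how their product works). It runs a toy attack-path analysis over a constructed asset inventory: every asset, zone, port and reachability edge below is made up, and the set of protocols treated as “unsafe” (cleartext or unauthenticated) is an assumption for the example. It enumerates paths from a corporate workstation to the critical PLC, flags hops that rely on unsafe protocols, lists ports that are open but never used, and then simulates the intervention of closing those unused ports to show how many paths disappear.

```python
"""Toy attack-path ("attack vectoring") analysis over a constructed OT inventory.

Everything below is constructed for illustration: the assets, zones, ports,
reachability edges and the list of "unsafe" protocols are assumptions, not
data from any real environment or product.
"""

# Assumption: protocols treated as unsafe because they are cleartext or
# carry no authentication (Modbus/TCP has none by design).
UNSAFE_PROTOCOLS = {"telnet", "ftp", "http", "modbus"}

# Constructed asset inventory: open_ports is what a device scan found listening,
# used_ports is what has actually been observed carrying traffic.
ASSETS = {
    "corp-ws-01": {"type": "IT", "zone": "corporate", "critical": False,
                   "open_ports": {3389}, "used_ports": {3389}},
    "jump-srv":   {"type": "IT", "zone": "dmz", "critical": False,
                   "open_ports": {22, 23, 3389}, "used_ports": {3389}},
    "hmi-01":     {"type": "OT", "zone": "control", "critical": False,
                   "open_ports": {80, 502, 3389}, "used_ports": {502, 3389}},
    "eng-ws":     {"type": "OT", "zone": "control", "critical": False,
                   "open_ports": {22, 502}, "used_ports": {502}},
    "plc-01":     {"type": "OT", "zone": "process", "critical": True,
                   "open_ports": {23, 502}, "used_ports": {502}},
}

# Constructed reachability edges: (source, destination, protocol, destination port),
# meaning "source can open a session to destination on this protocol/port".
EDGES = [
    ("corp-ws-01", "jump-srv", "rdp", 3389),
    ("jump-srv", "hmi-01", "rdp", 3389),
    ("jump-srv", "eng-ws", "ssh", 22),
    ("hmi-01", "plc-01", "modbus", 502),
    ("eng-ws", "plc-01", "telnet", 23),
]


def build_graph(edges):
    """Adjacency list: source -> [(destination, protocol, port), ...]."""
    graph = {}
    for src, dst, proto, port in edges:
        graph.setdefault(src, []).append((dst, proto, port))
    return graph


def find_attack_paths(assets, edges, start, max_depth=6):
    """Enumerate simple paths from `start` that end on a critical asset.

    Each path is a list of hops (src, dst, protocol, port). The walk stops
    when it reaches a critical asset, so a PLC is a terminal node here.
    """
    graph = build_graph(edges)
    paths = []

    def dfs(node, path, visited):
        if len(path) >= max_depth:
            return
        for dst, proto, port in graph.get(node, []):
            if dst in visited:
                continue
            hop = (node, dst, proto, port)
            if assets[dst]["critical"]:
                paths.append(path + [hop])
            else:
                dfs(dst, path + [hop], visited | {dst})

    dfs(start, [], {start})
    return paths


def unsafe_hops(path):
    """Hops of a path that rely on a protocol from UNSAFE_PROTOCOLS."""
    return [hop for hop in path if hop[2] in UNSAFE_PROTOCOLS]


def unused_open_ports(assets):
    """Asset -> ports that are listening but have never carried traffic."""
    return {name: a["open_ports"] - a["used_ports"]
            for name, a in assets.items() if a["open_ports"] - a["used_ports"]}


def close_unused_ports(assets, edges):
    """Simulate the intervention: drop every edge that lands on an unused open port."""
    unused = unused_open_ports(assets)
    return [e for e in edges if e[3] not in unused.get(e[1], set())]


def format_path(path):
    hops = [f"{src} -[{proto}/{port}]-> {dst}" for src, dst, proto, port in path]
    return "  ".join(hops)


def summarize(assets, edges, start):
    """Counts a defender would track before and after an intervention."""
    paths = find_attack_paths(assets, edges, start)
    return {
        "paths": len(paths),
        "paths_with_unsafe_hops": sum(1 for p in paths if unsafe_hops(p)),
        "unused_open_ports": {k: sorted(v) for k, v in unused_open_ports(assets).items()},
    }


if __name__ == "__main__":
    for p in find_attack_paths(ASSETS, EDGES, "corp-ws-01"):
        print(format_path(p), "| unsafe hops:", [h[2] for h in unsafe_hops(p)])
    print("before:", summarize(ASSETS, EDGES, "corp-ws-01"))
    hardened = close_unused_ports(ASSETS, EDGES)
    print("after closing unused ports:", summarize(ASSETS, hardened, "corp-ws-01"))
```

On the constructed inventory, two paths reach `plc-01` from the corporate workstation, and both depend on an unsafe protocol for the final hop. Closing the ports that are open but never used (SSH on the engineering workstation, Telnet on the PLC) removes the Telnet path entirely; the remaining Modbus path is exactly the kind of finding that points to where a firewall rule or protocol restriction is needed before an attack, not after.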

[Image: attack_vectoring_img2]

OT security is undergoing a significant paradigm shift. Air-gapping is no longer a reliable means of security; in many instances, IT/OT convergence and the adoption of IoT technology have eliminated the air gap entirely. We know from IT lessons learned that waiting for a successful attack to get through before implementing new security methods can damage your organization’s long-term security and viability.

Security-at-large is rapidly embracing a more proactive approach to identifying and preventing attacks.

Gaining deep situational awareness about each device in your environment, identifying communication paths, access information and more, helps highlight weak spots and potential launch points for new attacks. It further helps the security community reduce risk and cyber exposure, reinforcing organizations that run OT systems and strengthening their cybersecurity profiles, which is much better than dealing with an attack after the fact.

Michael Rothschild
Director of OT Solutions | Tenable
Michael comes to Tenable by way of the Indegy acquisition. He focuses on the OT product line, is an advisory board member at Rutgers University and is a past professor of marketing. He also has a number of published works in marketing and healthcare. In his spare time Rothschild is a first aid instructor and volunteers as an EMT.