Tuesday, June 27, 2017, a morning like any other in Kyiv, hometown of Linkos Group. It’s a small family-run business that supports M.E.Doc, accounting software used by nearly 90% of Ukraine’s domestic firms. But within minutes, this particular morning would turn out very differently for the company’s IT systems — and for the rest of the world.
Quite suddenly, the M.E.Doc update server developed a second life and launched a new kind of update: a self-propagating destructive malware now known as NotPetya.
As Wired magazine puts it, NotPetya soon became the most devastating cyberattack in history, a ransomware code that quickly spread from its intended target, Ukraine, to the rest of the globe, indiscriminately shutting down governments, international shipping, hospitals. Anyone or anything with an internet connection could be hit.
It wasn’t just the lives disrupted or the billions of dollars in financial losses. The NotPetya attacks exploded the notion that air-gapped heavy industry was largely immune to cyberattacks. NotPetya shut down entire corporate systems and forced machinery and production facilities offline, underlining the cyber vulnerability of such vast sectors as energy, oil and gas, manufacturing, pharma and automotive.
Previously, cybersecurity experts assumed that the main focus of attacks was data, as criminals plundered databases for personal information and credit card details. But NotPetya showed that the very foundation of businesses can be crippled.
It became abundantly clear that cyberattacks could target not only IT systems, but also the critical operational technology (OT) systems that manage sensors, devices and software used in industrial operations. Even if an OT system is air-gapped — physically separated from unsecured IT environments — it can fall victim to malware like NotPetya.
The Trouble With Air-Gapping and SCADA
Let’s be clear. The assumption that OT environments can be air-gapped to avoid all these problems has always been a nice daydream. There are multiple arguments why air-gapping your operational technology systems is not easy:
- Air-gapped is often not really air-gapped. You still need administrators who manage your OT environment, and those often connect from your IT environment. NotPetya proved that companies are not taking this concept seriously enough.
- An air-gapped environment requires constant in-and-out data transfers. This can be managed via technical controls such as data diodes or approved mobile storage devices like USB drives. The costs required to implement these controls are so massive that most companies don’t even try.
- An exploding number of OT components requires cloud or machine-to-machine connectivity. Air-gapping will likely become virtually impossible in OT-interconnected environments in the very near future.
Even after the malicious Stuxnet worm was uncovered in 2010, few organizations secured their Supervisory Control and Data Acquisition (SCADA) systems properly. SCADA mechanisms monitor and control OT systems and equipment in heavy industry, indicating malfunctions to staff on the factory floor as they occur in real time.
However, due to lack of cyber-risk experience and strong competitive pressure, SCADA software is often built with no security in mind. For decades, this put OT infrastructures at risk, leaving nuclear plants’ centrifuges or manufacturers’ robotic devices vulnerable to attack — vulnerable, unpatched and unmanaged by IT or security professionals.
All these vulnerabilities are becoming more urgent because of the evolving cybercrime threat landscape. The shift from customer-targeted to corporate-targeted attacks and the shift from data espionage to ransomware are the two key trends that require immediate and effective countermeasures.
If OT is critical for your business, ask yourself two simple questions: How many OT security specialists versus IT specialists do you employ, and how many monitoring use cases do you have across OT versus IT?
Organizations need to put more focus on the cybersecurity of OT networks, SCADA and information-and-communications-technology systems. Developing secure software and patching vulnerabilities would be the best way to approach it. There is already a range of great initiatives, such as the Siemens Charter of Trust, to create awareness and commitment on this topic. But currently only one in 10 vulnerabilities is patched by organizations, and that statistic will likely not change dramatically with the exploding number of OT and Internet of Things (IoT) devices in the world.
How can we address this problem from an operational and architectural security point of view?
Zero Trust: Reducing the Attack Surface
Many of you have heard about Zero Trust and its increasingly strategic role in cybersecurity. The Zero Trust concept — pioneered by my Palo Alto Networks colleague John Kindervag — is vitally important not because it’s a technology (it isn’t), but rather a cybersecurity strategy and philosophy that every organization should follow when building digital assets or running digital infrastructure. It’s all about reducing the attack surface; if you can’t patch a vulnerable system, what are the next controls to reduce risk?
Zero Trust accelerates this goal by putting the crown jewels of your business in security focus, segregating them within a hard information perimeter in which no user is trusted, and all traffic is inspected and logged.
After all, why would you spend five times as much of your cybersecurity budget to secure your IT systems as you do to secure your OT environment? And why would your critical OT assets and your IT systems share multiple trusted relationships with each other?
NotPetya showed the risks of too much trust across IT assets by exploiting a single server in Ukraine to destroy, in as little as seven minutes, vital assets including IT, OT, backups and even cybersecurity systems. In this case, and in many others, too much trust led to a complete blackout.
Every time you add extra components to a “zone of trust” such as OT technology or IoT devices, you create more risk. But with the crown jewels segmented into a Zero Trust network (ZTN), the rest of the business can grow securely. Only devices and components that are critical assets need to be included in a ZTN.
Visibility and Countermeasure Enforcement
In the event that a Zero Trust network fails, the CISO needs visibility of all traffic and a way to enforce countermeasures in OT and industrial control system (ICS) networks. Visibility can be achieved only if security controls and teams know the language SCADA and ICS use to communicate; that is what enables security to see malicious communications. In most situations, network controls (like periodic vulnerability scans and real-time traffic monitoring) are the only way to establish visibility and enforce countermeasures that block malicious traffic from devices.
On the other hand, there is an advantage to installing cybersecurity within OT infrastructures: they tend to work in a very static and deterministic way, so any unusual activity stands out. One such method, behavior whitelisting, allows a specified list of actions but blocks all others. Whitelisting and similar security measures are a must.
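One way to express the behavior-whitelisting idea for OT network traffic, as an added example that is not from the original article: a fixed allowlist of the expected conversations between zones, with every other flow reported for blocking or investigation. The zones, addresses and flow-log lines below are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed allowlist of expected OT conversations (hypothetical zones/addresses).
# Each rule: (source network, destination network, protocol, destination port).
ALLOWED_FLOWS = [
    # HMI zone -> PLC zone over Modbus/TCP
    (ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_network("10.20.2.0/24"), "tcp", 502),
    # Historian host -> PLC zone over EtherNet/IP
    (ipaddress.ip_network("10.20.3.10/32"), ipaddress.ip_network("10.20.2.0/24"), "tcp", 44818),
]


def parse_flow(line):
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def is_allowed(flow):
    """A flow is permitted only if some allowlist rule matches it on all four fields."""
    return any(
        flow.src in src_net and flow.dst in dst_net and flow.proto == proto and flow.dport == port
        for src_net, dst_net, proto, port in ALLOWED_FLOWS
    )


def audit(lines):
    """Return every flow that falls outside the allowlist (the 'block all others' case)."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


# Constructed sample flow log: two expected conversations and two deviations.
SAMPLE_LOG = [
    "10.20.1.15 10.20.2.7 tcp 502",       # HMI polling a PLC: expected
    "10.20.3.10 10.20.2.7 tcp 44818",     # historian reading a PLC: expected
    "192.168.50.4 10.20.2.7 tcp 445",     # IT-zone host reaching a PLC on an unexpected port
    "10.20.1.15 10.20.2.7 tcp 22",        # HMI using a service not in the baseline
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG):
        print(f"not in baseline: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

In a real deployment the allowlist would be learned from a baseline period and then frozen, and the audit would run on the flow records exported by the segmentation gateway between zones.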
How Much Is Your Cyber Resilience Worth?
Cyberkinetic attacks leading to the physical destruction of OT infrastructures, as we saw with the Shamoon, Triton and BlackEnergy attempts, are not science fiction. Organizations need a resilience strategy in place in the event of a cyberattack.
Ask yourself and your colleagues:
- Does your business continuity plan account for the destruction of OT systems?
- Do you have a backup plan ready to reflash the systems, or even completely replace them?
- How long will that take?
- Do you have a well-thought-out communications plan in place?
- What are the costs if your OT systems have to shut down for an hour … or longer?
You need to know the answers to these questions, and to make them part of a comprehensive plan.
NotPetya as the Tipping Point
NotPetya was not the first kind of cyberthreat to strike OT, and it was not even designed to target OT infrastructures. We have repeatedly seen a range of other threats specifically built to put the safety of our employees and businesses in danger.
However, NotPetya was the tipping point: After that, most organizations realized the risks caused by systematic dependencies between IT and OT, the impact of such attacks on business continuity and the importance of being able to recover from a disaster that hits everything in a single event.
At the end of the day, it is essential for executives to keep in mind that securing OT and IT is not much different — if you tackle your OT security with at least the same priority as your IT and dedicate joint organizational focus and resources toward it.
Sergej Epp is Chief Security Officer, Central Europe region, at Palo Alto Networks.