The annual ICS/OT Cybersecurity Lessons Learned webinar offers firsthand insights from our engagements in 2022 by the Dragos Professional Services team. Dragos Professional Services team members Chrissy Grove, Curtis Chmilar, Eric Brown, Sumeet Jauhar, Markus Mueller, and Hussain Virani explore these insights.
Each year for the last six years in the Dragos ICS/OT Cybersecurity Year in Review, we’ve reflected upon our on-the-ground understanding of the realities facing the industrial community and the lessons learned from the field. In 2019, Dragos identified four key findings that we continually track year over year:
- Limited or no OT network visibility
- Poor security perimeters
- External connections to OT environments
- Lack of separate IT and OT user management
Our goal has always been to educate and share what we learn each year with industrial community. This blog summarizes the trends of these findings from our customer engagements in 2022.
80% of Service Engagements Had Limited or No OT Network Visibility
Visibility can be summarized as anything that increases the defender’s knowledge of their own environment. Our methodology for examining limited-to-no visibility is only monitoring the IT to OT boundary, and not the activity inside the OT network. Full visibility is achieved when network and device logs are centralized and can correlate various segments within network traffic analysis and asset inventories.
In 2022, we discovered that 80 percent of service engagements had limited to no visibility in ICS/OT environments. In the past, we’ve linked poor visibility to significant delays in incident response. Incidents within operational technology environments tend to show us recurring themes, such as the loss of view and inability to control. What we’ve noticed, is the role that IT/OT convergence is playing. It used to be that OT was completely segregated from other networks, but we’ve increasingly discovered that many OT environments are accessed via IT networks, which makes lateral movement within the network easier.
For example, IT and OT sometimes share domain controllers, which is problematic because you can recycle credentials. In situations like these, if you have a ransomware attack on the IT side, it tends to spill over into the OT networks, and the impact can be significant – operational downtime, lost data and revenue, and brand or reputational impact are just a few.
50% of Service Engagements Had Poor Security Perimeters
Implementing effective network segmentation is critical for building a defensible architecture. This is still a common challenge for OT asset owners and operators, as 50 percent of our service engagements in 2022 identified issues with network segmentation. We often saw direct connections between OT network segments and IT or business network segments.
Here are some of the common problems we noticed:
- Firewall rules that negate other segmentation efforts, such as commonly exploited network protocols crossing trust boundaries, leaving critical devices exposed to attacks.
- Flat OT networks – for example, no segmentation past an IT/OT boundary firewall, creating extensive exposure, where devices at that boundary can communicate down to critical components at the process level, or a lack of segmentation between different control network zones, which increases the potential of a targeted area attack.
- It is not uncommon to see internet connections into OT environments, including internet browsing.
When we look across industry verticals, we found that regulated industries are overall performing better than other verticals. While it’s true that the electric industry in North America and the manufacturing industry have had challenges, especially with ransomware, the regulatory infrastructure requires levels of compliance and iterative reviews of cybersecurity controls that generally make regulated industries better prepared for a security event, and trend more positively than their non-regulated counterparts. Let’s look at some of the specific regulations that had an impact this year.
Positive Impact from Updated Regulatory Directives
New regulatory directives introduced in 2022 provided some positive trends towards implementing cybersecurity controls. TSA Pipeline Security Directive SD02C was announced in July of 2022, and TSA Rail Security Directive 1580/82 followed in October of 2022.
For pipeline asset owners and operators, the release of version SD02C marked a shift away from a prescriptive approach to a performance-based approach, providing greater flexibility in the implementation of necessary controls to meet the requirements of the directive. Using the existing Pipeline Directive as their foundation, rail asset owners and operators welcomed and leveraged the new updates in 1580/82 as it reflected the differences that exist between the two verticals.
Data from Dragos service engagements in 2022 indicated the positive trends, showing an increase in maturity for strong network perimeters, and a reduction in both shared credentials and external connections for regulated entities compared to other OT industry verticals.
External Connections to OT Reduced by 17 Percent
An external connection is another finding we continue to watch each year. An external connection can be defined as any internet protocol or asset that communicates beyond a pre-defined security perimeter, or any communication that originates from a remote location and outside the company’s boundaries, such as a 3rd party vendor.
While it is very common to have external connectivity for employees, OEMs, or vendors to perform required work tasks, we found a significant improvement in 2022 compared to 2021. External connections to OT environments dropped from by 17 percent – down to an overall of 53 percent from 70 percent previously.
One explanation for this improvement is through multi-factor authentication, or MFA. MFA has become a part of our daily lives in many ways – with controls like smartphone verifications and enterprise VPNs. MFA mechanisms do add additional factors to the authentication process and have been widely deployed and adopted on enterprise and IT systems but are more recently being adopted for use in OT environments. This is in part because it is challenging to integrate security controls within an OT environment due to vendor support requirements, the unique network protocols and traffic, and the operational focus on OT system availability and safety.
The exception to remote access into OT environments – when properly deployed – is typically found when MFA is implemented at the boundary between IT and OT networks, often on an OT-specific DMZ network. MFA at this level is a bit more flexible in its implementation – of course we must look at what network segmentation is in place, what authentication mechanisms are available, and evaluate the overall risk to the environment – but the benefits here are clear. One of the most common tactics used by threat actors for initial access and privilege escalation, including ransomware, is credential compromise. MFA plays a key role in mitigating credential compromise as a potential attack vector and should strongly be considered for any remote connections required to an OT environment, particularly when connecting to any Crown Jewel assets.
Shared IT/OT Credentials Increased By 54 Percent
Reusing credentials across domains no doubt reduces a company’s resiliency against cyber attacks that leverage compromised credentials. This is an area that saw a huge increase – shared credentials were up 54 percent in 2022.
There is an anecdote among penetration testers that first credentials are the hardest to get, but once they’ve been acquired, it’s easy enough to see if they can be used across more systems within the environment, making lateral movement within a network or pivoting across boundaries so much easier. Unfortunately, it is common to see local administrator passwords or shared credentials reused, so this remains an area OT asset owners and operators should be particularly vigilant about.
Dragos incident responders also noted a few scenarios during engagements where the OT team not only re-used credentials, but also used shared logins and passwords and implemented poor password practices, leading to major issues with the separation of duties, which is an important consideration when incident responders are called to investigate an incident and the separation is unclear.
Recommendations for Implementing OT Cybersecurity Controls
It is common for organizations to be frustrated and stuck in analysis paralysis for taking next steps. “Just tell us what to do!” and “We can’t do it all immediately, so where should we start?” are common sentiments we hear during service engagements. Dragos recommends starting with the Five ICS Cybersecurity Critical Controls as defined by the SANS Institute. Creating a roadmap of next steps around these controls considers your Crown Jewel assets and are oriented around outcomes instead of taking a more prescriptive approach. These controls are also intelligence-driven, in that they have been chosen based on the analysis of recent compromises and attacks in industrial companies around the world.
For sectors with no regulation, when implementing the Five ICS Cybersecurity Critical Controls, we recommend a programmatic approach, with a focus on understanding the overall cyber risks that reduce or eliminate the potential impact to operations, within an acceptable risk tolerance.
For organizations that are subject to larger regulations (TSA SD, NERC CIP, etc.), the Five ICS Cybersecurity Critical Controls represent areas to pursue that go beyond the minimum requirements of a specific regulation.
And lastly, if you feel that you are behind or lagging in the development of your own OT cybersecurity maturity and/or program capabilities, you are not alone. These controls are meant to provide guidance based on real-world analysis and offers organizations a starting point. Our mission at Dragos is to help you understand the next steps in your cybersecurity journey, and no matter where you are, we’re ready to help you move forward.
Explore Our Frontline Insights
Ready to put your insights into action?
Take the next steps and contact our team today.