For physical conflicts, we expect our government to protect us from nation-state adversaries. It turns out, though, that industrial enterprises are much better positioned to defeat most nation-state attacks on power plants, pipelines, and other critical infrastructures than governments are.
For example – consider classic industrial attacks:
- Stuxnet was an autonomous worm carried into an industrial target on a USB drive.
- TRITON was a remote-control attack on a refinery’s safety systems.
- LockerGoga was targeted ransomware that shut down Norsk Hydro’s and several of its aluminum plants.
- NotPetya was a destructive worm, introduced by a compromised software update, that crippled shipping at Maersk.
Now consider government approaches to cyber defenses:
- Information sharing programs – share detailed information about previous attacks.
- Threat intelligence programs – give early warning of possible new attacks and targets.
- Security regulations – are costly rules demanding minimal security measures.
- Central intrusion detection systems –use essentially the same technology platforms as enterprise systems.
- Insider threat detection – identifies malicious insiders, compromised insiders, spies, sleeper cells, and other human conspiracies against critical infrastructures.
What are the lessons here?
- Information sharing is backward-looking – Stuxnet, TRITON, and NotPetya “came out of nowhere” – there were no similar previous attacks to learn from.
- Threat intelligence programs are imperfect – Stuxnet, TRITON, and NotPetya were all the result of long-standing physical conflicts and succeeded in spite of presumably long-standing warnings.
- Regulations are not protection, but the government ordered us to protect ourselves, and
- Government intrusion detection is a little better at detecting attacks than our own systems and presents serious risks to corporate confidentiality.
The one cyber risk that governments are much better at controlling than we are is insider threats. Governments have been dealing with people threats for centuries and have powerful tools at their disposal for such investigations.
Secure Operations Technology
The world’s most secure industrial sites have long concluded that they must defend themselves against even sophisticated cyber attacks. How do they do it? Secure sites observe that all cyber attacks are information – and so they carry out thorough inventories of offline and online information/attack flows that come into their critical networks. These sites then deploy physical controls for these attack & information flows, instead of relying solely on software protections.
For example, to control offline threats, secure sites physically remove as many CD-drives, floppy drives, and USB ports as possible, and put technology & procedures in place to detect and remediate all use of removable media. Secure sites are similarly strict with laptops – no device that has ever been exposed to an Internet-exposed network is ever allowed to connect to an industrial network.
For online threats, secure sites deploy at least one layer of unidirectional gateway technology in their networks. Unidirectional gateway hardware can physically send information in only one direction – generally out of the industrial network. The gateway software replicates servers – most commonly historian databases that are the focus of IT/OT integration. Users and applications on the enterprise network interact normally with the replica databases.
Practitioners not familiar with the technology are often surprised to discover that unidirectional gateways support OT intrusion detection systems, remote access systems, anti-virus updates, and many other communications needs. The 2019 book Secure Operations Technology (SEC-OT) addresses this gap, documenting the perspective, methodology, and best practices of secure industrial sites.
The bottom line – with even sophisticated cyber attacks frustrated, the biggest residual risk is insiders. This is where secure sites ask their governments for help. Again, governments have much more powerful tools at their disposal than do commercial enterprises for such threats.
Looking forward
The threat environment continues to worsen. Today’s targeted ransomware uses techniques that five years ago were attributed only to nation-state adversaries – we all need to start defending against these techniques. When critical industrial sites deploy SEC-OT protections, they defeat the sophisticated attacks that governments cannot help with, and they call on the government for help with residual personnel risks.
Resources
To learn more about how secure industrial sites defend themselves, please request a free copy of the SEC-OT book, please visit: https://waterfall-security.com/sec-ot