
Securing the modern attack surface

Published by , Editorial Assistant, Hydrocarbon Engineering


The last 12 months have been challenging for many organisations. Economic pressures continue to dominate headlines as the cost of everything increases. Organisations are having to face some tough decisions, and inevitably this has led to a re-evaluation of resources and spending. In tandem, from a cybersecurity perspective, the threat of attack has also increased. There has been a dramatic rise in ransomware attacks and nation-state-sponsored threats, and zero-day vulnerabilities have been weaponised. It is understandable that security teams have felt under siege and under-resourced to fight back. The question is: how do organisations improve their security posture when budgets are being slashed?

The challenge faced

The infrastructure that underpins organisations today is only vaguely recognisable from three years ago. Cloud adoption has soared in order to facilitate work-from-home mandates. But it is not just office workflows or data processing that have been overhauled; the same connectivity that underpins this modernisation has also revolutionised the operational side of things, as engineering and manufacturing applications have been moved to the cloud.

Physical devices and systems of all types – from corporate conference systems to power grids – are now network-connected and programmable. New digital compute platforms and development shifts such as cloud, mobile, SaaS and DevOps have made it possible to move from concept to capability on a daily basis.

This has required the convergence of two systems that were traditionally siloed from each other. On the one side are information technology (IT) systems, which utilise servers, routers, PCs and switches. On the other is operational technology (OT), encompassing programmable logic controllers (PLCs), distributed control systems (DCSs), and human machine interfaces (HMIs), in order to run physical plants and factories. Traditionally, OT environments had very limited or restricted connectivity, both internally to local networks and externally to the internet, third-party contractors, etc., or were isolated entirely by air gapping.

The result is that the defined perimeter no longer exists. Internet-facing assets are essential for organisations in the modern business world. In traditional network security, the goal has always been to fortify the perimeter so that threats outside the network cannot get in. Typically, when the subject of OT security was discussed, it was quickly dismissed because of the perceived air gap. The way we work today means that this is no longer feasible. The perimeter is pervious, the devices we use are evolving, and organisations are adapting to the complications that a hybrid infrastructure brings.

The risks introduced

The merging of these two previously separated environments increases organisational risk by expanding the available attack vectors, while making cybersecurity threats harder to detect, investigate and remediate. In addition to the threat to data, an attack against OT systems could have physical consequences, both for the business infrastructure and for the safety of people. A further complication is that cyber breaches that start on one side of the converged infrastructure can laterally creep to the other: from IT to OT, and vice versa.

2022 saw a number of examples of IT systems being compromised, bringing organisations to their knees. In February there were attacks against two German logistics companies that are subsidiaries of the Marquard & Bahls logistics group: Oiltanking GmbH (which supplies Shell Deutschland GmbH) and Mabanaft GmbH. The attacks affected fuel supplies and forced the company to declare force majeure.[1]

Also in February, Bloomberg reported that hackers had gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc., and Kinder Morgan Inc.[2]

In August, the largest natural gas supplier in Greece, DESFA, confirmed that it was hit by a cyberattack that impacted the availability of some of its systems. It would be remiss not to also mention that, in May 2021, Colonial Pipeline experienced a ransomware attack that led the organisation to halt all pipeline operations in order to contain the attack.[3]

These are just a few examples of where threat actors have caused serious incidents against critical infrastructure, affecting downstream operations and resulting in disruption to services and citizens’ lives. They are not isolated incidents and the threat is expected to continue to escalate. In fact, 2023’s WEF Global Risks Report ranks ‘widespread cybercrime and cyber insecurity’ in its top 10 of the most severe risks over the next decade.[4]

One of the most prevalent issues, particularly on the OT side of things, is the zero-downtime tolerance policy that follows from the business criticality of the systems. Another key challenge to overcome is legacy infrastructure. OT environments are often structured around legacy technologies designed for process functionality and safety, along with static devices and a protective perimeter layer. As modern practices increasingly connect machines, devices, sensors, thermostats, etc. to the internet, this is no longer realistic, and the number of touch points that are open to vulnerabilities continues to grow by the day.

It is also important to recognise the significant difference between IT and OT life cycles. While IT infrastructure is designed to be updated regularly, OT infrastructure often persists for years, even decades. It is not uncommon for OT infrastructure to be as old as the plant that it sits within. The result is that a full inventory of assets, along with maintenance and change management records, may not be current. Therefore, crucial data may be missing, including important details such as model number, location, firmware version, patch level, backplane detail, and more. Since it is impossible to secure assets that the operator may not even know exist, having a detailed inventory of OT infrastructure that can be automatically updated as conditions change is essential to protecting industrial operations.

How to break the cycle

When threat actors evaluate a company’s attack surface, they are not thinking in terms of organisational silos. Rather, they are probing for the right combination of vulnerabilities, misconfigurations and identity privileges. Security should not be operating in silos either. Today, as defenders, we are playing right into threat actors’ hands as organisations struggle with reactive and siloed security programmes.

The reality is that, historically, the security industry has squarely focused on creating point solutions that focus on very specific aspects of cybersecurity. The result has been a mixture of technologies that all serve a bespoke function but do not allow organisations to see the full scope of their risk exposure, and lack context to chart a path forward.

In an effort to address this, the industry has churned out products with the aim of uniting all of these disparate pieces. For example, Extended Detection and Response (XDR) takes data from point products in an effort to identify attacks as they are happening. This activity-driven approach does not give organisations the upper hand because security teams are then trapped in an endless cycle of responding to active breach notifications. The issue is that organisations that rely solely on activity data lack a complete picture of their security posture and thus cannot proactively quantify risk.

Organisations need a way to assess the efficacy of their preventive programmes as well, in order to have a complete picture of their exposure – essentially the inverse of XDR. Understanding the impact of cyber incidents requires business and security leaders to work in conjunction with each other. Security needs to understand the larger mission of the organisation and safeguard the tools and assets that enable staff to complete business-critical activity, while also ensuring that important data is safeguarded.

This requires a holistic view of both IT and OT environments and the interdependencies that exist for critical functionality, as well as the determination of where weaknesses and vulnerabilities exist. When it comes to physical OT environments, there are myriad hidden systems tucked away in a closet or under a desk that were temporarily installed, promptly forgotten, and left underprotected.

Once a holistic viewpoint is established, the next step is to identify what would cause theoretical versus practical damage. From this stance, steps can be taken to remediate the risks where possible, or to monitor the assets exposed to the risk of attack.

Traditional vulnerability management focuses on the act of enumerating flaws in software that could be exploited (CVEs). Exposure management extends beyond this by providing additional context such as who is using the system, what they have access to, how it is configured, etc. There is more to proactively securing an environment than patching software. Exposure management enables cybersecurity teams to operationalise their preventative security programmes, which in turn also allows organisations to clearly explain the effectiveness of their security programme.
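The following is an added illustration (not code from the article or from Tenable) of the difference between enumerating CVEs and exposure management as described above and in the inventory and remediate-or-monitor passages earlier: each asset carries the contextual fields the article names (zone, firmware version, exposure to the internet, privileged identities, downtime tolerance), and the ranking is driven by that context rather than by CVSS alone. The inventory, CVE identifiers and weights are all constructed placeholders.

```python
"""Exposure scoring over a constructed IT/OT asset inventory (illustrative only)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    zone: str                       # "IT" or "OT"
    firmware: Optional[str]         # None means the inventory record is incomplete
    internet_facing: bool
    privileged_identities: int      # accounts holding admin rights on the asset
    zero_downtime: bool             # cannot be taken offline to patch
    cves: List[Tuple[str, float]] = field(default_factory=list)  # (id, CVSS)


def exposure_score(a: Asset) -> float:
    """Worst CVSS on the asset, scaled by the context the CVE list alone lacks."""
    base = max((cvss for _, cvss in a.cves), default=0.0)
    mult = 1.0
    if a.internet_facing:
        mult += 1.0                 # reachable from outside the (pervious) perimeter
    mult += 0.25 * min(a.privileged_identities, 4)   # more privileged users, more blast radius
    if a.zone == "OT":
        mult += 0.5                 # physical consequences on compromise
    if a.firmware is None:
        mult += 0.5                 # an unknown state is itself an exposure
    return base * mult


def recommended_action(a: Asset) -> str:
    """Remediate where possible; otherwise monitor the asset (zero-downtime OT)."""
    if not a.cves and a.firmware is not None:
        return "no action"
    return "monitor" if a.zero_downtime else "remediate"


def prioritise(assets: List[Asset]) -> List[Tuple[float, str, str]]:
    """Return (score, action, name) triples, highest exposure first."""
    return sorted(((exposure_score(a), recommended_action(a), a.name) for a in assets), reverse=True)


# Constructed inventory; CVE ids are placeholders, not real identifiers.
INVENTORY = [
    Asset("hmi-01", "OT", None, False, 2, True, [("CVE-EXAMPLE-1", 8.0)]),
    Asset("web-portal", "IT", "1.2", True, 1, False, [("CVE-EXAMPLE-2", 8.0)]),
    Asset("plc-07", "OT", "2.1", False, 0, True, [("CVE-EXAMPLE-3", 5.0)]),
    Asset("eng-workstation", "IT", "10", False, 1, False, []),
]

if __name__ == "__main__":
    for score, action, name in prioritise(INVENTORY):
        print(f"{name:16} exposure={score:5.1f} action={action}")
```

Note that the two assets with identical CVSS (hmi-01 and web-portal) end up ranked differently purely because of context, and the OT asset is flagged for monitoring rather than immediate patching.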

When it comes to modern OT environments, cyber threats can originate from anywhere, and travel everywhere. Therefore, it is important to utilise as many capabilities and methodologies as possible in order to find and mitigate exposure. Additionally, organisations should employ anomaly-based detection capabilities that can find zero-day and targeted attacks, and that are predicated on baseline behaviours that are unique to the organisation.
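As an added example, not part of the article, the snippet below shows the baseline-then-deviate idea in the paragraph above applied to OT network flows: a learning window establishes which conversations (source, destination, port) are normal for this plant and how large they get, and anything outside that organisation-specific baseline is raised. The flow records, host names and threshold are constructed; the only real values are the well-known ports 502 (Modbus/TCP) and 44818 (EtherNet/IP).

```python
"""Organisation-specific baseline anomaly detection over constructed OT flow records."""
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]          # (src, dst, dst_port, bytes)
Baseline = Dict[Tuple[str, str, int], Tuple[int, int]]   # key -> (count, max_bytes)

# Constructed learning-window flows: what this plant normally looks like.
LEARNING_FLOWS: List[Flow] = [
    ("hmi-01", "plc-07", 502, 400),
    ("hmi-01", "plc-07", 502, 380),
    ("historian", "plc-07", 502, 300),
    ("eng-ws", "plc-07", 44818, 1200),
]

# Constructed live flows to evaluate against the baseline.
LIVE_FLOWS: List[Flow] = [
    ("hmi-01", "plc-07", 502, 420),       # normal HMI polling
    ("historian", "plc-07", 502, 290),    # normal
    ("eng-ws", "plc-07", 502, 300),       # never seen: eng-ws talking Modbus to the PLC
    ("eng-ws", "plc-07", 44818, 9000),    # known pair, but far larger than ever observed
]


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Record, per conversation, how often it occurred and its largest size."""
    base: Baseline = {}
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        count, max_bytes = base.get(key, (0, 0))
        base[key] = (count + 1, max(max_bytes, nbytes))
    return base


def detect(flows: List[Flow], baseline: Baseline, volume_factor: float = 3.0) -> List[Tuple[str, Tuple[str, str, int]]]:
    """Raise new conversations and known ones whose size exceeds volume_factor x the baseline max."""
    alerts = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            alerts.append(("new-conversation", key))
        elif nbytes > volume_factor * baseline[key][1]:
            alerts.append(("volume-anomaly", key))
    return alerts


if __name__ == "__main__":
    for kind, key in detect(LIVE_FLOWS, learn_baseline(LEARNING_FLOWS)):
        print(f"{kind}: {key[0]} -> {key[1]}:{key[2]}")
```

Because the baseline is learned from the organisation's own traffic, neither alert depends on a published signature, which is what lets this approach surface targeted or zero-day activity that signature-based tooling has no rule for.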

Another powerful resource is open-source attack databases, such as Suricata, that centralise threat intelligence from the greater security community. The notion is that more eyes on a potential threat yields a significantly better security response.

The harsh truth is that the vast majority of attacks are preventable. Threat actors rely on leveraging unpatched, legacy vulnerabilities across a wide spectrum of software solutions to infiltrate organisations. They look for misconfigurations that can be abused in order to dig deeper into the environment or to make a programme behave differently from how it was intended. Additionally, they search for excessive or misconfigured identity privileges that allow them to take control of the environment and move around unchallenged.

Organisations that can anticipate cyberattacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats. Examining cyber risk by departmental or operational unit allows for collaboration among different constituencies, which saves time, improves investment decisions, supports insurability, and drives improvement over time, all while tangibly reducing risk to the organisation.

This piece was written by Bernard Montel, Technical Director for EMEA at Tenable.

References

  1. ‘Cyber-attack strikes German fuel supplies’, (1 February 2022), https://www.bbc.co.uk/news/technology-60215252
  2. ‘Hackers Targeted U.S. LNG Producers in Run-Up to Ukraine War’, (7 March 2022), https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine#xj4y7vzkg
  3. ‘Hackers Breached Colonial Pipeline Using Compromised Password’, (4 June 2021), https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password#xj4y7vzkg
  4. ‘The Global Risks Report 2023’, World Economic Forum, 18th Edition, https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf

Read the article online at: https://www.hydrocarbonengineering.com/special-reports/22022023/securing-the-modern-attack-surface/
