As operational technology (OT) merges with IT, vulnerabilities in operational tech systems are a new threat, not least because these networks involve control frameworks for industrial systems, buildings and major infrastructure. The problem isn’t theoretical, given past attacks that exploited critical security vulnerabilities in Windows systems that are used to control OT.
New data from asset visibility and security firm Armis shows the depth of the problem. The firm’s Asset Intelligence and Security Platform, which Armis said tracks over three billion assets, found critical vulnerabilities in engineering workstations, supervisory control and data acquisition (SCADA) servers, automation servers, control system historians and programmable logic controllers, and identified these as the most vulnerable OT and industrial control system device types.
Armis looked at all devices on the Armis Asset Intelligence and Security Platform and identified which types have the highest severity risk factors and/or Common Vulnerabilities and Exposures (CVEs). Additionally, business impact level and endpoint protections had a weighted influence.
Engineering workstations lead the security vulnerabilities list
Armis’ research found that engineering workstations were the OT device type that received the most attack attempts across the industry in the past two months, followed by SCADA servers.
The study also found that 56% of engineering workstations have at least one unpatched critical severity CVE, and 16% are susceptible to at least one weaponized CVE published more than 18 months ago.
Uninterruptible power supplies
Third on the list of most-attacked OT devices are uninterruptible power supplies. According to the firm, 60% of uninterruptible power supply devices have at least one unpatched critical severity CVE, which, as showcased with TLStorm, could allow attackers to cause physical damage to the device itself or to other assets connected to it.
“UPS are widely used because control systems need a level of redundancy,” said Carlos Buenano, a control systems engineer and principal solutions architect at Armis. “UPS provides two things: It filters power [to shield devices against changes in power supply], and then makes sure it provides power to all the systems. The idea is to provide constant power feed across all devices and fill downtime in the power supply over a period of hours.”
UPS systems are prone to security vulnerabilities, he said, because they are designed not to interact with any networks and don’t follow specific security standards, such as those developed by ISA/IEC, under which most devices in control systems meet at least some security requirements.
“UPS systems have always been seen as isolated, but that is changing as ISA realizes that UPS and other devices are connected to a network and the reason is because throughout all plants every switch has to have a UPS to maintain power. And they all need to be monitored within an integrated system, such as a building management system,” said Buenano.
Programmable logic controllers
Armis found that 41% of PLCs had at least one unpatched critical severity CVE. The firm said that because they are legacy devices found in everything from elevators to braking systems, compromised PLCs can disrupt central operations. The research found that these systems are susceptible to high risk factors such as end-of-support hardware and end-of-support firmware.
The firm said another set of devices represents a risk to manufacturing, transportation and utility environments as they have at least one weaponized CVE published before January 2022. They include:
- Barcode readers: 85% of which have at least one CVE published before January 2022.
- Industrial managed switches: 32%.
- IP cameras: 28%.
- Printers: 10%.
Risks in file-sharing protocols
Armis looked at device types and found that many are more exposed to malicious activity because they still use the legacy SMBv1 file-sharing protocol for Windows — which was exploited by the WannaCry and ExPetr (NotPetya) worms in 2017, the latter being the most expensive cyberattack in history at $10 billion — as well as older operating systems and many open ports. The firm said four out of the five riskiest devices run Windows OS.
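The findings above describe a triage method: rank assets by the risk factors present (unpatched critical CVEs, weaponized CVEs published more than 18 months ago, SMBv1 still enabled, end-of-support OS or firmware), weighted by business impact. The following script is an added example that applies that method to a small inventory; it is not Armis’ code or a description of its platform. The factor weights, the 1-to-3 business-impact scale, the 548-day approximation of 18 months, and the asset and CVE records (placeholder `CVE-XXXX-…` identifiers) are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Threshold for "weaponized CVE published more than 18 months ago";
# 18 months is approximated as 548 days (assumption).
STALE_WEAPONIZED_DAYS = 548

# Assumed weights per risk factor; tune these to your own environment.
FACTOR_WEIGHTS: Dict[str, int] = {
    "unpatched_critical": 5,
    "stale_weaponized": 8,
    "smbv1": 4,
    "end_of_support": 3,
}


@dataclass
class Cve:
    cve_id: str        # constructed placeholder identifier, not a real CVE
    severity: str      # e.g. "critical", "high"
    published: date
    weaponized: bool   # a public exploit is known to exist
    patched: bool


@dataclass
class Asset:
    name: str
    device_type: str
    business_impact: int          # assumed scale: 1 (low) to 3 (high)
    smbv1_enabled: bool
    end_of_support: bool          # OS or firmware past vendor support
    cves: List[Cve] = field(default_factory=list)


def risk_factors(asset: Asset, today: date) -> List[Tuple[str, str]]:
    """Return (factor, detail) pairs found on the asset."""
    found: List[Tuple[str, str]] = []
    for cve in asset.cves:
        if cve.patched:
            continue  # a patched CVE no longer counts against the asset
        if cve.severity == "critical":
            found.append(("unpatched_critical", cve.cve_id))
        if cve.weaponized and (today - cve.published).days > STALE_WEAPONIZED_DAYS:
            found.append(("stale_weaponized", cve.cve_id))
    if asset.smbv1_enabled:
        found.append(("smbv1", "legacy SMBv1 file sharing enabled"))
    if asset.end_of_support:
        found.append(("end_of_support", "OS/firmware no longer supported"))
    return found


def risk_score(asset: Asset, today: date) -> int:
    """Sum the weights of present factors, then scale by business impact."""
    base = sum(FACTOR_WEIGHTS[factor] for factor, _ in risk_factors(asset, today))
    return base * asset.business_impact


def triage(assets: List[Asset], today: date) -> List[Tuple[str, int]]:
    """Assets ordered from highest to lowest risk score."""
    scored = [(a.name, risk_score(a, today)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def stale_weaponized_share(assets: List[Asset], today: date) -> float:
    """Percentage of assets with at least one unpatched weaponized CVE older than the threshold."""
    hits = sum(
        1 for a in assets
        if any(factor == "stale_weaponized" for factor, _ in risk_factors(a, today))
    )
    return 100.0 * hits / len(assets) if assets else 0.0


# Constructed sample inventory and report date (not real assets or CVEs).
REPORT_DATE = date(2023, 3, 1)
SAMPLE_INVENTORY = [
    Asset("EWS-01", "engineering workstation", 3, True, False,
          [Cve("CVE-XXXX-0001", "critical", date(2021, 3, 1), True, False)]),
    Asset("UPS-07", "uninterruptible power supply", 2, False, True,
          [Cve("CVE-XXXX-0002", "critical", date(2022, 6, 1), False, False)]),
    Asset("PLC-12", "programmable logic controller", 3, False, True,
          [Cve("CVE-XXXX-0003", "critical", date(2020, 1, 15), True, True)]),
    Asset("PRN-02", "printer", 1, True, False),
]

if __name__ == "__main__":
    for name, score in triage(SAMPLE_INVENTORY, REPORT_DATE):
        print(f"{name:8} risk={score}")
    share = stale_weaponized_share(SAMPLE_INVENTORY, REPORT_DATE)
    print(f"assets with a stale weaponized CVE: {share:.0f}%")
```

The engineering workstation tops the list because it combines an old weaponized CVE with SMBv1 and high business impact, which mirrors the ordering in the findings; the fleet-level percentage is the same kind of metric as the 56% and 16% figures quoted above, computed here over the constructed records.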
Need for collaboration between OT and IT systems and teams
The firm noted that OT environments comprise both managed and unmanaged devices, spread across many locations, and that their convergence with IT is far from unified. With OT teams focused on maintaining industrial control systems, mitigating risks to OT and ensuring overall integrity within operational environments, more IT-focused duties have been left aside.
Buenano said the challenge for IT/OT convergence is that they are functionally opposed in some ways and operate on very different networks.
“IT is designed to provide more applications to enable more uses. An OT network has one role, to communicate between devices and establish connections to achieve that task,” he said. “They tend to clash because IT is focused on providing more products while OT’s aim is to ensure that the network is reliable and bandwidth stays available for applications.”
That said, he explained that the convergence of IT and OT is vital because the latter has been traditionally isolated from other networks and has fallen behind in terms of system updates. “So they are conduits for threat actors. OT networks are designed for the long haul, with a ten-year operational lifespan, but using technology designed for 30 years,” he said. “And vendors and customers in OT are known to work at a slow pace, so changes in the tech are very lagging.”
He said IT/OT convergence is about bringing security and efficiency expertise into the OT environment, and that one benefit is the cost efficiency of not having to duplicate assets.