IT and OT Convergence: Defending Critical Infrastructure

by Nick Vlasov Posted on September 17, 2025

We recently delivered a webinar titled IT/OT Convergence: Proactive Threat Detection for Industrial Control Systems (also available via Brighttalk). In this 30-minute session, Filip Černý, Flowmon Product Marketing Manager at Progress, discusses the convergence of IT and OT (Operational Technology), how you can use the Progress Flowmon cybersecurity platform to help defend critical infrastructure, and how your IT and operations teams can do proactive threat detection for industrial control systems. This webinar joins previous videos we’ve provided about protecting OT systems, such as this five-minute example use case video titled ICS/SCADA protection against incoming attack with Flowmon cybersecurity.

In this blog, we’ll highlight the points Filip covered in his recent webinar and other OT defense topics.

Key Concepts

Before covering the convergence of IT and OT and how the Flowmon platform can help secure the expanded attack surface faced by critical infrastructure and other industrial providers, let’s define some key concepts.

  • Information Technology (IT) - The traditional data and digital communication systems, where cybersecurity efforts have historically focused - servers, networks, users and endpoint devices.
  • Operational Technology (OT) - The hardware and software that monitor physical processes, machines, sensors and control systems that manage critical infrastructure and other physical systems.
  • Industrial Control Systems (ICS) - A subset of OT for managing industrial operations.
  • Supervisory Control and Data Acquisition (SCADA) - A specific type of ICS for real-time data gathering and remote control of physical equipment in industrial settings.

Traditionally, OT systems have been separated from the IT network and IT network management solutions. However, this separation has eroded as an increasing number of OT and industrial systems get connected to the internet. The desire to remotely monitor and manage OT systems and the equipment they control has driven this change. However, as OT systems have joined IT networks, they have become exposed to the threats that have targeted IT systems for years.

OT and Critical Infrastructure Risk

OT systems provide the backbone for monitoring and controlling services that are critical to the modern world. Examples where OT plays a crucial role include:

  • Electric power generation and distribution grids
  • Natural gas storage and distribution
  • Drinking water treatment and distribution
  • Waste removal and treatment
  • Public transport systems - air traffic, train networks, bus services and road network management
  • Health services delivery
  • Banking and other financial services
  • Production, processing and distribution of food
  • Space services (such as geolocation and communications)

Both the US and the EU define critical infrastructure categories. The US list is on the CISA site, and the EU list is on their Critical infrastructure resilience at EU-level page.

The results of a disruption to any of these services for an extended period can be catastrophic for towns, cities, regions, states or even whole countries. As Filip outlines in the webinar, the consequences of outages in these services can include:

  • Power failures - Can lead to healthcare provision outages, downtime of communication systems, industrial base shutdowns and retail closures.
  • Transportation disruption - Rail system shutdowns, supply chain delays and general traffic chaos.
  • Gas network shutdown - Loss of heating, industrial shutdowns, risk to wellbeing for vulnerable people.
  • Water systems compromised - Public health consequences, the need for emergency drinking water distribution.
  • Loss of banking systems - Impacts on the ability to buy food, retail business loss and wider economic impacts.

Why OT Systems Are High-Value Targets

The increasing integration of OT systems with IT networks has not gone unnoticed by cybercriminals, who actively search for internet-reachable OT systems that they can probe for exploitable vulnerabilities. These systems are high-value targets: they often control the critical infrastructure outlined previously or, at the very least, are crucial to manufacturing and other businesses. They are also often complex to secure and defend because of legacy issues such as:

  • Under-defended - Many OT systems were designed decades ago without cybersecurity playing a significant part in the design and deployment.
  • Outdated - A significant number of OT control PCs are running legacy operating systems like Windows XP.
  • Patching - It’s difficult to update OT controller PCs without operational downtime. And many of them are in locations that require an expensive site visit by a technician. This is one of the drivers for adding them to the corporate network for remote management and updating.
  • Risk - Successful OT attacks can cause physical damage to machinery rather than just digital impacts like data loss or ransomware deployment.

This can lead to safety issues if the control of critical infrastructure is compromised. The US EPA estimates that the drinking water systems serving 193 million US citizens are susceptible to OT cyberattacks. What if a cybercriminal started increasing the pH levels of our drinking water? Just imagine the consequences.

Criminals prioritize attacks against OT systems due to the benefits that can accrue, from their perspective, such as the ability to get headlines due to the disruption of high-profile critical infrastructure systems. This disruption is often associated with nation-state sabotage, as state actors do not need to extract a ransom for their attacks — disruption is the point. Some attackers who are not nation-state-backed also disrupt critical infrastructure just for the notoriety it brings them in criminal and hacker circles.

Examples of Notable OT Attacks

Filip outlines some notable examples of attacks against OT systems in the webinar:

Stuxnet (2010) - A targeted attack designed to infect and surreptitiously damage the centrifuges Iran was using to enrich uranium for its nuclear program. The control systems that managed the speeds of the centrifuges were isolated from external networks. The attackers built the Stuxnet malware to run on the ICS controllers, where it made the centrifuges spin faster until they failed. The malware also reported false information to the ICS systems so that operators did not see the speed changes. Eventually, a significant number of the centrifuges failed due to physical damage.

Security professionals regard the Stuxnet OT malware as the origin of OT-focused cyber warfare, as state-backed adversaries of the Iranian state created the malware. You may be wondering how the attackers got their malware onto the air-gapped OT controllers. The consensus is that they introduced it into the nuclear facility on USB storage devices that were left to be found by facility staff. Remember: you shouldn’t pick up and use that USB key you found in the office car park!

Colonial Pipeline (2021) - The ransomware attack on Colonial Pipeline in 2021 was the result of a compromised password on an obsolete VPN account, exposed in a previous data breach. When attackers deployed ransomware to IT networks, servers and PCs, the IT team acted out of an abundance of caution and shut down the OT equipment that controlled the flow of petroleum products to a large swathe of the Northeast United States. This shutdown caused gasoline shortages at gas stations, mainly due to panic buying, which led to price spikes, and for a while to delays at airports due to aviation fuel shortages. The pipeline operator eventually paid a ransom of $4.4 million to the attackers. Law enforcement in the US later recovered some of the ransom.

A Typical OT Attack Scenario

We walk through a typical attack scenario in the ICS/SCADA protection against incoming attacks with the Flowmon security solution video. That scenario outlines how an insider threat enables the deployment of malware even across an air gap between OT systems and the wider network. Don’t forget the negligence method for jumping air gaps, as described in the Stuxnet example. A common attack scenario involves:

  1. A staff member connects an infected laptop to an ICS network for routine maintenance.

  2. Malware designed to activate only when connected to an industrial network gets deployed.

  3. The attack proceeds while normal operations continue, with the malware taking steps to avoid detection.

  4. Network reconnaissance takes place as the malware scans for vulnerable devices, such as hosts exposing a known-vulnerable SMB (Samba) service on port 139.

  5. Escalation happens when the malware gains unauthorized access to the control systems and escalates its permissions.

  6. The malware changes ICS parameters to cause physical damage, such as manipulating cooling systems and causing temperature rises that damage machinery.

This usually occurs while the ICS monitoring systems are showing nothing out of bounds, because the malware is also masking the changes it has made and manipulating the data flow from the systems to the monitoring stations. The gap between what is actually happening on the network and what operators can see is known as a detection gap.

Flowmon Closes the Detection Gap

Experienced cybersecurity professionals know that no perimeter or human cybersecurity defenses are 100% reliable. They know that prevention will eventually fail and that they need to plan to detect and respond to attackers who are active on the network.

The Flowmon Network Detection and Response (NDR) solution gives you deep visibility into network traffic across cloud, on-premises and hybrid environments, on both your IT network and your OT environment. Flowmon NDR detects anomalies based on behavioral changes. It also prioritizes threats and helps security teams respond with confidence to real threat activity.

Flowmon enables your team to detect indicators of compromise using multiple detection technologies (the following list is from our Machine Learning and AI Explained blog):

  • Machine learning - Flowmon threat detection harnesses the power of ML to detect and mitigate cyberthreats by identifying anomalies in real-time. It combines supervised and unsupervised learning techniques to detect known and unknown threats. Flowmon AI models get trained on large amounts of historical network data, and they continuously update and learn as they function. When new threat patterns emerge, the AI can learn and adapt.
  • Heuristics - AI models in Flowmon can help refine and optimize heuristic rules based on historical data and real-time threat intelligence. This reduces false positives and improves the accuracy of behavior-based heuristics.
  • Pattern matching - Flowmon AI capabilities enhance pattern matching by learning to identify new threat patterns and variants that may evade traditional signature-based detection. ML models also learn and adapt continuously.
  • Anomaly detection - Learning algorithms in the Flowmon platform work with statistical anomaly detection methods to identify unusual patterns or behaviors in network traffic that may indicate an attack or threat.

Using these methods in parallel, Flowmon network monitoring provides visibility into your IT and OT networks. When anomalous activity is detected, your IT and operations teams are alerted so that they can respond quickly to contain and remove any threat. Deploying Flowmon cybersecurity to monitor your IT and OT networks gives your organization a 24/7 security expert who never sleeps or tires.
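As an added illustration of the behavior-based detection described above (example code written for this post, not Flowmon's own logic and not from the webinar), the following Python sketch learns from historical flow records which hosts and conversations are normal on an OT segment, then flags two deviations from the attack scenario: an unknown host appearing (step 1) and that host sweeping port 139 across the segment (step 4). All addresses, ports and timestamps are constructed; the Modbus/TCP polling baseline is an assumption chosen to look like routine HMI-to-PLC traffic.

```python
from collections import defaultdict

def learn_baseline(flows):
    """Learn the normal OT traffic profile from historical flow records:
    the hosts present on the segment and the (src, dst, port) conversations
    that are routine, such as an HMI polling its PLCs."""
    hosts, convs = set(), set()
    for src, dst, port, _ts in flows:
        hosts.update((src, dst))
        convs.add((src, dst, port))
    return {"hosts": hosts, "convs": convs}

def detect(flows, baseline, window=60, fanout=5):
    """Flag behavioural deviations from the baseline and return them as alerts:
    - ("new_host", src): a source never seen on the segment before
      (the maintenance laptop of step 1 in the scenario);
    - ("scan", src, port, n): one source reaching n >= `fanout` distinct
      destinations on one port within `window` seconds, none of them a known
      conversation (the port 139 reconnaissance of step 4)."""
    alerts, seen_new = [], set()
    unknown = defaultdict(list)  # (src, port) -> [(ts, dst), ...] outside the baseline
    for src, dst, port, ts in flows:
        if src not in baseline["hosts"] and src not in seen_new:
            seen_new.add(src)
            alerts.append(("new_host", src))
        if (src, dst, port) not in baseline["convs"]:
            unknown[(src, port)].append((ts, dst))
    for (src, port), hits in unknown.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):           # sliding time window over the hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in hits[lo:hi + 1]}))
        if best >= fanout:
            alerts.append(("scan", src, port, best))
    return alerts

# Constructed records (src, dst, dport, start_second), modelled loosely on IPFIX
# fields; invented for this example, not captured from any real ICS network.
BASELINE = [("10.20.0.10", f"10.20.0.{n}", 502, t)   # HMI polling three PLCs on Modbus/TCP
            for t in range(0, 600, 60) for n in (21, 22, 23)]
LIVE = BASELINE[-3:] + [("10.20.0.77", f"10.20.0.{n}", 139, 1000 + n)  # unknown laptop sweeping 139
                        for n in range(20, 28)]

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(BASELINE)):
        print(alert)
```

A real deployment would feed records exported by probes or routers rather than an inline list, but the two checks (unknown talker, unknown-conversation fan-out per port) are the kind of behavioral signal that closes the detection gap even when the ICS monitoring stations themselves are being fed false data.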

The Flowmon platform also communicates the threats it detects using human-understandable alerts and reporting that uses the well-defined and widely used MITRE ATT&CK framework. This makes it easier for everyone to understand the thrust and severity of attacks, even those who are non-technical, such as managers, who you need to keep informed of what is happening.

Customer Success Story

EG.D is an electric and gas utility that serves over a million premises in the South Bohemia and South Moravia regions of the Czech Republic. They must keep the electricity and gas flowing 24/7. To help minimize the risk of service outages from cyberattacks, they realized that they needed to improve visibility into their OT network and LANs at substations. They needed a solution that would support the standard substation protocols used in OT networks and possess the ability to forward IPFIX data into a SIEM.

Quoting from our customer success story page, EG.D deployed a Flowmon solution that comprises around 90 Flowmon Probes gathering data at key points throughout the network, while existing routers provided additional network traffic statistics. All the data is then stored and analyzed at a central virtual Flowmon Collector.

They saw immediate results from the Flowmon deployment, including:

  • Immediate identification of misconfigured devices
  • Robust traffic visibility in one centralized location
  • Real-time warnings about emergent or potential issues
  • In-depth network usage insights and bottleneck identification
  • Network-borne threat exposure and traffic anomaly reporting

“Immediately after deployment, the system helped us identify several misconfigured devices. Thanks to the insights the solution provides, we can see all of our traffic in one place and are immediately warned about any emergent or potential issues that may arise. It provides us with information on network usage, pinpoints potential bottlenecks, exposes network-borne threats, and reports on a variety of network traffic anomalies.” - Martin Keprt, Head of Cyber and Physical Security Management, EG.D.

Final Thoughts

Organizations will continue to integrate OT systems with traditional IT systems. This means that the need for real-time detection of any security breaches will become more critical. The ramifications resulting from a breach that goes undetected for long enough for attackers to do what they want can have severe financial, reputational and political consequences.

Don’t wait for a breach of your OT or IT defenses to catch you off guard. Try the Flowmon cybersecurity platform and see how its AI-powered insights can elevate your network detection and response. Visit the Flowmon platform page for additional product details and the Flowmon Anomaly Detection System (ADS) page for further information on our ADS. Contact us to talk with an expert and arrange a 20-minute live demo on how Flowmon threat detection can help improve your organization’s security.

