What is Operational Technology?
Operational Technology (OT) is the broad category of hardware and software components that support industrial operations and processes. Within OT, Industrial Control Systems (ICS) are the technical components that connect directly to industrial equipment and are used to monitor and manage that equipment remotely, through both manual and automated means. You can think of Operational Technology as the nervous system of most modern mining operations; it is considered mission critical for both safety and production.
Such technologies have existed in various forms since the introduction of integrated circuits and were designed to perform simple, very specific functions reliably and consistently, and to run uninterrupted “forever”. However, with the advent of the Internet and the proliferation of networking, the interconnection of Operational Technology with the rest of the world began to unfold. While remote management and increased automation have been quite beneficial to industrial operations and processes, the lack of security considerations within Operational Technology has resulted in an expanding attack surface of vulnerable mission-critical systems, with real-world examples such as the intentional sabotage of municipal water systems, nuclear enrichment facilities and power grids.
Let’s dive in.
Built for a Simpler Time
In its most basic form, an ICS device receives an input, makes a decision, does something and reports an output. This can be as simple as a system that turns a furnace on or off based on temperature changes, or as complex as orchestrating the automatic shutdown of a nuclear power plant when unsafe conditions are detected. Most ICS devices were designed to run fairly autonomously, performing explicit functions and requiring little to no maintenance.
Traditional ICS devices could be managed and monitored remotely via discrete circuits run to a remote location. These circuits were analogue and deployed on a per-device basis. As industrial operations became more complex and organizations wanted more control and increased automation, Operational Technology needed to support new connectivity options over converged networks. However, the connectivity added to these existing technologies amounted to “smart” bolt-ons to otherwise “dumb” devices.
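To make the "input, decision, action, output" cycle concrete, here is an added example (not code from the original article or any vendor) that models the furnace case from above as a single scan cycle, and goes one step further than the text by adding the two properties a real controller relies on: a deadband so the heater does not chatter around the setpoint, and a latched fail-safe trip that forces the heater off when the reading is implausible (for example a faulted sensor). The setpoint, deadband and valid range are constructed values.

```python
# Added example: a minimal ICS-style control loop (input -> decision -> action -> output).
# Not from the original article; all numeric values are constructed for illustration.

from dataclasses import dataclass


@dataclass
class FurnaceController:
    setpoint_c: float = 200.0     # target temperature (constructed)
    deadband_c: float = 5.0       # hysteresis band around the setpoint
    min_valid_c: float = -40.0    # readings outside [min, max] are treated as a sensor fault
    max_valid_c: float = 600.0
    heater_on: bool = False       # the "action" the device drives
    tripped: bool = False         # latched fail-safe; cleared only by an explicit reset

    def step(self, temperature_c: float) -> dict:
        """One scan cycle: read input, decide, act, and report the output."""
        if self.tripped:
            # Once tripped, stay in the safe state until an operator resets.
            self.heater_on = False
            return self._report(temperature_c, "tripped")
        if not (self.min_valid_c <= temperature_c <= self.max_valid_c):
            # Implausible reading: fail safe (heater off) and latch the trip.
            self.tripped = True
            self.heater_on = False
            return self._report(temperature_c, "sensor_fault")
        if temperature_c < self.setpoint_c - self.deadband_c:
            self.heater_on = True
        elif temperature_c > self.setpoint_c + self.deadband_c:
            self.heater_on = False
        # Inside the deadband the previous state is kept, so the relay does not chatter.
        return self._report(temperature_c, "ok")

    def reset(self) -> None:
        """Operator acknowledgement clears the latched trip."""
        self.tripped = False

    def _report(self, temperature_c: float, status: str) -> dict:
        return {"temperature_c": temperature_c, "heater_on": self.heater_on, "status": status}


def run_sequence(readings):
    """Drive a fresh controller through a sequence of constructed readings."""
    ctl = FurnaceController()
    return [ctl.step(t) for t in readings]


if __name__ == "__main__":
    # Constructed readings: warm-up, inside the deadband, overshoot, a bogus sensor value, then after the trip.
    for out in run_sequence([180.0, 198.0, 206.0, 203.0, 9999.0, 190.0]):
        print(out)
```

The latched trip is the part worth noticing: a device built "for a simpler time" handles a bad sensor reading locally and safely, but it has no notion of whether the reading (or a later reset command) came from a trusted source. That is exactly the gap the rest of this post is about.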
Never Built with Security
Decades of #facepalm security flaw announcements and an ever-increasing number of breaches against OT make it easy to conclude that security in OT was never a thing. This is because for decades these were simple systems, isolated from threats, that just needed to do one thing well and never had to consider the threats of today. As an example, many systems lack access control mechanisms like passwords because they were never expected to be needed. Sound crazy? Have a read about a similar decades-long fight to add a passcode to nuclear weapons, and then to not have it set to ‘00000000’, here.
Connectivity capabilities were added to ICS devices to allow for remote monitoring and management. This started with simple analogue circuits, evolved to digital communication protocols and eventually to TCP/IP. ICS communications thereby moved from private point-to-point or bus networks to fully routable IP networks with the Internet a few hops away.
Given the intended simplicity of ICS devices, the addition of a TCP/IP stack brought risk. Sometimes this was because the legacy protocols were vulnerable themselves and were simply being encapsulated within IP packets, but more often it was because engineers working with limited processing power implemented stripped-down versions of the network stack.
Network-enabled remote management was a big evolution for ICS. Companies saw the value in accessing ICS devices from afar and started deploying ICS with attached dial-up and high-speed modems, or directly onto the corporate network. The exposure to public networks such as the Internet created a larger attack surface of highly vulnerable systems.
During a previous lunch and learn I gave a quick tour of https://www.shodan.io, which lists ICS devices sitting on the Internet, waiting to be connected to, many of them vulnerable to attack.
When OT devices were first installed, they were typically in locations that were not connected to the Internet or any network, and usually in physically secured buildings. The threat of an unauthorized person interacting with ICS devices was very low, and therefore access control mechanisms such as passwords were either non-existent, hard-coded/unchangeable or left at the default.
The combination of publicly exposed ICS systems with weak access control mechanisms has been, and will continue to be, a cause for concern.
It is common knowledge that ICS devices need to be handled with care when interacting with them over a network. This extends to normal cyber security activities such as vulnerability management and penetration testing. Beyond the reasons above, like all software (especially stripped-down TCP/IP stacks), it is almost certain that a bug or vulnerability will eventually be discovered. When ICS devices were isolated, the “set it and forget it” deployment of ICS with eventually-vulnerable software was not considered a major risk. The introduction of connectivity, combined with the lack of ability or process to patch bugs/vulnerabilities in ICS systems deployed in the field, has resulted in a large attack surface of vulnerable systems.
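Since a device with no usable password cannot defend itself, the practical control is to watch who is allowed to reach it. The following is an added example (not from the original article) of the kind of check a defender runs over firewall logs: it flags any allowed session to a common ICS protocol port whose source is not one of the networks that is supposed to talk to the OT environment. The log format, the address ranges and the sample lines are all constructed for this example; the port-to-protocol mapping (Modbus/TCP 502, Siemens S7 102, DNP3 20000, EtherNet/IP 44818) is the standard one.

```python
# Added example: flag ICS protocol sessions from unexpected source networks.
# Not from the original article. Log format, addresses and ranges are constructed.

import ipaddress
import re

# Well-known ICS/SCADA protocol ports.
ICS_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Constructed: the only ranges that should originate ICS protocol sessions.
AUTHORISED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),   # the OT network itself
    ipaddress.ip_network("10.10.5.0/24"),   # engineering workstations
]

# RFC 1918 ranges, used only to tell "inside the company but wrong segment"
# apart from "reached from outside the company".
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z action=allow proto=tcp src=10.10.5.23 dst=10.20.1.15 dport=502
2024-03-01T10:00:07Z action=allow proto=tcp src=203.0.113.7 dst=10.20.1.15 dport=502
2024-03-01T10:00:09Z action=allow proto=tcp src=10.30.8.4 dst=10.20.1.20 dport=44818
2024-03-01T10:00:12Z action=allow proto=tcp src=203.0.113.7 dst=10.20.1.15 dport=443
2024-03-01T10:00:15Z action=deny proto=tcp src=198.51.100.9 dst=10.20.1.30 dport=20000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict; the timestamp is kept as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def classify(event: dict):
    """Return a finding for a risky ICS session, or None if the event is expected."""
    if event.get("action") != "allow" or event["dport"] not in ICS_PORTS:
        return None                       # blocked traffic or a non-ICS service
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in AUTHORISED_SOURCES):
        return None                       # an engineering or OT host, as expected
    # Anything else reached an ICS service it should not be able to talk to.
    internal = any(src in net for net in INTERNAL_RANGES)
    severity = "unsegmented_access" if internal else "external_access"
    return {"ts": event["ts"], "src": str(src), "dst": event["dst"],
            "protocol": ICS_PORTS[event["dport"]], "severity": severity}


def find_exposures(log_text: str) -> list:
    """Run the check over every non-empty log line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(parse_line(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the check reports two findings: a Modbus session from a non-RFC 1918 address (the device is reachable from outside) and an EtherNet/IP session from an internal subnet that is not the engineering range (a segmentation gap). The rejected DNP3 attempt and the HTTPS session are ignored, since the point is allowed reachability of the ICS services themselves, not every packet that touches the OT range.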