Risk Management
OT Cybersecurity Plan to Prevent the 5Ds
Outline a cybersecurity plan to protect your operational technology network by studying the five techniques adversaries use to target them.
Some of the most dramatic changes to the cybersecurity landscape are happening in manufacturing, where Industry 4.0 promises to empower businesses with faster and more dynamic capabilities, thanks to the growing prominence of 5G networks, automation, and cloud analytics.
With every new connection, cybersecurity leaders face a growing attack surface complicated by other developments like a looming global recession poised to shrink their teams and resources. A cybersecurity plan is needed to protect against these uncertainties, and the best plans will defend against the five Ds used by adversaries to target industrial systems.
What are the 5 Ds of cybersecurity?
The Cybersecurity and Infrastructure Security Agency (CISA) identified five objectives of adversaries who target industrial control systems (ICS) and operational technology (OT): to disrupt, disable, deny, deceive, and/or destroy.
While the outcomes of these techniques differ, the approach to carry each one out is largely the same. Adversaries select a target system, collect intelligence, develop tools and techniques, infiltrate the system, then execute their tools and techniques.
Disrupt
Often paired with ransomware extortion, this technique interferes with an owner or operator’s ability to control the target system. Industrial technologies are inherently exposed to such attacks because they rely on external connections. Remote access—required either by the operator or the manufacturer—offers another entry point for adversaries to incapacitate their target system.
If the target is well-chosen, even an hour of downtime can be disastrously expensive, which is why pairing the attack with a ransomware demand, offering to end the disruption for a price, is so effective. Your cybersecurity plan should take into account that vulnerable IT systems may lead to OT disruptions. Keeping resources like procurement documents, engineering specifications, and configurations secure can help deter would-be attackers.
Disable
Once adversaries gain access to your OT network, causing a major disruption could be as simple as modifying your system’s internal values or changing control points. The manufacturer’s own quality control standards might even be used against you, as some equipment can be remotely and automatically halted if dangerous settings are detected.
Just like the disruption technique, a crafty attacker might offer to release the disabled system—saving their victims the time and money otherwise required to resolve the attack—through ransomware. Since both options are unacceptable, your cybersecurity plan needs to secure the OT network against disabling attacks. Identify the essential services within your network and disable any others, so that fewer potentially vulnerable components have access to your critical systems.
Deny
Cybercriminals and advanced persistent threat (APT) groups aren’t the only ones targeting industrial systems. Nation state actors also target critical infrastructure, and the wide reach of supervisory control and data acquisition (SCADA) systems makes them prime targets for attacks that deny access to, and control of, industrial equipment.
Several highly publicized attacks have focused on stopping, aborting, or corrupting a SCADA system’s software, including the Stuxnet worm of 2010. The Triton malware, discovered in 2017, even caused operational shutdowns by targeting industrial safety systems. Another common approach is the distributed denial-of-service (DDoS) attack, which seeks to overwhelm and incapacitate internet-facing networks. These attacks have become more common in recent years, and the disruptions they cause are often compounded by extortion tactics or used as cover for a more damaging attack.
Downtime and production delays are not the worst-case scenarios when these interconnected systems are attacked. Major supply chain ripples and even safety hazards are also possible. Securing a SCADA system means securing the large number of sensors and devices throughout its attack surface. Don’t overlook human-machine interfaces (HMIs), mobile applications, and communication profiles while drawing up your cybersecurity plan.
Deceive
Adversaries can prevent an operator from monitoring a targeted system, either to cause further errors and delays in the industrial process or to disguise malicious activity within the OT network. This technique includes a variety of approaches, from blocking updates to disabling HMIs. In the 2015 cyberattack on the Ukrainian power grid, the Russia-aligned actors believed to be responsible changed the visualizations shown on HMIs using malware.
The knock-on effects of a deception attack can be hard to fathom, especially if such techniques are used to disguise sabotage or espionage. To neutralize this threat, make a network architecture designed to stop threats from spreading a key component of your cybersecurity plan. Virtual local area networks (VLANs) and firewalls can limit the exposure between interfaces and prevent bad actors from disrupting your system.
Destroy
The most harmful of the five techniques used to target OT systems is also the most direct. If adversaries can take remote control of your industrial equipment—or simply infiltrate your network—then it could be easier than you would expect to destroy that equipment. Even a minor adjustment to the geometry of a computer numerical control (CNC) machine’s spindle could destroy the machine and injure or kill nearby workers.
The impact of a destructive attack on your OT network is obvious, but the vulnerabilities for such an attack might be more common than you think. Adversaries with remote access could close a breaker, raise a turbine’s speed, or throttle a valve to quickly damage vital equipment. Include industrial intrusion prevention (IPS) and detection (IDS) systems in your cybersecurity plan to halt any malicious activity before it can harm your workers and equipment.
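As an added example, not taken from the original article, here is a small Python detector that applies the IDS idea above to control-point writes decoded from Modbus/TCP traffic: it flags writes from hosts outside an engineering-workstation allowlist, writes whose values fall outside a safe operating range (the turbine overspeed case), and writes to registers that map to no known control point. The host addresses, register numbers, limits and sample events are all assumed.

```python
from dataclasses import dataclass

# Assumed input: a collector has already decoded Modbus/TCP frames into
# flat records. Hosts, register numbers and limits below are constructed.
ENGINEERING_HOSTS = {"10.10.5.20", "10.10.5.21"}
# holding register -> (name, safe minimum, safe maximum)
CONTROL_POINTS: dict[int, tuple[str, int, int]] = {
    40001: ("turbine_speed_setpoint_rpm", 0, 3600),
    40002: ("valve_position_pct", 0, 100),
}
WRITE_FUNCTION_CODES = {6, 16}  # write single / multiple holding registers

@dataclass
class Event:
    ts: str
    src: str
    fc: int
    register: int
    value: int

@dataclass
class Alert:
    rule: str
    event: Event

def detect(events: list[Event]) -> list[Alert]:
    """Flag register writes that could disable, deceive or destroy."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.fc not in WRITE_FUNCTION_CODES:
            continue  # reads are routine polling; only writes change state
        if ev.src not in ENGINEERING_HOSTS:
            alerts.append(Alert("write_from_unauthorized_host", ev))
        point = CONTROL_POINTS.get(ev.register)
        if point is None:
            alerts.append(Alert("write_to_unknown_register", ev))
            continue
        name, lo, hi = point
        if not lo <= ev.value <= hi:
            alerts.append(Alert(f"out_of_range:{name}", ev))
    return alerts

SAMPLE_EVENTS = [  # constructed sample traffic, oldest first
    Event("08:00:00", "10.10.5.20", 6, 40001, 3000),   # normal setpoint
    Event("08:00:05", "10.10.5.20", 3, 40001, 0),      # read, ignored
    Event("08:01:00", "10.10.5.20", 6, 40002, 55),     # normal valve move
    Event("08:02:00", "192.168.77.9", 6, 40001, 3000), # unexpected host
    Event("08:03:00", "10.10.5.21", 16, 40001, 9000),  # overspeed
    Event("08:04:00", "10.10.5.20", 6, 40099, 1),      # unmapped register
]
```

In a real deployment the allowlist and limits would come from the asset inventory and the equipment's engineering specifications, and alerts would feed the SOC rather than a list.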
Balancing the security of OT networks with performance and ease-of-use is just one of the many challenges facing CISOs and SOC teams as they make cybersecurity plans for the future. But make no mistake: adversaries will target your industrial systems. It’s a matter of when, not if.
A cybersecurity platform that supports integration with ICS and OT tools, like Trend One, can raise situational awareness within these complex environments, enabling you to detect and respond to threats faster.
Safeguarding your industrial operations with OT-native solutions can protect your assets throughout their entire life cycle. TXOne fulfills workforce, workload, and workplace needs to deliver security and protection across multiple industries.