What is OT and ICS | cybersecurity
hey everyone and welcome back to my YouTube channel and today we are going to speak about operational Technologies and Industrial control layer systems so let's begin so operational technology is an industrial control system are used by many Industries across the globe to support anyone their critical infrastructure besides these utilities such as water drainage systems power grids oil and gas communication networks trains Etc all rely on operational Technologies OT and Industrial control system ICS to deliver critical Services exposing OTS and icss to vulnerabilities and cyber attacks will lead to Serious catastrophic events cyber attacks against operational Technologies and Industrial Control Systems can lead to power outages manufacturing downtime disruption in Water Supplies disrupting transportation services and communication systems attackers are continuously evolving their strategies to Target industrial control systems and our bypassing security measures to damage key critical infrastructure with Jerry's security measures are required to secure the otics for protecting the critical infrastructure and today we will talk about the cyber security of operation Technologies and Industrial Control Systems major cyber attacks against those systems and mitigation strategies to protect the critical infrastructure of different Industries so why cyber security of OT and ICS systems is a major Challenge and the narrower functionality of of OT and ICS systems make a smaller attack surface as compared to traditional I.T systems but in terms of cyber security these systems are generally more problematic one the proprietary interface of these systems make the job of the cyber security professional more difficult if these systems are misconfigured or running a vulnerable application and second that makes cyber security difficult is that security patches are not easily available and industries cannot afford downtime to run security audits and to configure security patches for its applications so why operational Technologies and Industrial Control Systems cyber security is a Hot Topic today you may ask right and the cyber security of OT and ICS has become a Hot Topic today as cyber attacks on Ukraine has increased drastically since the Russia invaded the country in late February research by the NSA by the way and cyber security organizations showed that Russian apt groups are continuously targeting industrial control systems of the country to disrupt the power grids and other communication services on April 8 2022 Russian backed a APT group to use updated malware known as in Destroyer 2 to malfunction the key of electric grid the attack was detected and stopped but it has raised eyebrows of the Nations across the globe as Nations can use sophisticated cyber attacks against industrial control system to paralyze their adversaries followed by this attack the department of energy doe the cyber security and infrastructure Security Agency sisa and the National Security Agency and they say issue the warning that russian-backed apt group send one has gained access to multiple industrial control systems and supervisory control and data Acquisitions scada devices using a new malware toolkit pipe dream this should be serious concern for all the countries across the globe because attacks on these systems can cause serious damage to the key infrastructure of a country one such example of this type of attack is 2015 Act of Ukrainian power grid which threw about 200 000 citizens of Ukraine to blackout for eight hours we can consider such types of attack as a wake-up call for all of us as nuclear plants power grids or other critical infrastructure of your country might be the next step by the way the Russia Ukrainian exam is only a recent one but there are plenty of examples of otics cyber attacks where maybe the most famous one is tax net if you'd like to learn more about it I will leave a link in the description I did a nice video about it so please watch it how cyber security is maintained to protect the OT and ICS and we will take water treatment plant as an example in order to understand how cyber security measures are used to protect the OT and ICS a water treatment plant is safeguarded by using first generation ICS best security practices security measures probably include firewalls that are used to segment the network based on different levels of trust individuals user accounts are all protected by using strong encryption algorithms scada one system for water pumping is configured as private DMZ is used to segregate the industrial control system from the I.T systems of water treatment plant and as industrial Control Systems cannot be updated quickly as it system therefore security update program is always in plan to not disrupt any operation and to protect the infrastructures from any Security misconfiguration Antivirus programs are installed on all of the equipment and are updated regularly to protect it from latest malware and network monitoring systems are in place which is directly connected to the network equipment to in order to share all the logs of the IT department and all logs of antivirus intrusion detection system and other security information passed through the DMZ it department and internet to the third-party cloud provider provider so what things make the otics more vulnerable and OT and ICS are more vulnerable today due to the following reasons one use of outdated technology and majority of the OT and Industrial Systems are outdated and were built when no one was caring about cyber security too much research shows that about 71 percent of these systems are outdated if not updates and are using plain text password for security yes plain text password second is complex nature of patching and we discuss it before though security patches are available for these systems it seems difficult for organizations to patch their systems regularly because they cannot afford downtime another reason is increasing numbers of vulnerabilities and research shows that the number of vulnerabilities in these systems are doubling each year we password most of the OT and Industrial Control Systems use weak password which are easily guessable majority of the industries are using default username and password which are already won by sisa for any critical security breach remotely exploitable is another reason and most of the industries are using remote Technologies to access their facilities and substations which are easily exploitable so some common otics cyber attacks and in this section I will do light on some of the top attacks that Target industrial Control Systems some of the sophisticated attacks are ICS Insider attack and this is moderately sophisticated type of an attack in which this one related staff steals user credential of other technicians roof shoulder surfing or by any other means these credentials are further used by The Insider to issue instruction to shut down certain processes of the plant or industry the sequence of the attack depends on the industrial process and the acts of Insider which may cause serious damage to the ICS another type is common ransomware and this is a kind of very sophisticated type of ICS Cyber attack which is triggered when a technician or engineer accidentally download a ransomware from internet while searching for some technical files on the internet as an example the ransomware exploits known vulnerabilities of ICS which are not yet patched the ransom encrypts the all of the workstation and let the industrial control system shut down after a few minutes when the alert is triggered the technician safely shut down all the plan which further damage equipment at the plant the minimum damage that is caused by such type of attack is unplanned shutdown of the of plant which may last for couple of days in worse than other important equipments of ICS can be irreparably damaged by any uncontrolled shutdown of the plant an analysis shows that in most case scenario of common ransomware attack the the Palm was shut down for about one year the target advancement this is one of the most sophisticated type of attacks against industrial control system in which we see organized cyber criminal organization to Target Industries and plants through France somewhere the Cyber criminals targets inside I.T staff with the ends on knowledge of cyber security and social engineer them with malicious attachment which provide remote access control the attacker uses remote access control Tool Direct to compromise user credential and other critical information in order to gain remote control of an ICS once the Cyber criminal gain control of the ICS they then stated to started to execute ransomware for demanding a ransom for the company failing to pay Ransom can trigger the ransomware in infected equipment and can erase all the firmware and biosetting in all infected equipments this can cause serious damage to the company including plant shutdown and repairing of damage equipment another type of attack is zero day ransomware and sometimes zero days vulnerabilities are mistakenly or intensively left by the vendors in operating systems firewall antivirus programs Etc there are organized cyber criminal groups which constantly are in a hand for zero days vulnerability and one once they discover it they sell it to the organized criminal groups the Cyber criminal group then propagates ransomware by exploiting those zero days vulnerabilities and demands for a ransom the consequences of this attack are similar to targeted ransomware attack in example plan shut down and damage to Industrial Control Systems attack and the name was named so when the actors attacked Ukrainian power grid and shut down the electricity for eight hours the attack is triggered when the Cyber criminal compromise I.T staff Account Details to phishing attacks these user credentials are further used by the attackers to compromise the domain controllers once they gain complete control over the domain controller they create new user accounts for themselves with administrative user privileges which can gain access to the otni CS equipment the attacker spends a lot of time to observe the ICS operation and controls that are related to process which control of the plant once they gained enough knowledge about the process they start to destabilize the physical process of the industrial control system other co-workers in the Cyber criminal groups erase our drives firmware and other fights necessary to run the plant equipment which ultimately leads to complete shutdown of the plant and the industrial control system equipment cell phone Wi-Fi attack and in this type of attack the Cyber criminal use social engineering tactics to trap the office workers on social media to download certain applications on their cell phone once they downloaded the application the application ran in background of Staff cell phone and scan for wireless network periodically and report to the command and control server about the attacks right the attackers then extract the Wi-Fi password using a number of techniques to gain internal access to the Enterprise Network once they gain access to the internal Network they scan the whole network to find any vulnerable system or ICS equipment in order to exploit its vulnerability once exploited the attackers use denial of service attacks and scene flood attacks to trigger an unplanned shutdown disconnect the equipment from the Wi-Fi networks and repeat the attack for a few days attack two of compromise vendor website that's another one should we trust the website of the vendors from where the ICS and OT equipment are purchased and cyber's criminals often Target vendors website find bugs and exploit it to compromise the whole website of the vendors they download the firmware and software of all the OT and ICS equipment study to find the names and identifiers of these equipments the attackers then Target the users of the equipment with social engineering and other techniques and try to access the OT and ICS of the industrial sites another technique that attacker use is to upload the malwares in the cyber security updates of the ICS and OT equipment by leveraging the compromise website of the vendors when the technicians download the malfunction security update it triggers the malware and starts to damage the ICS and OT equipment this can trigger an unplanned and possibly uncontrolled shutdown remote sites attack and most of the scada control systems such as power grids and pipeline use one wide area network communications to control remote sites such as substation and pumping station these remote stations are often unstuffed and are physically protected to fire fencing video surveillance Etc attackers can bypass the physical security of such remote stations plug the laptop with the switch scan the network to discover connection back to scada systems and the attackers can also then use the Aquarian style attack to physical damage the OT and ICS equipment that can cause unplanned shutdown for unknown period of time such attack can cause panic in public as attackers can interrupt electricity water and gasoline processes Vendo backdo and most of the times the software developers at vendor's site creates a backdo in the firmware that is used in OT and Industrial Control Systems the Bechtel is inserted for service support mechanism or software developer may use it for malicious intents this backdo provides remote connections to the ICS equipment so that users may be able to install any update offered by the vendor if a hacker discovers this backdo by compromising the vendor to phishing attack or by compromising the vendors website the backdoor can provide complete remote control of the OT and ICS equipment since antivirus and inclusion detection system of the site cannot detect such vectors as this Vector is not triggered as a malicious by the antivirus or nids archives can carry out plane shutdown and can damage the entire ICS and OT equipment by erasing the outdrives and firmware causing severe damages to the plant and industries so what industries can do to protect their OT and ICS from cyber attacks practices that organization can use to protect OT and ICS cyber attacks are secure the process not the technology conventional cyber security revolves around protecting the technology from cyber criminals but this approach is irrelevant to otn Industrial Control Systems security teams need to secure the OT and ICS equipment to secure the critical infrastructure organization must follow a micro segmentation strategy where security maintained at each level of functional areas in order to mitigate the risk of possible Cyber attack second deploy micro level access and Rise of remote access in OT and ICS based equipment requires a strong identity access management solution that does not extend too much trust to authorized users use of Technologies like sassy sd1 and SSE Security Service Edge is a feasible solution to manage and control the data centers and to implement never trust approach to secure the entire OT and ICS equipment make sure that everyone is stakeholder to protect OT and ICS and and team efforts are required to protect the OT and ICS assets because it requires vast experiment and knowledge in many different disciplines it is necessity for cyber security team to not consider only cyber variables but they must also know about the other variables such as temperature pressure movement time Etc employees vendors customers partners and Engineering teams are jointly required to limit the potential threats by delivering efficient response plan some NSA guidelines to secure otics critical infosight recently NSA shared some of the best practices to protect the otics critical infrastructure from cyber criminal these best practices are do not expose system information they first step cyber criminal use while targeting otics infrastructure is to gather useful information which needs to be kept confidential on the top priority identify and protect remote access points the technician and cyber security team must keep all the inventory of the sites and equipments that are accessible remotely these remote access points and equipment must be secured with best security practices limit access to network and applications and attackers often embed their malicious scripts in the Target Network and application of OT and ICS to gain complete control organization must limit it access to the network systems and application that seems to be vulnerable and which requires complete shutdown for security patches the fourth perform regular security Audits and regular security scan and audits will let the security teams to understand its vulnerabilities the security team should document these vulnerabilities procedures and practices to eliminate these vulnerabilities in timely manner so final thoughts despite ongoing warning issued by NSA and other security agencies operational Technologies and Industrial control system will remain vulnerable imagine what will happen if ICS and OT facilities or system fall into the wrong ends there is likelihood of potential substantial Financial loss environmental damage and even loss of human life resulting from a security breach and is a real possibility when we talk about the cyber attacks against OT and ICS based facilities a new approach is definitely required to protect it and ICS facilities which should cover all assets applies comprehensive and robust cyber security and we need to deeply measure that must prevent attacks from both external and internal sources and mitigate cyber attacks finally we should also need to keep business criticality and continuity in mind when we develop and Implement OT and ICS security strategies if you stayed until now thank you very much hope you like it if you have any feedback please leave it in the comments below and raise more ideas for videos you are doing all the time thank you very much and see you in the next video
2022-10-11 14:30