OT Malware and Meeting the Security Challenge

In the industrial sector, many organizations are struggling to work out the best way to secure their infrastructure. Much of the difficulty stems from the fact that operational technology (OT) networks and systems are very different from their IT counterparts. The unique operating environment of OT systems requires a different approach to cybersecurity. Gartner predicts that by this year, 2020, there will be 20.4 billion IoT devices.

While OT networks often contain several specialized systems, many of these systems are controlled, monitored, and operated via desktop workstations. As a result, OT environments face many of the same cyber threats as IT systems. While some cyberattacks are specialized to attack OT systems, others use the same tools, techniques, and procedures that cybercriminals use to attack traditional IT networks and systems.

See what types of malware target OT networks and the impact they have had on these organizations.

Stuxnet: The Original OT Malware

In 2010, Stuxnet became the first (and most famous) OT malware to be discovered in the wild. Stuxnet was originally delivered via a malicious USB drive by an Iranian double agent working in the Natanz nuclear facility; however, it was designed as a worm, spreading itself to any removable media connected to the infected device and to any system that media was later plugged into.

The malware was targeted at OT systems, testing to see if it was on a device running software by Siemens, a common industrial control systems (ICS)/supervisory control and data acquisition (SCADA) device manufacturer. If so, it deployed rootkit functionality, enabling remote control of the infected machine. To cover its tracks, the malware sent fake status reports regarding the operation of the centrifuges under its control, allowing it to cause physical damage to the devices without detection.

Cyberphysical Impacts at a German Steel Plant

While Stuxnet was the first malware with physical impacts, it was far from the last. A few years later, in 2015, a cyberattack impacted operations and even caused physical damage within a German steel plant.

The attackers initially gained access to the company’s network through a combination of spear phishing and social engineering. From there, they were able to move laterally throughout the organization’s network until they reached production systems. The attackers caused frequent failures of various components within these systems, culminating in an attack that rendered operators unable to regulate or shut down a blast furnace.

Norsk Hydro and LockerGoga

Recently, ransomware has been the malware of choice for many cybercriminals, and OT networks and systems have not gone unscathed. In 2019, a ransomware attack against Norsk Hydro, one of the world’s biggest aluminum producers, resulted in a final price tag of about $71 million.

Several months before the attack, a cybercriminal weaponized an email from a legitimate Norsk Hydro customer. This email enabled the attacker to gain access to the company network and plant their malware. The attack impacted the entire company and locked files on thousands of servers. With the help of Microsoft, the company was able to clean their network, improve their defenses, and restore from trusted backups.

The NotPetya Ransomware Wiper

While ransomware is bad enough, it is not the worst type of malware out there, as Maersk, a shipping company, discovered during the NotPetya attacks of 2017. With ransomware, an organization can theoretically decrypt its data if it pays the ransom or can otherwise access the decryption key.

Wiper malware, on the other hand, is designed to destroy a machine by encrypting all of the files and then destroying the decryption key. Maersk, when hit by the NotPetya wiper, had over 50,000 machines encrypted by the malware. The cost of remediating this attack against Maersk made it one of the most expensive cyberattacks of the decade.

Meeting the OT Security Challenge

OT networks, with their high availability requirements, are very different from traditional IT networks. The inability to perform updates, upgrades, and patching leaves organizations with a network of end-of-life machines that are vulnerable to a wide range of known exploits.

Until recently, many OT networks were protected through “air gapping”, which raised the bar for cybercriminals attempting to gain access to and exploit these vulnerable machines. However, the convergence of IT/OT networks means that these insecure devices are potentially accessible from and vulnerable to the public Internet.

The potential impacts of a cyberattack against critical infrastructure are significant, including productivity impacts, defective or malicious products, and even physical danger to workers and nearby residents. Protecting these systems and networks requires cybersecurity solutions specifically designed for and tailored to the needs and capabilities of OT systems and networks.

Given the high performance and availability requirements of OT systems and the outdated hardware and software they run, deploying traditional cybersecurity solutions on endpoints is necessary but incomplete. Addressing threats at the network level, through network segmentation, virtual patching, and access control, and through improved policies and procedures, including improved visibility and cyber hygiene, allows OT networks and systems to be secured while still meeting the demanding requirements of their operating environments.

Of course, most organizations may not have the necessary resources to perform these tasks accurately or efficiently. Partnering with an MSSP that offers SOC-as-a-Service and has its own SIEM solution can help an organization perform each of these tasks, in addition to monitoring and managing its network 24x7x365 to ensure threats don’t slip through the cracks and onto the network.
