When It Comes to Your Drinking Water, How Safe Is Your Operational Technology?

The recent intrusion of a Florida water-treatment plant highlights the need for strong protection of industrial control systems. Here's what you should consider.

This past Friday, in Oldsmar, Florida, an eagle-eyed technician at a water purification plant noticed a chemical change setting to the water supply. With a quick response, the technician found that remote access was made to the operational technology (OT) network in charge of purifying the water, and the unknown intruder had increased the amount of sodium hydroxide, essentially lye, from 100 parts per million to potentially harmful levels of 11,100 ppm. If not for the quick response of the technician, there could have been a direct impact to the lives of people in Pinellas County who rely on the safe delivery of this water as a drinking source. 

While in this case, the potentially calamitous, unauthorized change to the OT network was quickly detected and resolved before any damage to the public occurred, this is not always the case. Unfortunately, over recent years, OT networks have seen a dramatic uptick of security incidents. 2020 global events only accentuated the security challenge, forcing companies to “open up” their network for remote access to quarantined or otherwise limited personnel. These factors, along with technological advances such as the convergence of IT and OT environments and the rapid adoption of IoT technology, have further expanded OT attack surfaces and vectors, making industrial environments into prime targets.

For most industrial organizations, the need for vigilant security is nothing new. Threat vectors and the security forecast is constantly evolving given emerging threats. The convergence of IT and OT operations, whether planned or unplanned, is in almost all cases a reality. Setting the appropriate safeguards will help ensure secured operations for your organization and will give OT operators the tools needed to safeguard critical infrastructure. What should you consider?

Visibility that extends beyond traditional borders

Until only recently, IT security and OT infrastructures inhabited completely different worlds, thus the ability to see into either environment was bifurcated along these lines. Modern-day attacks are amorphous and travel across the traditional IT and OT security borders, as was evidenced in this most recent incident. Our ability to track these types of propagation routes requires the de-siloing of traditional visibility parameters. Being able to gain a single view of IT and OT, along with the conversations happening between the two worlds, is essential. This holistic view can help illuminate potential attack vectors and asset blind spots that may have eluded traditional security strategies.

Deep situational analysis

Whether or not an OT environment is converged, it is important to recognize the significant difference in IT and OT life cycles. While IT infrastructures update regularly, OT infrastructures often persist for years, even decades. It is not uncommon for an OT infrastructure to be as old as the plant itself. The result is that a full inventory of assets, along with maintenance and change management records, may not be current. Therefore, crucial data may be missing, including important details such as model number, location, firmware version, patch level, backplane detail and more. Since it is impossible to secure assets that you may not even know exist, having a detailed inventory of your OT infrastructure that can be automatically updated as conditions change is essential to protecting your industrial operations.

Reduction of cyber risk

When it comes to modern OT environments, cyberthreats can originate from anywhere and travel everywhere. Therefore, it is important to utilize as many capabilities and methodologies as possible to find and mitigate exposure risk. This includes network-based detection that:

• Leverages policies for allow- and block-listing capabilities
• Anomaly-based detection that can find zero-day and targeted attacks and is predicated on baseline behaviors unique to your organization
• Open-source attack databases, such as Suricata, that centralize threat intelligence from the greater security community, bringing together more eyes on any potential threat to yield significantly better security response

Since most attacks target devices rather than networks, it is essential to utilize a solution that actively queries and provides security at the device level. Because OT device protocols can vary widely, security and health checks must be unique to the make and model of the device, including the device language. These deep checks should not scan but rather be precise in query nature and frequency.

In 2020, over 18,300 new vulnerabilities were disclosed, affecting OT devices as well as traditional IT assets. However, less than half of these vulnerabilities actually had an available exploit. Gaining a full awareness of the vulnerabilities that are relevant to your environment, along with a triaged list of exploitable vulnerabilities and critical assets, will enable you to prioritize the threats with the highest risk score, thereby dramatically reducing your cyber exposure profile.

Knowing when changes happen

The core of any OT infrastructure is the programmable logic controller, or PLC, that controls the industrial or manufacturing process. In the case of water purification, the PLC orchestrates the delicate process of ensuring the appropriate mix of chemicals that renders drinking water safe. 

Attacks architected against industrial control systems (ICS) consist of making an unauthorized change to a PLC. Configuration control creates a snapshot or papertrail to highlight a delta before and after a PLC change. By taking snapshots at regular intervals, you get visibility into such changes, how they were made and by whom. Configuration control can provide a full audit trail and give ICS administrators the intelligence, insights and ability to roll back to a “last known good state” if someone actions sub-optimal or unauthorized changes to a PLC.

OT environments are core to the operation of nearly all critical infrastructure and manufacturing facilities. They have grown more sophisticated and interconnected over time, producing and manufacturing essential goods and services to exacting standards. Our need to secure these critical environments against threats is as important, if not more, than securing our IT infrastructures which are connected to them. Gaining visibility, security and control over OT environments is crucial – lives literally depend on it. 

For more information on implementing these OT safeguards, check out the whitepaper, Secure Industrial Control Systems With Configuration Control.