Blog

Proactive Security for Operational Technology

Shishir Gupta, Rob Caldwell, Evan Pena
Apr 11, 2022
9 mins read
ICS
Operational Technology

Operational Technology (OT) and Industrial Control Systems (ICS) have long been used in industrial environments to monitor and automate physical processes and mission-critical operations. These systems form the foundational building blocks for some of our most critical infrastructure and support essential societal functions, such as power generation, wastewater treatment, public transportation, industrial manufacturing, resource mining, oil and gas, and telecommunications.

The last decade has seen a gradual uptick in global cyber threat actor motivation for targeting special-purpose OT networks. This trend is expected to accelerate in the current decade. The rising threat profile is based on a combination of factors but primarily driven by the iterative advancement of physical automation and digital communication at multiple levels of industrial operations. The growing level of automation and connectivity has broad benefits for efficiency, reliability, and productivity; however, it also has an unintended consequence of increasing cost-benefit for OT threat actors.

The advancement in industrial automation is also coupled with the increasing use of standard communication technologies that support off-the-shelf integration between OT networks and external networks. This often translates to enterprise-level collaboration between an operator’s OT network and the parent organization’s IT network. The provisioning of remote communication paths between IT and OT means that Internet-connected IT devices can often be used as pivot points to propagate into OT networks and attempt remote compromise of previously unreachable industrial control system devices.

In this context of increasing cost-benefit for cyber threat actors and the growing threat profile for OT, Mandiant recommends that governments and critical infrastructure organizations enhance their preparedness to protect industrial networks and operational technology environments from both opportunistic and motivated cyber attacks.

Proactive Security for OT and Critical Infrastructure

Proactive security assessments, such as Red Teaming and Penetration Testing, that involve real-world simulation of adversary techniques, have proven to be invaluable methods for uncovering critical security issues and high-risk attack paths in enterprise environments. However, such assessments, if performed using traditional techniques, without considering the differences between IT and OT environments, can often produce superfluous, irrelevant and unactionable results, or worse, introduce unacceptable risks to real-time operations in OT environments. The testing methodologies for proactive security assessments in OT networks need to account for the unique characteristics of industrial control system environments, with particular emphasis on real-time nature of operations and safety-critical concerns for physical processes controlled by these systems.

Proactive security assessments for OT should incorporate the following fundamental guiding principles (Figure 1):

Fundamental building blocks for the Mandiant approach towards proactive security for operational technology
Figure 1: Fundamental building blocks for the Mandiant approach towards proactive security for operational technology

OT Threat Modeling

Each OT network is acutely tailored to achieve the specific objectives of its industrial operation, and often includes a multitude of local area network segments, disparate or remote geographical sites, state dependent configuration settings, proprietary network communication protocols and special purpose embedded devices. Threat modeling can help organizations identify context specific attack scenarios, discard irrelevant assumptions for the operating environment, establish constraints and requirements for OT specific adversarial testing, and formulate a risk-prioritized plan that covers attack vectors across the end-to-end OT environment.

Threat Intelligence

Not every OT environment has the same threat profile. The size of the organization, critical infrastructure industry sector, area of operations, geopolitical landscape, threat actor motivations and evolving attacker techniques, can all play a part in defining the current threat profile of a critical infrastructure organization. In the context of proportionate prevention and response, threat intelligence forms an essential element for prioritization of relevant proactive efforts and informed decision-making for cost-effective mitigation of cyber security risks.

Risk Management

OT networks support mission critical industrial operations and are comprised of high availability network segments that have zero scope for unintentional disruption of real time operations. Testing approaches for security assessment of OT networks need to incorporate stringent risk management techniques that minimize the potential for real impact to critical operations in a production environment. It is imperative to base such testing on an in-depth understanding of both safety-critical (engineering) and operations-critical (business) constraints within the target environment. This often involves strategic preparation, strict rules of engagement, delineation between critical and non-critical segments, partial or even full simulation in a non-production environment, and customized OT-specific techniques or toolsets.

OT Attack Lifecycle

If an attacker can exploit a specific issue and gain unauthorized access to a critical system in OT, it does not necessarily translate to the ability to cause a profitable end-stage high consequence event in the industrial environment. On the other hand, seemingly low-risk issues can often be chained together to achieve a high-gain adversarial objective against a target organization. The goal of proactive testing is not limited to identification of standalone security issues. It is also important to uncover end to end attack chains and assess impact to operations and business (without undue exaggeration or presumed mitigation). In addition, a key component here is identification of actionable mitigation efforts or alternative compensating controls that can increase the cost for attack progression and OT-specific mission completion.

Targeted attack lifecycle for OT
Figure 2: Targeted attack lifecycle for OT

Defense in Depth

Security assessments for OT environments usually focus on network segmentation and perimeter defenses, however, these assessments often neglect security weaknesses and preventive controls within the core industrial environment itself. In an era of irrevocable demand for increased connectivity, it can often be difficult to repress the risk of a cyber attack in OT networks using perimeter protection alone. It is important for OT organizations to adapt to the evolving attack surface in their OT environments and adopt a more inclusive defense in depth approach whereby security gaps are analyzed across end-to-end OT network and preventive measures are integrated across multiple levels of the control system architecture.

Detection in Depth

Security monitoring and incident response are essential requirements for an effective cyber security strategy. This is even more true for OT networks where opportunities for implementation of preventive controls or remediation efforts for security vulnerabilities are often inhibited by competing priorities and operational requirements. Thus, in addition to identification of security vulnerabilities and assessment of preventive controls, it is important that security assessments also cover preparedness and evaluation for breach detection and incident response capabilities across OT networks.

Mandiant’s Proactive Security Service Offerings for OT

Mandiant’s portfolio of proactive security service offerings for OT builds on the aforementioned fundamental guiding principles to provide evidence-based technical assurance and high-value security assessments. These service offerings help our customers identify both tactical actions and strategic steps for the mitigation of existing security risks and the implementation of actionable threat-specific defenses across different zones or multiple levels of end-to-end OT environments, as shown in Figure 3.

Mandiant’s proactive security service offerings for operational technology (OT)
Figure 3: Mandiant’s proactive security service offerings for operational technology (OT)

Mandiant Proactive Security for OT

Case Studies

Example case studies for Mandiant’s proactive security service offerings for OT

OT Red Team Security Assessment

Red Team Security Assessment for OT involves the simulation of a real-world OT-directed attack scenario. This assessment is performed within the confines of strict rules of engagement and pre-approved attacker objectives. The goal of this exercise is to assess the effectiveness of the organization to proactively detect and respond to advanced attackers, while simultaneously testing the preventive and defensive controls around different levels of OT environment. Mandiant consultants mimic advanced persistent threat actors with OT-specific objectives, thus allowing the customer organization to gain real world experience of defending and responding to the most advanced industry specific attacks—without the potential damage or impact associated with a real incident.

ot red team

OT Network Perimeter Penetration Testing

OT Network Perimeter Penetration Testing allows critical infrastructure organizations to validate perimeter security controls for OT and evaluate the risk of attack propagation from a low-trust peripheral network (such as office network, remote site, field network or radio network) to high-trust OT DMZ or OT core network. Mandiant typically begins this assessment by connecting to an initial foothold on the peripheral network and attempting to breach the protected perimeter for the target OT network. Testing in this assessment is aimed at the identification of attack paths and gaps in network segmentation controls, while active exploitation of OT components is restricted to prior approval and close coordination with relevant stakeholders.

ot network perimeter

OT Production Network Penetration Testing

Traditional methods for uncovering common security vulnerabilities (such as network wide scanning and black box active testing) can introduce unacceptable risks to continuous operation of mission critical nodes in OT environments. Thus, testing methodology for vulnerability assessment in production network needs to leverage risk conscious techniques for information gathering and service enumeration. Mandiant uses a combination of passive information gathering techniques and non-intrusive manual testing for the identification of common security issues on production nodes in OT network. In addition, Mandiant OT experts work with the process control team to model end-stage attack paths that can allow an attacker to compromise nodes at the control system level or cause high consequence events attributable to real-world attackers targeting physical processes controlled by OT networks.

ot production network

OT Laboratory Based Component Testing

Threat modeling and attack simulation can often highlight the requirement for a more intrusive level of testing for specific OT components or embedded systems. Examples of OT components can include PLC, RTU, HMI application, ICS protocol or purpose-built embedded system that plays a critical role in the operational environment. Mandiant recommends performing in-depth testing in a laboratory or non-production environment, such that the assessment team can perform a comprehensive level of testing for the target component without the risk of causing operational impact or cascading problems in the production environment. Mandiant uses a combination of open-source and custom developed software/hardware tools to identify security issues in the target component, validate the exploitability of an issue, determine the level of risk it presents to safety, operations or business and identify mitigating or compensating controls that can be utilized to reduce the risk of a high consequence event in the OT environment.

ot laboratory

OT Security Monitoring Evaluation (Purple Team)

Purple Team is a collaborative assessment where Mandiant consultants work with the client organization’s security team to identify gaps in active and passive monitoring controls and enhance breach detection indicators for attacker activities that pose the most risk for compromise of OT environments. This assessment uses Threat Intelligence and Mandiant Security Validation (MSV) to simulate threat actor TTPs across different phases of OT attack lifecycle. Each exercise is designed to assess and optimize monitoring controls for current and evolving attack vectors across industrial networks, and thus allow the client security team to provide quantifiable evidence for improved capability to respond to cyber security incidents or targeted attacks on OT infrastructure.

ot purple team

Summary

Mandiant leverages its extensive experience in providing security services to global organizations, underlined by world-leading capabilities in incident response, threat intelligence, technical assurance, managed defense, and frontline research, to deliver end to end proactive security service offerings for critical infrastructure and OT organizations.

OT specialists work with customer teams spanning multiple departments across the organization, including control engineering, network engineering, information technology, process automation, operations, and maintenance, to develop a comprehensive understanding of the operational technology environment, build a detailed assessment plan for proactive security testing and adopt an OT-specific risk-conscious approach to deliver high-value outcome throughout the engagement.

For more information, please visit the Operational Technology section on our website.