The Radiflow Security Blog

Managed Cyber-Monitoring – The Next Evolution in Protecting OT Networks

Recent attacks show that industrial cybersecurity requires expertise and tools that most operators do not possess. OT-MSSPs may be the solution. Case in point: The Norsk Hydro attack.

By Michael Langer, Chief Products Officer

Overview

At the end of March, one of the world’s biggest aluminum producers, multinational manufacturer Norsk Hydro, announced it had been hit by a ransomware attack. The attack caused severe damage to the corporate network and the manufacturing network to the extent that Norsk Hydro had to switch some plants over to manual or semi-manual operations.

Even though most of the cybersecurity community agrees that the Norsk Hydro incident response process was conducted professionally, the attack definitely affected manufacturing activities and caused overall business interruption and operational loss that is yet to be determined. The initial analysis of the attack pointed to a ransomware named LockerGoga that apparently leveraged some Active Directory (AD) vulnerabilities to spread from the IT to the OT network.

Active Directory in IT/OT networks – Security considerations

Using AD to manage user credentials is one of the most well-known practices in corporate IT operations. All user credentials are maintained in a central secure location and all accesses to the network assets are authenticated and monitored. That said, Radiflow has also witnessed numerous other incidents in which threat actors leverage central AD user management and its built-in mechanisms for delivering malicious payloads.

Unfortunately, in industrial enterprises with manufacturing networks, the risk derived from using AD is even higher. Networks in this kind of enterprise are usually built from at least two segments – the corporate IT network and the production OT network. Industry best practices suggest physical isolation or at least firewall-based segmentation between the IT and OT networks. Having said that, the recent trends of digital transformation in the production floor undermine these boundaries, such as using AD in the OT network.

From a usability point of view, the network administrator would like that all users have the same credentials, whether they are connecting to a PC in their office or to the HMI machine in the ICS network. However, from a security point of view, it means that either hosts in the ICS network will have access to the domain controller in the corporate network or that network administrator will deploy a separate AD server in the ICS network and will activate an automatic synchronization between the two Domain Controllers.

Both implementations will open the ICS network to external communication, resulting in an increase of  the cyber-threat to the production floor. Furthermore, the computers in ICS networks usually use older versions of Windows, which contain more vulnerabilities, such as utilization of the unsecure NTLM-based authentication instead of the more secure Kerberos protocol. This results in very easy vulnerability exploitation and smooth lateral movement.

Cyber-risk assessment

From the partial information that it is available, it is clear that the network in Norsk Hydro may have had a ‘wide attack surface’. Attack surface is the sum of the different network points in which an unauthorized user can try to exploit the network and launch the malware or to exfiltrate sensitive information from an environment. Keeping the attack surface as minimal as possible is a basic security measure.

CISOs who have responsibility for overseeing cybersecurity for ICS networks face challenges that are unique to this environment as maintenance and patching is hghliy restricted. Given such constraints, the CISO’s primary challenge is to determine which devices are most at risk from meaningful threats, and then prioritize the process of applying the appropriate controls and mitigations to reduce or eliminate the threats.

As ICS systems grow in complexity, the ability to evaluate their vulnerability to attack becomes increasingly important to automate. Security assessment tools usually begin by determining vulnerabilities of individual hosts.

Using this and other information, such as connectivity between hosts, it is possible to show the potential exploits attackers could use and the paths they can take to gain unauthorized access to a device on the ICS network. Automating this process ensures that every possible attack path is considered, and that the paths contain only those network entities that the intruder is capable of exploiting.

MSSPs: Best option to deliver OT cybersecurity

Conducting these cybersecurity assessments and designing the appropriate solutions are clearly complex and time consuming. Very few industrial enterprises are in the position to address the cybersecurity issues of their digital transformations or the merger of their IT and OT networks by themselves. According to Sherrill, Senior Analyst at 451 Research, “Most industrial enterprises and critical infrastructure operators lack the internal resources to adequately protect their OT networks”.

Radiflow is working closely with its MSSP partners to design and support a full range of managed OT cybersecurity services. These services can be as straightforward as building a network topology map of all the devices, connections, ports and data traffic flows on an OT network and monitoring for any changes. The tools and technologies provided by Radiflow map and prioritize vulnerabilities according to the specific context of an industrial enterprise’s OT network and the impact it could have on its business processes.

If we take the above example of Norsk Hydro at the end of March, the vulnerability was previously published in January and a detection signature was published in addition the same attack was performed on Altran Technologies at the end of January. Radiflow advanced supporting services for MSSPs would have advised the MSSP of the above attack vector and advised the MSSP on the mitigation steps that need to be taken. Radiflow’s monitoring systems are tuned to detect abnormal traffic to the Active Directory in real-time and abnormal traffic of command and control channels. In the case of Norsk Hydro the Radiflow detection and monitoring system would have sent a real-time alert to the MSSP, enabling the incident response program to kick in.

For more information contact us or book a demo.