When it comes to cyberattacks such as WannaCry, NotPetya and Industroyer, criminal attackers always have a certain advantage over the organizations they attack: they only need to find a single way into the system, while security management has to keep an eye on, and close, every potential entry point into the system (for a more detailed description of the different methods of attack on OT (Operational Technology) networks, see our article “How Malware Attacks the Smart Factory OT Networks”). At the same time, good security measures are today so robust and effective that they can at least partially recognize the attacks mentioned. Such security measures are usually differentiated according to the point in time at which they take effect, ranging from preventive to detective and from corrective to responsive measures. A security management that does not consider all of these options remains one-dimensional.
As a rule, an individual security solution only covers certain of these phases. A few, particularly effective solutions integrate and automate security measures across several phases. However, established security policies and processes are always needed so that the technologies deployed can work effectively and sustainably. The one best solution does not exist.
More security for the OT network
In OT environments, any active security measure can itself be a significant risk to the availability and real-time behavior of operating processes. Patching poses an additional challenge: each patch must be reviewed and approved by the equipment manufacturer to ensure that it has no unwanted side effects on process control. Changing equipment and systems without manufacturer approval often leads to a loss of support and of system certification. This is not without reason, because functions relevant to the whole system could be affected. However, there are other ways to prepare for attacks on OT environments. Instead of transferring established IT security procedures one-to-one to OT environments,
Preventive security measures
Based on the industrial security standards ISA-99 and IEC 62443, only the applications that strictly need to communicate should be authorized to do so within an OT system. The first step is therefore to segment the network into separate zones. Ideally, the security measures have already been defined on the basis of a coordinated and regularly updated IT and OT security strategy.
Inventory all assets
In addition, different security levels should be introduced, and only systems within the same security level should be allowed to communicate with each other directly. All communication – especially between IT and OT – and all relevant traffic that crosses the boundary of a level must be monitored. For an in-depth risk analysis, an inventory of all IT and OT assets should also be maintained, including, among other things, their owners, manufacturers, locations and configuration backups.
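As an added example (not code from the original article), the following Python script checks constructed flow records against a zone model of the kind described in the two paragraphs above: an asset inventory with owner, vendor, location and zone, a target security level per zone, and an explicit allow-list of cross-zone conduits. All hosts, zones, ports, conduit definitions and flow lines are assumptions made up for the illustration.

```python
"""Zone-and-conduit policy check for OT traffic, modelled loosely on IEC 62443.

Added example, not code from the original article: an asset inventory
assigns each host to a zone with a target security level, an explicit
conduit allow-list says which cross-zone flows are permitted, and observed
flow records are checked against both. Every host, zone, conduit and flow
line below is constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    owner: str
    vendor: str
    location: str
    zone: str


# Constructed zones with a target security level (SL-T); higher = more critical.
ZONES = {"enterprise_it": 1, "dmz": 2, "control": 3, "safety": 4}

ASSETS = [
    Asset("10.0.0.10", "erp-app01", "IT", "VendorA", "HQ", "enterprise_it"),
    Asset("10.1.0.5", "historian01", "OT", "VendorB", "Plant 1", "dmz"),
    Asset("10.2.0.20", "plc-line1", "OT", "VendorC", "Plant 1", "control"),
    Asset("10.2.0.21", "hmi-line1", "OT", "VendorC", "Plant 1", "control"),
    Asset("10.3.0.2", "sis-line1", "OT", "VendorD", "Plant 1", "safety"),
]
INVENTORY = {a.ip: a for a in ASSETS}

# Conduits: (source zone, destination zone, destination port) that are explicitly allowed.
CONDUITS = {
    ("enterprise_it", "dmz", 443),  # ERP pulls production data from the historian
    ("dmz", "control", 44818),      # historian polls the PLC over EtherNet/IP
}

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_flow_line(line):
    """Parse one constructed flow record; returns (src, dst, dport) or None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def check_flow(src_ip, dst_ip, dport):
    """Return None if the flow is permitted, otherwise (severity, reason)."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        unknown = src_ip if src is None else dst_ip
        return ("high", f"{unknown} is not in the asset inventory")
    if src.zone == dst.zone:
        return None  # intra-zone traffic; governed by the zone's own rules
    if (src.zone, dst.zone, dport) in CONDUITS:
        return None  # explicitly permitted conduit
    sl_src, sl_dst = ZONES[src.zone], ZONES[dst.zone]
    # Traffic pushing into a more critical zone is the case to worry about most.
    severity = "high" if sl_src < sl_dst else "medium"
    return (severity, f"{src.name} ({src.zone}, SL{sl_src}) -> {dst.name} ({dst.zone}, SL{sl_dst}) "
                      f"tcp/{dport} has no conduit")


def audit_flows(lines):
    """Run check_flow over flow records; return a list of (severity, reason, line)."""
    findings = []
    for line in lines:
        parsed = parse_flow_line(line)
        if parsed is None:
            findings.append(("low", "unparseable flow record", line))
            continue
        verdict = check_flow(*parsed)
        if verdict is not None:
            findings.append((verdict[0], verdict[1], line))
    return findings


# Constructed flow records, as a SPAN-port collector might export them.
SAMPLE_FLOWS = [
    "src=10.0.0.10 dst=10.1.0.5 dport=443",      # ERP -> historian, allowed conduit
    "src=10.1.0.5 dst=10.2.0.20 dport=44818",    # historian -> PLC, allowed conduit
    "src=10.2.0.21 dst=10.2.0.20 dport=102",     # HMI -> PLC, same zone
    "src=10.0.0.10 dst=10.2.0.20 dport=445",     # IT host straight to a PLC over SMB
    "src=10.2.0.21 dst=10.3.0.2 dport=502",      # HMI into the safety zone
    "src=10.2.0.20 dst=10.0.0.10 dport=443",     # PLC calling back into enterprise IT
    "src=10.9.9.9 dst=10.2.0.21 dport=3389",     # unknown source hitting the HMI over RDP
]

if __name__ == "__main__":
    for sev, reason, line in audit_flows(SAMPLE_FLOWS):
        print(f"[{sev}] {reason}  <- {line}")
```

The point of the check is that an unknown asset is a finding in its own right: without a maintained inventory, the flow from 10.9.9.9 could not be rated at all, which is why the inventory is a precondition for the segmentation rules rather than an afterthought.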
IT endangers OT networks
All large-scale attacks on industrial equipment documented so far, including WannaCry, NotPetya and Industroyer, entered the plant network via the IT infrastructure connected to the OT. Appropriate patching of the IT components alone (for WannaCry and NotPetya, Microsoft's MS17-010 update for the SMBv1 vulnerability both used to spread) could have stopped, or at least severely limited, those attacks. The effort is manageable: in IT networks, the relevant patches can be rolled out from a central platform. With OT assets this is often not possible. However, the first vendors are now also offering patch management for OT systems, which can often be combined with central security solutions.
Detective security measures
Typically, a central security information and event management (SIEM) system is responsible for collecting, analysing and correlating security-relevant data and for raising alerts on the basis of predefined rules. There are, however, also point solutions and network flow analysis tools that can detect cyber threats.
A combination of these solutions would probably have made WannaCry easier to identify: it would have detected the typical actions the malware has to take to prevent data recovery, such as deleting volume shadow copies, more quickly and raised the alarm. NotPetya's behavior was also conspicuous: the malware moved laterally through the network in a noticeable way, exploiting vulnerabilities and reusing harvested credentials to reach further hosts. Normally, such a pattern triggers an immediate warning in any standard SIEM system.
Even with Industroyer, the system would probably have sounded the alarm. The installed proxy server waiting for requests might have been detected, and any connection from that proxy to an external IP address would have been suspicious. Likewise, the local communication between the malware's backdoor module and an unknown internal proxy, the exchange of commands between that internal proxy and the external command-and-control server, and communication with a Tor node would each have triggered a warning in a standard SIEM system. And in both the NotPetya and the Industroyer attacks, a file integrity monitoring solution would have checked file integrity and probably raised an alarm when files were moved, saved or overwritten.
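To make the detection logic of this section concrete, here is an added example (not code from the original article, and not any vendor's SIEM) that runs four rules over constructed sample events: shadow copy deletion, SMB fan-out as a lateral-movement indicator, an unapproved internal proxy together with traffic to Tor nodes, and file integrity drift against a baseline. The event format, the thresholds, the approved-proxy list, the "Tor node" addresses and the file hashes are all assumptions made for the example.

```python
"""Minimal SIEM-style correlation over constructed sample events.

Added example, not code from the original article: four rules that map to
the behaviours described in the text (shadow-copy deletion, SMB fan-out as
a lateral-movement indicator, an unapproved internal proxy plus Tor
traffic, and file-integrity drift). Every event, host, hash, threshold and
the "Tor node" list below is constructed for illustration.
"""
from collections import defaultdict

INTERNAL_PREFIX = "10."                        # constructed: internal address space
APPROVED_PROXIES = {"10.0.0.3"}                 # constructed: the only sanctioned proxy
TOR_NODES = {"198.51.100.7", "203.0.113.42"}    # constructed placeholder list
FILE_BASELINE = {                               # constructed hashes, not real values
    "C:/ICS/config/substation.ini": "a1b2",
    "C:/Windows/System32/drivers/etc/hosts": "c3d4",
}
FANOUT_THRESHOLD = 5   # distinct SMB targets from one host inside the window
WINDOW_S = 60


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def rule_shadow_copy_deletion(events):
    """WannaCry-style: recovery inhibition via vssadmin / wmic shadow copy deletion."""
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"].lower()
        if ("vssadmin" in cmd and "delete shadows" in cmd) or "shadowcopy delete" in cmd:
            yield ("high", e["host"], f"shadow copies deleted: {e['cmdline']}")


def rule_smb_fanout(events):
    """NotPetya-style: one host opening SMB to many internal hosts in a short window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["dport"] == 445 and is_internal(e["dst"]):
            by_src[e["src"]].append((e["ts"], e["dst"]))
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {d for t, d in conns[i:] if t - t0 <= WINDOW_S}
            if len(targets) >= FANOUT_THRESHOLD:
                yield ("high", src, f"SMB fan-out to {len(targets)} hosts within {WINDOW_S}s")
                break


def rule_unapproved_proxy_and_tor(events):
    """Industroyer-style: internal hosts proxying for others, and egress to Tor nodes."""
    proxy_clients = defaultdict(set)
    for e in events:
        if e["type"] != "net":
            continue
        if e["dport"] in (3128, 8080) and is_internal(e["dst"]) and e["dst"] not in APPROVED_PROXIES:
            proxy_clients[e["dst"]].add(e["src"])
        if not is_internal(e["dst"]) and (e["dst"] in TOR_NODES or e["dport"] in (9001, 9030)):
            yield ("high", e["src"], f"connection to Tor node {e['dst']}:{e['dport']}")
    for proxy, clients in proxy_clients.items():
        yield ("medium", proxy, f"unapproved internal proxy serving {sorted(clients)}")


def rule_file_integrity(events):
    """Baseline comparison: any monitored file whose hash no longer matches."""
    for e in events:
        if e["type"] == "file" and e["path"] in FILE_BASELINE:
            if e["sha256"] != FILE_BASELINE[e["path"]]:
                yield ("medium", e["host"], f"{e['path']} modified ({e['action']})")


RULES = [rule_shadow_copy_deletion, rule_smb_fanout,
         rule_unapproved_proxy_and_tor, rule_file_integrity]


def run_rules(events):
    """Return all (severity, host, message) alerts produced by the rule set."""
    return [alert for rule in RULES for alert in rule(events)]


# Constructed event stream (ts in seconds); the schema is an assumption, not a real log format.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "host": "hmi-line1",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "net", "ts": 10, "src": "10.2.0.21", "dst": "10.2.0.30", "dport": 445},
    {"type": "net", "ts": 15, "src": "10.2.0.21", "dst": "10.2.0.31", "dport": 445},
    {"type": "net", "ts": 20, "src": "10.2.0.21", "dst": "10.2.0.32", "dport": 445},
    {"type": "net", "ts": 25, "src": "10.2.0.21", "dst": "10.2.0.33", "dport": 445},
    {"type": "net", "ts": 30, "src": "10.2.0.21", "dst": "10.2.0.34", "dport": 445},
    {"type": "net", "ts": 50, "src": "10.2.0.40", "dst": "10.2.0.50", "dport": 3128},
    {"type": "net", "ts": 51, "src": "10.2.0.50", "dst": "198.51.100.7", "dport": 9001},
    {"type": "file", "ts": 60, "host": "10.2.0.50", "path": "C:/ICS/config/substation.ini",
     "sha256": "ffff", "action": "overwrite"},
    {"type": "net", "ts": 70, "src": "10.2.0.41", "dst": "10.0.0.3", "dport": 3128},  # approved
]

if __name__ == "__main__":
    for sev, host, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {msg}")
```

In a production SIEM the same logic would be expressed as correlation rules rather than Python, and the fan-out threshold and window need tuning per site: an OT network with a legitimate engineering workstation that polls dozens of hosts over SMB will otherwise produce a false positive on every backup run.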