The distinction between protecting information technology (IT) and protecting operational technology (OT) became very clear in 2010, when the Iranian nuclear enrichment facility Natanz was attacked by Stuxnet malware.
OT includes programmable logic controllers (PLCs), intelligent electronic devices (IEDs), human-machine interfaces (HMIs) and remote terminal units (RTUs) that allow humans to operate and run an industrial facility using computer systems. These systems are connected to sensors and actuators within the site, which might be a power plant or a manufacturing facility. This collection of process control devices is often referred to as industrial control systems (ICSs).
Not only do these systems provide information to operators and engineers, but they also allow operators to act on what they see on screen. To change the speed of a turbine at a dam or a power plant, the operator modifies the required configuration on a workstation. In this way, when the operator sees warning signs indicating that a turbine is running too fast, he or she can slow the turbine down.
A big difference between OT and IT is that operational technologies have traditionally been designed with safety and availability in mind, but with relatively little concern for cyber security. By contrast, for decades now, most information technologies have been designed with a specific goal of countering cyber security threats. The world is now catching on to the fact that OT also needs to be designed with cyber security in mind.
Stuxnet was very sophisticated malware – the first of its calibre to attack an ICS. It famously infected engineering workstations at the Natanz nuclear facility – workstations that were connected to the PLCs controlling the nuclear centrifuges. Through this attack, threat actors were able to manipulate the speed (rotations per minute) of the centrifuge rotors.
“Stuxnet was not decisively attributed to a specific threat actor, however, industry experts have suggested it would most likely have been the work of state-sponsored actors of Western governments with an interest in tripping up Iran’s nuclear infrastructure,” says Mohammad Al Kayed, director of cyber defence at Black Mountain Cybersecurity.
Although neither country has admitted responsibility, the US and Israel are widely believed to have built the malware in a collaborative effort. Those two countries had the expertise to develop such a sophisticated worm, and they certainly had a motive to attack Iran’s nuclear infrastructure.
One of the challenges in getting to these controllers is that industrial facilities are often “air-gapped”, which means there is no connectivity between the network inside the facility itself and the networks outside. Because it is not connected, there is no feasible way to attack the infrastructure directly. However, some of the world’s savvier governments have found ways to overcome this countermeasure.
Al Kayed says: “Stuxnet, at the time, was unique in the manner that it was designed to operate independently without the need for connectivity to a command and control (C2) infrastructure. It also specifically targeted Siemens Simatic S7-417 PLCs, a certain type of controller used in the nuclear facility that was attacked in Iran. Stuxnet does not affect any other systems.
“How the malware got onto controllers in the Iranian nuclear plant, we aren’t sure. One plausible scenario could be that the malware was transferred to this facility by employees or contractors using USB devices or laptops. This could have been accomplished by first targeting somebody’s laptop at home and infecting it with malware. Then, when that person takes their laptop back to work and connects it to the air-gapped network, they have basically bridged that gap and have given the malware a way into the industrial network, where it can start manipulating industrial controllers.”
Iran learned from the attack
Al Kayed adds: “The attack by Stuxnet opened the world’s eyes to the fact that you can now develop cyber weapons that can destroy real-life targets. You can get into an entire infrastructure of a country and cut off electricity, for example. By the way, this is exactly what Russia did to Ukraine – twice.
“Iran learned from the attack that industrial control systems can actually be targeted using the right toolset. Also, it realised how effective those attacks can be. Some time between 2012 and 2018, we started seeing cyber attacks attributed to Iranian actors targeting other countries’ industrial facilities in the region – including Saudi Arabia.
“One example was a malware called Shamoon. We have seen three different waves of that malware hit industrial facilities in Saudi Arabia. The first version hit Saudi Aramco, and a few other companies. Two other versions came out within a couple of years or so after that. All of them targeted the oil and gas industry and petrochemical companies within Saudi Arabia.
“Saudi was a target for those kinds of attacks because it has a lot of manufacturing facilities and large-scale oil-producing operations. It is also a political superpower in the region, and an adversary of Iran.”
OT connected to IT is easier to attack
It is even easier to attack industrial control systems when they are connected to an IT network. Threat actors can target OT infrastructure remotely by attacking the IT network first. All they have to do is send a phishing email to an unsuspecting employee or consultant. If they can trick just one person into clicking the link in that email, they can compromise a device within the target organisation, which gives them access to the corporate infrastructure. From there, they can traverse the network until they reach a device or server that has access to the OT infrastructure.
Even if a threat actor gains access to only one computer, they can use numerous tactics and techniques to dump valid administrative credentials. Take, for example, a domain-joined computer in an organisation where system admins log in remotely from time to time to troubleshoot an issue or to install new software for users: the operating system automatically caches those administrative passwords on the computer. If threat actors can collect those passwords, they can then log into other machines in the network with administrative privileges.
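As an added defensive check that is not part of the article, the following PowerShell script (assumed to be run elevated on a domain-joined Windows workstation) reports the settings that decide whether an administrator's remote troubleshooting session leaves reusable credential material on the machine: how many domain logons Windows caches for offline sign-in, whether WDigest keeps plaintext passwords in memory, whether LSA runs as a protected process, and whether Credential Guard is running. The registry paths, value names and CIM class are Microsoft's documented ones; the function name and the pass/fail thresholds are this example's own.

```powershell
# Added example, not from the article: audit of credential-persistence settings
# on a Windows workstation. Run as a local administrator on a domain-joined machine.
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-CredentialExposureReport {
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Value, $Ok, $Advice) {
        $status = if ($Ok) { 'OK' } else { "Review: $Advice" }
        $report.Add([pscustomobject]@{ Check = $Check; Value = $Value; Status = $status })
    }

    # 1. Cached domain logons: verifiers kept on disk so users can sign in while the
    #    domain controller is unreachable. An absent value means the default of 10.
    $cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = 10 }
    Add-Finding 'CachedLogonsCount' $cached ([int]$cached -le 1) `
        'limit cached logons on machines that admins log into interactively'

    # 2. WDigest: UseLogonCredential = 1 makes LSASS retain logon passwords in clear text.
    #    Absent means disabled by default on Windows 8.1 / Server 2012 R2 and later.
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $wdigestValue = if ($null -eq $wdigest) { 'not set (disabled)' } else { $wdigest }
    Add-Finding 'WDigest UseLogonCredential' $wdigestValue ($wdigest -ne 1) `
        'set UseLogonCredential to 0 so plaintext credentials are not kept in memory'

    # 3. LSA protection (RunAsPPL): stops unsigned code from reading LSASS memory.
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $pplValue = if ($null -eq $ppl) { 'not set' } else { $ppl }
    Add-Finding 'LSA protection (RunAsPPL)' $pplValue ($ppl -ge 1) 'enable LSA protection'

    # 4. Credential Guard: isolates domain secrets in a VBS container. Service id 1 in
    #    SecurityServicesRunning means Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    $cgValue = if ($cgRunning) { 'running' } else { 'not running' }
    Add-Finding 'Credential Guard' $cgValue $cgRunning 'enable Credential Guard where the hardware supports it'

    return $report
}

Get-CredentialExposureReport | Format-Table -AutoSize
```

Any line marked "Review" indicates a machine on which an administrator's remote logon is more likely to leave credential material that could be reused across the network.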
“Just imagine this scenario,” says Al Kayed. “An employee comes in, gets something to eat, is bored to death and gets some email that says, click here. He or she clicks on that link and a malware is installed on their device. It’s all over. That person’s computer is now compromised – and it’s connected to the IT network, where the opportunity arises for the threat actor to use certain techniques to target numerous systems.
“If, by any chance, some admin somewhere along the way logged in to troubleshoot that employee’s device, then it is highly likely that those administrative credentials still persist. The credentials can be dumped by threat actors and used elsewhere in the corporate network.
“Now with that administrative password, a threat actor can connect to other systems within the network. Now they start hopping from one device to another, until they find the device that they are interested in, such as a server that is connected to the industrial facility.”
Al Kayed adds: “Inside an industrial facility are engineering workstations and other computer systems that you can jump into. Now you have a way to remotely install that malware on those industrial control systems. You don’t have to initially compromise any engineering workstation in the facility, but because that facility is connected to the corporate network, which, in turn, is connected to the internet, then there is a path that you can take. You can hop from one device to another until you reach the targeted engineering workstation within the petrochemical facility or within the power plant.
“If your favourite social media platform stops working for an hour, it’s not such a big deal. But if a power plant that generates electricity for a city stops working for an hour, that’s a huge problem. With the interconnectivity of those systems, and with those systems connected to your IT network, whoever targets the IT network can gain access also to OT infrastructure.”
Saudi government fights back
One of the lessons from this series of events is that cyber weapons are dangerous for everyone. The country that is targeted can learn the tools of the trade and potentially refurbish the weapon that was used against it and then target someone else. Saudi Arabia is the country in the region with the biggest bull’s eye on its back because it has a lot of manufacturing facilities. So it isn’t surprising that the Iranians took what they learned and used it to attack their biggest competitor in the region.
But the Saudi government is taking action to prevent such attacks from happening again. It is introducing a set of laws, called the Essential Cybersecurity Controls (ECC), which are mandatory cyber security controls devised by the National Cyber Security Authority (NCA) to counter the kind of attack described above. Saudi Arabia is now one of the few countries in the region with a security initiative that focuses on more than just IT systems. It covers the risks to OT infrastructure as well.
“Regardless of the past setbacks, Saudi Arabia has proven itself to be a leading country in the region when it comes to cyber security,” says Al Kayed. “The focused efforts during the past five years and the ability to make swift decisions with regard to Saudi’s critical infrastructure cyber security has paid off. Saudi Arabia is now ranked second in the most recent Global cybersecurity index, setting an example for other countries in the region to follow.”
World learns four big lessons on ICS security
The whole world is now scrambling to protect industrial control systems. The US National Institute of Standards and Technology (NIST) published its Guide to industrial control systems security in 2015, a comprehensive set of guidelines on protecting industrial technology from cyber security threats.
But the attack on Iran and the subsequent attacks on Saudi Arabia teach four big lessons. The first is to segregate IT and OT networks. Too many organisations allow broader access to the OT network than is required.
The second is to use an industrial anti-malware and intrusion detection and prevention system. HMIs and PLCs are the prime targets for attacks on OT networks. Many people mistakenly believe they can use IT anti-malware on engineering workstations to counter these attacks. But most IT anti-malware systems do not recognise OT malware, which attacks PLCs rather than computers.
The third measure is to make use of specialised technology such as data diodes, which do in a physical manner what a network firewall does in a logical manner. The design of the circuit within a data diode only allows communication to go in one direction. So, for example, you can read data from an RTU, but you can’t instal anything on it.
The fourth critical measure is monitoring. The practice of “security monitoring” is common in IT. Analysts monitor the infrastructure on a 24/7 basis. However, not many OT facilities currently do that. They should.