This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.
The attack, orchestrated by ransomware group DarkSide, targeted the pipeline’s IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company’s operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline’s employees.
The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.
This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn’t effective, especially because a single attack can now target and traverse multiple fields of operation.
By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.
This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.
How Ransomware Groups Exploit IT/OT Convergence
The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.
Two of the firm’s Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.
A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace’s investigation showed that, while network segregation was sufficient to stop the attack’s command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.
Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.
No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company’s traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.
Riding the Changing Tides
Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.
It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.
Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.