Reactive to Proactive: The Urgent Need to Enhance OT Cybersecurity

As cyber threats escalate worldwide, new research from Forescout Research underscores a concerning trend. Operational technologies (OT) are increasingly vulnerable and becoming prime targets for cybercriminals. The study reveals that a proactive security strategy, rather than a reactive one, is crucial for safeguarding essential services.

In addition to ongoing threats against software libraries, exploits against network infrastructure and IoT devices increased. The most targeted IoT devices were IP cameras, building automation devices and network-attached storage. Only 35% of the vulnerabilities exploited against them were known exploited vulnerabilities.

[Figure: Leading OT cyberattacks by protocol type. Source: Forescout Research]

Five OT protocols were a constant target: Modbus (33%); Ethernet/IP, Step7 and DNP3 (around 18% each); and IEC10X (e.g. networked SCADA) with 10% of attacks. The remaining 2% were spread across many other protocols, the majority of them BACnet. Most attacks target protocols used in industrial automation and the power sector. Building automation protocols were scanned less often, but exploits against building automation are more common.

The United States was the most targeted country. More notably, the UK was in second place, followed by Germany, India and Japan. Almost half of the attackers came from three countries: China, Russia and Iran. Government, financial services, media and entertainment were the industries most targeted by these actors.

Most reported attacks were opportunistic. However, there were exploits targeting very specific networking devices to obtain precise information about them and drop malware. These attacks often use public proof-of-concept scripts.

Insights for defenders

Monitoring the traffic to and from OT devices is now as critical as monitoring IT traffic. Attackers are constantly probing these assets for weaknesses, and many organizations are blind to that because they lack visibility into their OT infrastructure. Building automation and even protocols such as Modbus are now found in almost every organization and are a target for attackers.

The increased use of residential proxies, ISPs and compromised devices belonging to legitimate organisations means that you should keep up to date with threat feeds that track these compromised IP addresses and can help detect compromises in your own network.

The increase in attacks targeting web and networking protocols reflects threat actors shifting from mostly credential-based attacks to exploits against perimeter devices and applications.

Organisations should adopt technologies for risk management and threat detection that cover the entire attack surface, whether that is applications on a server, a perimeter device or an IT workstation.

Next step

The next step is to focus on enhancing OT cybersecurity through three fundamental pillars:

Risk & Exposure Management

Conduct thorough assessments of network assets; implement robust security measures such as strong, unique passwords; disable unused services; and patch vulnerabilities promptly. Also adopt an enterprise-wide, risk-based approach that extends beyond IT to OT and IoT devices.

Network Security

Avoid exposing unmanaged devices to the internet and segment networks to isolate IT, IoT and OT devices. Moreover, restrict network connections, restrict external communication, and isolate or contain vulnerable devices when immediate patching is difficult.

Threat Detection & Response

Use IoT/OT-aware monitoring solutions with deep packet inspection to detect and alert on malicious indicators and behaviours. Also monitor for known hostile actions and block or alert on anomalous traffic. Finally, consider solutions that collect telemetry from diverse sources for correlation and automated response.
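The two defender points above, matching source addresses against a feed of compromised IPs and inspecting OT protocol traffic for anomalous behaviour, can be illustrated with a small Modbus/TCP inspector. The following is an added example written for this article; it is not code from Forescout Research or Schneider Electric. It assumes a site-specific allowlist of hosts permitted to write to PLCs (`ALLOWED_WRITERS`), a feed of compromised IPs (`THREAT_FEED`), and a set of state-changing Modbus function codes (`WRITE_FUNCTIONS`); the frames in `SAMPLE_TRAFFIC` are constructed, not captured.

```python
"""Minimal Modbus/TCP inspection for OT monitoring (added example, not from the article)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change PLC state. Assumed set; extend per site.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hypothetical site configuration: only the engineering workstation may write.
ALLOWED_WRITERS: Set[str] = {"10.10.1.20"}
# Hypothetical entry from a compromised-IP feed (documentation address range).
THREAT_FEED: Set[str] = {"203.0.113.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus PDU. Return None if the frame is malformed."""
    if len(payload) < 8:  # header (7) plus at least a function code
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the length field counts unit id + PDU,
    # i.e. everything after the first 6 bytes. Anything else is anomalous.
    if pid != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, pid, length, uid, payload[7], payload[8:])


def inspect(src_ip: str, dst_ip: str, payload: bytes,
            allowed_writers: Set[str], threat_feed: Set[str]) -> List[str]:
    """Return alert strings for one TCP payload (empty list if nothing is suspicious)."""
    alerts: List[str] = []
    if src_ip in threat_feed:
        alerts.append(f"{src_ip} is on the compromised-IP feed")
    req = parse_modbus_tcp(payload)
    if req is None:
        alerts.append(f"malformed Modbus/TCP frame from {src_ip} to {dst_ip}")
        return alerts
    if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        alerts.append(
            f"{src_ip} issued {WRITE_FUNCTIONS[req.function_code]} "
            f"(0x{req.function_code:02X}) to unit {req.unit_id} on {dst_ip}"
        )
    return alerts


# Constructed sample traffic: (src, dst, raw Modbus/TCP payload).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers: benign
    ("10.10.1.30", "10.10.2.5", bytes.fromhex("00010000000601030000000a")),
    # Unknown host writes register 0x0010 := 1: should alert
    ("10.10.3.77", "10.10.2.5", bytes.fromhex("000200000006010600100001")),
    # Engineering workstation performs the same write: allowed
    ("10.10.1.20", "10.10.2.5", bytes.fromhex("000200000006010600100001")),
    # Protocol id 0x1234 is not Modbus: malformed
    ("10.10.1.30", "10.10.2.5", bytes.fromhex("00031234000601030000000a")),
    # Read from an address on the threat feed: alert on the source alone
    ("203.0.113.5", "10.10.2.5", bytes.fromhex("00040000000601030000000a")),
]


def inspect_traffic(records, allowed_writers: Set[str],
                    threat_feed: Set[str]) -> List[Tuple[str, List[str]]]:
    """Run inspect() over a list of (src, dst, payload) records."""
    return [(src, inspect(src, dst, payload, allowed_writers, threat_feed))
            for src, dst, payload in records]


def run_sample() -> List[Tuple[str, List[str]]]:
    return inspect_traffic(SAMPLE_TRAFFIC, ALLOWED_WRITERS, THREAT_FEED)


if __name__ == "__main__":
    for src, alerts in run_sample():
        print(src, "->", alerts or "ok")
```

The same structure applies to the other protocols in the Forescout figure: a header parser that rejects malformed frames, a table of state-changing operations, and an allowlist of the few hosts permitted to perform them. In practice the payloads would come from a network tap or span port rather than a constructed list.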

External help is also available to mitigate OT cybersecurity threats. Schneider Electric offers a Managed Security Services (MSS) programme for safeguarding operational technology environments against cybersecurity threats. Go here for more information.
