“Proof of Compromise” from Ransomware Attacks on Critical National Infrastructure (CNI)

Airgap Networks
Sep 9, 2022

Operational Technology (OT) cybersecurity has become a hot topic in plant facilities, whose systems are also known as Industrial Automation and Control Systems (IACS), Integrated Control Systems (ICS), etc.

The ability to defend against cyberattacks on IT systems and to buffer OT systems from the impact is once again in the headlines.

Often, facilities claim the systems are isolated from the rest of the operations. Yet facility operations are highly dependent on OEMs, vendors, and product suppliers for the maintenance of their systems. Suppose a system crashes or an application stops working, and the OEM support engineer is in Germany. With the plant located in the Middle East, it will take 4 to 5 days for the service engineer to reach the site. Using remote access connectivity, the service engineer can connect and begin repairs immediately.

Once I visited a plant that was in operation and connected to the national grid. When I conducted the assessment, I noticed several lapses in security, including that the firewall and other security adaptive controls were disabled.

The central Internet connection bypassed the firewall, and the isolated SCADA network now had direct access to the internet with little or no protection.

COVID changed how remote systems are supported. Previously, any closed-loop airgapped network could only be serviced by a support engineer coming on site. As a result of COVID, organizations needed services that connect those once-isolated control systems and networking devices to a public access network.

Internet access in the OT environment has now become a requirement, no longer a one-time strategy.

The most commonly captured security gaps in OT networks are:

  • Legacy/end-of-life operating systems
  • Lack of awareness of Cybersecurity
  • Unpatched systems
  • No antivirus installed
  • Flat networks
  • No zoning and segmentation
  • No policies and procedures
  • Bidirectional communication from OT to IT

The Risk of publicly connecting IT/OT devices

The notable hacks on IT/OT networks are the Colonial Pipeline ransomware attack last year and the recent UK water supplier attack by Clop ransomware. Colonial Pipeline’s billing systems were compromised, and the attacker (ransomware group Darkside) got access to the IT networks and encrypted the business-critical data.

Because Colonial Pipeline had its OT systems connected with the IT networks, the company shut down the OT systems as a proactive step so that the hackers would not get access to them. It took a couple of days to restore the OT systems. For more information on the Colonial Pipeline hack, you can read the Airgap blog post on the topic: https://airgap.io/blog/zero-trust-network-isolation-for-industrial-control-systems

Digital transformation introduces the expanding attack surface

Today we have technologies like artificial intelligence and machine learning to help process data faster while providing additional economic value to the organization. AI & ML, along with cloud-based analytics, have begun processing data from the OT systems. The end goal of data analytics is to help organizations make the most of the data from their devices to ensure they are operating efficiently.

Using AI and ML helps increase the operational performance, efficiency, and productivity of plants. For example, a digital twin is a real-time simulation environment that analyzes the processes and assets of the plants. It also allows remote users to virtually see or visit the plant. The data from the plant helps companies move towards new technologies where they can save OPEX and CAPEX.

Glossary: A digital twin is a virtual representation of an object or system that spans its lifecycle, is updated from real-time data, and uses simulation, machine learning, and reasoning to help decision-making.

Because these applications require continuous connectivity with the outside world, the connectivity of OT assets with external networks has increased the threat landscape for plants.

These assets are lucrative targets for hackers: because of the lack of awareness in the plants and the value of the assets in the OT networks, adversaries need less effort to target them and gain bigger rewards compared to IT networks.

Typical OT and IT network security and why this is different today

Today’s OT networks have transformed and are equipped with the latest protocols, beyond hard-wired serial communications. Previously used protocols were proprietary and legacy, like Modbus. Now OT networks are based on IP-based protocols combined with OT protocols, like Modbus TCP/IP. These protocols are highly vulnerable if they are not protected with proper encryption techniques and network segmentation.

Glossary: Modbus is a serial communication protocol developed and published by Modicon® in 1979 for use with its programmable logic controllers (PLCs).

OEMs are now developing IEC-62443–4–1 certified products that have security features embedded in them. These products support the latest security technologies.

Glossary: IEC 62443–4:2018 specifies the process requirements for the secure development of products used in industrial automation and control systems. This specification is part of a series of standards that addresses the issue of security for industrial automation and control systems (IACS). (Source: IEC)

Previously, manufacturing or OT architectures were built on a flat network because they were not designed with security in mind and no external connectivity was required.

Gartner Hype Cycle Security Operations 2022 — OT Security

The recently published Gartner Hype Cycle for Security Operations, 2022 (Published 5 July 2022 — ID G00770249) mentions Airgap Networks among the sample vendors suggested for OT Security.

IT security organizations can be overwhelmed when trying to stay ahead of emerging and complex attack surfaces. The challenges below make it hard to implement the required autonomy or to be predictive, proactive-learning, and dynamic in security enforcement and incident response decisions:

  • Zero Downtime — Since plant operations are running 24/7/365, implementation of solutions that require downtime is not easy to deploy
  • Third-Party Service Integration — Usually, OEMs don’t integrate with third-party vendors, which sometimes causes blockage for many security projects. OEMs may say, if you deploy this tool, we won’t be responsible if any OT system stops working.
  • Cyber Awareness and Resiliency — Lack of cybersecurity skill sets in the OT environment
  • Compatibility — Status quo management and meeting compliance audits
  • Cost — Requiring additional budget and human resources

A few considerations are as follows:

  • OT security programs should be initiated based on people, processes, and technology.
  • Roles and responsibilities should be identified. Baselines should be developed, e.g. IEC-62443, NIST, etc.
  • IT and OT people should receive training and awareness to bridge the gaps, and the security program should be a collaborative effort of both sides.

For more information on Gartner’s recommendation, you can download the Hype Cycle report at the Airgap website: https://airgap.io/

Glossary: Gartner Hype Cycle Security Operations 2022

Security operations technologies and services defend IT systems from attack by identifying threats and exposure to vulnerabilities. The entries included in this Hype Cycle aim to help security and risk management leaders strategize and deliver effective response and remediation.

The adoption of remote work, and increased use of mobile devices and cloud services have not slowed over the last 12 months. This has led to expanded requirements for organizations to track risk and threats to a wider set of digital assets. With the expansion of digital business functions and third-party-managed assets, security and risk management leaders must reevaluate how their business-critical environments change security strategy and tooling.

Network security is the backbone of cybersecurity

IT and OT network security should be a focus and should be handled with expertise. Since OT is now connected to external networks, zones and conduits should be secured using best practices at every layer. The defense-in-depth concept should be kept in mind.

On a network level:

  1. An asset inventory should be maintained and updated, showing what’s on the network in real time
  2. Zones and conduits should be developed based on the criticality of assets
  3. Network monitoring should be enabled
  4. Network visibility using an IPS should be maintained
  5. Configuration of network devices should be hardened per best practices

Use of OT protocol-aware firewalls

Traditional IT firewalls are often observed in use in OT networks, even though these firewalls don’t understand OT protocols and signatures. Modern zero-trust and agentless security platforms like Airgap Networks https://airgap.io can understand and segment inter- or intra-VLAN IP communication down to the protocol level, including OT protocols, and can block any unauthorized traffic in OT environments.
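What "protocol-aware" means for Modbus TCP/IP, as an added example that is not from the original article or from any vendor's product: a port-based rule sees only TCP/502, while the check below parses the Modbus header and function code. The read-only policy and the sample frames are assumptions constructed for illustration.

```python
import struct

# Assumed policy for this example: a monitoring conduit that may only read.
READ_ONLY = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

def inspect_modbus_tcp(frame: bytes, allowed=READ_ONLY):
    """Return (verdict, reason) for one Modbus/TCP frame (MBAP header + PDU)."""
    if len(frame) < 8:                      # 7-byte MBAP header + function code
        return "drop", "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                          # protocol id 0 identifies Modbus
        return "drop", "not Modbus"
    if length != len(frame) - 6:            # length counts unit id + PDU
        return "drop", "length mismatch"
    function = frame[7]
    if function not in allowed:             # e.g. 0x06 Write Single Register
        return "drop", f"function 0x{function:02x} not allowed"
    return "allow", allowed[function]

# Constructed sample frames (not captured traffic).
SAMPLES = {
    "read_registers": bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a"),
    "write_register": bytes.fromhex("00 02 00 00 00 06 01 06 00 01 00 03"),
    "bad_length":     bytes.fromhex("00 03 00 00 00 09 01 03 00 00 00 0a"),
    "not_modbus":     bytes.fromhex("00 04 00 01 00 06 01 03 00 00 00 0a"),
}

def verdicts(samples=SAMPLES):
    """Map each sample name to the verdict the inspector gives it."""
    return {name: inspect_modbus_tcp(frame)[0] for name, frame in samples.items()}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, inspect_modbus_tcp(frame))
```

All four frames would pass a firewall rule that only matches destination port 502; only the first passes here.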

Centralized antivirus and patch management systems should be in place

Level 3.5 of the Purdue model is the DMZ, which is the bridge between IT and OT. The central AV server and patch management servers should therefore be in the DMZ. This helps update the OT systems securely without exposing them to external networks. Solutions like Airgap Networks extend easy system integration and consistent visibility to provide a coordinated and holistic approach to complex IT/OT security problems.

In the know: Purdue model

The Purdue model is helpful as a reference for designing the architecture. It helps us segment the assets based on their functionalities at different levels. The beauty of this model is that the more critical assets in the plant are at the lower levels, and as the levels increase the criticality decreases. This means the most critical assets are placed behind multiple layers. E.g., the sensors, valves, and pumps are at level 0, and PLCs are at level 1. So, any attacker who wants to access a PLC needs to pass through Levels 4, 3.5, 3, and 2. To understand the Purdue model and network security further, subscribe to the Airgap Networks YouTube channel https://www.youtube.com/airgapnetworks and watch https://youtu.be/ajQFX_uroxk.
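The layering described above can be checked against observed traffic. The following is an added example, not from the original article or any product: it audits flows against an asset inventory tagged with Purdue levels and flags any flow that skips a level, bypasses the level 3.5 DMZ, or involves a device missing from the inventory. The addresses, inventory, and the "adjacent levels only" rule are assumptions constructed for illustration.

```python
# Purdue levels in order; 3.5 is the IT/OT DMZ.
LEVELS = [0, 1, 2, 3, 3.5, 4]

# Constructed asset inventory (assumed addresses): IP -> Purdue level.
INVENTORY = {
    "10.4.0.20": 4,    # enterprise workstation
    "10.35.0.5": 3.5,  # DMZ patch/AV server
    "10.3.0.10": 3,    # site operations server
    "10.2.0.15": 2,    # HMI
    "10.1.0.7": 1,     # PLC
}

def audit_flow(src, dst, inventory=INVENTORY):
    """Classify one flow under an assumed 'adjacent levels only' conduit rule."""
    if src not in inventory or dst not in inventory:
        return "unknown-asset"           # inventory gap: device not accounted for
    lo, hi = sorted((inventory[src], inventory[dst]))
    if LEVELS.index(hi) - LEVELS.index(lo) <= 1:
        return "ok"                      # same level or neighbouring level
    if lo < 3.5 < hi:
        return "bypasses-dmz"            # IT talks to OT without crossing 3.5
    return "level-skip"                  # jumps over a layer inside OT

def audit(flows, inventory=INVENTORY):
    """Return (src, dst, finding) for every flow that is not 'ok'."""
    results = [(s, d, audit_flow(s, d, inventory)) for s, d in flows]
    return [r for r in results if r[2] != "ok"]

# Constructed flow records (src, dst), e.g. distilled from network monitoring.
FLOWS = [
    ("10.4.0.20", "10.35.0.5"),     # IT -> DMZ
    ("10.35.0.5", "10.3.0.10"),     # DMZ -> level 3
    ("10.2.0.15", "10.1.0.7"),      # HMI -> PLC
    ("10.4.0.20", "10.1.0.7"),      # IT workstation straight to a PLC
    ("10.3.0.10", "10.1.0.7"),      # level 3 server to a PLC, skipping level 2
    ("192.168.1.50", "10.2.0.15"),  # device missing from the inventory
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```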

Glossary: What is Purdue Model?

The Purdue model, formally the Purdue Enterprise Reference Architecture (PERA), is a structural model for industrial control system (ICS) security, concerning physical processes, sensors, supervisory controls, operations, and logistics. Developed in the 1990s by Theodore J. Williams and members of the Purdue University Consortium for computer-integrated manufacturing, the Purdue Enterprise Reference Architecture defines the different levels of critical infrastructure used in production lines and how to secure them. PERA was ahead of its time when it was introduced and, implemented correctly, could have achieved the air gap between industrial control systems (ICS) or operational technology (OT) and IT systems. (Source: Zscaler)

How can agentless Zero Trust segmentation approaches help create the needed layers of defense?

Airgap provides three-tier solutions for levels 2, 3, and 3.5, which are the core levels for OT network security. The security requirements in OT networks are very high due to criticality, and we must make sure that each asset is placed in a secure zone. The more the assets are confined, the more security they get for themselves and for the other assets as well. This also eliminates the risk of malware propagating easily, even to assets in the same VLAN. This way every asset with an IP address is isolated and segmented by default in case of a breach.

Additionally, Airgap provides secure remote access using MFA and SSO. I will write up another blog on why this is relevant.

The agentless approach is easy to implement in OT systems/networks, as many headless ICS systems cannot incorporate endpoint agent software and the OEMs don’t allow any third-party integrations with their systems. Airgap can therefore be implemented independently for full visibility and policy enforcement without a forklift upgrade or solution swap.

In the digital transformation process, organizations are adapting to Industrial Revolution (IR) 4.0, and OT networks are being upgraded with the latest technologies, which exposes these networks to external threats and emerging attack surfaces.

There are still a lot of gaps in the industries, which organizations need to fill by investing in people, processes, and technology, from cybersecurity management systems to deploying next-generation solutions in the OT network to protect it from bad actors.

The OT industry has its challenges due to continuous operations and legacy systems. These systems include obsolete operating systems, firewalls, and switches. The reason is that OT systems such as PLCs and RTUs were designed for 15–20 years of service, whereas IT systems like computers, workstations, and servers have a life of 3–5 years.

For cohesive OT security operations, the objective is to enable complete visibility and control through decentralized management of security technologies and faster response on managed or unmanaged devices without agents to create depth in the OT flat networks. For more information on how Airgap can secure critical infrastructure with zero trust microsegmentation, visit the Airgap Networks website at https://airgap.io
