"Most OT networks today are still self-contained"
To date, operational technology (OT) has been separate from the IT network in many manufacturing operations. With increasing networking, however, OT and IT environments are growing closer together. This calls for awareness training. A conversation with a cybersecurity expert from the SES Association.
Mr. Hiestand, what is the worst-case scenario for cyber attacks in the industrial sector?
Roger Hiestand: We have to distinguish between IT security and OT security. In the OT area, the understanding of IT security and, in some cases, the technology are ten years behind IT. This is therefore also the biggest attack vector, or the worst-case scenario. Even script kiddies, i.e. users without much know-how, have a relatively easy time attacking industrial plants. For example, you could raise the temperature of a refrigeration system in a food processing plant by five degrees without anyone noticing, and all the food would be spoiled. The same goes for CNC machine controls: a deviation of millimeters when milling an engine block could potentially result in a total loss of the engine. On the OT side, the industrial sector is still a very conservative one. First and foremost, it is about functionality; security comes afterwards. As before, a lot of things in industrial plants are still unencrypted by design. For a long time, no thought was given to IT security in industry and building technology, for example with SNMP or BACnet. It is true that there are efforts to make the devices or the communication protocols more secure, such as SNMP v3 or BACnet Secure. However, it is usually a long way until the end devices and the software fully support the standards.
Why are ransomware attacks on industrial control systems currently so much in vogue?
A cyber attack always depends on what you want to achieve. If you want to spy on a trade secret, you are more likely to use a classic Trojan. Then you are on the move "in silence"; the damage always comes afterwards. In the case of ransomware, the attacker wants to extort money, as much money as possible. However, very many industrial control systems are still operated with Windows 7 or even Windows XP today, and not, for example, with a current (possibly hardened) version of Windows 10. Since these two operating systems no longer receive security updates, a ransomware attack has become correspondingly easier and more effective. To do this, an attacker does not even have to engage in large-scale social engineering. He could theoretically leave a USB stick on a janitor's desk, and the probability is very high that this stick will be plugged in to check what is on it; with this step the attack has begun. The effort is thus very small, and the likelihood that companies pay the ransom, e.g. in the form of Bitcoin, is rather high, because most companies have no security precautions, such as backups, and are thus dependent on the attacker decrypting the data.
Which attack vectors pose the greatest risk in OT?
A large part of the networks in industrial plants are flat and have little to no security measures. To illustrate, a flat network is like a power strip. There are no security measures to prevent you from plugging anything in and drawing power; it is the same with these flat networks. Anyone with access to a switch can plug in any device and scan the network for vulnerabilities. The problem: in OT, many of the switches are located somewhere in the basement, in storage rooms or in riser zones. An attacker is thus also more likely to go unnoticed, as the flow of people in such rooms tends to be lower than in a busy office. The fact that the networks are flat (layer 2) means that video surveillance cameras or ventilation controllers, for example, can be found quickly and easily and, potentially, compromised.
Whose job is it to protect industrial networks?
In industrial networks, the installer usually provides the necessary infrastructure. And if the installer provides the infrastructure, the IT department (if there is one) often says that it no longer has anything to do with the system. That already puts us in an area of tension, in the sense of "fire and forget": a system is built, but often no longer supplied with security-relevant patches. Monitoring that would detect, for example, whether third-party devices are connected is also missing. A specific team that takes care of the security of industrial networks therefore tends not to exist. At best, if a service contract is in place, the necessary security updates from the manufacturers are installed during the annual inspections. The mistaken view persists that nothing should be changed on functioning systems (proverb: "never touch a running system").
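The two answers above describe the same gap from two sides: a flat layer-2 network lets anyone with access to a switch plug in a device, and nobody is running the monitoring that would notice it. The following is an added example, not code from the interview or from the SES Association, of the kind of baseline check an IT/OT team could run periodically against an exported switch MAC address table. It assumes the table export follows the common "show mac address-table" layout (constructed sample below) and that an asset inventory keyed by MAC address exists (the hypothetical INVENTORY dictionary); both inputs are constructed sample data. It flags MACs not in the inventory, and, going one step beyond the text, known devices seen on a VLAN other than the one they were assigned to, which is what a segmentation check looks like once the network is no longer flat.

```python
"""Baseline check for unknown devices on an OT network segment.

Added example (not from the interview or the SES Association). It assumes a
switch MAC address table exported as text, modelled here on the common
"show mac address-table" layout, and an asset inventory keyed by MAC address.
Both inputs below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed asset inventory (hypothetical): MAC -> (description, expected VLAN).
INVENTORY = {
    "00:1b:1c:aa:00:01": ("PLC, production line 3", 10),
    "00:1b:1c:aa:00:02": ("HVAC controller, hall B", 20),
    "00:1b:1c:aa:00:03": ("CCTV camera, east gate", 30),
}

# Constructed MAC table export: VLAN, MAC, learning type, switch port.
# The last two rows are the interesting ones: an unknown MAC on port Gi1/0/24,
# and the HVAC controller's MAC appearing on VLAN 10 instead of VLAN 20.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    001b.1caa.0001    DYNAMIC     Gi1/0/1
  20    001b.1caa.0002    DYNAMIC     Gi1/0/2
  30    001b.1caa.0003    DYNAMIC     Gi1/0/3
  10    3c5a.b412.ff01    DYNAMIC     Gi1/0/24
  10    001b.1caa.0002    DYNAMIC     Gi1/0/5
"""

# One data row: VLAN id, MAC, type, port (header and separator rows do not match).
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str   # normalised to aa:bb:cc:dd:ee:ff
    port: str


def normalize_mac(raw: str) -> str:
    """Accept 001b.1caa.0001, 00-1b-1c-aa-00-01 or 00:1b:..., return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[MacEntry]:
    """Parse the text export into MacEntry rows, skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        vlan, mac, _learn_type, port = match.groups()
        entries.append(MacEntry(int(vlan), normalize_mac(mac), port))
    return entries


def audit(entries: list[MacEntry], inventory: dict) -> dict[str, list[MacEntry]]:
    """Flag MACs absent from the inventory and known MACs seen on an unexpected VLAN."""
    findings: dict[str, list[MacEntry]] = {"unknown": [], "vlan_mismatch": []}
    for entry in entries:
        if entry.mac not in inventory:
            findings["unknown"].append(entry)
        elif inventory[entry.mac][1] != entry.vlan:
            findings["vlan_mismatch"].append(entry)
    return findings


def report(findings: dict[str, list[MacEntry]], inventory: dict) -> list[str]:
    """Render findings as one line each, suitable for a ticket or a SIEM event."""
    lines = []
    for entry in findings["unknown"]:
        lines.append(f"UNKNOWN DEVICE  vlan={entry.vlan} mac={entry.mac} port={entry.port}")
    for entry in findings["vlan_mismatch"]:
        desc, expected = inventory[entry.mac]
        lines.append(
            f"VLAN MISMATCH   {desc}: seen on vlan={entry.vlan} port={entry.port}, "
            f"expected vlan={expected}"
        )
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_mac_table(MAC_TABLE), INVENTORY), INVENTORY):
        print(line)
```

A MAC address is trivially changed by whoever plugs in, so this check is a baseline that catches the careless and the accidental (the forgotten laptop, the installer's test device left on the wrong port), not a replacement for port security, segmentation or a proper inventory; its value is that it is cheap enough to run from a collector with read-only switch access on every shift, which is exactly the monitoring the interview says is usually missing.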
Are there any independent "OT security experts" or expert teams at all that can be convened for a target/actual analysis regarding network segmentation and general OT security?
This is precisely where we at the SES Association come in. Our goal is to address these issues through our work. We have produced fact sheets, guidelines, best-practice approaches and training to raise awareness of this issue. As indicated in an earlier question, the first step is to create an understanding of IT security in the first place. Once this first step has been taken on both sides (installer and contractor), IT/OT security experts can assist. And to answer the question clearly: yes, there are such independent experts. For an IT security expert, it is a relatively simple undertaking to familiarize yourself with the peculiarities of the OT world.
What should I look for when choosing an OT security provider?
This is a difficult question. Since the requirements and the possibilities are sometimes rather limited, it is certainly important to ensure that professional hardware is used that has a long service life in every respect. This means not using consumer hardware, which, for example, is "end of life" after just one year. There are manufacturers who offer a lifecycle of seven to ten years in extreme cases, including hardware replacement and security updates. As a second criterion, it is important to ensure that process-related solutions are taken into account. Keywords: employee awareness, patch management and backup strategy.
You can read the full interview in the print edition of SicherheitsForum from March 3, 2021.