How cyber criminals attack OT infrastructures - and what they are after
Due to the increasing networking of production and industrial plants, the attack surface of many companies has grown significantly in recent years. There is an urgent need for action to prevent disruptions or outages caused by cyberattacks. NTT DATA, a leading global provider of AI, digital business and technology services, identifies the most important vulnerabilities and entry points and explains what the intruders are after.

Machines and systems in industry are increasingly being monitored and controlled by IT systems, which offers many advantages, but also has its downsides. This is because OT, which was previously strictly isolated, is exposed to the cyber threats familiar from the IT world - and is generally extremely vulnerable. Cyber criminals are aware of this and exploit vulnerabilities to achieve the following goals:
- Paralyze important systems to extort a ransom. The usual tool is ransomware, which encrypts not only control systems but often also backups, so that companies cannot simply restore the affected systems. The result is long-lasting disruptions and outages that can quickly threaten a company's existence - especially if they lead to a major loss of revenue or contractual penalties.
- Infiltrate infrastructures to steal intellectual property. Here, the attackers keep a low profile and work their way from the initially compromised system to the company's most valuable data, such as design data or information on production processes. They then use this data for blackmail by threatening to publish it, or sell it directly to competitors. The consequences include product piracy and the loss of competitive advantages.
- Manipulate OT systems in order to reduce production quality or provoke accidents. This is sabotage intended to damage a company's reputation, for example because products no longer meet the usual standards or pose a risk to people and the environment. There is also the threat of high costs, for example due to faulty batches, recalls or consumer protection and compensation claims.
Many poorly protected infrastructures and an enormous potential for damage make the industry one of the most frequently attacked sectors. Attackers primarily use the following entry points and attack vectors:
- Unpatched vulnerabilities: OT systems are designed for long-term operation and have often been in use for ten years or more. They are rarely or never updated and patched, so security gaps remain open. In some cases, companies also deliberately refrain from installing available updates promptly because the systems are deeply integrated into production and other processes, which should be disrupted as little as possible.
- Insufficient security functions: Many legacy systems no longer offer up-to-date security features. Among other things, they use outdated protocols and interfaces, weak authentication mechanisms, unencrypted data transmission or outdated encryption algorithms. In addition, some new IoT devices lack adequate security mechanisms. The problem: endpoint security software usually cannot be installed retroactively on either legacy systems or IoT devices to protect them, because the systems do not support such software or the security products do not support the devices.
- Poorly secured remote access: Many OT systems are maintained remotely - whether by internal teams or external service providers. The access points used for this are often poorly secured and use default passwords or shared passwords for several people, or are even completely open. In addition, robust security mechanisms such as multi-factor authentication, role-based access controls and session recording are often lacking, making it impossible to track who has accessed the systems, when and what changes have been made.
- Stolen login data: Hundreds of thousands of stolen credentials are traded on the darknet. They mainly come from hacked databases and allow attackers to penetrate company networks with little effort. For targeted attacks on a specific company, however, cyber criminals also go on a planned hunt for logins, for example with malware - so-called infostealers, which steal passwords as they are typed in - or in the traditional way with phishing and social engineering. Thanks to AI, the fakes can now be made extremely convincing and are difficult to recognize even for experienced users.
- Lack of network segmentation: As soon as attackers have one system under their control, they look for other systems within the network that they can infiltrate. This so-called «lateral movement» is made easier if the network is not divided into separate zones between which data traffic is tightly controlled. For example, an office PC in the administration can serve as a springboard into OT and jeopardize the entire operational technology.
- Insecure supply chains: OT environments consist of a complex web of systems and applications that originate from hardware providers, software specialists and system integrators. Compromising one of these suppliers is often the easiest way for cyber criminals to get a foot in the door at several companies at once. To do this, they manipulate firmware or software updates. Manipulating hardware components or installing malicious components is also possible, but more complex and therefore more likely to be used in targeted attacks. A few years ago, SolarWinds, a provider of IT management software, demonstrated the far-reaching consequences an attack on the supply chain can have: attackers were able to install a backdoor in its platform via a manipulated update and subsequently gain undetected access to thousands of networks.
- Overloading of systems: DDoS (Distributed Denial of Service) attacks are not only a popular means of blackmailing companies by overloading their systems with countless requests. They are also often used to distract from another attack or to paralyze a security system in order to penetrate the infrastructure undetected.
«OT security is not a nice-to-have, but a must, because digitalization is increasing the attack surface and the number of attacks on industrial companies is reaching new highs year after year,» emphasizes Christian Koch, Senior Vice President Cybersecurity IT/OT, Innovations & Business Development at NTT DATA DACH. «The EU and the German government have also recognized this and are obliging industrial companies to take comprehensive security measures with the NIS Directive, the Cyber Resilience Act, the Machinery Ordinance and the IT Security Act. However, these can only be implemented if companies establish complete visibility within their entire OT environment. Only then can they identify risks and develop a suitable security concept, which should at least include basics such as network segmentation, patch management and secure remote access.»