Ring that bell: How creative thinking can help secure critical infrastructure

Nick Panos
Senior Cybersecurity Consultant, Office of the CISO, Google Cloud
Isser R.
Senior Principal Security Consultant, Mandiant Consulting
When you spend your day surrounded by cutting-edge technology, you can often feel like you should be using the latest and greatest to solve technically complex problems.
We can see this instinct throughout human history. When the Eiffel Tower was completed in 1889, the wind made the top of the spire sway more than engineers had expected. They tried to fix it with complex structural solutions, but in the end made a simpler, cheaper fix: The engineers simply added more weight to its upper floors.
Simple, creative, low- or no-tech solutions can also help secure operational technology (OT) environments. However, creative thinking doesn’t manifest itself out of nowhere: It starts in the workplace.
For many organizations, that means shifting how their strategic and organizational foundations support problem solving. This cultural shift starts by breaking down silos between IT and OT teams.
The increasing connectivity of OT systems, coupled with clear-text protocols and a historical lack of robust security implementation, has allowed threat actors to use weaknesses in these systems as a pathway to attack critical infrastructure. It’s easy to imagine how established safety systems that were put in place to physically protect industrial workers could be overwhelmed by contemporary cyberattacks and challenged to effectively prevent catastrophic results.
Three real-world examples of organizations using creative solutions to counter threats can help demonstrate how to shift defensive thinking around the sector-specific challenges that OT systems face.
Threat modeling for OT
In our first case, we consider an actual threat modeling exercise. We designed our attack vector knowing that a malign actor could target an unauthenticated, unencrypted protocol such as Modbus, feeding spurious data to the operator's display while actually commanding the system with different, destructive values. The hypothetical outcome in this scenario could easily have been widespread process disruption and even potentially loss of life.
We thought we had established a viable, simulated attack path that would override the safety systems that prevent hazardous material combustion. Our plan of attack included overriding the system metrics while simultaneously showing normal but false system metrics to the human operator.
Feeling confident in our threat model approach, we conducted a site visit to further evaluate the risks. The organization’s standard operating procedures required a real-time visual inspection by the environment’s operator during certain critical operations. That manual requirement greatly reduced the risk of this particular type of advanced cyberattack, as the operator had several courses of action they could physically take to mitigate it.
The inconsistencies between displayed and observed data would also alert the operator that something was wrong with the control system parameters, leading to a safety shutdown.
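The attack path above rests on a property of the protocol, not on any software bug: a Modbus/TCP frame carries a transaction id, a unit id, a function code and data, and nothing that authenticates the sender or protects the integrity of the command. The following example, added here and not part of the original post, builds and parses Write Single Register frames to make that visible, then shows the two checks a defender can layer on top: a passive audit that flags write function codes from hosts that are not supposed to issue them, and a reconciliation of the last value commanded on the wire against what the HMI displays, which is the same inconsistency the operator's visual inspection catches. The IP addresses, register numbers, setpoint values and the set of allowed writers are constructed for the example.

```python
"""Modbus/TCP frame handling plus two defensive checks for the spoofed-HMI scenario.

Added example; not code from the original post. Frame layout follows the Modbus
spec (7-byte MBAP header, then PDU). Hosts, registers and values are constructed.
"""
import struct
from dataclasses import dataclass

# Spec-defined function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Function code 6: MBAP header + (fc, register address, value). No auth field exists."""
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return mbap + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Split an ADU into header fields and PDU, validating only what the spec lets us validate."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def decode_write_single_register(frame: ModbusFrame) -> tuple:
    """Return (register address, value) from a function-code-6 PDU."""
    return struct.unpack(">HH", frame.data[:4])


def audit_writes(packets, allowed_writers) -> list:
    """packets: iterable of (src_ip, raw_frame). Flag writes from hosts outside the allowlist.

    Because the protocol cannot tell the PLC who is talking, the network has to:
    this is the passive check a span-port sensor can run.
    """
    alerts = []
    for src, raw in packets:
        f = parse_modbus_tcp(raw)
        if f.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            detail = ""
            if f.function_code == 6:
                addr, val = decode_write_single_register(f)
                detail = f" register {addr} <- {val}"
            alerts.append(
                f"{src}: unauthorized {WRITE_FUNCTION_CODES[f.function_code]}{detail} to unit {f.unit_id}"
            )
    return alerts


def reconcile(commanded: dict, displayed: dict) -> list:
    """Registers where the last value written on the wire differs from what the HMI shows.

    In the scenario above the attacker keeps these equal in the operator's view only;
    an independent observation (a sensor or the operator's eyes) exposes the gap.
    """
    return sorted(r for r in commanded if displayed.get(r) != commanded[r])


if __name__ == "__main__":
    allowed = {"10.0.10.5"}  # constructed: the legitimate HMI
    hmi_write = build_write_single_register(1, 1, 100, 600)      # constructed setpoint
    attacker_write = build_write_single_register(2, 1, 100, 950)  # constructed destructive value
    for line in audit_writes([("10.0.10.5", hmi_write), ("10.0.10.77", attacker_write)], allowed):
        print(line)
    print(reconcile({100: 950}, {100: 600}))
```

The audit only works if the sensor sees the same traffic the PLC does, so it belongs on a span port or tap inside the control segment, not on an IT-side monitor that the attacker's path may bypass.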
Layered security for OT
For our second use case, we consider an organization operating hundreds of OT devices, including Programmable Logic Controllers (PLCs), for critical functions such as metering, pump pressure maintenance, and hydraulic optimization.
Facing regulatory mandates for multi-factor authentication (MFA) due to the privileged control plane access, and recognizing that the PLC management interfaces only supported simple authentication, the organization adopted a layered security strategy. Instead of attempting to implement MFA directly on the PLCs, which is impractical due to legacy system limitations, they opted to physically isolate the management interfaces.
Field engineers would connect directly with secured engineering laptops when necessary, and robust physical access controls were implemented as a supplementary security measure. This approach aligns with the intent of the U.S. Department of Homeland Security Transportation Security Administration’s security directives, which emphasize the use of MFA “or other logical and physical security controls that supplement password authentication to provide risk mitigation commensurate to multi-factor authentication.”
This decision and operating model, while not universally applicable, demonstrates a practical, low-tech approach to mitigating risks in OT environments by focusing on securing access points and leveraging physical security, rather than relying on direct MFA implementation on every device.
Using DCS and SCADA to boost OT security
As a third use case, we consider a separate approach to risk mitigation: incorporating Distributed Control Systems (DCS) and Supervisory Control And Data Acquisition (SCADA) alarm data into security operations. Key switch positions and state changes are examples of alarms captured in this approach.
Many PLCs have multiple operating modes such as run, remote, and program. To switch operating modes, one must turn a key or flip a switch. In this particular case, the keys are normally left in the device and do not really serve as a security control. Instead, the engineering team implemented an alarm in the SCADA system for a state change as part of their change management process.
The security team was then able to incorporate that alarm information into their runbook as an indication that privileged activity was occurring in the OT environment.
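What turns that alarm into a useful detection is correlation: a switch into program mode is expected inside an approved change window and suspicious outside one, and how long the controller stays in program mode matters as much as the fact that it entered it. The example below, added here and not code from the original post, shows that runbook step in code. The alarm export format, tag names, timestamps and change-ticket table are constructed; real SCADA historians export in vendor-specific formats and this parser would be adapted to them.

```python
"""Triage PLC key-switch state-change alarms against approved change windows.

Added example; not code from the original post. Alarm format, tags, timestamps
and change windows are constructed for illustration.
"""
from datetime import datetime

# Constructed SCADA alarm export: timestamp, tag, previous state, new state.
ALARMS = """\
2024-03-12T09:58:11Z PLC07.KEYSWITCH REM PROG
2024-03-12T10:41:03Z PLC07.KEYSWITCH PROG REM
2024-03-12T23:17:45Z PLC12.KEYSWITCH RUN PROG
2024-03-13T02:05:09Z PLC12.KEYSWITCH PROG RUN
2024-03-13T06:12:30Z PLC03.KEYSWITCH RUN PROG
"""

# Constructed change tickets: (asset, window start, window end).
CHANGE_WINDOWS = [("PLC07", "2024-03-12T09:30:00Z", "2024-03-12T11:00:00Z")]

# Program mode is the privileged state: it permits logic download to the controller.
PRIVILEGED_STATES = {"PROG"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_alarms(text: str) -> list:
    """Return (timestamp, asset, old_state, new_state) tuples in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, old, new = line.split()
        records.append((parse_ts(ts), tag.split(".")[0], old, new))
    return sorted(records)


def in_approved_window(asset: str, ts: datetime, windows) -> bool:
    return any(a == asset and parse_ts(s) <= ts <= parse_ts(e) for a, s, e in windows)


def program_mode_sessions(records) -> list:
    """Pair each entry into a privileged mode with the next exit on the same asset.

    A session with end=None means the controller is still in program mode, which
    is itself worth a call to the site.
    """
    open_sessions, sessions = {}, []
    for ts, asset, old, new in records:
        if new in PRIVILEGED_STATES and old not in PRIVILEGED_STATES:
            open_sessions[asset] = ts
        elif old in PRIVILEGED_STATES and new not in PRIVILEGED_STATES and asset in open_sessions:
            sessions.append((asset, open_sessions.pop(asset), ts))
    sessions.extend((asset, start, None) for asset, start in open_sessions.items())
    return sessions


def triage(alarm_text: str, windows) -> list:
    """One finding per program-mode session: when, how long, and whether a ticket covered it."""
    findings = []
    for asset, start, end in program_mode_sessions(parse_alarms(alarm_text)):
        findings.append({
            "asset": asset,
            "start": start,
            "end": end,
            "duration": (end - start) if end else None,
            "approved": in_approved_window(asset, start, windows),
        })
    return findings


if __name__ == "__main__":
    for f in triage(ALARMS, CHANGE_WINDOWS):
        status = "approved change" if f["approved"] else "UNAPPROVED privileged activity"
        print(f"{f['asset']}: {status}, entered PROG at {f['start']}, duration {f['duration']}")
```

In this constructed data, PLC07 falls inside its ticket window, PLC12 spent almost three hours in program mode overnight with no ticket, and PLC03 entered program mode and never left; the latter two are the lines that should page the on-call analyst.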
As a quick closing note, we would like to highlight that there are environments that are well protected and mature in a broad sense, but may have a widespread vulnerability in a secondary or tertiary system that is a dependency of OT — thereby creating risk for the overall system. One particular area that we observed across several industries is the use of radio frequency (RF) communication for the OT environment.
This may be in the form of microwave links or DMR on VHF and UHF frequencies. In many cases these technologies do not natively encrypt traffic and can be leveraged by an attacker to either bridge remote access into the OT environment or interfere with and subvert control of OT devices.
Choosing the approach that’s best for your organization
A systematic approach to continuously evaluating and modeling threats and controls is something we all should do as a matter of security practice. In industrial environments, that is already happening in many ways on the OT side of the organization. Incorporating cybersecurity into the organization’s Process Hazard Analysis can help streamline efforts to solve for regulatory and operational cybersecurity challenges.
We should keep some of the basics in mind: If perfection is the enemy of good, then perhaps complexity is the enemy of viable. We recommend constantly evaluating your approach with the following questions:
- Especially in mature industries with well-established manufacturing processes, are there simple, low-tech solutions that can help protect an enterprise and its employees?
- How has your organization quantified risk, and do the outcomes contradict previously-perceived risk severity?
- Where legacy equipment limitations prevent incorporating new technology, can alternate procedures or additional equipment be used to achieve a better cybersecurity posture?
For more information, please see our guidance on better OT/ICS security posture, and request your copy of “The Defender’s Advantage: Operational Technology” today.