
Adaptive Defense: Modernization of Cybersecurity Defense and Management Due to the Inevitable Convergence of IOT, OT and the Enterprise Environment

  • by Will Gragido, Chief Product Officer, NetWitness

Introduction

Much discussion has occurred in recent years concerning cybersecurity in and related to IoT and OT environments. Traditionally, these areas of concern have been largely kept separate from “corporate” or “enterprise” networks and environments, due in large part (though not exclusively) to the sensitive operating nature of the environments where these technologies are and continue to be deployed. As a result, it is vital to take the time to learn both the similarities and differences between IoT and OT in order to understand how best to secure and defend them.

Internet of Things (IoT)

The more recent of the two, IoT, came about with the Internet age. It is principally (though not exclusively) focused on connecting everyday devices (IP address-enabled devices, and thus capable of generating and receiving traffic of one type or another) to the web. Whether your home thermostat reminds you that it has automatically adjusted your home HVAC ecosystem, your refrigerator lets you know that it is time to place an order for groceries, your whole-home generator sends you a status report denoting regular and routine cycling, or your home security system updates you with alerts and status messages, the expansive realm of IoT has grown and continues to grow at a tremendous pace. However, with excellent connectivity comes greater responsibility for ensuring things are secure. Though these vendors’ desire is to increase the state and pace of communications and interconnectedness, robust security measures are often overlooked. This, of course, can and has led to the introduction and ultimate exploitation of vulnerabilities, resulting in these “world of tomorrow” types of technologies becoming attractive targets for adversaries of all types keen on exploiting their weaknesses through clever and, at times, not-so-clever compromise. This is primarily (though not exclusively) because many IoT devices are not shipped with a highly secure configuration by default, a problem often further exacerbated by their highly embedded nature and the inability to patch quickly or frequently once they are deployed into their respective production environments.

Examples of exploitation and compromise of IoT technologies and environments include but are not limited to:

Ring Home Security Camera Breach: The Amazon-owned company Ring faced two security incidents. In this particular case, motivated hackers were able to exploit and compromise the live-feed capabilities of the Ring doorbell cameras deployed in and around their customers’ homes due to weak, poorly curated, or recycled passwords. They could even communicate remotely using the devices’ integrated microphones and speakers.[i]

Nortek Security & Control – Access Control System Breach: Another example of an IoT security breach.[ii]

Household Appliances – Botnet Attacks: Household appliances were used to conduct botnet attacks.[iii]

St Jude Medical – IoT Security Breaches in Healthcare: St Jude Medical faced a security breach in its IoT devices.[iv]

Operational Technology (OT)

Unlike IoT, OT is the seasoned veteran of the two. OT has its roots in the industrial era. In large part, OT technology was conceived for, and remains dedicated to, controlling physical processes and machinery. Examples of OT technology range from the systems that control water and sewage treatment plants, to the ones that control traffic signaling, to those that control the monitoring, delivery, and dosage of medications in hospitals and medical facilities as part of day-to-day patient care and treatment. However, as OT systems began modernizing and embracing greater and greater degrees of Internet connectivity, new risk was introduced, driven by the cybersecurity challenges and adversaries they were now facing. And, though OT technologies are often known for the physical security accompanying their deployment, this does not always translate to the interconnected modern Internet. As a result, a vast new frontier of risks and market opportunities has been created, requiring new and novel approaches to ensuring the security of these technologies and the systems that govern them, in addition to net-new considerations concerning confidentiality, integrity, and availability.

Examples of exploitation and compromise of OT technologies and environments include, but are not limited to, the following real-world incidents. They underscore the importance of introducing and maintaining robust cybersecurity measures within OT environments and the potential real-world impacts of such breaches, affecting everything from public utilities to manufacturing operations:

Stuxnet (2010): First observed in 2010, Stuxnet, a malicious computer worm believed to have been in development by a coalition of nation-states since at least 2005, targeted supervisory control and data acquisition (SCADA) systems. Stuxnet achieved infamy for the damage it caused to Iran’s nuclear program, making it a landmark in the annals of OT cyber-attacks and the weaponization of code as a deterrent to hostile, unpredictable rogue nations.[vi][vii][viii][ix][x]

Triton (2017): Discovered in 2017 according to various sources, Triton, also known as TRISIS or HatMan, resulted in large-scale outages in the operational technology present within a critical infrastructure facility in the Middle East. It was designed to target and manipulate the safety instrumented systems (SIS) of industrial control systems (ICS), marking a new level of sophistication in OT attacks.[xi][xii][xiii]

Industroyer (2016): Detected in 2016, Industroyer was responsible for the December 2016 Ukraine power outage. It was the first-ever known malware specifically designed to attack electric grids, highlighting the evolving threat landscape in OT security.[xiv][xv][xvi][xvii]

JBS Foods (2021): A global ransomware attack disrupted meat production in North America and Australia, negatively impacting the supply and price of meat as well as farmers with livestock operations. This incident underscored the far-reaching impacts of OT breaches on everyday life.[xviii][xix][xx][xxi]

Oldsmar Water Treatment Plant Attack (2022): An unsuccessful attempt was made to poison the water supply by abusing a shared TeamViewer password. Reports indicate that an operator working on behalf of the Oldsmar Water Treatment Plant watched and took note of the attack as it occurred in real time and was able to act to mitigate the threat, preventing potentially serious consequences for the community and the public at large.[xxii][xxiii][xxiv]

Ukrainian Power Grid (2022): A disruptive cyber attack with real-world (physical) ramifications and consequences, conducted by the threat actor group Sandworm (affiliated with the Russian Federation) and targeting a Ukrainian critical infrastructure organization. This attack was complex, involving multiple actions and stages, and appears to have leveraged many new and novel techniques now recognized as being highly effective in the compromise, exploitation, and impacting of both industrial control systems (ICS) and operational technology (OT) in the environments that house and utilize them.[xxv][xxvi][xxvii]

Municipal Water Authority of Aliquippa (MWAA) (2023): Pro-Iranian hacktivists breached pressure-monitoring equipment at one of MWAA’s booster stations over Thanksgiving weekend in 2023.[xxviii]

To Be Determined (2024): There are ample and well-founded concerns over nation-state readiness and targeting in 2024 and beyond. This year, the topic has gained considerable attention with the acknowledgment and testimony given by FBI Director Christopher Wray in April of this year and with actions by the Biden administration in preparation for what can only be referred to as anticipated cyber-attacks against US ports.[xxix][xxx][xxxi]

Practical Steps and Measures for Securing IoT and OT

Securing IoT and OT environments is a critical aspect of cybersecurity. Here are some practical steps to enhance the security of these environments:

  • Drive Toward and Ensure Visibility: Develop and maintain a comprehensive asset inventory and CMDB that accounts for all enterprise, IoT, and OT technology deployed within and throughout the organization.
  • Understand Your Risk Posture: Conduct risk assessments and analyze the findings to ensure a crisp, realistic understanding of the organization’s risk posture with IoT and OT technologies and environments factored in. Failure to do so could leave the organization susceptible to exploitation and compromise by an adversary, or culpable in an audit conducted by a governance body.
  • Develop IoT/OT Cybersecurity Policies: These documents should outline your organization’s procedures for securing IoT and OT devices, responding to security incidents, and recovering from breaches.
  • Identity and Access Management (IAM), Strong Password Policies, and Multi-Factor Authentication (MFA) Wherever Possible: Neither new nor novel, yet essential. Ensuring that the organization adopts and adheres to strong policies governing password creation and maintenance as well as MFA is crucial in reducing the organization’s attack surface and managing its risk posture. This is equally true in enterprise, IoT, and OT environments and should be regularly practiced and assessed per organizational policy.
  • Design Your Network to Protect Your Devices: The best and most effective security comes primarily from development work in which the SDLC process includes cybersecurity, together with thoughtful network design and architecture. Take the time to ensure that the organization’s network topology and design enable segmentation and isolation of IoT and OT from enterprise environments where and when required. Additionally, consider the merits and applicability of a Zero Trust framework to ensure that the organization practices the principle of not assuming the trustworthiness of users or devices by default.
  • Deployment and Use of Compensating Controls: Ensure that the organization’s IoT and OT environments have compensating controls comparable to those of analogous enterprise environments, to maximize visibility while minimizing risk and increasing defensibility. This should be practiced in wired and wireless network topologies alike, including those enabled with LTE or 5G technology, to minimize the potential for unauthorized access.
  • Analyze Network Traffic for Threats Continuously: There is massive value and importance in actively and continuously monitoring network traffic (packets, flow, logs, etc.) for threats and hunting within that captured traffic. Doing so across the enterprise, IoT, and OT environments alike will increase your organization’s awareness not only of the state of the environment but also of activity taking place against it (targeting efforts) or within it (normal, authorized, suspicious, and malicious activity resulting from breach and compromise by an external adversary or an insider threat actor).
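The visibility, segmentation and continuous traffic-analysis steps above can be tied together in a single check that a SOC would run over flow records. The following Python script is an added example written for this post; it is not NetWitness code and not part of the original article. The asset inventory (standing in for a CMDB), the segmentation policy and the NetFlow-style log lines are all constructed for the example, and the simple whitespace-separated flow format is an assumption. The script joins each flow to the inventory, reports any host that is absent from the inventory (a visibility gap), and reports any flow whose source and destination segments are not permitted to communicate by the policy, for instance an enterprise workstation talking directly to a PLC.

```python
"""Added example: join flow records to an asset inventory and flag
visibility gaps and segmentation-policy violations.

All hosts, segments, flows and the policy below are constructed for
illustration; the flow-line format is an assumption, not a real product format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Constructed asset inventory (stand-in for a CMDB): IP -> (hostname, segment).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.10.1.15": ("hr-laptop-07", "enterprise"),
    "10.10.1.40": ("eng-workstation-02", "enterprise"),
    "10.20.5.21": ("lobby-camera-01", "iot"),
    "10.20.5.22": ("hvac-controller-03", "iot"),
    "10.30.9.10": ("plc-line-a", "ot"),
    "10.30.9.11": ("hmi-line-a", "ot"),
    "10.30.9.50": ("eng-jump-host", "ot"),
}

# Constructed segmentation policy: (source segment, destination segment) pairs
# that may talk across a boundary. Traffic inside one segment is always allowed;
# any other crossing (enterprise -> ot, iot -> ot, ...) is a violation.
ALLOWED_CROSSINGS: Set[Tuple[str, str]] = {("enterprise", "iot")}

# Constructed flow records: timestamp src dst dport proto bytes.
# 502/tcp is Modbus/TCP, a common OT protocol; 3389/tcp is RDP.
FLOW_LOG = """\
2024-04-01T08:00:01Z 10.10.1.15 10.20.5.21 443 tcp 5120
2024-04-01T08:00:05Z 10.30.9.11 10.30.9.10 502 tcp 880
2024-04-01T08:01:10Z 10.10.1.40 10.30.9.10 502 tcp 640
2024-04-01T08:02:00Z 10.20.5.22 10.30.9.11 22 tcp 2048
2024-04-01T08:03:30Z 192.168.77.9 10.30.9.50 3389 tcp 9000
2024-04-01T08:04:00Z 10.10.1.15 10.10.1.40 445 tcp 300
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass
class Finding:
    kind: str      # "unknown_asset" or "segment_violation"
    flow: Flow
    detail: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format; malformed IPs raise instead of passing silently."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes)))
    return flows


def segment_of(ip: str, inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> Optional[str]:
    """Return the segment an IP belongs to, or None if it is not inventoried."""
    entry = inventory.get(ip)
    return entry[1] if entry else None


def crossing_allowed(src_seg: str, dst_seg: str,
                     policy: Set[Tuple[str, str]] = ALLOWED_CROSSINGS) -> bool:
    """Same-segment traffic is always allowed; boundary crossings need a policy entry."""
    return src_seg == dst_seg or (src_seg, dst_seg) in policy


def analyze(flows: List[Flow],
            inventory: Dict[str, Tuple[str, str]] = INVENTORY,
            policy: Set[Tuple[str, str]] = ALLOWED_CROSSINGS) -> List[Finding]:
    """Produce one finding per flow that exposes a visibility gap or a policy violation."""
    findings: List[Finding] = []
    for f in flows:
        src_seg = segment_of(f.src, inventory)
        dst_seg = segment_of(f.dst, inventory)
        if src_seg is None or dst_seg is None:
            # A host the CMDB does not know about: we cannot classify the flow,
            # so the visibility gap itself is the finding.
            missing = [ip for ip, seg in ((f.src, src_seg), (f.dst, dst_seg)) if seg is None]
            findings.append(Finding("unknown_asset", f, "not in inventory: " + ", ".join(missing)))
            continue
        if not crossing_allowed(src_seg, dst_seg, policy):
            findings.append(Finding("segment_violation", f,
                                    f"{src_seg} -> {dst_seg} on {f.proto}/{f.dport}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'segment_violation': 2, 'unknown_asset': 1}."""
    counts: Dict[str, int] = {}
    for fnd in findings:
        counts[fnd.kind] = counts.get(fnd.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for fnd in analyze(parse_flows(FLOW_LOG)):
        print(f"{fnd.flow.ts} {fnd.kind:18} {fnd.flow.src} -> {fnd.flow.dst}  {fnd.detail}")
```

Run against the constructed log, the script flags the enterprise workstation reaching the PLC on Modbus/TCP, the HVAC controller reaching the HMI over SSH, and an uninventoried 192.168.77.9 host reaching the OT jump host over RDP, while the permitted camera and intra-segment flows pass. The design choice worth noting is that an unknown host is reported before any policy decision is attempted: a segmentation rule cannot be evaluated for an asset the inventory does not know, which is exactly why the visibility step comes first in the list above.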

Conclusion

In the evolving landscape of cybersecurity, the focus is not on which of IoT and OT is the more important of the two types of “Of Things”; instead, it is on recognizing and mitigating the risks inherent in both categories of technology. Both IoT and OT have valuable lessons to offer each other. IoT can benefit from OT’s years of experience in managing critical systems. At the same time, OT can adopt IoT’s innovative connectivity and data management approaches, a shift that is already underway across industry verticals and sectors. Naturally, ensuring that your organization is aware of these threats and risks is more important than ever.

As we move towards more integrated Security Operations Centers (SOCs) where heterogeneity is the norm, where enterprise, IoT, and OT all fall under a common banner and charter of responsibility regarding cybersecurity, the need for intelligence-driven network detection and response is more pronounced and inarguable. Solutions such as those produced here at NetWitness and by others with whom we partner provide a compelling value proposition and total cost of ownership story for the organization that adopts them, along with industry-leading detection and response capabilities unlike any other. NetWitness delivers a robust, sophisticated, and powerful solution that empowers users with global visibility and the ability to act quickly and confidently in detection, response, mitigation, and remediation. Remember, those tasked with securing and defending modern enterprises that are or will be adopting and integrating IoT and OT into what has previously been an “enterprise”-only cybersecurity worldview cannot and will not be able to secure or defend against what they cannot see or understand. As a result, developing a more profound knowledge and understanding of the realities associated with the intersection of the enterprise, IoT, and OT environments and the threats targeting them is an imperative, and one that our teams here at NetWitness are prepared to aid you with.