Cyber is no longer a new term. It is so ingrained in our daily lives that we are never far from at least one, and usually several, Internet-connected computing devices. Words like "cyber attack", "hack", and "phishing" are in the news every day. The vulnerabilities of our connected world are ever-present in our minds, and we have become accustomed to them.

We know that our own computers and Information Technology (IT) infrastructures must be kept in a constant state of watchfulness to guard against the cyber threat. But an emerging term highlights new vulnerabilities, and new career opportunities.

OT = Operational Technology

According to Gartner, Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. Think of it like this. IT is the traditional Information Technology: it is all about data, and the systems that process and store that data. OT is used in an industrial sense and covers the direct monitoring and control, or actuation, of physical devices. These systems are usually referred to as Industrial Control Systems (ICS), of which Supervisory Control and Data Acquisition (SCADA) systems are one common category. In an industrial setting, these devices read sensors, transmit the readings, and respond by actuating gates, valves, motors or other controlling devices to carry out the functions of the industrial process.

The IT network has long been the target of nefarious cyber activity. Information obtained illicitly is used for everything from stealing industrial secrets to state-sponsored intelligence gathering to opportunistic money-making on both small and large scales. Cybersecurity has evolved along with this threat, and multiple firms and solutions now focus on helping users and companies secure the IT enterprise against unwanted intrusions. We are making it harder for the bad guys to get into our IT. Hardened operating systems, robust security tools, network firewalls, and extensive user-awareness campaigns are making our IT networks less vulnerable. Companies and users are taking reasonable precautions, and each step taken makes the job of the attacker that much more difficult.

While we have all been focused on hardening our vulnerable IT networks, OT networks have been quietly (or perhaps noisily) performing in industry. I recall one of my college classes in the early '90s was on The Coming Information Age, an age where information, not industrial activity, would move the economic world. This has been true. Information now drives the activities of most of the world. But industry, while no longer the driving factor of society, has continued to roll on day after day. These are the oil and gas lines, the electricity grid, and the industries that make the goods sold around the world.

The OT network is the machinery and the processes that monitor and actuate based on pressure sensors, water temperature or flow, chemical content, electrical current, oil levels, and so on. These are our hydroelectric dams, nuclear power plants, gas and oil pipelines, utilities, water treatment plants, refineries, manufacturing lines and the like. If not our backbone, these systems are our nerves, or even the cardiovascular system of our nation. They are vulnerable, and they are being hacked.

A problem with OT? It’s vulnerable

These systems have been around for a long time, even longer than our more familiar IT networks. By the 1940s we had electrical utility control systems deployed around the USA, with sensing wires running back to a central panel. By the 1950s and '60s these systems had spread to a wide range of industrial applications, and they required trained personnel on site to monitor them and perform the controlling functions. By the late '60s and early '70s rudimentary computers, or "logic controllers", began to perform these real-time sensing and actuation activities. The systems have evolved over the years as computing capability and memory have increased while power consumption and cost have decreased. From a cyber perspective, our drive toward efficiency and increased capability has introduced some significant vulnerabilities. We have connected these systems to the corporate IT network and to the Internet, making them potentially reachable from anywhere in the world, and the controllers themselves were designed for reliability and real-time response, not for authentication or resistance to hostile input.

Who would want to gain access to our electric grid, our critical infrastructure, or our manufacturing? Two reasons come to mind. The first is simple industrial espionage, or company-versus-company rivalry that goes well beyond the bounds of normal business competition. The other is state-sponsored activity, or coordinated activity by terrorist or organized crime groups. The Stuxnet computer worm gained recognition in 2010 and opened the eyes of many to the vulnerabilities of, and the potential damage that can be caused by targeting, ordinary SCADA and ICS systems.

This brings up another important difference between IT and OT attacks. IT attacks typically result in data loss or theft. OT attacks can also result in significant damage to very expensive equipment, environmental harm, and even loss of life. Stuxnet caused physical damage to centrifuges in Iran's nuclear program and delayed it significantly. Other ICS cyber attacks include the 2013/2014 Havex/Dragonfly remote access trojan (RAT) campaign, the 2014 BlackEnergy campaign that targeted Human Machine Interface (HMI) software, and the CrashOverride (also called Industroyer) attack platform used in the December 2016 attack on Ukraine's power grid and publicly analyzed in 2017. The sophistication of these attacks often points directly at state sponsorship or organized crime.

A closer look at the Havex/Dragonfly advanced persistent threat highlights why we need to be concerned with our OT networks. This campaign was aimed at smaller energy companies and was built around a remote access trojan. It harvested Outlook address books and the configuration files of ICS-related software used for remote access to the control systems. Information such as the inventory of devices on the OT LAN, along with passwords, screenshots and documents, was sent back to 146 Command and Control (C2) servers.

How Can OT Attacks Enter Your Company?

In the Havex/Dragonfly campaign there were three primary methods of targeting:

  1. Spear-phishing email to company executives and senior employees, carrying malicious PDF attachments.
  2. Watering hole attacks: websites likely to be visited by energy sector employees were compromised and redirected visitors to another compromised but legitimate website hosting an exploit kit, which installed the RAT.
  3. Software downloaded directly from compromised ICS vendor websites, where legitimate installers had been trojanized to carry the RAT.
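The third vector is the one an engineering team can check for itself before an installer ever reaches a control network. The following is an added example, not code from the original article or from any vendor: it hashes every file in a download staging directory and compares the results against a manifest of vendor-published SHA-256 values. The file names, hashes and installer bytes are constructed for the demonstration, and the manifest is assumed to have been obtained out of band (for example from a signed release note or a phone call to the vendor), because a hash posted on the same compromised download page would simply be swapped along with the installer.

```python
"""Added example: verify downloaded ICS installers against an out-of-band manifest."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installers(manifest: dict, directory: str) -> dict:
    """Return {filename: status} where status is one of:
       'ok'        - present and hash matches the manifest
       'mismatch'  - present but hash differs (possible trojanized build)
       'missing'   - listed in the manifest but not downloaded
       'unlisted'  - present in the directory but not in the manifest
    Only files with status 'ok' should be allowed onto an engineering workstation."""
    results = {}
    present = set(os.listdir(directory))
    for name, expected in manifest.items():
        if name not in present:
            results[name] = "missing"
            continue
        actual = sha256_of(os.path.join(directory, name))
        results[name] = "ok" if actual == expected.lower() else "mismatch"
    for name in present - set(manifest):
        results[name] = "unlisted"
    return results


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed staging directory containing one clean installer,
    one installer with an appended payload, and one file nobody expected."""
    clean = b"MZ constructed clean installer bytes"      # constructed, not a real PE
    trojanized = clean + b"\x00 constructed appended payload"
    with tempfile.TemporaryDirectory() as staging:
        _write(os.path.join(staging, "hmi_setup.exe"), clean)
        _write(os.path.join(staging, "plc_tool.exe"), trojanized)
        _write(os.path.join(staging, "extra.exe"), b"unknown file")
        # Constructed manifest: the vendor's published hashes of the clean builds.
        manifest = {
            "hmi_setup.exe": hashlib.sha256(clean).hexdigest(),
            "plc_tool.exe": hashlib.sha256(clean).hexdigest(),
            "driver.msi": "0" * 64,   # listed by the vendor but never downloaded
        }
        return verify_installers(manifest, staging)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

A hash match only proves the file is the build the vendor says it published; it does not prove the vendor's build environment was clean. Where the vendor signs its installers, checking the code signature against a pinned publisher certificate is the stronger control, and the hash check above is the fallback for unsigned packages. Either way the decision belongs at the boundary between the corporate network and the OT network, not on the engineering workstation after the installer has already run.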

The interesting thing about this campaign is that no sabotage was ever reported. It was very sophisticated and very technical. Was the perpetrator waiting for a signal to cause havoc all at once? The whole thing sounds ominous and certainly state-sponsored, but to what end? Something else to note is that once this attack became known, 88 variants were identified within a year.

Defending against OT attacks draws in personnel from across a company. There are already engineers committed to overseeing and managing OT networks; those jobs will continue to expand and will require more security responsibilities and credentials. OT engineers work with systems administrators, network engineers and security staff, as well as company management. A proper response begins with recognizing and understanding the threat so that the necessary protection plans can be implemented. New cyber threats emerge all the time, and it is extremely important to keep an eye on what the adversary is up to.

Todd Keys is a Program Manager at Cantada, Inc. He has been in the Intelligence Community for 30 years, as a member of the military (USAF) and as a contractor for top 100, top 10, and small business federal defense contractors. He has held multiple roles, CONUS and OCONUS, ranging from technician to executive, providing site O&M, system administration, engineering, supervision, contract management, and Capture/BD for the DoD and multiple intelligence agencies.