Cyberattacks targeting critical OT and industrial organizations rose by 87% last year—the threat level to OT is higher than ever, and threat actors are finding new ways to compromise OT environments.
Only a minority of attacks are "pure" OT compromises like the 2020 EKANS ransomware attacks against Honda and Enel and recent German wind turbine attack in 2022. Attacks can come from various vectors, including insiders, the business networks that connect to protected networks and OT assets, and downstream supply chain compromise.
Increasingly, threats exploit the growing size and diversity of OT attack surfaces. Attackers can rely on industrial control systems (ICS) being connected to corporate TCP/IP networks periodically and, as a result, plugging OT assets into the wider business network.
The twin trends of legacy security and digital transformation create a wide-open target. Aside from direct attacks on OT functionality (e.g., ransomware or malware that disrupts the flow of data into a system), different attack vectors can threaten connections between endpoints, and potentially infiltrate proprietary information, throwing systems offline.
Your IT security controls probably don’t fit OT. Here’s why.
Many OT security teams know that they cannot rely on a single layer of security and that layering security (aka “defense-in-depth”) is critical. However, the desire to do defense in depth and the reality of deploying effective security controls are two different things. This is where many OT security programs struggle.
Security solutions must overcome three serious challenges to stop threats in and around unconventional, resource-constrained, and reliability-focused OT systems:
- Avoid false positive alerts. OT environments can’t afford system downtime due to false positives.
- Ensure efficient deployment across low bandwidth systems and complex network topology. OT environments need solutions that aren’t dependent on online update downloads.
- Stop advanced threats from cross-propagating business and OT systems. Industrial infrastructure is a prime target for well-funded attackers and complex attacks like zero-days, fileless worms, trojans and malware.
In OT environments scanning-based solutions like endpoint detection and response (EDR) or endpoint protection platforms (EPPs) are not suitable to OT security challenges, and so they often underperform. Here’s why:
- EPPs and EDRs rely on continual telemetry for signature and behavioral pattern updates and threat feeds they cannot operate properly in an air-gapped situation.These solutions continuously scan for malware hooks and ultimately use up scarce computing resources.
- Most EDRs are also incompatible with the diverse range of legacy OS, hardware, and applications that exist in a typical OT environment and create many false positives. None of which bodes well for their longevity in any sensitive site.
- These systems fail to detect fileless and evasive attacks reliably. We explain why in another blog, but to summarize, many threats don't create the recognizable signatures EDR looks for. Advanced threats (such as Cobalt Strike) also operate in unscannable environments like device memory during run time.
The same applies to solutions that use similar technology in other parts of the IT environment, such as NDRs deployed to analyze network traffic.
Why Your OT System Needs Automated Moving Target Defense
Automated Moving Target Defense (AMTD) is a super lightweight preventative technology that can provide an on-prem fully isolated solution for OT environments. It doesn’t need an internet connection or scanning-based agent, allowing it to thrive in isolated, legacy, and low-bandwidth OT environments.
AMTD stops zero days, fileless, and evasive attacks by randomly morphing the runtime memory environment to create an unpredictable attack surface and leaves decoy traps where targets were. This level of protection can prevent even the most advanced attacks, serving as a great means of ransomware prevention.
More than 7,000 global customers have successfully deployed Morphisec AMTD, both directly on OT endpoints and on endpoints and servers in surrounding IT systems.
One of our clients, a major seaport operator, installed Morphisec’s AMTD to protect their cranes and other autonomous vehicles. This client was particularly concerned about the vital portside infrastructure due to its Chinese manufacture and potential political motivations for threats. None of their existing solutions or security controls identified any issues with across its integrated systems, but that changed when they deployed Morphisec. Almost immediately after deployment, Morphisec found and disabled a supply chain vulnerability present within an unauthorized firmware installed on the client’s OT systems.
Long before the media was chasing the debunked “Chinese spy cranes" story, our client did, in fact, find spyware on Chinese-made crane hardware.
In another incident, Morphisec protected a manufacturing company from a previously unknown variant of the Babuk ransomware. The customers had several sites protected by Morphisec and others where Morphisec wasn’t yet installed. The ransomware bypassed the EPP and EDRs used by the customer. Where installed. Morphisec successfully blocked the attack, but unfortunately, the unprotected environment was compromised as it did not have Morphisec's anti-ransomware measures.
As these examples show, OT threats don’t follow standard playbooks. They are often unknown and dynamic, and, with OT systems firewalls dissolving, coming from more places. This is what a changing threat landscape looks like. As always, the best response is to double down on prevention. AMTD is a proven solution for preventing the worst threats OT security teams will ever experience.
Schedule a demo to see Morphisec in action.