Identifying and mitigating internet exposed systems to prevent opportunistic attacks on critical infrastructure

Operational Technology (OT) systems serve as the backbone of critical infrastructure. They drive essential processes that must run continuously to ensure safety, reliability, and uninterrupted delivery of vital services such as energy, transportation, and water.

Recent reports and case studies have revealed a troubling trend – opportunistic attackers are targeting internet-exposed OT devices, often without needing sophisticated techniques or advanced exploits. These intrusions leverage basic weaknesses, such as default credentials or misconfigured network access, to obtain initial access to assets like Human-Machine Interfaces (HMIs) or Programmable Logic Controllers (PLCs) and, from there, to take control of physical processes.

Often, OT devices end up exposed to the internet when a quick and easy solution is implemented without secure remote access in mind, or simply through misconfiguration. Once an adversary finds and accesses such a device, direct interaction with the physical system is often possible. This means that the attacker does not need to exploit anything to cause damage – they can simply use the same buttons and controls as the system operators.

Luckily, proactive actions can be taken to identify and remove these devices from the internet – significantly reducing risks of adversaries accessing OT systems. Sectra recommends:

  • Work closely with vendors to ensure that their systems are securely implemented and are maintained throughout their entire life span.
  • Inventory Industrial Control System (ICS) assets that may be exposed to the internet.
  • When applicable, implement secure remote access solutions with MFA.
  • Ensure that the OT network has a monitoring and detection service in place.

To assess whether OT devices are exposed to the internet, tools like Shodan [1] can be used as part of a broader security audit. Shodan allows searches restricted to the IP ranges assigned to an organization, which can reveal exposed devices such as Windows hosts with remote-access services, or systems speaking ICS protocols. A second check is for OT devices connected via mobile networks (e.g., 3G, 4G, LTE modems): determine whether the modem has been assigned a public IP address and whether the device behind it is reachable from the internet. Such hosts sit in the carrier's address space rather than the organization's, so a search limited to the organization's own IP ranges will miss them. A third way of assessing the network is to use a service like Sectra Network Alert [2] to validate that OT networks are actually isolated.
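As an added illustration of the Shodan-based check (example code written for this article, not a Sectra tool or part of Shodan), the script below builds `net:`/`port:` search strings for an organization's address space and then triages a Shodan JSON-lines export, flagging banners on common ICS ports, on remote-access ports, and on hosts whose ISP looks like a mobile carrier. The netblocks, the carrier name hints, and the sample export records are constructed placeholders; the record field names (`ip_str`, `port`, `isp`, `org`, `_shodan.module`) are assumed to follow Shodan's export format.

```python
"""Triage a Shodan export for internet-exposed OT services.

Added example, not Sectra's or Shodan's own code. Assumptions:
- Input is Shodan JSON-lines export (one banner per line) with the fields
  ip_str, port, isp, org and _shodan.module; nothing else is relied on.
- OWN_NETBLOCKS, MOBILE_ISP_HINTS and SAMPLE_EXPORT are illustrative placeholders.
"""
import ipaddress
import json

# Ports and Shodan module names commonly associated with ICS protocols.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
ICS_MODULES = {"modbus", "s7", "fox", "iec-104", "opc-ua", "dnp3", "ethernetip", "bacnet"}

# Remote-access services that should never face the internet from an OT segment.
REMOTE_ACCESS_PORTS = {23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Substrings suggesting a cellular operator (placeholder list; extend per region).
MOBILE_ISP_HINTS = ("mobile", "wireless", "cellular", "lte")

# Placeholder: the organization's registered address space (RFC 5737 test net).
OWN_NETBLOCKS = ["198.51.100.0/24"]


def shodan_queries(netblocks):
    """Return Shodan search strings: one ICS-port and one remote-access query per netblock."""
    ics = ",".join(str(p) for p in sorted(ICS_PORTS))
    remote = ",".join(str(p) for p in sorted(REMOTE_ACCESS_PORTS))
    queries = []
    for net in netblocks:
        ipaddress.ip_network(net)  # fail early on a malformed block
        queries.append(f"net:{net} port:{ics}")
        queries.append(f"net:{net} port:{remote}")
    return queries


def triage(export_lines, own_netblocks):
    """Classify each banner; return a list of findings (records with no reason are dropped)."""
    nets = [ipaddress.ip_network(n) for n in own_netblocks]
    findings = []
    for line in export_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        port = int(rec.get("port", 0))
        module = (rec.get("_shodan") or {}).get("module", "")
        isp = rec.get("isp") or rec.get("org") or ""
        reasons = []
        if port in ICS_PORTS or module in ICS_MODULES:
            reasons.append("ics-protocol:" + ICS_PORTS.get(port, module))
        if port in REMOTE_ACCESS_PORTS:
            reasons.append("remote-access:" + REMOTE_ACCESS_PORTS[port])
        if any(h in isp.lower() for h in MOBILE_ISP_HINTS):
            # Likely a modem with a public carrier IP: outside the org's own ranges.
            reasons.append("mobile-carrier-ip")
        if reasons:
            findings.append({
                "ip": str(ip),
                "port": port,
                "in_own_ranges": any(ip in n for n in nets),
                "isp": isp,
                "reasons": reasons,
            })
    return findings


# Constructed sample export: two hits in the org's range, one on a carrier IP, one benign.
SAMPLE_EXPORT = [
    json.dumps({"ip_str": "198.51.100.23", "port": 502, "isp": "Example Water Utility",
                "org": "Example Water Utility", "_shodan": {"module": "modbus"}}),
    json.dumps({"ip_str": "198.51.100.40", "port": 3389, "isp": "Example Water Utility",
                "org": "Example Water Utility", "_shodan": {"module": "rdp"}}),
    json.dumps({"ip_str": "203.0.113.77", "port": 102, "isp": "Example Mobile AB",
                "org": "Example Mobile AB", "_shodan": {"module": "s7"}}),
    json.dumps({"ip_str": "198.51.100.80", "port": 443, "isp": "Example Water Utility",
                "org": "Example Water Utility", "_shodan": {"module": "https"}}),
]

if __name__ == "__main__":
    for q in shodan_queries(OWN_NETBLOCKS):
        print("query:", q)
    for f in triage(SAMPLE_EXPORT, OWN_NETBLOCKS):
        scope = "own range" if f["in_own_ranges"] else "OUTSIDE own ranges"
        print(f"{f['ip']}:{f['port']} ({scope}, {f['isp']}) -> {', '.join(f['reasons'])}")
```

Note that the third record is only found because the export was produced by a search that was not limited to `net:`, for example a search on the vendor or product string; a netblock-only sweep never sees a PLC behind a carrier-assigned public IP, which is why the triage reports whether each hit lies inside the organization's own ranges.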

Performing these checks for internet-exposed OT systems, and acting to remove any that are found, is strongly recommended to reduce the risk of low-effort opportunistic attacks with physical consequences.

References

[1] https://www.shodan.io/
[2] https://communications.sectra.com/product/sectra-network-alert/