Operational technology company Claroty makes a big claim about the future of OT and industrial control systems security: Based on data collected over the past few years, the distinction between OT/ICS and the rest of enterprise tech is beginning to fade in earnest, and new security headaches have appeared in their place.
Claroty states is case in its ICS Risk and Vulnerability report for the second half of 2021 (find the first half here), which found among other things that there has been a 110% year-over-year increase in the number of ICS vulnerabilities disclosed since 2018, and that non-OT products made up 34% of ICS vulnerabilities reported in 2021.
It’s that second statistic that Claroty calls particular attention to, saying that it indicates a trend of businesses merging OT, IT and IoT under a single security umbrella.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
“As more cyber-physical systems become connected, accessibility to these networks from the internet and the cloud requires defenders to have timely, useful vulnerability information to inform risk decisions,” said Amir Preminger, vice president of research at Claroty.
The name that Claroty gives to its vision of a world devoid of distinctions between operational tech, informational tech and internet of things devices is the “extended internet of things.” It describes the XIoT as “an umbrella term that captures the cyber-physical systems critical to our lives … not only for security management, but for data analysis, performance tracking and enhancement, and much more.”
There’s no avoiding this transition, Claroty said, because they’re so appealing to business owners who see it as a way to streamline their organizations. That means “it’s the job of asset owners and security teams to secure those connections.”
The risk to XIoT environments is serious
The risks associated with connecting OT, ICS and IoT networks to internet-facing systems go beyond devices and endpoints. As an example of how devastating an attack in an XIoT environment could be, Claroty provides the example of someone able to compromise not a piece of hardware, but the management console of an XIoT organization.
“An attacker could then execute any number of exploits to run code on devices managed from the cloud, which enables not only full control of an endpoint device, but also lateral network movement and a greater array of payloads at their disposal,” the report said.
Looking back to the report, it’s important to note a couple more statistics: 87% of all ICS vulnerabilities reported in 2H 2021 were considered low complexity, meaning an attacker doesn’t need any special conditions and can expect repeated success. Sixty-three percent of vulnerabilities disclosed in the same timeframe could be executed remotely, and 53% gave attackers the ability to remotely execute code.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
It’s a dangerous digital world out there. If Claroty is correct in assumptions about the future of tech being an XIoT one, and those statistics presented above are correct, we’re looking at a coming apocalypse of vulnerable devices being exposed to the internet.
Preventing an XIoT security disaster
There’s a straight, simple and honestly obvious answer that Claroty recommends to organizations concerned about connecting their tech into one big XIoT network: Segment it.
“Network segmentation is the top step, and should be a top consideration for defenders ahead of other options on our list,” the report said. Segmentation was recommended more than any other method as a way to mitigate ICS vulnerabilities disclosed in 2H 2021, followed by ransomware/phishing/spam protection, traffic restrictions, user and role-based policies and secure remote access.
In terms of specific segmentation recommendations, Claroty said organizations should configure virtual zones so they can be easily managed remotely, give zones specific policies tailored to the specific needs of the users in that zone and be sure they reserve the ability to inspect traffic, including OT protocols. Don’t neglect Claroty’s other areas of recommended protection in favor of focusing exclusively on segmentation, though: They’re all essential components of a more secure whole.