On the State of OT Cyber Attacks and Traversing Level 3.5, the Artist Formerly Known as Airgap


Author: Ric Derbyshire

Most cyber security practitioners will be familiar with information technology (IT) and enterprise systems, but over the past decade we have seen a growing awareness of cyber security within an operational technology (OT) setting. OT, also commonly referred to as industrial control systems (ICS), is the technology that is used to control and monitor an industrial process by sensing and changing the physical environment according to its programming. The kinds of devices seen in such environments include programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs), the former two of which tend to be quite fragile in the face of change or unexpected variables due to the open nature required of such real-time environments. This, as you may imagine, poses some remarkably interesting security challenges.

When it comes to high-precision, complex cyber attacks against operational technology (OT), few come close to the infamous 2010 “Stuxnet” attack against an Iranian uranium enrichment plant. Despite its complexity and infamy, Stuxnet wasn’t the first cyber attack to target OT and it certainly wasn’t the last - as depicted by Figure 1, which shows a timeline of historical OT attacks. However, 12 years on, and despite the much-anticipated “cyber war” waged by Russia against Ukraine, we are not seeing a significant volume of attacks deliberately targeting OT, especially in proportion to the number of ‘traditional’ IT attacks on organisations (for example in the manufacturing sector) that use it.

While we may not currently be inundated with high-precision, complex attacks against OT, such environments present a rich platform for creative, yet devastating impacts that will be alluring to a wide range of adversary motivations. Moreover, experience, educational content, and tools continue to evolve, steadily reducing barriers to entry for conducting such attacks. All of this culminates in OT cyber security being an area to watch carefully. It can no longer be dismissed as an obscure capability accessible only to nation-state actors. After all, not too long ago IT cyber security was also an obscure discipline only accessible to those with the requisite knowledge.

This post introduces the IT/OT attack imbalance and then explores it by briefly discussing the anatomy and typical security controls seen in an OT environment, before suggesting some reasons as to why we may not be seeing such attacks yet, and finally speculating on why and how OT may become more commonly targeted.


Figure 1 A timeline of attacks targeting OT[i]


We aren’t seeing that many cyber attacks deliberately targeting OT

Operational technology (OT) typically conjures images of utility organisations performing functions such as water treatment or power generation; however, another sector that utilises an abundance of OT is “Manufacturing”, with PLCs being used to control all manner of automated processes – from assembly lines to robots. Manufacturing also ranks highest in both the number of cyber extortion (Cy-X or ransomware) victims (Figure 2) and incidents (Figure 3) according to our data, which you can find more about in our annual Security Navigator report[ii].

Figure 2 Cy-X leak threat victimology by number of threats

Figure 3 Adjusted incidents per client and coverage

You’d be forgiven for thinking that the manufacturing sector was being specifically targeted by adversaries. You might even be correct. However, the taxonomy that we use to define industry categories, the North American Industry Classification System (NAICS[iii]), may disproportionately capture more organisation types than others due to the layout of its subcategories (a perfectly valid reason; taxonomies don’t have to be balanced). The manufacturing sector may also just be more vulnerable than others, attracting more opportunistic adversaries. It’s possible, though to our minds unlikely, that adversaries all over the world are conspiring against the manufacturing sector. Whatever the underlying reason, there’s little doubt that businesses in the manufacturing sector are experiencing more than their fair share of incidents, attacks, and compromises.

Regardless of whether the manufacturing sector is a priority target for adversaries, we are seeing high volumes of incidents and Cy-X cases; but what we are not seeing is a proportional number of attacks directly targeting OT or the physical environment (despite being self-reported in certain surveys[iv]), which are typically newsworthy events. Such newsworthiness can be seen from the reaction to incidents such as the attacks against the Iranian Steel Mills in June 2022 or the South Staffordshire Water attack by Cl0p in August 2022. In many such cases, however, where the OT is reported to have been impacted, it turns out to have been manually paused or disconnected as a precaution during an IT incident. In the Cl0p incident, for example, the adversaries only demonstrated access to the OT with screenshots released of a human machine interface (HMI) rather than any actual physical impact. This trend of OT-but-not-actually-OT attack can be seen prominently in Kaspersky's September 2022 round-up of the main industrial cyber security incidents of 2022[v], whereby few attacks directly targeted the OT and most OT impacts were circumstantial. More recently, researchers have cast doubt on reports by a group called GhostSec, whose remote terminal unit (RTU) encryption attack is clearly not as sophisticated or novel as the hacktivist group originally purported it to be[vi] (although hacktivist groups entering the space should be taken seriously).

So why might we not be seeing more reports of directly impacted OT despite sectors such as manufacturing apparently being targeted so frequently? To answer that, let’s first look at how organisations utilising OT may look to structure and defend their assets.

An approximate anatomy of an OT organisation

While not all organisations that use OT are structured in the same way, there exists a general model that is understood to represent the technological diversity and structure encountered, commonly referred to as the Purdue Model.

Figure 4 The Purdue Model [vii]

The Purdue Model is generally well accepted within industry and serves to guide those who utilise it toward defining certain assets and their functions as separate levels. The Purdue Model provides a fundamental step in compartmentalising assets in an OT environment, which assists in strategising network segregation, something frequently emphasised in more detail in standards and guidelines such as IEC 62443’s concept of zones and conduits[viii].

Levels 3 down to 0 get progressively closer to the physical environment with a safety wraparound provided by the safety zone:

  • The safety zone wraps around the whole operational process, usually with dedicated networks and technology, with the intention of preventing the OT posing a threat to the physical environment or people within it.
  • Level 0 consists of assets such as sensors, actuators, or robots. This is where the OT converges with the physical environment.
  • Level 1 contains assets such as PLCs and RTUs, which take readings from the sensors and control the physical environment by manipulating the actuators or robots (or other devices) accordingly.
  • Level 2 typically consists of local monitoring and control, with assets such as HMIs and engineering workstations to monitor and configure OT equipment.
  • Level 3 is similar to level 2 in certain ways, such as monitoring and control using HMIs. However, it is generally more centralised and contains applicable servers and historians (database servers for capturing operational process data).

Network segregation is particularly pertinent at ‘level 3.5’, commonly known as the Demilitarised Zone (DMZ), whereby the OT assets in the strictly controlled levels of 0-3 are isolated from the enterprise/business infrastructure in levels 4-5. Such isolation is important due to the nature of OT infrastructure – these assets are performing time-critical processes, therefore certain security controls might provide too much friction, potentially jeopardising safety, availability, and integrity, which are all paramount in such an environment. Organisations who do practise network segregation typically do so using a combination of routing, firewalls, and unidirectional gateways (data diodes).
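As an added illustration that is not part of the original post, the sketch below audits network flow records against the Purdue levels described above and flags any flow that crosses level 3.5 without terminating in the DMZ. The subnets, the sample flows, the finding codes and the rule that the DMZ only brokers between level 3 and level 4 are all assumptions made for the example.

```python
import ipaddress

# Constructed address plan (assumption): subnet -> Purdue level.
ZONES = [
    ("10.0.1.0/24", 1.0),    # Level 1: PLCs and RTUs
    ("10.0.2.0/24", 2.0),    # Level 2: HMIs, engineering workstations
    ("10.0.3.0/24", 3.0),    # Level 3: site servers and historians
    ("10.0.35.0/24", 3.5),   # Level 3.5: DMZ
    ("10.10.0.0/16", 4.0),   # Levels 4-5: enterprise/business network
]
EXTERNAL = 9.0  # sentinel level for any address outside the plan

def purdue_level(ip):
    """Map an IP address to its Purdue level using the address plan."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in ZONES:
        if addr in ipaddress.ip_network(cidr):
            return level
    return EXTERNAL

def audit_flow(src, dst):
    """Return None if the flow respects level 3.5, else a finding code."""
    lo, hi = sorted((purdue_level(src), purdue_level(dst)))
    if hi <= 3.0 or lo >= 4.0:
        return None                  # both ends on the same side of the DMZ
    if 3.5 in (lo, hi):
        # Assumed policy: the DMZ brokers only between level 3 and level 4.
        return None if (lo >= 3.0 and hi <= 4.0) else "DMZ_OVERREACH"
    if hi == EXTERNAL:
        return "EXTERNAL_TO_OT"      # Internet connectivity direct to OT
    return "BYPASSES_DMZ"            # enterprise <-> OT without the DMZ

# Constructed sample flows (source, destination), not real traffic.
FLOWS = [
    ("10.0.2.5", "10.0.1.10"),     # HMI -> PLC, inside OT
    ("10.10.4.20", "10.0.35.8"),   # enterprise -> DMZ broker
    ("10.0.35.8", "10.0.3.15"),    # DMZ broker -> historian
    ("10.10.4.20", "10.0.2.5"),    # enterprise -> HMI directly
    ("203.0.113.7", "10.0.1.10"),  # external address -> PLC
    ("10.0.35.8", "10.0.1.10"),    # DMZ host -> PLC
]

def audit(flows):
    """Return (src, dst, finding) for every flow that breaks segregation."""
    return [(s, d, f) for s, d in flows if (f := audit_flow(s, d))]

if __name__ == "__main__":
    for src, dst, finding in audit(FLOWS):
        print(f"{finding:15} {src} -> {dst}")
```

Run against firewall or NetFlow exports, the same check gives a quick measure of how much of the level 3.5 boundary actually exists in practice.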

The separation of processes, and further segregation of networks, is one of the most important cyber security controls in the defence in depth approach typically considered to be best practice when securing OT environments. Context-specific devices such as PLCs, RTUs, and embedded HMIs generally cannot run endpoint security agents, and the rigorous and rigid change management processes required for such environments can make patching any machine a challenging endeavour. So is network segregation working and therefore the reason we’re not seeing many OT targeted attacks? Let’s investigate!

Why aren’t we seeing OT attacks?

There are a myriad of reasons as to why we may not be seeing reports of attacks targeting OT or the physical environment as regularly as we’re seeing more generalised attacks on organisations that use OT. As with most complex problems involving human behaviour that we lack the necessary data to explain, many of these reasons seem plausible, and it is likely that a combination of these reasons is applicable. So, let’s look at a few prominent hypotheses.

It could be argued that the most likely reason we aren’t seeing as many cyber attacks that deliberately target OT is simply due to a lack of reporting. If organisations are experiencing attacks targeting and causing serious impact to their OT, we may not be seeing reports due to compliance constraints, embargos during police investigations, or even businesses keeping such incidents secret to avoid reputational damage.

It also may just be an incorrect assumption that OT-impacting attacks would always be newsworthy events. We’ve already witnessed premature cries of ‘cyber attack!’ during incidents in the past, only to be exposed as either an engineering issue or a precautionary disconnection/pause during an IT incident, which has potentially created a ‘boy who cried wolf’ culture. Moreover, it may be that most successful, OT-targeted attacks are just not interesting enough to be reported on, particularly if most adversaries who are unfamiliar with the context are launching simple nuisance attacks such as PLC stop CPU commands[ix] (which stop the control logic executing but are easily recoverable). Several examples of nuisance attacks can be seen from hacktivist groups’ endeavours to enter the OT space. One instance is Forescout’s report that noted GhostSec and OneFist using stop CPU commands, native HMI functionality, and setting registers to 0[x].

Perhaps, if adversaries are managing to reach the OT environments of victim organisations, they have been unwilling to invest the additional time and money required to gain the necessary contextual knowledge and navigate that barrier to entry. Instead, it may be that these adversaries are simply compromising the Windows-based assets within that environment, such as engineering workstations or Windows-based HMIs. If compromising IT or Windows-based OT assets is already effective, adversaries may not anticipate the return on investment to be worth the cost of learning an entirely new context to pursue attacks on dedicated OT assets[xi]. Having compromised the Windows assets, adversaries may lack the requisite knowledge to further attack the specific OT devices or, as we saw with Cl0p’s statement after their attack on South Staffordshire Water, some adversaries may have a conscience and therefore not have the appetite to impact human safety.

In a similar vein, even if adversaries were reaching the OT and had the requisite knowledge to deliberately target it, it’s still not trivial to perform high-precision, complex attacks. Unlike landing in an IT environment with assets that are typically resilient to unexpected network traffic, an OT environment is full of assets that may fall over at the mere sight of a single unexpected packet. Even if the assets don’t fall over, the same reconnaissance and enumeration techniques used for IT systems will provide an adversary with little or no information about the physical process and environment that is required to perform a complex attack; instead, a further tactic called ‘process comprehension’[xii] is required to gather and synthesise that information. To gather an adequate amount of information, process comprehension may require human intelligence and physically infiltrating the target facility, exfiltrating piping and instrumentation diagrams and other pertinent documentation, and compromising HMIs to inspect their interfaces, all of which is likely to be too impractical or high-risk for most adversaries’ appetites. Furthermore, once the adversary has gathered enough information to understand the physical process, they then must design and implement an attack that causes the desired impact, which could require physically reimplementing the target environment for testing purposes[xiii]. Once the attack has been developed and is ready to be launched, it still needs to circumvent safety processes, which may be physical implementations rather than digital, adding further complexity.

Finally, (and if you’re cynical you may consider this the least likely of the reasons discussed in this post) it is possible that the existing best practice of defence in depth, with a focus on network segregation and a strong perimeter, is working to prevent the propagation of adversaries and malware into the OT. However, with the emergence of Industry 4.0 and the Industrial Internet of Things, the lines of that perimeter are beginning to blur. In many organisations, level 3.5, the artist formerly known as airgap, is fast becoming obsolete due to Internet connectivity direct to the OT assets themselves – something which would have been considered sacrilege not too long ago.


Why OT might become a target and how that might happen

Let’s continue working to the assumption that OT-targeted attacks would indeed be newsworthy, and because we aren’t inundated with those news reports, we simply aren’t seeing many attacks directed at OT. Surely this then presents a nascent, yet lucrative, target for adversaries to exploit.

Organisations that utilise OT processes will typically have mature metrics to quantify any plant downtime in a monetary value per time period (e.g., $/hour or £/day), which means the impact of adversary-induced downtime (such as Cy-X specifically halting the OT process) will be immediately clear. Other tactics by financially motivated adversaries could include (credible) threats to damage or manipulate the physical process or stealing plant configs, which could include commercially sensitive intellectual property. When it comes to non-financially motivated OT attacks, another intended impact we’ve witnessed historically is subtle process degradation, which reduces the efficiency of a process and damages equipment, among other less clear goals known only to the adversary conducting an attack.

Regardless of the adversary’s motivation, high-precision, complex attacks that target OT are currently (and fortunately) relatively uncommon. However, the barriers to entry are lowering and we should expect to see OT being disrupted through methods that are increasingly more measured and deliberate, with impacts that reflect that.

An increased awareness of OT security is prompting an increase in OT security research meaning that, along with defensive capabilities, we are also seeing advances in offensive attack-oriented research. For example, process comprehension at a distance (PCaaD)[xiv] reduces the difficulty and potential physical proximity required for conducting process comprehension, greatly facilitating high-precision, complex attacks on OT. Figure 5 utilises a Wardley map to illustrate the effect of a tool, such as PCaaD, that improves upon the technical aspects of process comprehension. The green nodes represent the high-level requirements for an OT attack, linked by the black edges, while the red nodes shifted directly to the right by dashed lines depict the evolution in capability towards being more achievable. It can be seen, therefore, that improving OT device code extraction and analysis cascades into improving process comprehension capability, which in turn improves the adversary’s capability for conducting a high-precision, complex OT attack.