Managing Risks in Cloud-Managed OT Networks

Chen Fradkin
/ June 30th, 2022

Digital transformation: most of us have probably heard this term somewhere by now. It is hard to miss when everyone is trying to reimagine their business in the digital age. Industrial organizations are no different in this regard, as they gradually incorporate cloud infrastructure into their cyber-physical operations and other processes. Across all sectors, industrial enterprises are looking to improve operations and usability by making processes in OT networks more efficient and data-driven. One thing leads to another, and they begin to consider adopting a cloud-based solution. This can deliver many significant advantages, including but not limited to:

  1. Better telemetry and analysis of device performance

  2. Management of logic and remote device configuration

  3. Improved diagnostics and troubleshooting

  4. Centralized view of industrial processes

  5. Redundancy — critical to business continuity

  6. Reducing infrastructure costs

However, when companies begin to manage their operational technology (OT) using cloud-based infrastructure, they accept a tradeoff between user friendliness and security: this convergence brings with it new risks and challenges. OT networks — once air-gapped — are now connected to the cloud, and therefore expose a much larger attack surface. As the number of organizations bringing OT into the cloud grows, threat actors may see an opportunity to target vulnerabilities exposed by that connectivity at scale.

In this blog, we’ll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively.

Cloud Infrastructure in OT Networks

First things first: before we dive into the risks that arise from cloud migration, it’s important to understand what this migration means for OT networks.

In general, migration to cloud-based infrastructure usually means that part of the organization’s infrastructure is hosted on remote servers managed by third-party cloud providers like Google, Amazon, and Microsoft. This infrastructure includes a cloud-based management platform that supports the different users of the organization’s services, for example admins or engineers. User and role policies define which functions each user may execute and what privileges they hold.

When referring to cloud-managed OT networks, these concepts remain the same. Using the management platform, operators and administrators can deploy settings changes, edit configurations, and manage the plant’s technology network across the Extended Internet of Things (XIoT). These site leaders can also manage the logic that needs to be executed by the PLCs to control Level 0 devices (sensors, actuators, etc.), and configure which data will be collected and sent to the management platform.

Cloud providers offer numerous possible services and infrastructure setups, all available for industrial control systems (ICS) as well as IT. One example is a multi-tenant cloud environment, where each customer is given a separate, secure space for data and project storage. Each customer can only access its own stored data, and the cloud provider enforces a permissions and security policy to prevent access to other customers’ data.

The architecture, illustrated below, is a typical example of ICS managed via a cloud-based platform. It creates a single point of control that essentially becomes a single point of failure. This leads us to talk about security risks…

Diagram illustrating a typical example of ICS architecture managed via a cloud-based platform.

When IT Security Challenges Become an Issue for OT Security

In a typical air-gapped OT network, attackers looking to compromise an entire operation need to gain access to each targeted site separately if they wish to gain control of the managed PLCs. But now that the cloud-management platform has become a single point of failure, one vulnerability could be enough for an attacker to take over the management platform that provides access to all managed devices. Vulnerabilities that are usually a problem in IT security — such as web-based vulnerabilities and data exfiltration — can now become a challenge to OT security as well.

A single point of failure is not necessarily limited to one user or customer; it can extend to other customers as well. For example, take the case of multi-tenant hosts, as explained above. An attacker with access to the host system managed by a service provider would theoretically be able to target any of the virtual instances on that host, and potentially every customer sharing the host system provided by the cloud provider.

Pivoting Into Industrial Control Systems (ICS)

Executing code on ICS devices (e.g., PLCs) or causing a denial of service will interrupt operations and could cause significant damage, not only to the ICS company but to the public as well. This is why accessing the internal OT networks that control the process is the end goal of attackers. Moving ICS services, such as HMIs or Historians, into the cloud-management platform further exposes the internal OT networks to threats and increases the attack surface.

As mentioned earlier, migration to the cloud includes a tradeoff between usability and security. One example of that tradeoff is a vendor’s ability to execute code on managed devices using the cloud-management platform. This capability is usually meant to make management and diagnosis easier, rather than restricting them to on-site support only. However, it can be risky if the vendor did not design and implement it properly; in that case, it could be exploited by attackers to access organizations’ internal networks and control critical devices.

The security of third-party partners — such as vendors and suppliers — must also be managed. A compromised vendor with access to sensitive systems could allow attackers access to cloud-managed systems.

Bottom-Up vs. Top-Down

There are two main attack scenarios in cloud-managed OT networks:

  1. Top-down: The attack starts from the cloud and continues to take over all PLCs.

  2. Bottom-up: The attack starts from a single, remote PLC and continues to the cloud platform.

In the top-down approach, a compromise of the management console means an attacker exploits a vulnerability in the cloud and gains access to all the accounts and devices it manages. Next, the attacker can deploy malicious applications to all connected devices, enabling not only full control of endpoint devices (Level 1 of the Purdue Model) but also lateral network movement, meaning the attack moves on to compromise other systems within the industrial network.

In the bottom-up approach, attackers target endpoint devices and then work their way up to the cloud-based management console, meaning they first try to find OT vulnerabilities to exploit in the PLC. Claroty’s Team82 research team has demonstrated that such an approach is possible by exploiting a vulnerability in a cloud-managed PLC and eventually taking over the cloud-based host account.

These types of top-down and bottom-up attacks are innovative and have been demonstrated to be effective. They threaten process integrity by putting field devices, such as PLCs, at risk. They also threaten data integrity, and with it whether organizations can trust the data uploads devices are sending back to the cloud.

The risks mentioned above are not the only ones to take into account when designing a cloud-managed OT network. Other potential issues and challenges, depending on the situation, may be relevant and should be addressed as well. This leads us to recommendations for managing security risks properly.

Changing The Forecast: What You Need to Know

Data security, once a lesser risk variable for industrial processes, should be elevated as a priority, particularly in heavily regulated industries where compliance is unforgiving. Organizations must evaluate not only threats but also risks, such as a lack of protocol support for encryption and authentication.

1. Know Your Data — Encryption and Secure Communication

Encryption, for example, may prevent some tools from gaining full visibility into network assets. In an air-gapped environment, not encrypting data can be considered an acceptable risk, but once an asset is exposed online, it’s a different scenario. Data should be encrypted in transit as a best practice, and this will be imperative as companies begin to put services and applications, such as Historian databases, in the cloud, where they receive data from Level 1 devices like PLCs.

ICS companies should adhere to the following:

  • Verify that ICS devices support cloud protocols, such as MQTT or HTTPS via Web Client/REST. These are used to exchange data between the PLC and the cloud.

  • Use security mechanisms, such as encryption and signing of data and communication with X.509 certificates or hardware-based encryption
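As an added illustration of the signing recommendation above, and of the data-integrity concern raised earlier (the cloud must be able to trust what devices upload), here is example code written for this post; it is not Claroty’s or any vendor’s implementation. It assumes a per-device shared key with HMAC-SHA256 as a stand-in for the certificate-based or hardware-based signing the post recommends, and all device IDs, keys and readings are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-device keys (assumption). In production these would live in
# an HSM or be replaced by X.509 client certificates, as the post recommends.
DEVICE_KEYS = {
    "plc-line1-01": b"constructed-key-for-plc-line1-01",
}


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so PLC and cloud sign exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_telemetry(device_id: str, reading: dict, seq: int, ts: float) -> dict:
    """Build a telemetry message whose body is authenticated with HMAC-SHA256.

    The sequence number and timestamp are covered by the tag, so a captured
    message cannot be replayed or re-dated by whoever controls the channel.
    """
    body = {"device": device_id, "seq": seq, "ts": ts, "reading": reading}
    tag = hmac.new(DEVICE_KEYS[device_id], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_telemetry(msg: dict, last_seq: dict, max_skew: float = 300.0,
                     now: Optional[float] = None) -> str:
    """Cloud-side check. Returns "ok" or a rejection reason; on "ok" advances last_seq."""
    body = msg.get("body", {})
    device_id = body.get("device")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return "unknown-device"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checks do not leak timing information.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return "bad-signature"
    if body["seq"] <= last_seq.get(device_id, -1):
        return "replay"
    current = now if now is not None else time.time()
    if abs(current - body["ts"]) > max_skew:
        return "stale"
    last_seq[device_id] = body["seq"]
    return "ok"
```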

2. Know Your Organization — Authentication and Identity Management

The accelerated increase in remote work due to COVID-19, and numerous incidents (such as the Oldsmar hack), have demonstrated the risks associated with inadequate controls around access to systems and privilege management.

It’s critical to understand that an entire organization, including all its end devices, could be compromised because of a lack of strong authentication or a single leak of primary credentials. This emphasizes the importance of including authentication and identity management as part of an organization’s defense-in-depth plans for OT in the cloud.

ICS companies should adhere to the following:

  • Add and enforce multi-factor authentication

  • Strengthen credentials, especially passwords to secure remote connections

  • Use granular user & role policy
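To make the last two recommendations concrete (and the tenant isolation discussed in the multi-tenant section), here is an added example written for this post, not Claroty’s or any platform’s code. It assumes a constructed role policy whose actions mirror the operations the post describes (viewing telemetry, editing configuration, deploying PLC logic, executing code on a managed device), denies by default, and requires step-up MFA for the actions that change what runs on field devices.

```python
from dataclasses import dataclass

# Constructed role policy (assumption); actions are the platform operations the
# post describes. Anything not listed for a role is denied.
ROLE_POLICY = {
    "viewer":   {"view_telemetry"},
    "engineer": {"view_telemetry", "edit_config", "deploy_logic"},
    "admin":    {"view_telemetry", "edit_config", "deploy_logic", "remote_exec"},
}

# Actions that alter what executes on PLCs or managed devices need step-up MFA.
HIGH_IMPACT = {"deploy_logic", "remote_exec"}


@dataclass
class Session:
    user: str
    tenant: str
    roles: set
    mfa_verified: bool = False


def authorize(session: Session, action: str, target_tenant: str,
              target_site: str, site_scope: dict) -> str:
    """Return "allow" or a deny reason. Everything not explicitly granted is denied.

    site_scope maps a user to the sites they may act on, so an engineer for one
    plant cannot push logic to another plant's PLCs through the same console.
    """
    # Tenant isolation: a session may never act on another customer's assets.
    if session.tenant != target_tenant:
        return "deny:cross-tenant"
    granted = set().union(*(ROLE_POLICY.get(r, set()) for r in session.roles))
    if action not in granted:
        return "deny:no-role"
    if target_site not in site_scope.get(session.user, set()):
        return "deny:out-of-scope"
    # Step-up authentication before anything that changes field-device behaviour.
    if action in HIGH_IMPACT and not session.mfa_verified:
        return "deny:mfa-required"
    return "allow"
```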

3. Know Your Responsibilities — Make the Blurred Lines Clear

As process and system management in OT moves to the cloud, OT personnel (perhaps unlike IT people) may need a refresher on their responsibilities. As mentioned earlier, in cloud-managed networks part of the organization’s infrastructure is hosted on remote servers managed by third-party cloud providers. In many cases that involve third-party providers, whether the product provided is cloud, software, an operating system, etc., managing security risks is more complicated. If a vulnerability is found in a third-party product, who is responsible for acting, mitigating, and updating? As various third-party vulnerabilities and supply-chain attacks have demonstrated, this is a pain point for everyone involved. Take the recent Log4j vulnerability as an example.

Naturally, third-party providers have their part to play, but ICS vendors’ and ICS companies’ CISOs have responsibility as well. Vendors should maintain a list of third-party components embedded within their products for easier identification of affected products, so they can advise customers how to act. CISOs should also maintain such a list, for easier identification of affected products within their OT network.

But how does this come into play in cloud infrastructure specifically? The cloud provider is usually responsible for securing the host servers and virtual machines and for the physical security of data centers. Users/customers are usually responsible for data security (encryption), authentication and identity management, application security, and platform security (configurations/patching). Some responsibilities of the users may change depending on their selected services and terms.

Adhering to a shared responsibility model and defining a line between your responsibilities and the responsibilities of your cloud provider is critical to reducing the risks in your cloud environment, and is the first step to managing security risks in cloud-managed OT networks properly.

Security vs. Usability — Why Not Both?

“Security at the expense of usability comes at the expense of security” — AviD’s Rule of Usability

As described in this blog, migrating OT networks into the cloud is not without its challenges. Asset owners and managers overseeing cloud-managed OT networks need to assess and manage all these potential risks and more. The tradeoff between usability and security will become a risk management equation that ICS operators and owners will have to face going forward. The key is to make sure one doesn’t come completely at the expense of the other.
