Preserving Integrity in OT Systems to Defend Against Living off the Land Techniques

Living-off-the-land (LotL) techniques reduce the time and resources an adversary needs to exploit or corrupt systems – abusing stolen credentials, legitimate protocol use, scripts, vendor software, and trusted network traffic – but there are many ways to fortify the integrity of data against these techniques. Despite an acute awareness of attacks that leverage certain common tactics and target specific workstations or components, LotL techniques continue to morph to suit attackers’ objectives.

Where data security is concerned with protecting against unauthorized access and manipulation, data integrity is focused on trustworthiness. Even when availability is paramount in industrial settings, integrity should always be the primary focus. It has become obvious that data accuracy in OT/ICS is more important than security alone. Focusing on integrity allows OT/ICS personnel to align their priorities with IT security while accounting for OT/ICS considerations. At the same time, it offers a holistic approach into which any standard or compliance framework can fit.

Perform Risk-Based Validation

Master planning can incorporate many different frameworks with operational technology in scope – ISA/IEC 62443, the NIST Cybersecurity Framework, the CISA Cyber Performance Goals, etc. Sectors that enforce cybersecurity compliance are theoretically ahead of others, although there is no one-size-fits-all approach for every asset owner. The 62443 concepts of zones and conduits help prioritize data integrity in OT/ICS networks: a zone groups equipment assets or systems that share the same security requirements, and a conduit groups the communication channels that connect zones. Integrity does not stop at this delineation, and each organization must further assess internal and external threats based on vulnerabilities, threat intelligence, and active campaigns.

A broader approach may be the extension of the NIST Cybersecurity Framework to OT and ICS systems. According to the NIST Special Publication 800-82, Rev. 3 Guide to Operational Technology (OT) Security, the five NIST CSF functions (prior to its update: Identify, Protect, Detect, Respond, Recover) “provide a high-level, strategic view for cybersecurity risk management.” Each function comes with subcategory references for complementary standards and guidelines, and the SP 800-82 document includes additional OT-specific considerations that are not included in the CSF.

Select Appropriate Systems & Service Providers

Security vendors and OEMs should know how their products enable your compliance and regulatory needs better than you do, especially when systems are tailored for your industry or process. 62443-2-5 provides guidance on what is required to operate an effective IACS cyber-security management system. The intended audience includes end users and asset owners who are responsible for the operation of such a program. The list below also offers a way to assess and vet vendors and systems ahead of adoption and procurement. To the extent possible, asset owners should identify and map each system by:

  • Name and/or unique identifier
  • Accountable organization(s)
  • Definition of logical boundary
  • Definition of physical boundary, if applicable
  • Safety designation
  • List of all logical access points
  • List of all physical access points
  • List of data flows associated with each access point
  • Connected zones and conduits
  • List of assets and their classification, criticality, and business value
  • Applicable security requirements

Audit your Audit Trails

Recent Volt Typhoon activity, while not targeting industrial processes, is exploiting relevant systems that ICS components rely on, such as using Windows Management Instrumentation to query local drives before attacking Active Directory databases. In some cases, the threat actor went so far as to disable logging on routers. Even after introducing security tools and providers, asset owners must audit the level of access provided to all vendors, and how those vendors leverage the asset owner's data.

Forensic root cause analysis requires ample amounts of data. Discrete event logs, history files, database queries, reports, or other mechanisms that display time-series events related to the system, electronic records, or raw data contained within the record are all useful for understanding legitimate operations. This forensic data is typically the primary way LotL techniques are analyzed (in the tripping of substation circuit breakers in Ukraine, TRISIS, INCONTROLLER, and more).
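As an added illustration of the kind of audit-trail analysis described above (this is example code, not from the original article or from any vendor), the following Python runs detection logic over constructed process-creation log lines: it flags suspicious use of the built-in tools named in this article (wmic, ntdsutil, netsh, PowerShell) and correlates the sequence the article attributes to Volt Typhoon, WMI drive enumeration followed by Active Directory database access on the same host. The pipe-delimited log format, host names, users and command lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry), one per line as
# timestamp|host|user|image|command_line. Format and values are assumptions.
SAMPLE_LOG = """\
2024-05-01T08:01:02|eng-ws01|CORP\\op1|C:\\Windows\\System32\\wmic.exe|wmic logicaldisk get caption,filesystem,freespace
2024-05-01T08:01:40|eng-ws01|CORP\\op1|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\\temp\\ntds" q q
2024-05-01T08:02:10|hmi-02|CORP\\svc_hist|C:\\Program Files\\Historian\\collector.exe|collector.exe --poll 5
2024-05-01T08:03:00|eng-ws01|CORP\\op1|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20
2024-05-01T08:09:00|eng-ws02|CORP\\admin|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles
"""

# Per-binary indicators: (regex on the command line, finding text). Plain use
# of these binaries is routine engineering work, so only the argument patterns
# alert; the patterns themselves are illustrative choices for this example.
LOTL_RULES = {
    "wmic.exe": [(r"\blogicaldisk\b", "WMI local drive enumeration")],
    "ntdsutil.exe": [(r"\bifm\b|create\s+full", "ntdsutil used to copy the AD database")],
    "netsh.exe": [(r"\bportproxy\b", "netsh port forwarding configured")],
    "powershell.exe": [(r"-enc\w*\s|-w(indowstyle)?\s+hidden", "encoded or hidden-window PowerShell")],
}

def parse(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}

def detect(log_text, window=timedelta(minutes=10)):
    """Return (host, image, finding) tuples: one per rule hit, plus a host-level
    'sequence' hit when drive enumeration precedes an AD database copy within `window`."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    last_enum = {}  # host -> timestamp of the most recent drive enumeration
    for e in events:
        for pattern, desc in LOTL_RULES.get(e["image"], []):
            if not re.search(pattern, e["cmd"], re.IGNORECASE):
                continue
            findings.append((e["host"], e["image"], desc))
            if "drive enumeration" in desc:
                last_enum[e["host"]] = e["ts"]
            elif "AD database" in desc and e["host"] in last_enum \
                    and e["ts"] - last_enum[e["host"]] <= window:
                findings.append((e["host"], "sequence",
                                 "drive enumeration followed by AD database copy"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The historian collector and the read-only `netsh advfirewall show` call produce no findings, which is the point of keying on arguments rather than on binary names alone.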

Enforce Change Control

New products and solutions are often introduced in departmental silos, creating egregious security gaps where change control is missing or lacks sufficient detail. While the industry is getting better at identifying security challenges before introducing new technology, cyber risk is still considered a secondary concern and is typically addressed after the fact. Often, the simplest control is chosen – a separate VLAN or a new firewall configuration – without considering the business impact or criticality of the assets affected by new technologies in the network.

As organizations strive to become better, more efficient, and more resilient, it’s important to select systems that are easy to update. It is equally important to document how systems are integrated, updated, and maintained. Change control for OT/ICS must include configuration management. Configuration management helps ensure state consistency – which also creates the ability to discern between a potential attack and a negligent error from misconfiguration or accidental changes made in IT or OT networks and adds to the integrity of available data at any given moment.

Qualify & Validate OT Systems

Components developed to be fit for their intended use can meet specified requirements that keep the system in a known, fit state at every point in its life cycle. While it could take decades to truly benefit from more secure-by-design hardware and software from original equipment manufacturers in the control systems and industrial devices arena, the steps taken today ensure a more secure future tomorrow. Products built under a security development lifecycle (SDL) can raise the integrity of the data they produce to a degree that threat actors cannot challenge.

Today, 62443-4-1 includes requirements that are applicable to the development of products. Its principal audience is suppliers of control system products and of components included in control system solutions. 62443-4-2 includes sets of derived requirements that provide a detailed mapping of the system requirements to the subsystems and components of the system under consideration. OEMs are increasingly competing on cybersecurity, certifying products to standards like 62443 and consistently enhancing secure-by-design principles to combat LotL techniques.

Plan for Business Continuity

Many frameworks and best practices suggest or require a disaster recovery plan and/or business continuity plan to prepare the organization to respond to disruptions in its operations due to a cybersecurity incident. OT/ICS-specific planning further suggests specifying immediate response plans for cases where physical safety is jeopardized. According to NIST, “OT security objectives typically prioritize integrity and availability, followed by confidentiality, but also must consider safety as an overarching priority.” Business continuity requires data, and redundant systems require integrity.

As stated above, understanding asset level criticality and business value is a prerequisite for mature security. Identifying which processes and functions are most important for business continuity involves a process referred to as “crown jewel analysis” to identify critical assets contributing to operations uptime and revenue. Identifying these assets allows security teams and their executive leaders to prioritize which systems, including OT and IoT, require unique security protections and detections.

Verify and Archive Regularly

Cybersecurity conversations are stuck in a limited cycle of buying a product, running a tabletop exercise, and checking compliance boxes. They often skip key steps for the organization, fail to exercise function-specific responsibilities, and rarely rehearse a failure the way a real emergency would require. Verify system inputs; for example, an environmental monitoring system requires regularly calibrated sensors. Security sensors also require tuning: systems and monitoring solutions should alert on known indicators of compromise as well as on deviations from normal network behavior, and the quality of those alerts depends on correctly tuned inputs.

Back up and save electronic data on a pre-set schedule and to a secure location, including process states, program and configuration files, and any available metadata. Verify the retrieval of all of the data during internal audits. When was the last time you checked that your backup included everything you thought it did? Returning to the verification of system inputs: even if this portion of your program is outsourced, the onus is on you to verify and validate existing backups, including the logic and configurations of process control systems.
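To make the configuration-management point in the change-control section and the backup-verification point above concrete, here is an added Python example (not code from the article or from any vendor product) that baselines a PLC project directory with SHA-256 hashes, reports drift of the live tree against the approved manifest, and checks that a backup archive actually contains every baselined file with a matching hash. The directory layout, file names and contents are constructed for the example; the drift report is the input to the attack-versus-accident judgement, which still needs the change records to go with it.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline(root: Path) -> dict:
    """Approved manifest: relative POSIX-style path -> SHA-256 of every file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}

def drift(manifest: dict, root: Path) -> dict:
    """Compare the live tree with the approved manifest (state consistency check)."""
    now = baseline(root)
    return {"added": sorted(set(now) - set(manifest)),
            "removed": sorted(set(manifest) - set(now)),
            "modified": sorted(k for k in manifest if k in now and now[k] != manifest[k])}

def verify_backup(manifest: dict, archive: Path) -> list:
    """Every manifest entry must be present in the backup archive with the same hash."""
    problems = []
    with zipfile.ZipFile(archive) as z:
        names = set(z.namelist())
        for rel, digest in manifest.items():
            if rel not in names:
                problems.append(f"missing: {rel}")
            elif sha256(z.read(rel)) != digest:
                problems.append(f"hash mismatch: {rel}")
    return problems

def demo() -> tuple:
    """Constructed scenario: a PLC project tree is baselined and backed up, then
    changed without a change record; the backup turns out to have skipped a file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "plc01"
        (root / "logic").mkdir(parents=True)
        (root / "logic" / "main.st").write_text("PROGRAM main\nEND_PROGRAM\n")
        (root / "network.cfg").write_text("ip=10.0.5.10\n")
        manifest = baseline(root)
        archive = Path(d) / "plc01.zip"
        with zipfile.ZipFile(archive, "w") as z:          # backup omits network.cfg
            z.writestr("logic/main.st", (root / "logic" / "main.st").read_bytes())
        (root / "network.cfg").write_text("ip=10.0.5.99\n")  # undocumented change
        (root / "logic" / "debug.st").write_text("")         # file nobody approved
        return drift(manifest, root), verify_backup(manifest, archive)

if __name__ == "__main__":
    print(demo())
```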

Conclusion

LotL techniques involve the use of legitimate, built-in network administration tools to evade detection (wmic, ntdsutil, netsh, PowerShell, etc.), and the misuse of legitimate software and ICS protocols within OT/ICS networks (Modbus, OPC-UA, Profinet, IEC 61850, and more). Rather than protecting the confidentiality of data, OT and ICS require protecting the integrity of the commands and data that control physical processes. The above considerations for maintaining data integrity in computerized systems are tailored to OT/ICS.

Operational technology (OT) and industrial control systems (ICS) are mission motivated and objective oriented. However, advancements in automation have uncovered new challenges for data integrity. Many best practices for OT/ICS jump directly into specific considerations for OT/ICS protocol use, asset management, redundancy, and incident response planning, or they simply focus on available threat intelligence and vulnerability data that has no specific context for any asset owner. As living-off-the-land attack techniques grow in industrial environments, it is increasingly important to prioritize data integrity in process control environments in order to develop a holistic security program.
