The strict separation between IT and operational technology (OT) networks in industrial environments is not sustainable for the future, according to two Dutch ethical hackers.
Daan Keuper and Thijs Alkemade recently won the international hacker contest because of the serious vulnerabilities they found in various systems used in industrial environments.
The theme of this year’s Pwn2Own international hacker contest in Miami was industrial control systems. Due to the increasing digitisation in the manufacturing industry, hackers were invited to search for vulnerabilities in various categories of industrial software and systems.
Alkemade and Keuper jointly run the Sector 7 research department at Dutch consultancy firm Computest, where they dive into the security of the digital world with a focus on vulnerabilities with social impact. “We noticed that in the daily operation of Computest, there is not always enough time and priority for researching vulnerabilities that make a social difference,” said Keuper. “That is why we set up our own department where we can do this, without deadlines from customers and our own research agenda.”
Alkemade and Keuper also won last year’s hacker competition, with the vulnerabilities they found in teleconferencing platform Zoom. “For our research, we look at current developments in the world and the Netherlands alike,” said Keuper. “When everyone suddenly started working with Zoom during the lockdowns, we researched the security of that programme.”
They also critically checked the Coronacheck app, which Dutch people use to turn their vaccination and recovery certificate into a QR code for a national or international entry ticket.
“We had also wanted to work with industrial systems for some time,” said Keuper. “We get fairly regular requests from customers to test their factory floors. But with OT systems, availability is top priority. The moment we mentioned that we, as ethical hackers, would be sending suspicious traffic to their systems that could result in systems failing, the conversations with customers immediately came to a halt, because downtime is unacceptable for the manufacturing industry. That makes it difficult to actually look at the security of those environments.”
The competition in Miami was a welcome opportunity for Keuper and Alkemade to delve into the vulnerability of industrial automation without a client assignment – and they found five vulnerabilities. Alkemade said: “I can’t go into details yet, because not all of them have been solved by the supplier. But they were vulnerabilities in applications that are used to manage systems or to control communication. Not in the machines on the factory floor themselves, more the rights control system on top.”
Keuper added: “We see manufacturing companies doing everything they can to keep attackers off the OT network. There is a strict separation between the OT network and the IT network in almost all industrial organisations, but with the knowledge we have gained, I think this model is not sustainable into the future.”
Everything will be connected
The industrial sector is getting smarter – the fourth industrial revolution is digital. Virtually all machines and equipment are connected to the internet, or will be in the near future. Connectivity is key, and that’s not surprising, because it is much cheaper to control 30 bridges from one central location than it is to employ 30 bridge operators.
“This increasing connectivity means that people also look for more analysis and insight,” said Keuper. “This inevitably means that IT and OT are becoming increasingly intertwined. This requires a new strategy for your security.”
Many of the machines and other equipment that are used in factories are old or outdated and were never designed to be connected to the internet or to cope with current security measures. The primary security is therefore on the IT network and this network forms an additional buffer for the OT network in most industrial environments.
“We see that many industrial companies have shielded their IT network very well,” said Alkemade. “The vulnerabilities that we have found are therefore not easy to abuse. You really have to gain access to the network first, and that is often not easy. But if you do, these vulnerabilities make it relatively easy to take over machines, modify processes or bring the whole thing to a standstill – with far-reaching consequences.”
The current strategy of separated IT and OT networks is therefore not future-proof, said Keuper. “It’s like having an old castle, with a city wall, gates and a moat to make sure no attackers can get to your castle. That works really well if you only have one or two drawbridges, because you can guard them well. But in today’s digital networks, you have like a thousand drawbridges. That’s impossible to monitor or secure.”
Where security of the OT and IT networks is now mostly in the hands of different people, Keuper advocates bringing this together. “If you want to make a difference, you have to work together,” he said. “IT and OT security are still two very different worlds. When I meet someone at an IT security conference and ask whether they will be visiting an upcoming OT security conference, the answer is almost always no.
“Most of the time, the security of the IT network is one person’s responsibility while the OT security is another person’s. They probably do talk to each other, but they have very different interests. In order to actually raise the security of an industrial environment to a higher level, it is necessary that those two people become responsible for the whole network together, rather than each advocating their own piece.”
Challenge for the future
This is not specifically a Dutch problem, said the ethical hackers – industrial organisations all over the world are struggling with it. “A culture change is needed to bring IT and OT together,” said Keuper. “It’s such a complex problem, it’s not easy and quick to solve. The interests are very different. Whereas for OT it’s all about availability, for IT, confidentiality and integrity are of the utmost importance.”
Alkemade added: “I think this challenge can only be completely solved in new installations. When you build a factory from scratch, you can weave IT and OT into your infrastructure and set up the network on the assumption that everything will be connected to the internet.”
For existing factories and other industrial environments, this is a lot trickier, because changes directly impact availability. Alkemade and Keuper hope to have demonstrated their expertise in this field and are keen to help industrial organisations make networks and installations more secure.
“We have shown that industrial applications are very vulnerable, but the vulnerabilities we found were low-hanging fruit,” they added. “They were rather easy to find and abuse. So there is still a world to be won there.”
Most Commented Posts