“there is no 100% security, and adversaries are always a few steps ahead”
This interview was conducted and first published by Cybernews and edited for this website.
With cyberattacks capable of shutting off electricity, awareness of such risks is more acute than ever. Yet despite heightened suspicion and diligent IT guidelines, some things still escape the eye.
Most industrial systems, both digital and physical, are designed with functionality rather than security in mind, and failing to recognize that can lead to disastrous events. Many businesses still neglect to check and implement security measures and monitoring in their operational technology, leaving gaps for adversaries to slip through.
To talk about the importance of securing, and having visibility into, this core technology, Cybernews reached out to Klaus Mochalski, CEO of Rhebo, a company that specializes in providing security and monitoring solutions for operational technology and IoT.
Why is continuous monitoring with threat and intrusion detection within the OT network essential for OT security?
To use the metaphor of a fortress or city-state: firewalls, authentication measures, security policies, and data diodes form the city wall and the gatekeepers. They are the border control which prevents the intrusion of obvious, easily identifiable, and defined enemies. However, breaches are possible in any fortress, whether through clever obfuscation (e.g., identity forgery via phishing campaigns), forced entry (brute force), bribery (inside perpetrators), third-party associates (supply chain compromise), or secret passages (backdoors and software vulnerabilities). That's why in every fortress and city-state you have the police force and federal secret service for internal security.
Rhebo OT monitoring with threat and intrusion detection builds that internal security. It keeps an eye on the inside of the fortress and continuously examines the behavior of actors inside its borders for irregular or suspicious behavior. It thus detects anomalies within the OT, documents them in detail, and reports them to the executive in real time. It doesn't matter whether this anomalous behavior originates from a "stranger" (i.e., a new network member) or a regular inhabitant of the fortress (e.g., an administrator). If it doesn't fit the expected and authorized behavior, it gets detected and reported. Covert operations, novel attack techniques, and complex maneuvers used in professional attacks are thus detected at an early stage and can be localized and defended against immediately.
What would you consider to be the most serious problems that Industrial IoT & OT environments face nowadays?
In the OT and IoT, we face three problems. First, there is the “Insecure by Design” aspect of industrial components. Industrial devices and systems hardly have any security measures. And even when something like encryption of protocols is available – like measures for MMS protocols defined by the standard IEC 62351-4 – it's hardly ever implemented due to conflicts with process stability and timing.
The second is the lack of visibility into Operational Technology (OT). For most operators and security engineers we speak to, OT is a black box. They don’t know what’s in it. They don’t know what’s happening there. And they certainly don’t know its risk exposure or security gaps. In fact, when we conduct an OT risk and vulnerability assessment and start OT monitoring for our customers, it’s generally the very first time they get visibility of their OT.
Third, there's the risk of supply chain compromise. Automated industrial networks are composed of a myriad of systems and devices from several dozen different vendors. So OT has become amazingly complex. Taking into account the problems “insecure by design” and “lack of visibility”, it's very likely that an attack or compromise will come via a supplying vendor or a subcontractor responsible for maintenance. That’s why it’s paramount to closely monitor any activity happening in the OT.
How did the recent global events affect your field of work? Have you noticed any new security issues arise as a result?
Our main customer group operates critical infrastructure like energy and water supply. Of course, they are at the front line of crises, be it through the shortening of staff by the pandemic or the cyber risk exposure created by war and state-sponsored adversaries. But it's less a new security issue arising than heightened awareness and fear of being caught in the crossfire. So what has changed is that the cybersecurity of critical infrastructure – and in particular its Operational Technology – has become a major concern for many customers.
Also, the awareness of operators and security engineers has grown so much that they can’t be sure of 100% security because the main security gaps lie outside of their jurisdiction. Log4Shell and the growing number of disclosed vulnerabilities in industrial components have shown that no matter what a security engineer does to ensure cybersecurity, there is always a hidden gap they don’t even know of yet. It’s an awareness of not knowing and not being able to know. Which, in a way, is good, because this awareness is the first step to start the process of evaluating their risk and looking for a solution that creates visibility into the black box and tackles the problem of unknown and novel attack vectors. And that’s where Rhebo comes in.
What security tools should organizations and individuals have in place to combat these new threats?
Overall, it’s about building a defense-in-depth framework. The common security tools like firewalls, SIEM, security policies, training, and segmentation are still absolutely crucial and valid. They still have their purpose to prevent the majority of attacks that follow known trajectories. They form the city wall and gatekeepers, to come back to my metaphor of a fortress or city-state. Additionally – and this is different from the past – companies also need tools that form this second line of defense. Because we know that there is no 100% security and that (in particular state-sponsored) adversaries are always a few steps ahead, organizations must be prepared for compromise. Since they cannot guarantee to prevent all attacks, they must enable their cybersecurity team to identify successful intruders as fast as possible. OT monitoring with threat and intrusion detection forms this second line of defense for internal security by creating full visibility inside the OT and by reporting any suspicious activity in real time.
What misconceptions surrounding the IoT landscape do you notice most often?
There are a few misconceptions. First, there is the idea that others will take care of cybersecurity. There is the hope that a vendor of a device will have installed some sort of security or at least will have designed it with as few flaws as possible. Unfortunately, quite the opposite is often true for industrial devices and systems because the focus generally lies on the operation and industrial functionality.
The second typical misconception I hear very often is, "so far nothing has happened to us, we seem to be safe enough". Though with Log4Shell, all the phishing campaigns, and worldwide upheaval there is actually a good chance that their IT and OT are already compromised. They just don’t know about it because they don’t have visibility, and they still think compromise leads to immediate disruption. Which might be true for typical ransomware attacks but certainly not for targeted attacks like the ones we have seen with CRASHOVERRIDE at the Ukrainian energy provider Ukrenergo in 2016. The attackers stayed for about 11 months inside the IT and OT to get a foothold, evade detection, and place the payloads before they brought down a 330 kV substation that left 250,000 people without electricity.
Why do you think it takes months for certain companies to uncover threats that were hiding in their own networks?
As I already mentioned, it’s the lack of visibility as well as the missing ability to look beyond signature-based attack patterns. You can’t protect what you don’t see. And you can’t fight what you don’t recognize. So you need a solution that creates visibility and is able to detect anomalies in the behavior of OT devices and systems, no matter if these anomalies follow known signatures or completely novel patterns.
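The behavior-based detection described in the two answers above (monitoring the inside of the fortress, and flagging anomalies whether or not they match a known signature), as an added illustration in Python that is not Rhebo's code or product: it learns the allowed communication relations from a baseline window and then flags a stranger, a known host issuing a new operation, and a known pair talking on a new protocol. Hostnames, protocol and operation labels are constructed for the example.

```python
"""Baseline-driven anomaly detection for OT network traffic (added example).

Learn the set of observed communication relations (source, destination,
protocol, operation) during a quiet commissioning window, then flag any
later relation that does not fit. All records below are constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto op")

# Constructed baseline: SCADA server polls two PLCs, engineering station reads.
BASELINE = [
    Flow("scada-01", "plc-07", "modbus", "read_holding_registers"),
    Flow("scada-01", "plc-08", "modbus", "read_holding_registers"),
    Flow("eng-ws-02", "plc-07", "modbus", "read_holding_registers"),
    Flow("eng-ws-02", "plc-07", "s7comm", "read_var"),
]

# Constructed monitoring window: one benign poll, one stranger, two known
# hosts behaving differently from the baseline.
OBSERVED = [
    Flow("scada-01", "plc-07", "modbus", "read_holding_registers"),
    Flow("laptop-99", "plc-08", "modbus", "read_holding_registers"),    # unknown host
    Flow("eng-ws-02", "plc-07", "modbus", "write_multiple_registers"),  # known host, new op
    Flow("scada-01", "plc-08", "http", "GET"),                          # known pair, new proto
]


def learn_baseline(flows):
    """Return (known hosts, allowed relations) from the learning window."""
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    return hosts, set(flows)


def classify(flow, hosts, allowed):
    """Return None for expected behavior, otherwise a short reason string."""
    if flow in allowed:
        return None
    if flow.src not in hosts or flow.dst not in hosts:
        return "new network member"
    same_channel = (a for a in allowed
                    if (a.src, a.dst, a.proto) == (flow.src, flow.dst, flow.proto))
    if any(same_channel):
        return "new operation on known channel"
    return "new protocol or peer for known host"


def detect(observed, baseline):
    """Return [(flow, reason)] for every observed flow that deviates from baseline."""
    hosts, allowed = learn_baseline(baseline)
    alerts = []
    for flow in observed:
        reason = classify(flow, hosts, allowed)
        if reason:
            alerts.append((flow, reason))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect(OBSERVED, BASELINE):
        print(f"ALERT {reason}: {flow.src} -> {flow.dst} {flow.proto}/{flow.op}")
```

Note that the engineering workstation is a regular inhabitant of the baseline, yet its write operation is still reported because it does not match any authorized relation.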
In your opinion, what industries should be especially concerned about securing their IoT devices?
There is no simple answer to this. Of course, critical infrastructure industries are the ones that have the highest risk exposure. But since everything is interconnected and interdependent, the focus needs to widen. With supply chain compromises, subcontractors and vendors need to get involved too. The SolarWinds case in 2020 was a warning. Log4Shell made millions of companies vulnerable overnight. And the disruption of the Viasat KA-SATCOM satellite infrastructure, which is allegedly linked to the Russian invasion of Ukraine, just proves how effective it is to disrupt industries by targeting service providers up the supply chain. In particular, since those service providers not only serve the industry that might be the initial target (i.e. the Ukrainian military that uses the KA-SATCOM infrastructure) but a myriad of other industries. Those other industries might not be the target but also fall victim as collateral damage. For example, Enercon in Germany also uses Viasat’s services to control and remotely maintain their wind parks. After Viasat was hit, Enercon lost control of several thousand wind turbines. And all of a sudden, the war between Russia and Ukraine sent ripples to the German energy supply.