As Operational Technology (OT) devices become more integrated into enterprise networks, the risks associated with their exposure to the internet also grow significantly.
Recent insights from Forescout Technologies' head of security research, Daniel dos Santos, reveal that hackers are now using easily accessible tools to exploit these weaknesses, leading to disruptions such as unauthorised network access, denial of service, and tampering with device settings.
Santos shares with iTNews Asia best practices for combating these risks, and ways of working with system integrators to address security blind spots and strengthen overall network security.
iTNews Asia: What are the risks associated with OT device exposure in today’s network environments and how are they evolving with the increasing integration of OT devices into enterprise networks?
Santos: Exposing OT devices directly to the internet poses significant risks, as these devices often lack basic security features like password authentication and encryption.
The main risks associated with exposed OT devices include attackers using them to gain network access, launching attacks on other devices or organisations, causing a denial of service by taking the device offline or disrupting its function, and defacing the device or altering its settings.
Historically, interacting with these devices required specialised knowledge, but today, common tools allow nearly anyone to take control of them. This has led to a surge in attacks by hacktivists and opportunistic attackers who exploit these vulnerabilities to deface or compromise the devices, disrupting their intended functions.
iTNews Asia: What are the best practices for securing OT devices against potential vulnerabilities and cyber threats?
Santos: Best practices for securing OT devices include gaining comprehensive visibility into the devices on your network, such as their software versions, connections, and user access. This visibility facilitates risk assessment and helps in implementing security measures like disabling unused ports, network segmentation, and patching vulnerabilities. Continuous monitoring is also crucial to detect and respond to potential attacks that might bypass existing controls.
iTNews Asia: How important is visibility into OT devices for effective risk management, and what tools or strategies can enhance this visibility?
Santos: Visibility is crucial for security, especially in heterogeneous OT environments with diverse devices and protocols. Understanding what assets you have on a network is important to defend those assets.
You need the right type of network visibility to get that inventory for you. In terms of strategies and how those tools work, proper network visibility tools are essential to monitor and manage these devices, particularly in remote or distributed locations. These tools use either passive monitoring to analyse network traffic or active methods to directly query devices for detailed information about their software and configurations.
For example, asset inventory and intrusion detection systems are essential tools for managing and securing OT environments. These tools, like Forescout Inspect, provide both passive and active monitoring to create a comprehensive device inventory and detect network attacks. While open-source options exist, commercial solutions often offer more advanced capabilities, including the ability to understand and analyse complex, proprietary protocols used by OT devices.
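As an added illustration of the passive monitoring approach described above (example code written for this piece, not Forescout's or Forescout Inspect's code), the following Python parses constructed Modbus/TCP request frames to build a PLC inventory and flags write function codes from hosts outside an assumed engineering-workstation allowlist. All IP addresses, frames and the allowlist are constructed sample data.

```python
"""Passive Modbus/TCP asset inventory (illustrative example, not Forescout code).
Frames are (src_ip, dst_ip, tcp_payload); the MBAP header tells us which client
talks to which PLC unit, and write function codes are flagged as state-changing."""
import struct
from collections import defaultdict
# Function codes that change device state, per the Modbus application protocol.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Assumed allowlist of hosts expected to write to PLCs (constructed for the example).
AUTHORIZED_WRITERS = {"10.0.0.5"}
# Constructed sample traffic: a read from the engineering workstation, a write
# from an unexpected host, and a non-Modbus payload that must be ignored.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("00010000000601030000000A")),
    ("198.51.100.7", "10.0.1.20", bytes.fromhex("000200000006010600100001")),
    ("198.51.100.7", "10.0.1.20", b"GET / HTTP/1.1\r\n"),
]

def parse_mbap(frame):
    """Return (transaction_id, unit_id, function_code), or None if not Modbus/TCP."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol identifier is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7]

def build_inventory(packets, authorized=AUTHORIZED_WRITERS):
    """Return ({plc_ip: {"units", "clients", "functions"}}, [alerts])."""
    inventory = defaultdict(lambda: {"units": set(), "clients": set(), "functions": set()})
    alerts = []
    for src, dst, payload in packets:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue  # not Modbus; a fuller tool would try other OT protocols here
        _, unit, fc = parsed
        dev = inventory[dst]
        dev["units"].add(unit)
        dev["clients"].add(src)
        dev["functions"].add(fc)
        if fc in WRITE_FUNCTIONS and src not in authorized:
            alerts.append((src, dst, unit, WRITE_FUNCTIONS[fc]))
    return dict(inventory), alerts

if __name__ == "__main__":
    inv, alerts = build_inventory(SAMPLE_PACKETS)
    for plc, info in inv.items():
        print(plc, "units", sorted(info["units"]), "clients", sorted(info["clients"]))
    for alert in alerts:
        print("ALERT unauthorised write:", alert)
```

Pointing the same parser at a live capture instead of `SAMPLE_PACKETS` yields the inventory the text describes without ever querying a device, which is why passive collection is preferred for fragile OT equipment.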
iTNews Asia: How do varying regulatory and compliance requirements across APAC countries influence network security strategies?
Santos: Regulations and compliance requirements vary globally, with local laws differing by region. However, most compliance audits rely heavily on having a comprehensive asset inventory.
Tools that track device details, such as software versions and vulnerabilities, are crucial for demonstrating adherence to regulations. Although specific requirements may differ, maintaining accurate and detailed asset information helps ensure compliance with various local regulations.
iTNews Asia: How does Forescout’s research contribute to the broader cybersecurity community, particularly in the context of OT and industrial control systems? Can you share any recent research findings that have had a significant impact on understanding or mitigating specific security threats?
Santos: We produce two main types of content for the cybersecurity community: research reports and machine-readable threat intelligence. Our research reports analyse threats, vulnerabilities, and trends, helping organisations anticipate and defend against attacks. Machine-readable threat intelligence, such as threat feeds, provides automatic detection tools with indicators of compromise and lists of exploited vulnerabilities.
An example is the OT:ICEFALL project, where we identified and worked with vendors to fix 61 new vulnerabilities affecting more than 100 device models from 13 device manufacturers and prevented potential future exploits.
Our research includes both vendor and customer perspectives. While we focus on vulnerabilities and security issues found in devices, we also consider configurations and risks introduced by end users and system integrators.
iTNews Asia: What are some common security blind spots created by system integrators when deploying and integrating new systems or devices, and are there examples where they have led to significant breaches?
Santos: Common security blind spots include improper configurations, weak or default credentials, and insecure remote access. These issues can leave the asset owner unaware of vulnerabilities and risks in their network.
I don't have a specific breach example at the moment, but we recently released a report called "Better Safe Than Sorry." Forescout examined data gathered in 2017-2024 about internet-exposed OT devices around the world.
We found that there was a decrease of less than 10 percent in the total number of exposed devices, but some countries managed to decrease much more than that (such as 47 percent in the US and 45 percent in Canada), whereas other countries increased the amount of exposed OT significantly.
Most exposed devices are used for industrial automation - especially using the Modbus protocol (29 percent) - and building automation - using the KNX, BACnet and Fox protocols for a combined 32 percent. Modbus exposure continues to increase (48 percent in the period), while Fox, for instance, decreased by 70 percent.
It also highlights a wave of attacks last year where hackers targeted PLCs from an Israeli brand called Unitronics.
After these attacks, many asset owners took these devices offline. However, some remained exposed, likely due to system integrators' deployments, leaving the asset owners unaware of the continued risk. The report suggests that similar deployment issues might have contributed to vulnerabilities, but we can't confirm specific breaches from these cases.
iTNews Asia: How can organisations work with system integrators to identify and address these blind spots proactively?
Santos: To ensure network security, asset owners must define clear requirements for deploying systems, ensuring that all devices meet security standards. This includes validating the deployment by a system integrator and maintaining continuous monitoring of the network. Even after initial validation, ongoing checks are necessary to ensure configurations remain secure and compliant with internal policies and regulations throughout the device's lifecycle.
We need a way to automatically ensure that the configuration is still adhering to your own internal policy and other regulatory compliance frameworks.
iTNews Asia: How can organisations leverage technologies like AI, machine learning, or advanced analytics to enhance their security posture?
Santos: AI is being integrated into security products to enhance threat detection and response. When an alert is triggered, AI can generate a narrative explanation that spells out details such as which IP address attacked and with what technique, making it easier for users to understand. This narrative also links to threat intelligence, showing whether that IP has been involved in similar attacks elsewhere.
We are able to find out what happened and connect it with threat intelligence. This approach not only clarifies the nature of attacks but also offers recommended actions to address vulnerabilities and issues, complementing existing security solutions with more user-friendly insights.
The goal is not to replace existing solutions but to complement them with user-friendly explanations and actionable insights, helping users understand and address vulnerabilities more effectively.