
Introduction

Operational Technology (OT) is responsible for controlling and monitoring the world around us, including process control, industrial automation, monitoring, supervision, safety, and security.

As part of national infrastructure, OT controls and monitors our energy production and distribution, the treatment of our drinking water, and our transport and logistics. It should therefore come as no surprise that securing OT is of paramount importance. After all, if you are not in control of your OT environment, then maybe somebody else is.

There is certainly more awareness around OT in recent years as we have seen the rapid integration of digital technologies into industrial systems. The trend for these once isolated systems to be converged with Information Technology (IT) presents new security challenges, in some cases exposing vulnerabilities that have existed for more than a decade.

It is essential that security consultants are experienced with OT as techniques that would be suitable for an IT environment could result in catastrophic consequences, such as those the security assessment seeks to prevent. A cyber-attack (or badly performed penetration test) on an OT environment could lead to production downtime, environmental issues, damage to machinery and in worst cases loss of life.

In this case study, we assess the Operational Technology for a manufacturing facility in Germany.

[Image: OT - Scope and objectives]

Methodology

A&O IT Group used their methodology for Operational Technology for both the OT and IT environments. The reason for this was simply that, before the assessment, it was not possible to know how the two environments were segregated, and consultants would not risk using techniques intended for IT that presented a risk to the OT environment.

At the beginning of the assessment, consultants would identify assets and categorise these. Where an asset was believed to be part of the OT environment, consultants would attempt to identify its role, discussing this with the client where necessary. This helps to build a better understanding of the environment before more in-depth assessment is carried out, considerably reducing risk.

Assessing OT assets is a largely manual process where each action from the consultant is carefully considered and often performed one step at a time. This contrasts with IT assets, where automated scanners may run multiple tasks in parallel, providing information for the consultant’s manual assessment which follows.

Key findings

Default credentials

OT assets were identified on the network with default credentials. These included uninterruptible power supplies (UPS) and engineering hardware, including computer numerical control (CNC) machines and other industrial controllers.

It would have been possible for an attacker gaining access to the network to disrupt power and take control of the manufacturing processes, including causing physical damage, all without any authentication or authorisation requirement.

Lack of segregation

The organisation had a flat network topology with no segregation between Information Technology and Operational Technology. This resulted in a mixture of computers, printers, phones, presentation devices, uninterruptible power supplies, programmable logic controllers and CNC manufacturing hardware all within one environment.

When coupled with other vulnerabilities identified, such as assets with default credentials as discussed above, this presented a significant risk.

Vulnerable firmware

Vulnerable firmware was identified that had not been upgraded despite multiple later versions being available. This is often seen in OT environments where organisations are concerned that updating a device that they consider to be working without issue presents unnecessary risk.

Whilst organisations should of course be cautious when performing any upgrades to critical technology, leaving a device without updates that include security patches as in this case is ill-advised.

Recommendations


Credential enhancement

All default credentials should be disabled and replaced with strong and unique passwords. Where automation is involved, it will be necessary to identify other systems that may be impacted by this change and take steps to ensure that downtime is minimal or avoided altogether.

Network segregation

Both the IT and OT environments should be segregated as separate networks or VLANs. Whilst it is perfectly acceptable for IT and OT to converge where there is a clear business need, the two environments should remain separate with purposeful access controls defined to allow only required traffic to flow between IT and OT, and vice versa.

The organisation should, at a minimum, separate IT from OT, and should also consider further segmentation within each environment to improve the overall security posture.

Firmware updates

Where assets have available firmware updates that contain security patches, the organisation should formulate a plan to upgrade as soon as is practical. This may include discussions with the vendor on how to reduce the risk and how the upgrade may be rolled back successfully should issues be identified, as well as establishing a maintenance plan and updating it regularly.

For assets where the firmware update only contains functional changes that are not required by the organisation, the update may be delayed, although it should be borne in mind that in some cases this may complicate updating in the future.
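To make the segregation and firmware recommendations above checkable against an asset inventory, here is an added example in Python (not the case study's or A&O IT Group's tooling). The inventory, addresses and version numbers are constructed; device types mirror those listed in the findings.

```python
"""Inventory triage for the flat-network and firmware findings above.

Added example, not the case study's own tooling. The inventory below is
constructed; device types mirror those listed in the findings.
"""
import ipaddress
from collections import defaultdict

# Device type -> environment. Anything unlisted is treated as OT, matching the
# methodology above, which errs towards cautious handling when a role is unclear.
IT_TYPES = {"workstation", "printer", "phone", "presentation"}

# Constructed sample inventory (hypothetical addresses and versions).
INVENTORY = [
    {"name": "ws-01",  "type": "workstation", "ip": "10.0.0.11", "fw": None,     "latest": None},
    {"name": "prn-01", "type": "printer",     "ip": "10.0.0.20", "fw": None,     "latest": None},
    {"name": "ups-01", "type": "ups",         "ip": "10.0.0.50", "fw": "2.1.0",  "latest": "2.4.3"},
    {"name": "plc-01", "type": "plc",         "ip": "10.0.0.60", "fw": "4.0.12", "latest": "4.0.12"},
    {"name": "cnc-01", "type": "cnc",         "ip": "10.0.1.5",  "fw": "1.9",    "latest": "1.10"},
]

def classify(asset):
    """Return 'IT' or 'OT'; unknown device types default to OT."""
    return "IT" if asset["type"] in IT_TYPES else "OT"

def parse_version(v):
    """'1.10' -> (1, 10), so that 1.10 correctly sorts after 1.9."""
    return tuple(int(p) for p in v.split("."))

def mixed_subnets(assets, prefix=24):
    """Subnets holding both IT and OT assets, i.e. the flat-network finding."""
    seen = defaultdict(set)
    for a in assets:
        net = ipaddress.ip_network(f"{a['ip']}/{prefix}", strict=False)
        seen[str(net)].add(classify(a))
    return sorted(net for net, envs in seen.items() if envs == {"IT", "OT"})

def firmware_behind(assets):
    """Assets whose installed firmware is older than the latest available."""
    return sorted(a["name"] for a in assets
                  if a["fw"] and a["latest"]
                  and parse_version(a["fw"]) < parse_version(a["latest"]))

def audit(assets=INVENTORY, prefix=24):
    """Collect both findings in one report, keyed by finding name."""
    return {"mixed_subnets": mixed_subnets(assets, prefix),
            "firmware_behind": firmware_behind(assets)}

if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

The subnet prefix is a parameter because a real inventory may need per-site values; the version parser assumes plain dotted numeric strings.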

Conclusion

The infrastructure penetration test on the organisation’s OT environment uncovered high-risk vulnerabilities, not solely because of the opportunities they presented to an attacker but also because of the potential for accidental impact arising from the flat network and lack of appropriate access controls. This was partially mitigated by strong physical security at the site and a trusted workforce.

The discoveries mirrored common trends in OT environments, notably the absence of later firmware updates, especially in engineering settings like this one, where organisations may be running their first generation of CNC machines alongside older manually operated ones that have never needed such updates.

There are essential improvements to be made to bring the security posture of the OT environment to an acceptable level. The recommendations from this assessment should provide a clear path to remediate the issues identified.
