The risks of outdated systems in IoT and industrial environments [Q&A]
With Windows 7 now at its end-of-life, the need to update outdated systems is of the utmost importance. This is especially true for Internet of Things (IoT) and Industrial Control System (ICS) environments, as vulnerabilities in these older systems can lead to attacks that result in costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.
We spoke to Phil Neray, vice president of industrial cybersecurity at CyberX, to find out more about why updating these systems is so imperative and to hear some recommendations about how organizations can go about doing so.
BN: Why are outdated systems like Windows 7 especially concerning in IoT and ICS environments?
PN: Running Windows 7 after its end-of-life means that it will no longer be supported by Microsoft and therefore users won't have access to things like bug fixes for issues that are discovered, security fixes for newly found vulnerabilities, or technical support.
While running outdated systems can open up risk to any organization, it's even more dangerous in IoT and ICS environments, like Operational Technology (OT) sites within a manufacturing plant or utilities provider plant. If systems are compromised, it can lead to costly downtime or loss of data -- and even more serious events that could put human lives at risk. Examples of recent attacks where the results were -- or could have been -- disastrous include the 2015 Ukrainian grid attacks, the 2017 TRITON attack on safety systems in a petrochemical facility, and the 2019 Norsk Hydro attacks caused by the NotPetya ransomware.
BN: How prevalent is this issue? Is there any data available to show how many organizations have outdated systems?
PN: The number of businesses using outdated systems is quite staggering -- especially considering that even the NSA has gotten involved in the conversation, warning against the use of these outdated systems. We recently looked into real-world IoT and ICS environments with CyberX's 2020 Global IoT/ICS Risk report to identify insecure networks and unmanaged devices observed in 1,800+ production networks worldwide and uncovered some alarming findings. According to the report, 62 percent of sites analyzed have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft. The figure rises to 71 percent with Windows 7 included.
BN: Why are most of the major antivirus vendors agreeing to continue support for any products running on Windows 7 until 2022? What benefits will this bring?
PN: While Microsoft is providing Windows 7 security updates through its Extended Security Updates (ESU) program until 2023, it is only available for select businesses and comes with a pretty hefty price tag. That is why the majority of anti-virus vendors have confirmed that their products will continue to run on Windows 7 systems until at least 2022. It will help provide users with security products to protect their systems.
BN: Will this continued support be enough to protect systems in IoT and ICS environments?
PN: Extended anti-virus support will not be enough for long-term defense against cyber threats. Today's security adversaries -- including nation-states, cybercriminals, and hacktivists -- are highly motivated, determined, and capable of causing disruption and destruction. Even with anti-virus systems in place, these adversaries will take advantage of older systems like Windows 7 and try to exploit new bugs as much as they can.
This is because anti-virus systems are just one aspect in a multilayer Defense in Depth strategy. In addition to endpoint security, you also need to implement agentless network security monitoring to identify threats as they traverse through networks. Another added option for endpoint security is application whitelisting.
BN: Do you have any recommendations on how to update systems? What about ways to mitigate the risk if a full upgrade is not possible right away?
PN: It can be challenging to patch IoT and ICS environments due to the fact that OT sites often run 24/7, with limited maintenance windows to perform upgrades. In addition, many of the devices in OT environments are embedded IoT devices -- which means they are completely unmanaged because they're unable to run endpoint security software due to limited CPU and memory resources.
While experts agree that organizations can't fully prevent determined attackers from compromising their networks, there are a number of steps they can take to mitigate this risk:
- Minimize digital pathways into the OT network to reduce the attack surface. For example, all remote VPN access connections should pass through VPN gateways with multi-factor authentication (MFA) enabled. Make sure you're segmenting IT networks from OT networks and don't have a 'Swiss cheese' of ad hoc connections between IT and OT. Finally, minimize direct connections from OT to the internet. In CyberX's 2020 risk report mentioned earlier, they found that nearly 1 in 4 sites had direct connections to the internet, even though many OT personnel still claim that their OT networks are 'air-gapped' from the internet -- a claim that is becoming even less realistic given the massive number of IoT devices such as sensors that are now being connected to OT networks.
- Use a risk-based approach to prioritize mitigation of vulnerable systems. Since you can't patch everything all the time, use automated ICS threat modeling to predict the most likely paths of targeted ICS attacks on your most critical 'crown jewel' assets -- the ones that generate the most revenue in the plant, or the ones that would cause everyone to run out of the plant screaming when things go haywire.
- Gartner predicts that executives will increasingly be held liable if they fail to create safety- and security-first enterprises, especially where cyber-physical systems (CPS) are concerned. If you're unable to patch, implement compensating controls such as OT-aware network security monitoring and behavioral anomaly detection (BAD) -- so you can immediately spot suspicious or unauthorized activity in the OT network before adversaries can shut down or blow up your plants. In the TRITON attack on the safety systems in a petrochemical facility, for example, the adversary was in the OT network for years without being spotted by network defenders.
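The three mitigation steps above (minimizing IT-to-OT and OT-to-internet pathways, prioritizing unsupported hosts by risk, and monitoring the OT network for unauthorized activity) can be turned into a simple, repeatable audit. The Python script below is an added example written for this article; it is not code from the interview or from CyberX. It runs over a constructed asset inventory and a constructed flow log, and the OT and IT address ranges, the VPN gateway address and the criticality scores are all assumptions for the example. It flags OT hosts talking directly to public internet addresses, IT hosts reaching OT devices without going through the VPN gateway, and unsupported Windows hosts ordered by a priority that combines asset criticality with whether the host appeared in a flagged connection.

```python
"""Audit a constructed OT asset inventory and flow log for the risk indicators
discussed in the interview. All addresses, hosts and log lines are constructed
for this example and are not from any real site or report."""
import ipaddress

OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed OT address space
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed IT address space
VPN_GATEWAY = "10.20.0.1"                          # assumed MFA VPN gateway into OT

# OS families named in the interview as no longer receiving regular patches.
UNSUPPORTED_OS = ("windows xp", "windows 2000", "windows 7")

# Constructed asset inventory: IP -> OS string, role, criticality 1 (low) to 5 (high).
ASSETS = {
    "10.20.1.10": {"os": "Windows 7 SP1", "role": "HMI", "criticality": 5},
    "10.20.1.11": {"os": "Windows XP SP3", "role": "engineering workstation", "criticality": 4},
    "10.20.1.20": {"os": "Windows 10", "role": "historian", "criticality": 3},
    "10.20.2.5":  {"os": "embedded", "role": "PLC", "criticality": 2},
}

# Constructed flow log: timestamp src dst proto dport (one flow per line).
FLOW_LOG = """\
2020-01-15T08:00:01 10.20.1.10 10.20.2.5 tcp 502
2020-01-15T08:00:05 10.20.1.11 8.8.8.8 udp 53
2020-01-15T08:01:10 10.10.5.7 10.20.1.10 tcp 3389
2020-01-15T08:02:00 10.10.5.8 10.20.0.1 udp 1194
2020-01-15T08:02:30 10.20.1.20 10.20.1.10 tcp 445
"""


def in_nets(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_flows(text):
    """Parse the whitespace-separated flow format used in FLOW_LOG."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def direct_internet_flows(flows):
    """OT hosts talking straight to public (non-private) addresses."""
    return [f for f in flows
            if in_nets(f["src"], OT_NETS) and ipaddress.ip_address(f["dst"]).is_global]


def it_to_ot_bypass(flows):
    """IT hosts reaching OT devices without passing through the VPN gateway."""
    return [f for f in flows
            if in_nets(f["src"], IT_NETS) and in_nets(f["dst"], OT_NETS)
            and f["dst"] != VPN_GATEWAY]


def unsupported_hosts(assets, flagged_flows):
    """Unsupported Windows hosts, highest priority first. Priority is the
    asset's criticality plus one if it took part in a flagged connection."""
    exposed = {f["src"] for f in flagged_flows} | {f["dst"] for f in flagged_flows}
    found = []
    for ip, asset in assets.items():
        if asset["os"].lower().startswith(UNSUPPORTED_OS):
            priority = asset["criticality"] + (1 if ip in exposed else 0)
            found.append({"ip": ip, "os": asset["os"], "role": asset["role"],
                          "priority": priority})
    return sorted(found, key=lambda h: h["priority"], reverse=True)


def audit(assets, flow_text):
    """Run all three checks and return the findings as one report."""
    flows = parse_flows(flow_text)
    internet = direct_internet_flows(flows)
    bypass = it_to_ot_bypass(flows)
    return {
        "direct_internet": internet,
        "it_to_ot_bypass": bypass,
        "unsupported": unsupported_hosts(assets, internet + bypass),
    }


if __name__ == "__main__":
    report = audit(ASSETS, FLOW_LOG)
    for f in report["direct_internet"]:
        print(f"OT host {f['src']} reached internet address {f['dst']} ({f['proto']}/{f['dport']})")
    for f in report["it_to_ot_bypass"]:
        print(f"IT host {f['src']} reached OT host {f['dst']} bypassing VPN gateway ({f['proto']}/{f['dport']})")
    for h in report["unsupported"]:
        print(f"priority {h['priority']}: {h['ip']} ({h['role']}) runs unsupported {h['os']}")
```

On the constructed data this reports the engineering workstation resolving DNS against a public server, an RDP session from the IT network straight to the HMI, and then the Windows 7 HMI ahead of the Windows XP workstation in the patch queue because it is both more critical and directly exposed. In a real deployment the flow lines would come from a network sensor or firewall export and the inventory from the asset database, with the address ranges and gateway filled in for the site.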