Operational technology (OT) includes supervisory control and data acquisition (SCADA), industrial control systems (ICS), and distributed control systems (DCS). These systems are combined in complex ways, and a failure can have serious consequences, including loss of life. Water plants, power distribution, transportation, and other critical infrastructure rely on these systems to operate efficiently.
The growing number of OT devices in these industries, and in others such as healthcare and life sciences, has made cyber security a priority. According to Gartner, 80% of organizations use OT, while 20% have identified threats related to OT security within the last three years. According to the 2019 Ponemon Cyber Security in Operational Technology Report, 60% of respondents reported OT attacks.
Operational Technology Security Problems
Beyond B2B and B2C applications, APIs are widely used in OT, acting as the glue that carries specific measurements, such as vibration or pressure, between devices and control programs. For example, in an OT scenario a predictive maintenance service, part of a SCADA system running on equipment on the factory floor, can open a secure HTTPS connection to a server to request run-time data. Using the API, the factory tools know exactly how to connect to the server, get the list of available objects, and read and write the values of those objects. The server responds to the planning function with a predicted run time, which drives the next maintenance scheduling step. If the API carrying these messages is abused, data theft and interference with the process may result.
The OT security problem does not really manifest itself on offline or isolated systems, but it does once everything is online. As more and more sites depend on each other as part of the overall production process, the attack surface becomes larger and more interesting. Unfortunately, there is plenty of documentation, publicly available Python libraries, and online tooling to get an attacker up and running quickly.
These systems are not limited to manufacturing; power generation, utilities, transportation, and other industries use similar approaches. At their core they are systems that connect, collect data, make decisions, take action, and allow humans to intervene. Often these systems feed into each other through a SaaS "director", and many such systems can be connected together. Because manufacturing constantly needs tuning, there are many points where a human machine interface (HMI) exists, ranging from a few extra buttons to a system-wide supervisory console.
Any point along the system can be attacked. As with attacks against web applications and APIs, attacking the middle layer between the machine and the human interface is likely to be most effective. When you look at the display, is the tank really still full? What if a product in the middle of a production run is altered so that, when it is finished, something is broken? If the salt dosing on a potato chip line were increased, the whole batch would fail QA. These communications can be intercepted, tampered with, or altered if they are not properly secured.
Using OWASP API Security Top 10 in Operational Technology
When you look at operational technology or other controlled environments built around SCADA systems, communication increasingly runs over standard TCP/IP, relying not on proprietary protocols but on HTTP APIs. Add the rapid connection of old technologies that were never designed with security in mind, and we could be heading for serious problems in these environments. Most of these systems were not built at the same time, and old technology is often stuck in place. As our previous SCADA research has taught us, reuse of legitimate credentials is constant on the factory floor, and many of these systems have a root or admin weakness: the same password is used on every machine installed by the same vendor.
The CQ Prime Threat Research Team recently wrote about the API Security Trinity, in which attackers combined several of the OWASP API Security Top 10 to achieve their malicious goals. In the OT world, the same threats apply.
- Broken User Authentication (OWASP API 2): This weakness allows access to the system or to credentials. In OT, authentication is essential and credentials should not be shared.
- Excessive Data Exposure (OWASP API 3): An API that returns more data than the client needs and relies on the client to filter it; the extra data is harvested by parsing the raw HTTP responses. In the OT world, the assumption was that communications would never be exposed, so masking and encryption were not considered.
- Improper Assets Management (OWASP API 9): Finally, many of the APIs in use are not known to the organization. These are third-party APIs, or SCADA and DCS APIs published outside the documented process with little or no oversight.
These are not the only API weaknesses that are regularly abused, but they are far worse in combination. We also see business logic abuse of APIs that falls outside the OWASP categories, which creates a need to monitor the threat landscape beyond the threats OWASP defines.
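As an added illustration (not code from the original post or from Cequence), the following Python audit applies the three categories above, together with the shadow-API concern, to a gateway access log for a hypothetical predictive-maintenance API; the inventory, endpoint paths, field names and log records are all constructed assumptions.

```python
import json

# Documented API inventory for a hypothetical predictive-maintenance service
# (constructed for this example): path -> the only fields the client needs.
INVENTORY = {
    "/api/v1/assets/runtime": {"asset_id", "runtime_hours", "next_service_at"},
    "/api/v1/assets/setpoint": {"asset_id", "setpoint"},
}

# Constructed gateway access log (JSON lines). "auth" is the Authorization
# header if one was sent, "body" the JSON the service returned.
SAMPLE_LOG = """\
{"method": "GET", "path": "/api/v1/assets/runtime", "auth": "Bearer tok-ok", "body": {"asset_id": "P-17", "runtime_hours": 4210, "next_service_at": "2024-05-01"}}
{"method": "GET", "path": "/api/v1/assets/runtime", "auth": "Bearer tok-ok", "body": {"asset_id": "P-18", "runtime_hours": 390, "next_service_at": "2024-09-12", "plc_admin_password": "<redacted>", "firmware_path": "/opt/plc/fw.bin"}}
{"method": "POST", "path": "/api/v1/assets/setpoint", "auth": null, "body": {"asset_id": "P-17", "setpoint": 72.5}}
{"method": "GET", "path": "/legacy/dcs/export.cgi", "auth": null, "body": {"tags": ["TANK1_LEVEL", "SALT_DOSE"]}}
"""


def audit(log_text, inventory):
    """Return (line_no, owasp_category, detail) for each suspicious record."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = json.loads(line)
        path, body = rec["path"], rec.get("body") or {}
        if path not in inventory:
            # API9: traffic to an endpoint nobody documented (a shadow API).
            findings.append((n, "API9 Improper Assets Management",
                             f"undocumented endpoint {path}"))
            continue
        if not rec.get("auth"):
            # API2: a documented endpoint served a request carrying no credential.
            findings.append((n, "API2 Broken User Authentication",
                             f"unauthenticated {rec['method']} {path} was served"))
        extra = set(body) - inventory[path]
        if extra:
            # API3: the response carried fields the client was never meant to see.
            findings.append((n, "API3 Excessive Data Exposure",
                             f"{path} returned undocumented fields {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for line_no, category, detail in audit(SAMPLE_LOG, INVENTORY):
        print(f"line {line_no}: {category}: {detail}")
```

In practice the inventory comes from the organization's API catalogue and the log from the gateway or HMI in front of the service; the logic is the same.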
Addressing API Security Challenges for Operational Technologies
So, what can be done? The same things that work for web application APIs apply here. Tooling and an understanding of what you have are important. Using HMIs will allow you to see what is going on, collect data, and enable alerts or enforcement when a problem occurs.
If you want to check what the APIs in your OT, SCADA, and ICS environments are doing, tooling will let you see what is happening, what data is exposed, and whether the activity is critical. Having additional data sources, and gateways that traffic does not need to cross, will allow your site to run smoothly.
Shadow APIs need to be exposed before an attacker can exploit them. This includes the APIs that help your OT, SCADA, and ICS run smoothly. Knowing the unknowns among the hundreds of APIs your teams use is important.
We can help. You can find out what APIs are in your OT, SCADA, and ICS environments using API Spyder.
The post API Security in Your Operational Technology (OT) appeared first on Cequence Security.
*** This is a Security Bloggers Network blog from Cequence Security written by Jason Kent. Read the original article at: https://www.cequence.ai/blog/api-security/api-security-in-your-operational-technology-ot/