Why Understanding OT Attacks Is Important

Andrew Ginter

Blind spots webinar Blog Jan 2025

Understanding how cyber attacks on OT targets work is important, and not just for penetration testers. The obvious reason: defenders need to understand how attackers are coming after us in order to design defenses that are effective against those attacks. The less obvious reason: attacks are how we measure the strength of a defensive posture. Comparing two postures, the stronger one is the one that defeats, with a high degree of confidence, attacks that the other does not.

Doing Things the Right Way vs. Doing the Right Things

What I’m saying is that attacks are a way to measure the effectiveness of a security program. This kind of measurement is often called a “metric.” There is a lot of debate about OT security metrics, not least because most “metrics” don’t in fact measure security, they measure process. Common metrics include:

  • How many OT assets we have inventoried re: location, function, version, security update, etc., and how many we estimate are yet un-inventoried,
  • How many unpatched vulnerabilities remain in that inventory,
  • What fraction of the inventory can run any kind of anti-virus and when each of those AV systems was last updated, and
  • What fraction of our systems have offsite backups.

In a real sense, these metrics are all answering the question “Are we doing things the right way?” rather than “Have we done the right things to defeat attacks?”

Nothing is Secure

What does ‘doing the right things to defeat attacks’ mean? Well, the first law of SCADA security is that “Nothing is secure.” The truism is that, given enough time, money, and talent in the hands of our adversaries, any security posture that we invent can be breached. Said another way, no matter how secure we might be, we can always imagine attacks that are so nasty that they will breach our defensive posture and bring about consequences that we need to prevent.

It is these attacks that we need to understand. More specifically, we need to understand the simplest attacks that can breach our current defensive posture and bring about unacceptable consequences. These attacks may be very complex, but no defensive posture is perfect, and so there are always attacks that can still get in.

Figuring out what these attacks are, though, is not easy – but it is doable. To figure out what the simplest attacks that remain as residual risk are, we need a lot of knowledge in the room. We need experts on attacks (pen testers), we need experts on how our automation is set up (automation engineers), we need experts on the defenses we have already deployed and how effective each is against different kinds of attacks (enterprise security), and many more.

Credible Threat & Design-Basis Threat

Those attacks and risks that (always) remain define our “design-basis threat.” This is a term from physical security that describes the most capable threat a defensive posture is designed to defeat with a high degree of confidence.

For example, a nuclear reactor’s containment dome might be required / designed to withstand two successive direct impacts by large passenger jets fully loaded with fuel, without a radiological release. But not three such impacts. We can use the same concept for our cyber defenses – what are the most capable, most consequential attacks that we defeat without suffering unacceptable losses?

Having defined our current design-basis threat in terms of the attacks we do and do not defeat, we must then ask: do any of the left-over attacks that we do not defeat constitute credible threats? What does that mean?

Well, imagine a small rural water utility. Thirty employees, most of whom spend most of their days with trucks and backhoes digging holes in the ground. Is it possible for a nation-state – say the Russians – to plant a sleeper cell of three cybersecurity gurus in the workforce of the small water utility? And activate the cell four years from now to trigger a catastrophic insider cyber attack on the water utility?

Well yes, it’s possible. The exercise might cost as much as five or six million dollars to pull off, and yes, Russian intelligence agencies or their army do have that much money. Is such an attack reasonable though? Why would the Russians or anyone else bother with such a sophisticated, costly attack on such an inconsequential utility in the middle of nowhere? The threat does not seem credible – it does not seem reasonable to believe that such an attack will ever occur.

What about the same hypothetical attack on the city of Washington, D.C.? Well, that’s another matter. Such an attack on the American capital might well be considered a credible / believable threat.

So, having determined our current design-basis threat level, we can then ask: “Which attacks lie ‘above’ the DBT line (i.e. are not defeated with a high degree of confidence), and are any of those attacks credible threats?”

Attack Trends

Attack tools become more sophisticated every year. OT attack tools are increasingly able to bring about truly unacceptable consequences, even if these tools have to date, at least in public reports, not yet brought about such consequences. The capability is there. Increasingly capable attacks are becoming increasingly credible.

When we study the attacks, consequences, and risks that remain in our defensive postures, more and more of us are finding that there are credible threats that are not covered by our DBT – by our current security program. When we discover these, we need to decide: are we going to spend the money and effort to make our defensive programs more capable? Or will we change nothing and simply accept the risk of these new, credible threats? If the latter, who’s going to sign off on this risk that the business is accepting? Generally, someone with budget authority needs to sign off – it is their decision not to spend the money to address the risk.
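The triage described in the design-basis threat section and the decision step above can be written down as a small model. The following Python is an added example, not code from the original post or from the author; the attack catalogue, sites, actors, dollar figures and the 0.95 “high confidence” threshold are all constructed assumptions. It sorts a catalogue of attack scenarios into those inside the DBT (defeated with high confidence), the residual risk above the line (not defeated, with unacceptable consequences, simplest first), and the subset of that residual risk that is credible for a given site, using the post's reasoning that an adversary must both be able to afford an attack and find the target worth the cost.

```python
from dataclasses import dataclass

# Assumed threshold for "defeated with a high degree of confidence".
HIGH_CONFIDENCE = 0.95


@dataclass(frozen=True)
class Attack:
    name: str
    attacker_cost_usd: float     # rough cost for an adversary to carry out the attack
    unacceptable: bool           # would success bring about a consequence we must prevent?
    defeat_confidence: float     # estimated probability the current posture stops it


@dataclass(frozen=True)
class ThreatActor:
    name: str
    budget_usd: float            # what the actor can plausibly spend on one operation


@dataclass(frozen=True)
class Site:
    name: str
    value_to_adversary_usd: float  # what success here is worth to an adversary


def within_dbt(attacks, threshold=HIGH_CONFIDENCE):
    """Attacks the current posture defeats with high confidence: the design-basis threat."""
    return [a for a in attacks if a.defeat_confidence >= threshold]


def residual_risk(attacks, threshold=HIGH_CONFIDENCE):
    """Attacks above the DBT line whose success would be unacceptable, simplest (cheapest) first."""
    above = [a for a in attacks if a.defeat_confidence < threshold and a.unacceptable]
    return sorted(above, key=lambda a: a.attacker_cost_usd)


def is_credible(attack, actor, site):
    """A pairing is credible when the actor can afford the attack AND the target is
    worth at least that much to them (nobody spends $5M to hit a $100K prize)."""
    return (actor.budget_usd >= attack.attacker_cost_usd
            and site.value_to_adversary_usd >= attack.attacker_cost_usd)


def credible_residual(attacks, actors, site, threshold=HIGH_CONFIDENCE):
    """Residual attacks at least one actor would plausibly mount against this site.
    Each entry needs either a funded mitigation or a signed risk acceptance."""
    out = []
    for a in residual_risk(attacks, threshold):
        who = [t.name for t in actors if is_credible(a, t, site)]
        if who:
            out.append((a.name, who))
    return out


# Constructed sample catalogue; the numbers are illustrative guesses, not measurements.
ATTACKS = [
    Attack("IT-to-OT malware via phishing", 50_000, True, 0.97),
    Attack("stolen remote-access credentials", 60_000, True, 0.80),
    Attack("planted insider cell", 5_500_000, True, 0.30),
    Attack("opportunistic web-portal defacement", 5_000, False, 0.60),
]
ACTORS = [ThreatActor("criminal group", 500_000), ThreatActor("nation-state", 100_000_000)]
RURAL = Site("small rural water utility", 100_000)
CAPITAL = Site("capital-city water system", 50_000_000)


def triage_report(site, attacks=ATTACKS, actors=ACTORS):
    """Human-readable summary of the three buckets for one site."""
    lines = [f"Site: {site.name}"]
    lines += [f"  inside DBT: {a.name}" for a in within_dbt(attacks)]
    lines += [f"  residual (not defeated): {a.name}" for a in residual_risk(attacks)]
    for name, who in credible_residual(attacks, actors, site):
        lines.append(f"  CREDIBLE residual: {name} <- {', '.join(who)} (fund mitigation or sign off)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(RURAL))
    print(triage_report(CAPITAL))
```

With these constructed numbers the insider-cell scenario stays non-credible for the rural utility (no adversary would spend $5.5M on a $100K target) but becomes credible for the capital-city system, which mirrors the post's argument; the portal defacement sits above the DBT line yet never appears as residual risk because its consequence was judged acceptable.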

Understanding Attacks

We can debate whether threats are credible and whether we should spend money and effort addressing credible residual risks, but to debate any of that, we must first understand the attacks.

To dig deeper into the evolving space of OT cyber attacks, and the rationale above, please join my webinar, From Blind Spots to Action: OT Threats Exposed, at 12 PM New York Time on Jan 22.

About the author
Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.