The integration of IT and OT networks has brought significant benefits to industrial processes, including increased efficiency, real-time data access, and improved decision-making. However, this integration also brings serious security challenges that could threaten equipment availability and the integrity of factory data. Manufacturers rely on data to make critical business decisions, and if that data is compromised, the result can be production delays, equipment failures, and even safety hazards.

This blog post reviews and analyzes a potential cyber attack on a production factory and demonstrates how it could be detected using GREYCORTEX Mendel. It serves as an example of how network detection and response solutions can effectively protect against massive cyber attacks.

Traditional security approaches, such as air-gapping or DMZ, are no longer effective in protecting OT networks. Existing security solutions attempt to close the gap between IT and OT infrastructures, but this is highly problematic to achieve. Industrial equipment is more outdated, as its lifecycle (which, in some cases, can be 20 years or more) is much longer than that of IT devices. Furthermore, IT professionals are responsible for network security in both IT and OT, whereas OT professionals are more concerned with maintaining smooth operations and data integrity than with cybersecurity. Lastly, IT and OT professionals have difficulty communicating and understanding each other due to the use of different terminologies, technologies, and educational orientations.

About the Factory

For this scenario, we will imagine that GREYCORTEX Mendel has been installed in a bakery consisting of three separate locations: the main office building, the storage and production building, and the packaging and logistics building. Although separate, the IT and OT networks of these locations are interconnected.

Attack Description

The cyber attack took place over the weekend. The attackers, who may have been amateurs, cybercriminals, or hackers hired by a competitor, were able to connect to a device that had an outdated operating system on the private office network via public Wi-Fi. Using the infected device, they launched a network scan and discovered production machines in remote facilities. The attackers gained control over the oven and packing line and made changes to their configuration.

Detection in GREYCORTEX Mendel

The first thing that IT or OT specialists would see in GREYCORTEX Mendel is a representation of the industry standard MITRE ATT&CK® Security Framework. It is a dashboard designed to be a connection point for IT and OT specialists as it uses terminology that is understandable for both sides. Here, they can detect security alerts concerning industrial equipment.

By going to the event section in Mendel, the analysts can filter all events related to the OT network and this cyberattack. Here, they detect that the attackers were able to infiltrate the internal network and, upon scanning, discover both IT and OT infrastructures. The cybercriminals found devices that were open and could be used to initiate a connection.

Security Alert: Temperature Change in the Oven

The attackers tested their ability to make changes to the machine settings. They connected to a device controlling the oven and altered the temperature.

Continuing the incident investigation, the analysts observe that Mendel detected the change in the oven temperature. Upon analyzing this event, they discover that there was a connection from the engineering workstation in the IT network to a machine in the Storage and Preparation network over the MODBUS protocol. In the application layer, they detect that the attackers set a high temperature, which could result in the cookies coming out burnt.

Security Alert: Change in Packaging Settings

Similar to the oven, the attackers in this example attempted to connect to the packaging line and change its configuration.

Mendel also detected that the cybercriminals changed the default number of pieces per package. They connected to a system within the Packaging and Logistics network via the MODBUS protocol, and upon analyzing the application layer, it was discovered that only eight pieces would be placed in one box instead of the usual ten.

Mendel alerted the analysts to these changes because the default values were set to 200 degrees Celsius for the oven and ten pieces for a single package. Thus, Mendel is capable of detecting any changes that occur in the OT network.
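The check described above, reading the MODBUS application layer and comparing written values against known defaults, can be sketched as follows. This is an added example and not GREYCORTEX Mendel's code; the unit ids, register addresses, IP addresses and the 260 degree value are constructed assumptions, and it handles only Modbus/TCP Write Single Register requests.

```python
import struct

# Baseline of expected values. 200 and 10 are the defaults stated in the post;
# the unit ids and register addresses are hypothetical.
BASELINE = {
    (1, 100): ("oven temperature (deg C)", 200),
    (2, 40): ("pieces per package", 10),
}
WRITE_SINGLE_REGISTER = 0x06

def parse_write(frame: bytes):
    """Return (unit, address, value) for a Write Single Register request, else None."""
    if len(frame) < 12:  # MBAP header (7) + function (1) + address (2) + value (2)
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # not Modbus/TCP, or the MBAP length field is inconsistent
    func, addr, value = struct.unpack(">BHH", frame[7:12])
    if func != WRITE_SINGLE_REGISTER:
        return None  # reads and other function codes are out of scope here
    return unit, addr, value

def detect(flows):
    """flows: iterable of (src_ip, dst_ip, frame). Returns alerts for off-baseline writes."""
    alerts = []
    for src, dst, raw in flows:
        parsed = parse_write(raw)
        if parsed is None:
            continue
        unit, addr, value = parsed
        known = BASELINE.get((unit, addr))
        if known is None:
            alerts.append(f"{src} -> {dst}: write to unmonitored register {addr} (unit {unit})")
        elif value != known[1]:
            alerts.append(f"{src} -> {dst}: {known[0]} set to {value}, baseline {known[1]}")
    return alerts

def build_frame(tid, unit, func, addr, value):
    """Build a 12-byte Modbus/TCP request, used only to construct the sample input."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, addr, value)

# Constructed sample traffic: engineering workstation to two controllers.
SAMPLE = [
    ("10.0.1.20", "10.0.2.5", build_frame(1, 1, 0x03, 100, 1)),    # read, ignored
    ("10.0.1.20", "10.0.2.5", build_frame(2, 1, 0x06, 100, 200)),  # write of the default
    ("10.0.1.20", "10.0.2.5", build_frame(3, 1, 0x06, 100, 260)),  # oven setpoint raised
    ("10.0.1.20", "10.0.3.7", build_frame(4, 2, 0x06, 40, 8)),     # eight pieces, not ten
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```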

Empower Your IT and OT Security

Industrial networks need to operate continuously without unscheduled interruption, making security a secondary concern. However, failing to secure industrial networks can lead to devastating consequences, including production downtime, equipment damage, and even physical harm. The reason why cyber attacks can happen in the first place is that OT protocols are not designed with security in mind, making them vulnerable to cyberattacks.

We have described just two examples of what potential attackers could do, but they could take multiple actions, such as infiltrating the system and testing their abilities to make minor changes in the configuration. Such changes may be unnoticeable for analysts and OT professionals. The attackers could then wait until the right moment, such as the launch of a new product, to cause significant damage.

Thanks to the ICS module, the advanced industrial intrusion detection system (IDS), GREYCORTEX Mendel is able to detect such an attack. Mendel alerts manufacturers to potential security threats in the early stages, providing valuable time to prevent attacks. To narrow the gap between IT and OT worlds, the detection dashboard based on the MITRE ATT&CK® framework was created, which uses unified terminology understandable for both IT and OT professionals.