The Inadequacy of Isolation for OT Network Safety

The fuel-supply disruption that produced long lines at gas stations across the American Southeast in May 2021 served as a critical alert for operators of critical infrastructure. It began when Colonial Pipeline, which runs the largest pipeline network in the United States, halted operations after a ransomware attack by the DarkSide group. The company faced a $4.4 million ransom demand, which it ultimately paid to regain access to its systems.
The Colonial Pipeline stretches 5,500 miles from Texas to New Jersey. Its operations were significantly disrupted after the attackers gained entry through a legacy VPN account that lacked multifactor authentication. The attackers did not reach the operational technology environment; instead, company executives proactively took certain systems out of service to contain the threat. Even so, the incident highlighted a growing concern: security approaches that rely on isolation can no longer effectively safeguard operational technology environments.
True isolation of OT environments from corporate networks is exceedingly rare. While OT systems may be secured by firewalls and designated zones, they remain interconnected with business IT platforms for tasks like billing and logistics. This interconnectedness, while enhancing operational agility, simultaneously amplifies security risks. Experts note that real-time, contextual threat intelligence has become indispensable for safeguarding OT platforms. Such intelligence facilitates prompt threat detection, precise response strategies, and collaborative action between IT and OT teams.
Derek Manky, chief security strategist at Fortinet’s FortiGuard Labs, emphasized the importance of real-time threat intelligence in preempting cyber threats before they disrupt industrial activities. Manky referenced a case where an energy provider effectively thwarted a ransomware attack aimed at its industrial control systems by employing real-time intelligence to identify unusual reconnaissance actions associated with known attack patterns. Their security team successfully blocked malicious IPs and enforced stricter access controls, neutralizing the threat before it escalated.
Another insight came from Prateek Singh, leading OT cybersecurity services at Eaton, who described a scenario in a manufacturing setting where real-time intelligence detected abnormal traffic between a human-machine interface and programmable logic controller. This identification, linking the activity to known malware, allowed the Security Operations Center to isolate affected devices and perform threat-hunting measures, averting a potential production halt.
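As an added example, not code from the article or from any vendor quoted in it, the following Python detector implements the kind of check described above: it compares HMI-to-PLC Modbus flows against an engineering baseline and against a threat-intelligence indicator, flagging deviations for the SOC. All hosts, flow records and the indicator are constructed placeholders.

```python
# Added example (not from the article or any vendor quoted in it): baseline
# the expected HMI -> PLC Modbus traffic and flag flows that deviate from it
# or match a threat-intel indicator. All hosts and records are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed engineering baseline: which HMI may talk to which PLC and with
# which Modbus function codes (3 = Read Holding Registers, 16 = Write Multiple Registers).
BASELINE = {
    ("10.20.1.10", "10.20.2.7"): {3, 16},  # HMI-01 -> PLC-07, read and write
    ("10.20.1.11", "10.20.2.8"): {3},      # HMI-02 -> PLC-08, read only
}
PLC_HOSTS = {dst for (_, dst) in BASELINE}
# Constructed threat-intel feed: a placeholder IP associated with known malware.
KNOWN_BAD = {"203.0.113.44"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: Optional[int]  # Modbus function code; None for non-Modbus flows

def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow is abnormal; an empty list means it fits the baseline."""
    reasons = []
    if flow.src in KNOWN_BAD or flow.dst in KNOWN_BAD:
        reasons.append("matches threat-intel indicator")
    if flow.dst in PLC_HOSTS and flow.dport == 502:
        allowed = BASELINE.get((flow.src, flow.dst))
        if allowed is None:
            reasons.append("unexpected source talking Modbus to PLC")
        elif flow.func not in allowed:
            reasons.append(f"function code {flow.func} outside baseline")
    return reasons

def detect(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Run classify() over a batch of flows and keep only those with findings."""
    return [(f, r) for f in flows if (r := classify(f))]

# Constructed sample: two normal polls, a read-only HMI issuing a write, a
# workstation that should never touch the PLC, and an HMI beaconing outward.
SAMPLE = [
    Flow("10.20.1.10", "10.20.2.7", 502, 3),
    Flow("10.20.1.10", "10.20.2.7", 502, 16),
    Flow("10.20.1.11", "10.20.2.8", 502, 16),
    Flow("10.20.5.23", "10.20.2.7", 502, 16),
    Flow("10.20.1.10", "203.0.113.44", 443, None),
]
```

Running `detect(SAMPLE)` returns the last three flows with their reasons; the two baseline polls produce no findings, which is the signal the SOC would use to isolate the offending hosts rather than the whole cell.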
Jan Miller, CTO of threat analysis at Opswat, stressed that the relevance of real-time intelligence needs to resonate across the IT-OT divide. “It is not enough to aggregate data; it must be actionable for both IT and OT personnel,” he stated, advocating for the translation of technical findings into operational terms intelligible to engineers, enhancing the ability to respond without incurring downtime.
Experts suggest that threat intelligence should not only focus on preemptive measures but also support active incident response strategies. Grant Geyer, chief strategy officer at Claroty, highlighted the dual role of threat intelligence in providing early warnings and determining impact severity during an incident. Tailored intelligence specific to an organization enhances the speed and effectiveness of the response, as a one-size-fits-all approach is inadequate for OT environments.
As the digital landscape evolves, the necessity for integrating threat intelligence without disrupting ongoing operations presents a considerable challenge. Manky suggests organizations implement unified threat platforms that collate data across IT and OT sectors, enforce zero-trust access policies, and conduct joint security drills to promote team synergy. Furthermore, Miller advocates for a layered integration approach employing secure data transmission methods such as unidirectional data diodes and advanced content sanitization techniques to ensure operational integrity while utilizing threat intelligence effectively.
The Escalating Threat from Nation-State Actors
Approximately 18 months after Colonial Pipeline’s operational suspension, the European Union Agency for Cybersecurity issued a grave warning regarding the targeting of critical infrastructure by nation-state hacking groups. Reports indicate an increasing number of state-sponsored threats directed at operational technology systems, particularly from a group linked to China called Voltzite.
Advanced persistent threats often exploit unpatched, internet-facing OT and IoT devices to penetrate production environments, reflecting long-term strategic objectives potentially backed by state-sponsored actors. Cybersecurity analysts have documented a notable uptick in attacks within the energy sector, showcasing a range of tactics from the targeted disruption of programmable logic controllers to widespread ransomware incidents.
As the convergence of IT and OT systems becomes more pronounced, the expansion of the attack surface is anticipated to be significant. Geyer warns that without proactive segmentation of OT assets and environments, operational disruptions may occur more frequently. He advises organizations to adopt a dynamic view of threat intelligence, emphasizing the crucial nature of timely and effective responses in OT scenarios.