{"id":36516,"date":"2022-05-31T06:00:00","date_gmt":"2022-05-31T06:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36516"},"modified":"2022-05-31T06:00:00","modified_gmt":"2022-05-31T06:00:00","slug":"industrial-systems-not-safe-for-the-future-say-dutch-ethical-hackers","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36516","title":{"rendered":"Industrial systems not safe for the future, say Dutch ethical hackers"},"content":{"rendered":"
<\/div>\n

The strict separation between IT and operational technology (OT) networks in industrial environments is not sustainable for the future, according to two Dutch ethical hackers. <\/span> <\/span><\/p>\n

Daan Keuper<\/span><\/a> and <\/span>Thijs Alkemade<\/span><\/a> recently won the international hacker contest because of the serious vulnerabilities they found in various systems used in industrial environments.<\/span> <\/span><\/p>\n

The theme of this year\u2019s <\/span>Pwn2Own international hacker<\/span><\/a> contest in Miami was industrial control systems. Due to the increasing digitisation in the manufacturing industry, hackers were invited to search for vulnerabilities in various categories of industrial software and systems. <\/span> <\/span><\/p>\n

Alkemade and Keuper jointly run the Sector 7 research department at Dutch consultancy firm Computest, where they dive into the security of the digital world with a focus on vulnerabilities with social impact. \u201cWe noticed that in the daily operation of Computest, there is not always enough time and priority for researching vulnerabilities that make a social difference,\u201d said Keuper. \u201cThat is why we set up our own department where we can do this, without deadlines from customers and our own research agenda.\u201d  <\/span><\/span><\/p>\n

Alkemade and Keuper also won last year\u2019s hacker competition, with the vulnerabilities they found in teleconferencing platform Zoom. \u201cFor our research, we look at current developments in the world and the Netherlands alike,\u201d said Keuper. \u201cWhen everyone suddenly started working with Zoom during the lockdowns, we researched the security of that programme.\u201d <\/span><\/p>\n

They also critically checked the <\/span>Coronacheck app<\/span><\/a>, which Dutch people use to turn their vaccination and recovery certificate into a QR code for a national or international entry ticket. <\/span> <\/span><\/p>\n

\u201cWe had also wanted to work with industrial systems for some time,\u201d said Keuper. \u201cWe get fairly regular requests from customers to test their factory floors. But with OT systems, availability is top priority. The moment we mentioned that we, as ethical hackers, would be sending suspicious traffic to their systems that could result in systems failing, the conversations with customers immediately came to a halt, because downtime is unacceptable for the manufacturing industry. That makes it difficult to actually look at the security of those environments.\u201d<\/span> <\/span><\/p>\n

The competition in Miami was a welcome opportunity for Keuper and Alkemade to delve into the vulnerability of industrial automation without a client assignment \u2013 and they found five vulnerabilities. Alkemade said: \u201cI can\u2019t go into details yet, because not all of them have been solved by the supplier. But they were vulnerabilities in applications that are used to manage systems or to control communication. Not in the machines on the factory floor themselves, more the rights control system on top.\u201d  <\/span>
<\/span><\/p>\n

Keuper added: \u201cWe see manufacturing companies doing everything they can to keep attackers off the OT network. There is a strict separation between the OT network and the IT network in almost all industrial organisations, but with the knowledge we have gained, I think this model is not sustainable into the future.\u201d  <\/span>
<\/span><\/p>\n

\n

<\/i>Everything will be connected <\/h3>\n

The industrial sector is getting smarter \u2013 the fourth industrial revolution is digital. Virtually all machines and equipment are connected to the internet, or will be in the near future. Connectivity is key, and that\u2019s not surprising, because it is much cheaper to control 30 bridges from one central location than it is to employ 30 bridge operators. <\/span><\/p>\n

\u201cThis increasing connectivity means that people also look for more analysis and insight,\u201d said Keuper. \u201cThis inevitably means that IT and OT are becoming increasingly intertwined. This requires a new strategy for your security.\u201d <\/span><\/p>\n

Many of the machines and other equipment that are used in factories are old or outdated and were never designed to be connected to the internet or to cope with current security measures. The primary security is therefore on the IT network and this network forms an additional buffer for the OT network in most industrial environments. <\/span> <\/span><\/p>\n

\u201cWe see that many industrial companies have shielded their IT network very well,\u201d said Alkemade. \u201cThe vulnerabilities that we have found are therefore not easy to abuse. You really have to gain access to the network first, and that is often not easy. But if you do, these vulnerabilities make it relatively easy to take over machines, modify processes or bring the whole thing to a standstill \u2013 with far-reaching consequences.\u201d  <\/span><\/p>\n

The current strategy of separated IT and OT networks is therefore not future-proof, said Keuper. \u201cIt\u2019s like having an old castle, with a city wall, gates and a moat to make sure no attackers can get to your castle. That works really well if you only have one or two drawbridges, because you can guard them well. But in today\u2019s digital networks, you have like a thousand drawbridges. That\u2019s impossible to monitor or secure.\u201d  <\/span>
<\/span><\/p>\n

Where security of the OT and IT networks is now mostly in the hands of different people, Keuper advocates bringing this together. \u201cIf you want to make a difference, you have to work together,\u201d he said. \u201cIT and OT security are still two very different worlds. When I meet someone at an IT security conference and ask whether they will be visiting an upcoming OT security conference, the answer is almost always no. <\/span><\/p>\n

\u201cMost of the time, the security of the IT network is one person\u2019s responsibility while the OT security is another person\u2019s. They probably do talk to each other, but they have very different interests. In order to actually raise the security of an industrial environment to a higher level, it is necessary that those two people become responsible for the whole network together, rather than each advocating their own piece.\u201d<\/span>
<\/span><\/p>\n<\/section>\n

\n

<\/i>Challenge for the future <\/h3>\n

This is not specifically a Dutch problem, said the ethical hackers \u2013 industrial organisations all over the world are struggling with it. \u201cA culture change is needed to bring IT and OT together,\u201d said Keuper. \u201cIt\u2019s such a complex problem, it\u2019s not easy and quick to solve. The interests are very different. Whereas for OT it\u2019s all about availability, for IT, confidentiality and integrity are of the utmost importance.\u201d  <\/span>
<\/span><\/p>\n

Alkemade added: \u201cI think this challenge can only be completely solved in new installations. When you build a factory from scratch, you can weave IT and OT into your infrastructure and set up the network on the assumption that everything will be connected to the internet.\u201d <\/span><\/p>\n

For existing factories and other industrial environments, this is a lot trickier, because changes directly impact availability. Alkemade and Keuper hope to have demonstrated their expertise in this field and are keen to help industrial organisations make networks and installations more secure. <\/span><\/p>\n

\u201cWe have shown that industrial applications are very vulnerable, but the vulnerabilities we found were low-hanging fruit,\u201d they added. \u201cThey were rather easy to find and abuse. So there is still a world to be won there.\u201d<\/span>
<\/span><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"

The strict separation between IT and operational technology (OT) networks in industrial environments is not sustainable for the future, according to two Dutch ethical hackers.   Daan Keuper and Thijs Alkemade recently won the international hacker contest because of the serious vulnerabilities they found in various systems used in industrial environments.  The theme of this year\u2019s […]<\/p>\n","protected":false},"author":1,"featured_media":36517,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36516","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36516"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36516\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36517"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}