What impact does the Log4j vulnerability have on operational technology (OT) networks?


Andrew Ginter, vice president of industry security at Waterfall Security Solutions, a cybersecurity technology company, recently pointed out that operational technology (OT) networks are currently facing risks posed by the Apache Log4j (CVE-2021-44228) vulnerability.

The vulnerability affects millions of web servers worldwide, allowing cyber attackers to inject arbitrary code into vulnerable Java applications on the Internet. This flaw is being widely exploited by cyber attackers. This is the main reason why security teams around the world are scrambling to identify which web applications may have Log4j vulnerabilities and then working to rebuild or upgrade these systems.

Companies whose OT applications control pipelines, power systems or rail networks, and that connect those applications to the Internet, typically have cybersecurity expertise. So why are so many OT companies so concerned about the Log4j vulnerability?

Industrial Internet

Some critical infrastructure operators and manufacturers connect their production facilities to the Industrial Internet, usually over encrypted connections to web services and cloud services. These connections pass through or bypass the six layers of firewalls deployed between the Internet and most automation systems. That is the problem, even when these companies have completed all of their supply chain due diligence.

Enterprises usually trust their software and cloud computing service providers. But even if they trust these providers, should they trust their websites? Web services on supplier websites can be compromised. And industrial Internet devices in OT networks are already connected to these risky cloud services.

Worse still, once sophisticated ransomware groups or other cyber attackers have compromised an industrial supplier's web services, it will be difficult for those enterprises to discover or clean up the Log4j vulnerability, while the attackers remain embedded in the cloud services to which the OT network is connected.

Once these attackers have had time to study how OT systems trust these cloud services and how that trust can be exploited, they will be able to use the cloud services to push their attacks deep into the industrial infrastructure. Such an attack could compromise thousands of industrial sites simultaneously.

Cloud-based OT ransomware

Waterfall Security Solutions predicted OT supply chain and cloud-based attacks in its OT/ICS ransomware supply chain report. Unfortunately, recent cybersecurity incidents have proven these predictions true. The ransomware incidents at Colonial Pipeline and meat packer JBS showed that critical infrastructure service providers that have been shut down or damaged by ransomware are more likely to pay ransoms of millions of dollars. This makes critical infrastructure more likely to be targeted by ransomware attackers in the future.

The security breach at remote IT management software vendor Kaseya clearly demonstrated the ability of ransomware groups to exploit vulnerable cloud computing infrastructure to launch attacks against thousands of targets simultaneously. Compromised cloud services from industrial vendors pose a huge threat to industrial operations around the world, hence the concern about the Log4j vulnerability.

Securing OT Networks

The instinct of most security practitioners is to apply the security tools and techniques traditionally used to protect IT networks from ransomware to OT networks, but this does not work. Why not? Because addressing ransomware on IT networks rests on the National Institute of Standards and Technology (NIST) Cybersecurity Framework pillars of "detect, respond, and recover": identify the affected machines, isolate them, wipe them, restore them from backup, and repeat.

The problem with this approach in OT networks is that cyberattacks and uncontrolled shutdowns can cause physical danger and damage. For example, a turbine weighing hundreds of tons runs at 1,200 rpm in a power plant; a six-story catalytic cracking unit in a refinery is filled with high-temperature, high-pressure hydrocarbons. If these production facilities are destroyed, the consequences are disastrous. Even an escalator in a large building that stops suddenly can injure the people riding it. A major problem with relying on "detect, respond and recover" measures is that lost lives, damaged equipment and lost production cannot be restored from backups. OT networks usually have incident response capabilities, but these capabilities only reduce the consequences of cyberattacks and vulnerabilities to a certain extent; preventing vulnerabilities and cyberattacks is the primary task of OT networks.

To this end, the OT security solution that industrial sites apply to this problem is a unidirectional gateway. A unidirectional gateway consists of hardware that can physically push information in only one direction: from the critical OT network out to the Internet. The gateway is deployed between the Internet and the Industrial Internet devices of the vulnerable OT network. The gateway is effective because all ransomware and other cyber-sabotage attacks are information; that is what "cyber" means.

Therefore, because the gateway can physically push information only outward to an industrial supplier's cloud service on the Internet and cannot carry any information back, a compromised cloud service no longer poses a threat to safe or secure industrial operations.

Such vulnerabilities may still pose a threat to efficient operations, as industrial sites use industrial cloud services to improve efficiency. However, a temporary reduction in efficiency is usually a tolerable risk, while threats to employee safety, public safety, and environmental safety are usually unacceptable.
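The following is an added example, not code from the article or from Waterfall Security Solutions, that models the unidirectional gateway described above in software. A real gateway enforces one-way flow in hardware; here `OneWayLink` models that property so its consequences can be exercised: no acknowledgement can ever flow back, so the OT-side sender has to rely on checksums and redundant transmission, and nothing the Internet side does to its replica can change OT-side state. The tag names, values, whitelist and loss pattern are constructed for the example.

```python
"""Software model of a unidirectional gateway replicating an OT historian to an
Internet-facing replica. Added example; not the article's or any vendor's code.
Tag names, values, the export whitelist and the loss pattern are constructed."""
import json
import zlib
from typing import Dict, List, Optional, Set


class OneWayLink:
    """The physical link: frames enter from the OT side and leave toward the
    Internet side. There is deliberately no call for the reverse direction.
    drop/corrupt index the frames (1-based) that the link loses or damages."""

    def __init__(self, drop: Optional[Set[int]] = None, corrupt: Optional[Set[int]] = None):
        self._frames: List[bytes] = []
        self._drop, self._corrupt, self._count = drop or set(), corrupt or set(), 0

    def transmit(self, frame: bytes) -> None:  # used only by the OT-side agent
        self._count += 1
        if self._count in self._drop:
            return
        if self._count in self._corrupt:  # flip one bit in the trailing CRC field
            frame = frame[:-1] + bytes([frame[-1] ^ 0x01])
        self._frames.append(frame)

    def drain(self) -> List[bytes]:  # used only by the Internet-side agent
        out, self._frames = self._frames, []
        return out


class TxAgent:
    """OT-side sender. Only whitelisted tags are exported; each update is framed
    as JSON + CRC32 and sent REDUNDANCY times, since no retransmit request can
    ever arrive from the far side."""
    REDUNDANCY = 2
    ALLOWED_TAGS = {"turbine.rpm", "turbine.vibration"}  # constructed whitelist

    def __init__(self, historian: Dict[str, float], link: OneWayLink):
        self.historian, self.link, self.seq = historian, link, 0

    def publish(self, tag: str) -> bool:
        if tag not in self.ALLOWED_TAGS:
            return False
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "tag": tag, "value": self.historian[tag]},
                             sort_keys=True).encode()
        frame = payload + b"|" + f"{zlib.crc32(payload):08x}".encode()
        for _ in range(self.REDUNDANCY):
            self.link.transmit(frame)
        return True


class RxAgent:
    """Internet-side receiver: verifies the CRC, de-duplicates by sequence number
    and maintains the replica that cloud services read."""

    def __init__(self, link: OneWayLink):
        self.link, self.replica, self.seen, self.rejected = link, {}, set(), 0

    def sync(self) -> int:
        applied = 0
        for frame in self.link.drain():
            payload, _, crc = frame.rpartition(b"|")
            if f"{zlib.crc32(payload):08x}".encode() != crc:
                self.rejected += 1  # damaged on the link; no way to ask for a resend
                continue
            rec = json.loads(payload)
            if rec["seq"] in self.seen:
                continue  # redundant copy already applied
            self.seen.add(rec["seq"])
            self.replica[rec["tag"]] = rec["value"]
            applied += 1
        return applied


def demo() -> dict:
    """Replicate across a lossy link, then let a 'compromised' cloud side tamper
    with the replica and confirm the OT historian is untouched."""
    historian = {"turbine.rpm": 1200.0, "turbine.vibration": 0.31, "safety.trip_setpoint": 1350.0}
    link = OneWayLink(drop={1}, corrupt={3})  # lose 1st copy of rpm, damage 1st copy of vibration
    tx, rx = TxAgent(historian, link), RxAgent(link)
    exported = [tx.publish(t) for t in ("turbine.rpm", "turbine.vibration", "safety.trip_setpoint")]
    applied = rx.sync()
    replica = dict(rx.replica)
    rx.replica["turbine.rpm"] = 0.0  # cloud-side tampering: the only state it can reach
    return {"exported": exported, "applied": applied, "rejected": rx.rejected,
            "replica": replica, "ot_rpm": historian["turbine.rpm"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is the cost that the article calls a tolerable efficiency risk: with no return channel the sender cannot learn about a lost or damaged frame, so real gateways compensate with redundancy, forward error correction or periodic full re-syncs, and the replica may briefly lag the OT side. The whitelist on the sending side is the other half of the control: the gateway only exports what is explicitly cleared, so a compromised cloud service learns nothing about tags such as safety setpoints.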

How to deal with Log4j vulnerabilities

The bottom line is that the Log4j vulnerability is a huge problem. Cloud service providers (especially industrial cloud service providers) need to carefully examine the cloud computing and Internet-facing systems that have been exposed to the vulnerability. All of these systems, and anything connected to them, may harbor footholds established by cyber attackers and ransomware groups who exploited the flaw.

Industrial companies need to shift their focus. These companies may already be asking each of their software vendors whether their products use Log4j or carry this vulnerability. A more important question is to ask every industrial cloud provider whether its cloud services have been attacked through the Log4j vulnerability.
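Asking vendors is one side of the inventory; the other is checking what is actually deployed on the company's own Internet-facing and OT-adjacent Java systems. The following is an added example, not code from the article, of a small inventory script: it walks a directory tree, opens every `.jar`/`.war`/`.ear`/`.zip`, recurses into nested archives (a `.war` bundling its own log4j-core is the common case), reads the log4j-core version from Maven's `pom.properties` or the manifest, and records whether the `JndiLookup` class that CVE-2021-44228 abuses is present. The sample archives built in `demo()` are constructed for the example, and the `lib/` and `app.war` paths are assumptions, not anything from the article.

```python
"""Inventory Java archives for log4j-core and the JndiLookup class.
Added example, not code from the article. Sample archives are constructed."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_VERSION = (2, 15, 0)  # first log4j 2.x release that closed CVE-2021-44228
Version = Optional[Tuple[int, int, int]]


@dataclass
class Finding:
    path: str                  # file path; nested archive entries joined with "!"
    version: Version           # parsed log4j-core version, None if unknown
    jndi_lookup_present: bool

    @property
    def cve_2021_44228_candidate(self) -> bool:
        """Flag when the lookup class is present and the version predates the fix
        (an unknown version is treated as suspect rather than ignored)."""
        if not self.jndi_lookup_present:
            return False
        return self.version is None or self.version < FIXED_VERSION


def parse_version(text: str) -> Version:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def version_from_archive(zf: zipfile.ZipFile) -> Version:
    """Prefer Maven pom.properties; fall back to the manifest's Implementation-Version."""
    for name, prefix in ((POM_PROPERTIES, "version="), (MANIFEST, "Implementation-Version:")):
        if name in zf.namelist():
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith(prefix):
                    return parse_version(line)
    return None


def inspect_archive(data: bytes, label: str, depth: int = 0) -> List[Finding]:
    """Inspect one archive held in memory and recurse into archives it contains."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        jndi = JNDI_LOOKUP_CLASS in names
        if jndi or POM_PROPERTIES in names:  # looks like a log4j-core artifact
            findings.append(Finding(label, version_from_archive(zf), jndi))
        if depth < 3:  # bound recursion into nested archives
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(n), f"{label}!{n}", depth + 1))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under root; labels are paths relative to root."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), label))
    return findings


def _fake_log4j_core(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar holding only the entries inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPERTIES, f"version={version}\n")
        z.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> Dict[str, Tuple[Version, bool, bool]]:
    """Build a constructed sample tree, scan it and return
    {label: (version, jndi_present, cve_2021_44228_candidate)}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(_fake_log4j_core("2.14.1", with_jndi=True))
        with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
            fh.write(_fake_log4j_core("2.17.1", with_jndi=False))
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
        return {f.path: (f.version, f.jndi_lookup_present, f.cve_2021_44228_candidate)
                for f in scan_tree(root)}


if __name__ == "__main__":
    for path, (ver, jndi, flagged) in demo().items():
        print(f"{'FLAG' if flagged else 'ok  '} {path} version={ver} JndiLookup={jndi}")
```

Run it against a real deployment by replacing `demo()` with `scan_tree("/opt/app")` or similar. The version check is deliberately simple: it only answers the question the article poses (does this system carry a Log4j build older than the CVE-2021-44228 fix?), and an artifact with the lookup class but no parseable version is reported for review rather than silently dropped.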

Regardless of how well these measures find or address the Log4j vulnerability, industrial companies that have not yet done so should consider deploying hardware-based, unhackable protections for OT systems, especially those connected to the Internet. The cloud services used by OT systems will inevitably present other vulnerabilities and other compromises.

Remember that the Kaseya ransomware attack compromised 1,500 of Kaseya's customers. We do not want a ransomware group or anyone else to shut down an oil pipeline or cripple a power plant or other infrastructure through a Log4j vulnerability or any other cloud system vulnerability.
