Blog

API Security in Your Operational Technology (OT)

January 19, 2023 | 6 MIN READ

by Jason Kent

Operational Tech

Operational technology encompasses supervisory control and data acquisition (SCADA), industrial control systems (ICS), and distributed control systems (DCS). OT can be involved in critical processes that, if breached, could have catastrophic consequences, including loss of life. Water treatment plants, power distribution, traffic management, and other critical infrastructure rely on operational technology solutions to properly function.

The increase of OT devices used in these industries and others such as healthcare and life sciences has made cybersecurity more important. According to Gartner, over 80% of organizations have implemented OT technology, while 20% have detected OT-related security attacks within the last three years. According to the 2019 Ponemon Cyber Security in Operational Technology Report, over 60% of respondents mention concern about an attack against OT.

Operational Technology Security Challenges 

Outside of B2B and B2C software, APIs are used heavily in OT, acting as the glue to communicate specialized data descriptions such as vibration, or pressure between equipment and control software. For example, in an OT scenario, a predictive maintenance application, as part of a SCADA system, running in equipment on a factory floor, could open a secure HTTPS connection to a server, requesting motor runtime data. Using an API, the factory equipment knows exactly how to connect to the server, obtain a list of available data resources, and read and write the values of those resources. The server would respond back to the predictive maintenance application with the motor’s run time and thus an indication of the next preventive maintenance schedule. Thus, if an API involved in these communications is exploited, data theft and disruption can result.

The OT security challenge doesn’t really present itself in disconnected or air-gapped systems but when all of it becomes available to the public internet. As more and more facilities rely on one another as part of the overall manufacturing process, the playing field for attackers becomes more interesting and sophisticated. Unfortunately, there is plenty of documentation, publicly available python libraries, and online tools to get an attacker up to speed in no time.

These systems aren’t all focused on manufacturing, the power generation, utility, transportation, and logistics companies utilize similar systems and similar methods. The basics are devices that communicate, gather data, make decisions, take action and allow for humans to make changes. Often these systems feed one another via some SaaS based overall “director” and can have many such systems tied together. Since production often requires fine tuning there are various places where there are human machine interface (HMI) points. These can be simple things like buttons to add a tiny bit more of an ingredient or as sophisticated as the primary director for the overall system. 

Each point along the system can be attacked. Much like the attacks seen against web applications and APIs, attacking the central points of human interface is probably going to be the most impactful. When looking at web displays, is that tank really still full? What if that is a needed ingredient in the production process and when that item runs out, something breaks? If we bump up the saltiness of a whole run of potato chips, it might fail the whole batch in QA. Those kinds of communication signals can be disrupted, changed, or even manipulated when not protected properly. 

Applying the OWASP API Security Top 10 to Operational Technology

When looking to make improvements to an operational technology or other types of controlled environments that engage with SCADA systems, more and more of the communication is standard TCP/IP and no longer on proprietary protocols but, rather, on standard HTTP API channels. Compounding rapid development and adoption of older technologies that weren’t designed with security in mind and we might be heading toward serious problems in these types of environments. Many of these systems weren’t built all at once, often older technology has been layered in. As our previous SCADA research taught us, credential reuse is constant on the factory floor and many of these systems have a weak point of a root or admin password being the same for every system installed by the same company.

The CQ Prime Threat Research Team recently posted about the API Security Unholy Trinity where attackers used multiple OWASP API Security Top 10 exploits to achieve their malicious end-goal. In the world of OT, the same threats are applicable.

  • Improper Authentication (OWASP API 2): This flaw allows access or permitted credential stuffing. When applied to OT, authentication is critical and shouldn’t be a shared credential. 
  • Excessive Data Exposure (OWASP API 3): APIs communicating data they shouldn’t transport often leaking data through standard http response analysis. In the OT world, the assumption may have been that the communications would never be exposed so masking and encryption were not considered. 
  • Finally, we are seeing that many API endpoints in use aren’t well known to the organization, known as Improper Assets Management (OWASP API 9). These are 3rd party APIs, SCADA or DCS APIs published outside of a documented process with little or no oversight. 

These aren’t the only API flaws that get regularly abused but definitely are the worst if they exist together. We do see API business logic abuse outside of OWASP categories as well, making it critical to cast a broad view of threat landscape, looking beyond just those threats defined by OWASP. 

Addressing API Security Challenges for Operational Technologies 

So, what can be done? The same thing that can be done on APIs for web applications. Instrumentation and understanding what you have is important. Instrumenting the HMIs will allow for you to see the transactions, data gathering, and allow for alerting or taking enforcement on anomalies.

If you are interested in looking at what your APIs on OT, SCADA, and ICS are doing, instrumentation will allow you to see what transactions are taking place, what data is out there and if the transactions are problematic. Having an additional point of data and having thresholds that shouldn’t be crossed will allow for your environment to operate safely. 

Shadow functionality needs to be uncovered before it is exploited by an attacker. This includes APIs that help your OT, SCADA, and ICS run smoothly. Knowing the unknown with regards to all those hundreds of APIs used by your organization is critical.

We can help. You can find out what APIs are in your OT, SCADA, and ICS using API Spyder. 

Schedule Your Free API Security Assessment

Jason Kent

Author

Jason Kent

Hacker in Residence

Jason Kent is Cequence's Hacker-in-Residence with over 20 years of experience securing client behavior, wireless networks, web applications, APIs, and cloud systems. At Cequence, Jason focuses on defending against automated attacks on web applications and APIs.

Related Articles