Threat modeling, from its very inception, was envisioned as a solution to information technology (IT) threats. After all, IT is where the data is, which is nominally the fastest and surest path to a ransom for bad actors.
Sometimes, bad actors want something other than money. They want to disrupt (at best) or bring down (at worst) an organization. And while that can certainly be done by “attacking” a company’s data, for some companies, it can also be done by attacking their operations.
The OT Security Problem
What is OT? From RedHat, “OT, or operational technology, is the practice of using hardware and software to control industrial equipment, and it primarily interacts with the physical world. OT includes industrial control systems (ICSs) like programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems.”
What is the OT security problem? Legacy OT hardware and software were never designed to protect themselves from threats once thought to affect only IT. And that makes the OT world extremely vulnerable. How vulnerable?
OT security company Waterfall Security Solutions reported 57 OT-related cyberattacks on industrial systems out of 218 incidents in 2022, which caused physical consequences in the real world. Over the past year, there has been a 140 percent increase in the number of cyberattacks, with over 150 industrial operations affected. According to company projections, if this growth rate continues, there could be up to 15,000 industrial sites shut down due to cyberattacks within the next five years. That’s how vulnerable.
Not just operations, but the operations of critical infrastructure: dams, power generation stations, water treatment plants. If you think losing data is bad, try going without water and electricity for a while. And since the cost of prior breaches has ranged from $10 million to $300 million, no expense should be spared to harden OT. What are the options?
The OT Security Solution?
Where do we look for solutions to the OT security problem? Best practices. There are plenty out there, but the ones that seem most representative are from SCADAfence:
Automatic discovery and full visibility and management of OT asset inventory
Proactive actionable warnings regarding risks and vulnerabilities in the OT network
Network mapping and connectivity analysis
Detection of suspicious activities, exposures, and malware attacks
Full, deep-packet analysis of the network & industrial equipment activities
If you’re at all familiar with threat modeling, you’ll recognize that the first three items in the list above are essentially the three main pillars of modern threat modeling: automatically discover assets, map their connectivity, and proactively mitigate vulnerabilities.
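As an added example (not code from this post, SCADAfence or ThreatModeler), the Python sketch below applies those three pillars to a handful of constructed flow records: passive asset discovery, a zone-to-zone connectivity map, and flagging of cross-zone paths that violate an assumed segmentation policy. The IP ranges, zone names, policy and the port-to-protocol table are all assumptions made for the illustration.

```python
"""Toy OT asset discovery and connectivity analysis over constructed flow records.
Added example, not from the original post or any vendor product. Zones, hosts,
flows and the allowed-path policy are constructed for illustration."""
from collections import defaultdict

# Constructed flow records as a passive sensor might see them: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.1.0.10", "10.2.0.21", 502),    # HMI -> PLC over Modbus/TCP
    ("10.1.0.10", "10.2.0.22", 502),    # same HMI -> second PLC
    ("10.1.0.11", "10.2.0.21", 44818),  # engineering workstation -> PLC, EtherNet/IP
    ("10.0.5.7",  "10.2.0.21", 502),    # corporate laptop -> PLC (crosses IT/OT boundary)
    ("10.2.0.22", "10.0.5.8",  443),    # PLC initiating a connection toward the IT zone
]

# Assumed zone layout (prefix -> zone); simple prefix matching is enough for this toy data
ZONES = {"10.0.": "IT", "10.1.": "OT-supervisory", "10.2.": "OT-control"}

# Small hypothetical subset of well-known ICS service ports
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3", 102: "S7comm"}

def zone_of(ip):
    for prefix, name in ZONES.items():
        if ip.startswith(prefix):
            return name
    return "unknown"

def discover_assets(flows):
    """Pillar 1: build an inventory {ip: {zone, serves}} purely from observed traffic."""
    assets = {}
    for src, dst, port in flows:
        for ip in (src, dst):
            assets.setdefault(ip, {"zone": zone_of(ip), "serves": set()})
        if port in ICS_PORTS:          # the destination is serving an ICS protocol
            assets[dst]["serves"].add(ICS_PORTS[port])
    return assets

def connectivity_map(flows):
    """Pillar 2: collapse host flows into zone-to-zone edges with the ports seen on each."""
    edges = defaultdict(set)
    for src, dst, port in flows:
        edges[(zone_of(src), zone_of(dst))].add(port)
    return edges

def risky_paths(flows, allowed=frozenset({("OT-supervisory", "OT-control")})):
    """Pillar 3: flag cross-zone flows not covered by the assumed policy, so they can
    be mitigated before an incident rather than after one."""
    findings = []
    for src, dst, port in flows:
        path = (zone_of(src), zone_of(dst))
        if path[0] != path[1] and path not in allowed:
            findings.append((src, dst, ICS_PORTS.get(port, port)))
    return findings
```

Running the three functions over FLOWS yields six discovered assets, one allowed supervisory-to-control edge carrying ports 502 and 44818, and two flagged paths: the corporate laptop reaching a PLC over Modbus/TCP and a PLC reaching out to the IT zone.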
So, the answer to the question posed in the title above is yes. At least part of the solution to OT security, especially from legacy systems, is threat modeling.
If you are intimidated by the thought of threat modeling your OT infrastructure, or think it requires some hard-to-find security expertise, think again. ThreatModeler was designed from the beginning to be a self-service tool which does not require any special security experience. It is true one-click threat modeling for many use cases, including locking down your operations.