Intellectual property theft in OT environments
Even if well guarded in IT networks, intellectual property is also encoded into OT processes, making it possible for adversaries to steal it by OT network infiltration.
Intellectual property (IP) theft as a component of broader adversary espionage campaigns is an enduring and acknowledged risk, but one that is more often discussed in relation to enterprise IT environments than operational technology (OT) networks. This does not mean OT networks are immune from the threat. On the contrary, because IP is in many cases encoded directly into the processes OT networks manage, those networks should be prioritised for protection against IP theft.
IT and OT networks are increasingly interconnected, and efforts to support digital transformations continue to blur the boundaries between these previously distinct network domains. The imperatives for remote work and remote access imposed by the COVID-19 pandemic only served to accelerate this new paradigm of interconnectivity.
Increasing interconnectivity between IT and OT networks creates opportunities and incentives for adversaries to pursue their IP theft objectives within OT network environments, particularly if the adversary cannot meet their objectives through enterprise IT network compromise alone. For network defenders, it is important to consider the risk of IP theft in OT environments within the wider context of industrial espionage.
The US consulting firm Deloitte has studied and attempted to quantify the risks to a business of IP theft through cyber espionage, concluding that “IP theft has ramifications that are harder to grasp: fewer up-front, direct costs but potential impacts that might metastasize over months and years. Theft of personally identifiable information (PII) might quickly cost customers, credit ratings and brand reputation; losing IP could mean forfeiture of first-to-market advantage, loss of profitability or — in the worst case — losing entire lines of business to competitors or counterfeiters.” [1]
Given the potentially high return on the time and effort invested, it is not surprising that the security community has observed multiple groups targeting networks in pursuit of protected IP for over a decade. Most of these incidents have historically been detected in enterprise IT environments, but that imbalance partly reflects the far poorer visibility and monitoring typically available in OT networks rather than an absence of OT targeting. The scope of the known incidents indicates the extent of the potential threat, and OT networks themselves have not been excluded from adversary targeting and operations.
Adversaries are most likely to pursue IP theft in OT environments as part of a broad campaign and the sensitive information an adversary can acquire from an OT network may not be available in other parts of a company’s network. Within enterprise IT network segments, sensitive IP is increasingly stored offline or within closely guarded network enclaves. In contrast, on the OT side of the network, this IP is likely to be embedded into the processes the OT network manages and may be impossible to separate from the OT network’s operation.
This potential disparity in information availability and protection could drive an adversary to pursue information from an OT network that they cannot access in other parts of a company’s networks.
Manufacturing process influence on information availability
The type and value of information that can be extracted from an OT network by a motivated adversary will depend in part on what type of manufacturing process the targeted network manages, whether it be a batch, continuous or discrete process.
The differences between the three types of process influence the type of information an adversary would hope to obtain when targeting IP in an OT network environment, as well as additional data an adversary might pursue from other networks and sources. This also influences how damaging the loss of proprietary information from an OT network could be, depending on the sensitivity of the information in question.
Batch manufacturing
Batch manufacturing processes are likely to be lucrative for an adversary from the perspective of IP theft. The step-by-step nature of batch processing, and the fact that each step must be completed in its entirety before moving to the next step in the process, could provide an adversary an opportunity to extract the amounts of each input into the process and the set points from the controllers for the equipment involved in the process.
This would require the adversary to observe the batch process from start to finish as the raw materials and ultimately product moved through each of the distinct steps. The total time to completion for a batch process may influence the amount of time an adversary would need to be in the OT network and observing the process to be able to potentially reverse engineer the totality of the process.
A data historian overseeing and recording data on a network’s operation can be a logical initial target for an adversary attempting to gather IP information out of an OT network overseeing a batch manufacturing process, as these devices aggregate and store data over a longer time horizon. That said, in some cases the information held by the historian may be raw sensor data lacking the necessary context. This lack of context can sometimes be a purposeful design decision in networks overseeing processes derived from sensitive IP. In these cases, HMIs or SCADA devices can also be important targets, as their data is meant for operator consumption and therefore unit-scaled with full context.
Recipes are the most sensitive category of IP for many companies in the pharmaceutical, chemical, and food and beverage industries. In some instances, this category of IP can represent billions of dollars in research and development for new pharmaceuticals and chemicals, and its loss or theft by an adversary could have significant repercussions for the competitiveness and profitability of the company targeted by an adversary.
Continuous manufacturing
Continuous manufacturing processes share many similarities with batch manufacturing in that predetermined amounts of raw ingredients are combined and modified by equipment to produce expected quantities of a finished product. The main difference is that the materials in continuous manufacturing move seamlessly through the steps of the process without pause. The product is tested throughout the process for adherence to expected quality levels.
The set point values for the controllers managing a continuous process are always active, and in a properly functioning process at steady state they should not change over time. If an adversary can capture a snapshot of the set point values for a continuous process even over a relatively short time horizon (measured in minutes, not hours), and if that data is sufficiently rich in context (tag names, engineering units, scaling), the adversary may have all the information they need to reverse engineer the process in question.
While data historians remain a logical initial target for an adversary targeting IP contained within a continuous manufacturing environment, the same caveats from batch manufacturing environments surrounding the level of context contained within the historian’s data still apply. If this data lacks context based on purposeful or incidental design, an adversary may need to seek additional context from unit-scaled data in an HMI, SCADA or similar operator-focused device.
Discrete manufacturing
Given the fixed inputs that characterise discrete manufacturing, there is generally less information of relevance from an IP theft perspective for an adversary to extract from an OT network overseeing a discrete manufacturing process. That said, there is some information of interest or value for adversaries contained within these networks.
In the case of discrete manufacturing, rather than being interested in the components and inputs that result in a finished product (much of which could be determined through examination of a bill of materials or disassembly and reverse engineering), an adversary would instead be seeking information on the manufacturing process itself. Information on manufacturing processes can be significant, as efficiencies in these processes can allow a company to produce a certain product more quickly and at a lower cost, which in turn enables the company to offer the product to consumers at a lower price while maintaining an acceptable profit margin.
These types of processing efficiencies can be vital in maintaining a company’s competitive edge, particularly in industries and products where the main differentiating factor from competitors’ offerings is price. In these instances, information gleaned from an OT network on the layout, functionality and configuration of the network’s components could be of value from the perspective of an adversary, especially if combined with additional information on engineering and design from other networks and sources — for example, network and engineering diagrams from an OT systems integrator.
Implications beyond information loss
While adversaries may target an OT network with the goal of extracting specific information relevant to a company’s closely held IP, the loss of this information may not be the extent of their impact on a company’s operations. The general fragility of OT networks and the necessity of uninterrupted availability in most instances mean that even skilled adversaries run the risk of having a negative impact on the operations of an OT network they do not fully understand, particularly from a process perspective.
This risk is amplified when an adversary whose primary role is targeting IP on enterprise IT networks pursues IP within an OT environment. An adversary ‘learning’ about ICS and industrial processes inside a live OT network is at high risk of causing unintentional disruptions and network failures. As an example, an adversary actively scanning with a tool like Nmap, which adversaries commonly use for network service discovery in the Discovery phase of MITRE’s enterprise ATT&CK matrix, is at high risk of placing industrial devices into a denial-of-service state and taking down an OT network when the same tool is run in an industrial environment: many embedded controllers have fragile network stacks that can hang or fault when presented with unexpected packets, port sweeps or malformed probes.
Even in the case of skilled adversaries, who understand the functionality of OT networks and the constraints necessary to interact with the networks with minimal risk of disruption, there can be tension between the pursuit of IP and the preservation of network availability. This can be further influenced by the level of the network where adversaries are seeking information.
The manipulation or exploitation, deliberate or unintentional, of HMI, SCADA or historian systems at Purdue model Levels 2 or 3 could eventually cause malfunction or disruption of physical processes and machinery at Levels 0 and 1. Furthermore, an adversary attempting to extract settings and configurations directly from Level 1 devices, such as PLCs, safety instrumented systems or RTUs, is at even higher risk of causing network disruptions or malfunctions, given the closer proximity and criticality of these devices to the physical processes controlled by the OT network.
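Two of the behaviours described above can be turned into detection logic that runs over passively collected OT network records: a host outside the approved HMI/historian set snapshotting set-point registers (the continuous manufacturing section), and scan-like contact with many hosts and ports (the Nmap risk above). The following is an added example written for this article, not code from the article, SANS or any vendor. The record format, IP addresses, register numbers and scan threshold are assumptions for illustration; a real deployment would read Zeek’s modbus.log or an OT monitoring platform’s export and take the allowlist from an asset inventory.

```python
"""Detect set-point snapshotting by unexpected hosts and scan-like behaviour
over a constructed sample of OT connection records.

Added example; not code from the article. The log format, addresses,
register numbers and threshold below are assumptions for illustration."""
from collections import defaultdict

# Hosts permitted to poll controller registers (an HMI and a historian). Assumed.
APPROVED_READERS = {"10.10.2.10", "10.10.3.5"}

# Holding registers that carry process set points on two PLCs. Assumed.
SETPOINT_REGISTERS = {
    ("10.10.1.20", 40001), ("10.10.1.20", 40002),
    ("10.10.1.21", 40001), ("10.10.1.21", 40003),
}

READ_HOLDING_REGISTERS = 3      # Modbus function code 0x03
WRITE_REGISTER_FUNCS = {6, 16}  # Modbus 0x06 (single) / 0x10 (multiple)
SCAN_THRESHOLD = 5              # distinct (dst, port) pairs from one source

# Constructed sample in an assumed format: "timestamp src dst dport func register".
# "-" marks a field that does not apply (non-Modbus connections).
# Lines 1-3: normal HMI/historian polling. Lines 4-6: an unknown host reading
# set points. Lines 7-11: the same host sweeping other hosts and ports.
SAMPLE_LOG = """\
2024-03-04T02:10:01 10.10.2.10 10.10.1.20 502 3 40001
2024-03-04T02:10:01 10.10.2.10 10.10.1.21 502 3 40001
2024-03-04T02:10:02 10.10.3.5 10.10.1.20 502 3 40002
2024-03-04T02:11:30 10.10.4.77 10.10.1.20 502 3 40001
2024-03-04T02:11:31 10.10.4.77 10.10.1.20 502 3 40002
2024-03-04T02:11:32 10.10.4.77 10.10.1.21 502 3 40003
2024-03-04T02:12:00 10.10.4.77 10.10.1.20 22 - -
2024-03-04T02:12:00 10.10.4.77 10.10.1.20 80 - -
2024-03-04T02:12:00 10.10.4.77 10.10.1.20 102 - -
2024-03-04T02:12:01 10.10.4.77 10.10.1.22 502 - -
2024-03-04T02:12:01 10.10.4.77 10.10.1.23 44818 - -
"""


def _opt_int(field):
    """Turn a '-' placeholder into None, otherwise parse an integer."""
    return None if field == "-" else int(field)


def parse_records(text):
    """Parse the sample format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, func, reg = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                        "func": _opt_int(func), "register": _opt_int(reg)})
    return records


def detect_setpoint_access(records, approved=APPROVED_READERS,
                           setpoints=SETPOINT_REGISTERS):
    """Reads or writes of set-point registers by hosts outside the allowlist.

    A read is the 'snapshot' behaviour described in the article; a write is
    the manipulation risk that accompanies it."""
    alerts = []
    for r in records:
        if r["func"] is None or (r["dst"], r["register"]) not in setpoints:
            continue
        if r["src"] in approved:
            continue
        if r["func"] == READ_HOLDING_REGISTERS:
            alerts.append(("setpoint-read", r["src"], r["dst"], r["register"]))
        elif r["func"] in WRITE_REGISTER_FUNCS:
            alerts.append(("setpoint-write", r["src"], r["dst"], r["register"]))
    return alerts


def detect_scans(records, threshold=SCAN_THRESHOLD):
    """Sources that touch at least `threshold` distinct (host, port) pairs.

    Normal OT traffic is highly repetitive (the same few pollers hitting the
    same few endpoints), so breadth of contact is a strong scan indicator."""
    touched = defaultdict(set)
    for r in records:
        touched[r["src"]].add((r["dst"], r["dport"]))
    return {src: sorted(pairs) for src, pairs in touched.items()
            if len(pairs) >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for alert in detect_setpoint_access(recs):
        print("ALERT", *alert)
    for src, pairs in detect_scans(recs).items():
        print(f"SCAN {src} touched {len(pairs)} distinct host/port pairs")
```

Both detections depend on records captured passively (a SPAN port or network TAP feeding a monitor), which gives the defender the visibility the article calls for without the disruption risk that active scanning carries in an OT network. The allowlist is the part that needs care: it should be derived from an asset inventory and reviewed whenever an engineering workstation or integrator laptop is legitimately connected, otherwise the set-point alert will be noisy and ignored.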
Five critical controls for OT cyber defence
To protect against these risks and related threats, the five critical controls for world-class OT cybersecurity identified by the SANS Institute [2] are recommended: an ICS-specific incident response plan, a defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. Together they present a framework for implementing an OT cybersecurity program that defends against adversary activity directed at OT networks, be it IP theft, ransomware or targeted cyber-physical effects.
A first step in implementing these controls is achieving executive alignment on the role and importance of OT cybersecurity and on the specific risks the program is meant to defend against; in this case, the loss of IP, or the disruption of the OT network, as a result of adversary efforts to steal sensitive IP from it. One way to achieve this organisational alignment is to tie the effort back to real-world scenarios and previous incidents. Research previous attacks and understand their relevance to your business. Extrapolate them into scenarios that incorporate the unique aspects of your environment and capture how a similar loss of valuable IP or disruption would affect your company and its operations.
Conclusion
IT and OT networks are increasingly interconnected, a dynamic driven by diverse forces spanning from unprecedented global pandemics to support for broader digital transformations. This increasing interconnectivity continues to blur the boundaries between these two previously distinct network domains and has been accompanied by a spillover of threats more generally associated with IT into the OT network space.
IP theft through cyber means is no different, and increasingly robust protections for sensitive information in the enterprise IT realm can create a disparity in information availability and protection that could drive an adversary to pursue sensitive information from a company’s OT network, which they are unable to access elsewhere.
Given that for many OT networks, valuable IP is hardcoded into the processes and operations the networks oversee, options for mitigating risk are somewhat circumscribed by this central reality. Accordingly, these network segments should be prioritised for incident response planning, increased visibility and robust monitoring.
References
1. Gelinne JP, Fancher D and Mossburg E 2016, ‘The hidden costs of an IP breach: Cyber theft and the loss of intellectual property’, Deloitte Review, Issue 19, Deloitte, <https://www2.deloitte.com/us/en/insights/deloitte-review/issue-19/loss-of-intellectual-property-ip-breach.html>
2. Lee RM and Conway T 2022, The Five ICS Cybersecurity Critical Controls, SANS Institute, <https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/>