
The ransomware gang behind LockBit 3.0 has caused significant economic harm. Japan’s largest port, in Nagoya, had to suspend operations from Tuesday until this morning because its container management system was taken down. It shows how dangerous a gap in OT security is.

The port of Nagoya accounts for 10 percent of Japan’s total trade value and is crucial to the supply chain of car giant Toyota, among others. On Tuesday, the Nagoya Port Unified Terminal System (NUTS) was compromised. The culprit? The LockBit 3.0 ransomware gang, which communicated its demands to the port authority via a printer. So far, the port authorities have not responded to the ransom request.


Ransomware in general and LockBit 3.0 in particular have proven multiple times that they can take down critical infrastructure. Deutsche Post and the British Royal Mail, for example, were affected by this gang. However, the underlying cause is often a software vulnerability or someone being fooled by a phishing email. As a result, personal data is often lost. Less well-known are examples of ports that are taken down or dams that can no longer be controlled. However, this will undoubtedly change if OT security is not taken more seriously.

Outdated systems

Security experts say operational technology (OT) is increasingly an “obstacle to progress” in the fight against cyber risks. OT covers many industrial applications and includes the hardware and software that drive industrial equipment and control mechanisms. This includes the aforementioned NUTS at the Port of Nagoya, which ensures that the correct container loads end up on ships so that their payloads arrive at the desired location.

While details are still in short supply about this week’s attack, there are many troubling trends regarding OT security. For example, a BlackBerry poll found that 86% of manufacturing IT decision-makers are still using some form of legacy Windows. A third of this group still uses the antiquated Windows NT, which received its last update in 2004. Later operating systems such as XP, 7 and 8 are also already past their expiration dates in terms of security updates, yet remain widely used.

Converging OT and IT

All this would already be undesirable even if security around critical infrastructure were otherwise kept in check. The study cites that manufacturers mostly rely on antivirus, firewalls and secure settings of connected devices. That is not enough. The convergence of OT and IT has accelerated in recent years, with OT becoming increasingly connected to IT systems and the duties of employees in this area overlapping more and more.

This is because the data from OT sensors and appliances can be essential to optimize processes and thus prevent waste. After all, anyone who has a good overview of their air conditioning system and can map employee behaviour can save thousands of dollars by turning it on only when someone needs cooling or heating. For more complex processes such as distributing containers in Nagoya, it is reasonable to expect that the most efficient solution could lead to considerable cost savings.

The tricky part of convergence between OT and IT is that not all processes can be combined. As Mollie Breen of security firm Perygee points out, the risk profile differs each time. For example, she highlights that a compromised ventilation system in an office is less impactful than a compromised similar system in a hospital. There are plenty of other examples. However, the point is clear: there needs to be a higher standard for more important OT solutions. Thus, the need to secure OT becomes somewhat nuanced after all.

There is, however, a significant paradigm shift to be made. Since critical infrastructure tends to run on outdated systems, it is inherently prone to attack. “If it ain’t broke, don’t fix it” is the prevailing line of thought, something that is as predictable as it is logical. “If it ain’t supported, don’t use it” may not roll off the tongue as easily, but it applies just as well.
