Complete Guide to OT Security - Security Boulevard

2022-07-23 20:54:16 By: Mr. Eric Supoo


Oldsmar, a small city in the state of Florida, has a population of about 15,000. On February 5th, 2021, a vigilant employee at the Oldsmar water treatment facility noticed a spike in the level of sodium hydroxide, or lye. The lye level had been changed from 100 ppm to 11,000 ppm, a 10,000% jump. The hacker had managed to infiltrate the critical infrastructure and release excess lye into the water that serves the entire city.

Public utility systems without a sound security posture for their Operational Technology are vulnerable to exactly this kind of threat. The threats are real, and the number of attackers with advanced capabilities is growing at an alarming rate. The fears of security experts have come true and only compound with time. 2 in every 5 enterprises revealed that hackers had targeted their OT devices. Likewise, over 60% of respondents in a survey felt that the volume, complexity, and frequency of threats are likely to increase in the coming years. For an enterprise or an industrial unit, Operational Technology security is of paramount importance. In the case of infrastructure like power grids, it is a matter of national security.

Operational Technology is defined as the hardware and software that detects or causes a change through direct monitoring and/or control of physical equipment. The hardware includes valves, sensors, I/O devices, switches, PLCs, actuators, and similar devices; the software is customized and machine-specific. Along with these components, OT systems employ a wide range of control components that act together to achieve an objective.

Unlike other information processing systems, any change in an OT network has an effect in the physical world. Because of this, safety is of paramount importance in OT systems, and safety requirements frequently conflict with security design and operations.

SCADA systems collect data from many input/output devices spread across a large geography. Their architecture consists of computers and networked data communications with a graphical user interface. Commands sent from the control center (via the GUI) are executed by PID controllers and PLCs (Programmable Logic Controllers) at the endpoints. Electric lines, pipelines, railways, and power transmission often rely on SCADA systems.

A DCS is seen in environments with many control loops, offering both central supervisory equipment and local control. It is used in areas like refining, manufacturing, and power generation, where high reliability and security are very important.

On-site medical devices comprise in-hospital equipment like MRI scanners, infusion pumps, EKG/ECG machines, defibrillators, and others. These run on outdated operating systems and proprietary protocols. Consumer medical devices comprise insulin pumps, artificial pacemakers, and prenatal monitors, which belong to the class of IoT smart devices.

Every inch of an industrial complex, whether a design, fabrication, or manufacturing zone, needs to be protected. Everything from HVAC systems, elevators, swipe cards, security cameras, and biosecurity machines onwards needs to be secured.

OT networks have traditionally run off the grid, isolated from other networks, which greatly limited their exposure to security vulnerabilities. Every process in an OT environment runs on proprietary control protocols. Critical infrastructure like transport, power distribution, healthcare, and others are examples of OT networks.

In the event of an on-site security lapse, an intruder or a group of attackers may manage to get into the premises of an industrial facility. The threats arising from such events can be avoided by improving security and surveillance along with the deployment of multi-layered security. This ensures that access to critical assets and control rooms is always denied to unauthorized personnel, even in the event of an on-site security lapse.

Also read: Complete Guide to Cyber Threat Intelligence Feeds

There have also been reports of identity card and swipe card thefts, giving unauthorized people access to OT infrastructure facilities.

Smart transportation, smart power transmission, smart manufacturing: every 'smart' thing that is part of our day-to-day lives is an upgrade of its cousin from pre-internet days. Everyone associated with these systems, whether government, private contractor, or academic, wants to make OT systems more reliable, cost-effective, and efficient. To achieve this goal, services like big data analytics and other enterprise software have been integrated with OT networks.

This means IT has been integrated with OT, and it has brought more trouble than OT systems had seen cumulatively over the previous 200 years. With the integration of Information Technology and the Internet of Things into Operational Technology, the security of the critical infrastructure that holds a nation together has come under scrutiny. To mitigate the risks arising from IT and IoT integration with OT, traditional security solutions should be deployed along with strategies like defense-in-depth, layered security mechanisms, and other sophisticated modern security systems.

Also Read: How to get started with OT security

OT systems have moved from a state of complete isolation to one where complete isolation is impossible. While the integration of IT, IoT, and OT was bound to happen sooner or later, threats and security vulnerabilities were bound to follow. Just as IT cybersecurity went through some rough patches during its infancy some three decades ago and is still fighting on with a positive spirit, hybrid modern OT systems too are expected to continue.

Operational Technology is industry-oriented and focuses on the manufacturing, production, and transmission landscape. A single failure in an OT system can hurt industrial operations directly, leading to long hours of lost production. In some cases there have been fatal accidents. Though such incidents are of low frequency, they have a destructive effect, at times threatening national security. OT security puts safety at the forefront, even though the systems themselves change little over time.

On the other side of the fence, IT security deals with data flowing across various IT systems. IT security is primarily a business-oriented vertical driven by the enterprise landscape. An IT security breach can cause loss or compromise of data, leading to financial losses. Technologies continue to evolve to counter the new threats emerging every hour, which demands regular and constant updating and upgrading of IT security systems. IT security deals with confidentiality, and its systems are often connected and distributed across a wide network (via the cloud).

Many OT networks are now an integral part of complex network systems, often comprising thousands of devices. The gap between OT and IT is dissolving at a rapid pace, thanks to the emergence of IIoT. OT and IT convergence has greatly improved the efficiency and performance of critical infrastructure elements. With meaningful and accurate data available, it is easier to identify KPIs that further help in achieving higher efficiency and performance.

Another big takeaway of OT and IT convergence is the cost-effectiveness it brings. From cooling systems to device management, cost optimization can be achieved across the entire system, yielding considerable long-term savings. Another key development can be security orchestration and improved operational and security standards across the entire network.

In parallel, OT and IT convergence also throws up some critical challenges which, if left unaddressed, can lead to a complete shutdown of critical infrastructure. The challenges range from incompatibility of existing edge devices and cybersecurity challenges to scalability and a lack of cross-training among employees. IT systems and practices often evolve at a rapid pace, while OT systems are designed to work for decades with little to no intervention.

This has made OT networks that are part of complex IIoT and IT networks a soft target for many bad actors and other cybersecurity threats. It has raised serious concerns about critical infrastructure, amplifying the need for robust OT cybersecurity solutions.

OT networks running off the grid had little to no security challenges in terms of technology. While physical threats have always existed, these OT networks were almost immune to cyber-attack. The exponential growth of IoT and data-driven systems changed how OT networks interact with each other.

In a bid to promote corporate business solutions and increase market share, OT systems started to integrate with other networks using IoT and other IT infrastructure. This has increased the attack surface of OT systems, exposing them to security vulnerabilities and bad actors many times over.

Back in the days when the Internet was in its infancy, information was entered manually into machines and there was nothing to worry about regarding Operational Technology security. By the time 'big data' arrived explosively on the scene, so did the interconnectivity between OT, IT, and IoT systems. This opened the door to numerous security threats that OT systems had never experienced in the past.

With many stakeholders in place and billions of dollars of investment, securing and protecting Operational Technology is key. This has led to a call for the convergence of OT and IT security solutions, paving the way for OT cybersecurity. With Industry 4.0 set to rely heavily on data and data analytics, security cannot be rationed at any level.

As bizarre as it may sound, a coordinated cyber-attack on OT systems can bring down the entire power transmission of a city, state, or region of a nation. European states have been victims of such targeted OT attacks. Firms were forced to shut down production operations for weeks. This impacted not only the production of a single facility but the entire production chain, leading to losses to the tune of millions, and even billions at times.

If a bad actor manages to get access to a power grid, taking over power transmission and distribution, one can only imagine the destruction that is to follow. Similarly, a slight malfunction caused by a threat in a busy industrial environment can be life-threatening to the workforce.

Many OT systems are often left untouched for years (and even decades) to prevent any unplanned downtime. With increasing connectivity between OT, IT, and IoT networks, firms without robust OT and IT cybersecurity in place are at the mercy of bad actors. Hackers keep lurking in the dark to make the most of exploits and vulnerabilities, and a poor OT security posture only strengthens their position further. Firms in the UK, Japan, Australia, and Germany have been victims of such attacks in the recent past.

Also read: Why IoT Security is Important for Today’s Networks?

Threats emerge not only from outside the network but also from inside it. A rogue employee, corrupt personnel, or a genuine human error can lead to downtime. To prevent these, an enterprise needs constant vigilance, monitoring, and control in the form of Operational Technology security solutions.

The biggest challenge the OT environment poses is the safety and reliability of the entire system. The entire system should be safe and highly reliable, without any scope for failure. The risk of a cyber-attack on OT systems rose sharply once they became part of a broader network. In parallel, there could be other entry points that can undermine the safety and reliability of an OT system.

The margin for error does not exist, given that OT, IT, IIoT, and IoT systems are interconnected into an indistinguishable network. Do not forget that an attacker can use OT devices to break into a highly sophisticated IT network, which would otherwise not have been possible.

Any of the following events can jeopardize the safety and reliability of an OT network:

Hackers somehow manage to bypass current safety protocols and enter the system. The cause can range from a rogue employee, a malware-infected USB device, or poor coding to a carefully planned attack. OT systems are no exception to these threats. Every system in every industry needs to be secured on all fronts at all times.

Often, critical infrastructure is secured using a multi-layered approach. Preventing bad actors and unauthorized users from entering the system is prudent. Given the various entry points (control rooms, logic controllers, cybersecurity attacks, unauthorized access, and others), an OT system is highly vulnerable if left unprotected.

A comprehensive and concrete mechanism should be put in place. The primary aim of a security system is to prevent the entry of any unauthorized actor or device that cannot authenticate. At Sectrio we have drafted a list of key objectives that every Chief Information Security Officer should take a look at before deploying a strategy for a secure OT system.

Every CISO’s security plan should have the following objectives to facilitate the strengthening of their OT System:

This can be achieved by using a DMZ architecture, separating OT and corporate network traffic, using different credentials and authentication mechanisms for the OT and corporate networks, installing unidirectional gateways, and using a multi-layered network topology to define security policies.
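As an added example (not code from the original article or from Sectrio), the Python script below models the layered topology the paragraph describes and checks flow records against it: corporate and OT zones never talk directly, the OT DMZ is the only crossing point, only the jump host may enter the OT zone, and OT data leaves through a one-way historian path. The zone ranges, host addresses, port sets and sample flows are all constructed assumptions.

```python
"""Zone-based flow check for a segmented IT/OT network.

Added example, not code from the original article or from Sectrio. The
zones, addresses, ports and flow records are constructed to illustrate the
segmentation objective: corporate and OT traffic are kept apart, the OT DMZ
is the only crossing point, and OT data leaves through a one-way path.
"""
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): corporate LAN, an OT DMZ holding a
# jump host and a historian replica, and the control network itself.
ZONES = {
    "CORP": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("192.168.100.0/24"),
}
JUMP_HOST = ip_address("10.20.0.10")          # only DMZ host allowed into OT
HISTORIAN_REPLICA = ip_address("10.20.0.20")  # receives one-way OT data

# Rules: (src zone, dst zone, allowed dst ports, required src host, required
# dst host). A flow that matches no rule is denied, so CORP -> OT and
# OT -> CORP can never pass, and nothing flows DMZ -> OT except the jump host.
RULES = [
    ("CORP", "DMZ", {443, 3389}, None, None),          # users to jump host / replica
    ("DMZ", "OT", {3389}, JUMP_HOST, None),            # maintenance via jump host only
    ("OT", "DMZ", {5000}, None, HISTORIAN_REPLICA),    # historian push, one direction
]


def zone_of(ip):
    """Return the zone name an address belongs to, or 'UNKNOWN'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def check_flow(src_ip, dst_ip, dst_port):
    """Decide a single flow. Returns (decision, reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if "UNKNOWN" in (src_zone, dst_zone):
        return "deny", "address outside any defined zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic"
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule_src, rule_dst, ports, src_host, dst_host in RULES:
        if (rule_src, rule_dst) != (src_zone, dst_zone) or dst_port not in ports:
            continue
        if src_host is not None and src != src_host:
            continue
        if dst_host is not None and dst != dst_host:
            continue
        return "allow", f"{src_zone}->{dst_zone} rule on port {dst_port}"
    return "deny", f"no rule permits {src_zone}->{dst_zone}:{dst_port}"


def audit(flows):
    """Return the flows that violate the policy, each with its reason."""
    violations = []
    for src_ip, dst_ip, dst_port in flows:
        decision, reason = check_flow(src_ip, dst_ip, dst_port)
        if decision == "deny":
            violations.append((src_ip, dst_ip, dst_port, reason))
    return violations


# Constructed flow records (src, dst, dst port), as a firewall log might show them.
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.0.10", 3389),       # corporate user to jump host: allowed
    ("10.20.0.10", "192.168.100.20", 3389),  # jump host to engineering workstation: allowed
    ("192.168.100.20", "10.20.0.20", 5000),  # OT data to historian replica: allowed
    ("10.10.5.5", "192.168.100.20", 502),    # corporate host straight to a PLC: violation
    ("10.20.0.50", "192.168.100.20", 3389),  # non-jump DMZ host into OT: violation
    ("10.20.0.20", "192.168.100.20", 5000),  # reply path back into OT: violation
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

The rule table is the point: the unidirectional gateway is expressed as an OT-to-DMZ rule with no DMZ-to-OT counterpart on that port, so the historian reply path shows up as a violation rather than quietly passing.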

Every new security discipline has had its share of challenges, and with Operational Technology security it gets even more difficult. Unlike IT systems, many OT systems run for years and even decades before getting a replacement. As the number of new-age devices keeps increasing, a security framework that is left unaddressed continues to weaken. At Sectrio we have identified the core challenges OT security often faces:

When OT systems made their way into the industrial sphere, the concept of cyber threats was largely confined to Hollywood sci-fi films. These OT systems were designed for reliability with little to no security. The only way to access a device or a system was by physical means.

Changing times and evolving technology meant that the industrial sector had to take advantage of big data. This mandated connecting isolated OT systems to a network, with their security status unchanged. This has increased the attack surface many times over, with hackers constantly trying to infiltrate OT systems globally.

Advanced cybersecurity solutions have greatly enhanced the security of IT systems in recent times. The same could not be applied to OT systems that were operated in an isolated environment. By deploying user-defined policies, their security posture can be vastly improved.

Even today, many OT systems run on legacy protocols that are either out of support or no longer maintained. Many critical operations are still run on legacy protocols, leaving the door wide open for cybercriminals to exploit.

Despite the willingness to replace legacy systems, protocols, and processes, many industrial workplaces never complete the process. This is attributed to the fear of 'unplanned operational downtime', which could result in losses to the tune of millions. Hence, enterprises should take a collaborative decision across the hierarchy, opt for a thorough review of their OT security posture, and go ahead with planned operational downtime.

By far the biggest challenge in today's world is the scarcity of a certified workforce for handling OT security. With a vast number of industrial sites connecting to networks across business verticals, the need and demand for OT security professionals in particular has shot up, but availability has been scarce. Enterprises should focus on nurturing young talent across multiple disciplines for a secure future.

To help you decide on the steps to address OT cybersecurity challenges, we have an in-depth blog post on it: 9 easy steps to address OT Cybersecurity challenges.

With new vulnerabilities being created and let loose into the industrial sphere, protection from such threats is vital. The recent industrial revolution of leveraging the power of data across industries has only made the call for comprehensive OT cybersecurity solutions more pressing. What seemed to be isolated industrial networks a decade ago are now part of a giant network. This phenomenon has not only improved efficiency and productivity but also given rise to an unsecured OT environment.

A comprehensive OT security solution should be able to monitor every device or machine that enters and leaves the network. This gives the Security Operations Center an overview of the network: every device, its connection path, the devices it interacts with, the assets it is accessing, and other data will be visible.

Once a device is tracked at all points, it becomes easier to protect the network even if a threat arises after a new device joins it. This is often described as the principle of 'Reveal and Protect'. Complete visibility of the devices on the network results in improved efficiency, ease of operations, and security.

When designing a system, cybersecurity architects take every measure to protect against the existing types of threats. In complex industrial environments, cybersecurity systems must also be designed to defend against new kinds of threats. Hence, a wide range of threat detection measures should be deployed that help identify a threat at the earliest.

Security architects usually employ the following measures as a part of a better threat detection technique:

Thanks to RBVM (Risk-Based Vulnerability Management) systems, the security team gets clear and accurate insights into the kind of threats, vulnerability severity, and threat actor activity. This information is then thoroughly correlated with the assets to understand the criticality of the event. Without context, the thousands of alerts generated are more of a problem than a help.

This reduces the need for human intervention in monitoring less-threatening alerts, which often crop up for a wide variety of reasons. It also helps the enterprise to better understand the risks associated with the threats and prepare ahead for a more treacherous future. An RBVM system tells us the acceptable level of risk, the probability of the risk, its severity, and the urgency with which security teams need to act on it.
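To show how asset context changes the order in which alerts are handled, here is an added Python example (not code from the original article or from Sectrio). It combines technical severity, asset criticality and observed threat activity into one score, ranks the alerts, and sets aside those below an acceptable-risk threshold. The criticality tiers, weighting factors, threshold and alert records are constructed assumptions.

```python
"""Risk-based prioritisation of vulnerability alerts.

Added example, not code from the original article or from Sectrio. The
criticality tiers, weighting factors, acceptance threshold and alert
records are constructed assumptions chosen to show why asset context
changes the order in which alerts are handled.
"""
from dataclasses import dataclass

# Constructed asset context: criticality on a 1..5 scale, where 5 is a
# safety-relevant controller and 1 is a device with no process impact.
ASSET_CRITICALITY = {
    "plc-boiler-01": 5,
    "hmi-line-2": 4,
    "historian-replica": 2,
    "corp-printer-07": 1,
}


@dataclass
class Alert:
    asset: str
    severity: float   # technical severity, e.g. a CVSS base score from 0 to 10
    exploited: bool   # threat actor activity against this weakness has been seen
    exposed: bool     # the asset is reachable from outside its own zone


def risk_score(alert):
    """Combine severity, asset criticality and likelihood into a 0..100 score.

    Likelihood multipliers (assumed): x2 when exploitation is observed in the
    wild, x1.5 when the asset is exposed beyond its zone. The product is
    capped at 3.0 (the maximum reachable) and scaled to 100.
    """
    crit = ASSET_CRITICALITY.get(alert.asset, 3)  # unknown assets: middle tier
    likelihood = 1.0
    if alert.exploited:
        likelihood *= 2.0
    if alert.exposed:
        likelihood *= 1.5
    raw = (alert.severity / 10) * (crit / 5) * likelihood
    return round(min(raw, 3.0) / 3.0 * 100, 1)


def urgency(score):
    """Translate a score into the action the security team should take."""
    if score >= 60:
        return "act now"
    if score >= 30:
        return "schedule within the maintenance window"
    return "monitor"


def prioritise(alerts, accept_below=20.0):
    """Split alerts into a ranked work queue and an accepted-risk list.

    Returns (queue, accepted); each entry is (asset, score, urgency).
    """
    scored = []
    for alert in alerts:
        score = risk_score(alert)
        scored.append((alert.asset, score, urgency(score)))
    scored.sort(key=lambda item: item[1], reverse=True)
    queue = [entry for entry in scored if entry[1] >= accept_below]
    accepted = [entry for entry in scored if entry[1] < accept_below]
    return queue, accepted


# Constructed alert feed: note the CVSS 9.8 on a printer versus the 7.5 on
# a boiler PLC whose weakness is being actively exploited.
SAMPLE_ALERTS = [
    Alert("corp-printer-07", 9.8, exploited=True, exposed=True),
    Alert("plc-boiler-01", 7.5, exploited=True, exposed=False),
    Alert("hmi-line-2", 6.0, exploited=False, exposed=True),
    Alert("historian-replica", 4.0, exploited=False, exposed=False),
]

if __name__ == "__main__":
    queue, accepted = prioritise(SAMPLE_ALERTS)
    for asset, score, action in queue:
        print(f"{asset:20s} {score:5.1f}  {action}")
    print("accepted risk:", [asset for asset, _, _ in accepted])
```

With these weights the printer's 9.8 lands below the acceptance line while the PLC's 7.5 tops the queue, which is exactly the reordering the paragraph attributes to correlating alerts with asset criticality.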

Segmentation helps with compliance with the regulatory framework and explains the security posture even to a non-technical employee. Logical segmentation using AI greatly reduces time and cost for the enterprise. Artificial Intelligence is leveraged for segmentation based on well-defined and distinct policy groups. Mapping attack vectors and predicting possible attack pathways using AI is another facet that is fast catching on in RBVM.

Monitoring a network alone is insufficient. Constant data gathering about the status of every asset, the interactions between assets, and other detailed awareness of the entire network is key to asset management.

With increased depth and breadth in analytics, overseeing asset management becomes user-friendly. Having all IT, IIoT, and OT devices under a single source changes what we learn about the assets' interactions on the network. A constant inflow of data on minute changes, including but not limited to changes in code or similar events, helps us understand the assets at a granular level, which in turn helps with optimization.

You can keep constant track of the network topology using asset management. This provides a regular feed of properly configured and misconfigured devices on the network. In parallel, one can monitor the device type, firmware level, serial number, and other basic data at all times to understand how homogeneous the network is. Thanks to the extensive use of AI-ML (Artificial Intelligence and Machine Learning), asset management and threat detection capabilities are only going to get better with time.

A remote access channel authorizes access to highly fragile and sensitive industrial network ecosystems. On misconfigured and unsecured networks, a threat can enter through remote access channels.

OT security solutions should focus on deploying remote access solutions that are secure and fast, with swift authentication. Sectrio recommends remote access only if it possesses the following characteristics:

With these in place, the MTTR (Mean Time to Respond) can be brought down, thereby reducing non-operational time.

Above all, enterprises should adopt a Zero-Trust policy and put a Least Privilege Access mechanism into action. Restricting remote access sessions by time, user, and activity is a basic yet powerful way to improve the security posture of remote access.
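The time, user and activity restrictions just described can be expressed as explicit grants evaluated with a default-deny rule. The following Python example is added here and is not code from the original article or from Sectrio; the users, targets, maintenance windows, permitted activities, session caps and sample requests are constructed assumptions.

```python
"""Least-privilege evaluation of remote access session requests.

Added example, not code from the original article or from Sectrio. The
grants (users, targets, maintenance windows, permitted activities and
session limits) and the sample requests are constructed assumptions.
"""
from datetime import datetime, time

# Constructed grants: each one binds a user to a single target, a weekday
# maintenance window, an explicit activity list and a session-length cap.
# Anything not matched by a grant is denied (default deny).
GRANTS = [
    {
        "user": "vendor-tech-a",
        "target": "plc-boiler-01",
        "days": {0, 1, 2, 3, 4},              # Monday to Friday
        "window": (time(8, 0), time(17, 0)),  # local maintenance hours
        "activities": {"read_diagnostics", "view_logic"},
        "max_minutes": 60,
    },
    {
        "user": "ot-engineer-b",
        "target": "plc-boiler-01",
        "days": {0, 1, 2, 3, 4},
        "window": (time(8, 0), time(17, 0)),
        "activities": {"read_diagnostics", "view_logic", "download_logic"},
        "max_minutes": 120,
    },
]


def evaluate(user, target, activity, when, minutes):
    """Return (allowed, reason) for one session request.

    Checks run in order: a grant must exist for the user and target, the
    request must fall inside the window, the activity must be listed, and
    the requested duration must not exceed the cap.
    """
    for grant in GRANTS:
        if grant["user"] != user or grant["target"] != target:
            continue
        start, end = grant["window"]
        if when.weekday() not in grant["days"] or not (start <= when.time() < end):
            return False, "outside the approved maintenance window"
        if activity not in grant["activities"]:
            return False, f"activity '{activity}' is not granted to {user}"
        if minutes > grant["max_minutes"]:
            return False, f"{minutes} min exceeds the {grant['max_minutes']} min cap"
        return True, "granted"
    return False, f"no grant exists for {user} on {target}"


def review_log(requests):
    """Evaluate a batch of requests; returns a list of (request, allowed, reason)."""
    return [(req, *evaluate(*req)) for req in requests]


# Constructed requests: (user, target, activity, timestamp, minutes).
# 2022-07-19 is a Tuesday, so it falls inside the weekday window.
SAMPLE_REQUESTS = [
    ("vendor-tech-a", "plc-boiler-01", "read_diagnostics", datetime(2022, 7, 19, 10, 0), 30),
    ("vendor-tech-a", "plc-boiler-01", "download_logic", datetime(2022, 7, 19, 10, 0), 30),
    ("vendor-tech-a", "plc-boiler-01", "read_diagnostics", datetime(2022, 7, 19, 23, 30), 30),
    ("ot-engineer-b", "plc-boiler-01", "download_logic", datetime(2022, 7, 19, 10, 0), 90),
    ("ot-engineer-b", "plc-boiler-01", "download_logic", datetime(2022, 7, 19, 10, 0), 240),
    ("ot-engineer-b", "hmi-line-2", "view_logic", datetime(2022, 7, 19, 10, 0), 30),
]

if __name__ == "__main__":
    for req, allowed, reason in review_log(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "DENY ", req[0], req[1], req[2], reason)
```

Every denial carries a reason, which is what a SOC needs when reviewing remote access logs: a vendor asking for an activity outside its grant, or a session after hours, is visible as such rather than as an anonymous failure.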

Information like the firmware version and last configuration details of a device is vital to understanding the 'last known good state' of an asset on a network during disaster recovery. A well-organized configuration control capable of listing the user-made or malware-made changes to a device or the network is critical to building the security posture of the network.

Every hardware component, software process, and associated setting should be carefully monitored, configured, and documented as part of the Configuration Control console. It helps in managing and controlling each device throughout its lifecycle. The key goal of the system is to ensure the entire network moves away from its original design to an operationally sound and hardened configuration, as per the needs of the industry segment. Often the configuration control system follows a closed loop and goes deep into the network, gathering better insights and other useful data. It ensures that:

The Configuration Control console also assesses whether the current configuration meets compliance standards. This enables the enterprise to meet industry regulations, IT/OT cybersecurity standards, and other compliance requirements.
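The asset-management passage earlier (device type, firmware level, serial number, newly seen and missing devices) and the configuration-control passage just above (a recorded last known good state and a list of what changed since) share the same mechanism: a baseline compared against a later snapshot. The Python example below is added here to serve both and is not code from the original article or from Sectrio; the baseline inventory and the observed snapshot are constructed.

```python
"""Asset baseline reconciliation and configuration drift reporting.

Added example, not code from the original article or from Sectrio. It
serves both the asset-management passage (device type, firmware level,
serial number, newly seen devices) and the configuration-control passage
(recording a last known good state and listing the changes since). The
baseline and the observed snapshot are constructed.
"""
import hashlib
import json


def config_hash(config):
    """Stable fingerprint of one device configuration (canonical JSON, SHA-256)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_baseline(assets):
    """Record the last known good state: identity fields, the config and its hash."""
    return {
        asset["id"]: {
            "type": asset["type"],
            "serial": asset["serial"],
            "firmware": asset["firmware"],
            "config": dict(asset["config"]),
            "config_hash": config_hash(asset["config"]),
        }
        for asset in assets
    }


def diff_config(old, new):
    """List (kind, key, old value, new value) for every differing setting."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            changes.append(("added", key, None, new[key]))
        elif key not in new:
            changes.append(("removed", key, old[key], None))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes


def reconcile(baseline, observed):
    """Compare an observed snapshot with the baseline; returns a list of findings."""
    findings = []
    seen = set()
    for dev in observed:
        seen.add(dev["id"])
        base = baseline.get(dev["id"])
        if base is None:
            findings.append({"id": dev["id"], "finding": "new_device", "detail": dev["type"]})
            continue
        if dev["serial"] != base["serial"]:
            findings.append({"id": dev["id"], "finding": "serial_mismatch",
                             "detail": (base["serial"], dev["serial"])})
        if dev["firmware"] != base["firmware"]:
            findings.append({"id": dev["id"], "finding": "firmware_drift",
                             "detail": (base["firmware"], dev["firmware"])})
        if config_hash(dev["config"]) != base["config_hash"]:
            findings.append({"id": dev["id"], "finding": "config_drift",
                             "detail": diff_config(base["config"], dev["config"])})
    for dev_id in baseline:
        if dev_id not in seen:
            findings.append({"id": dev_id, "finding": "missing_device", "detail": None})
    return findings


# Constructed baseline, taken when the plant was last verified as healthy.
BASELINE_ASSETS = [
    {"id": "plc-boiler-01", "type": "PLC", "serial": "SN-1001", "firmware": "2.1.4",
     "config": {"setpoint_max": 110, "remote_write": False, "ntp": "10.20.0.5"}},
    {"id": "hmi-line-2", "type": "HMI", "serial": "SN-2002", "firmware": "5.0",
     "config": {"auto_logout_min": 15}},
    {"id": "historian-01", "type": "historian", "serial": "SN-3003", "firmware": "7.2",
     "config": {"retention_days": 365}},
]

# Constructed later snapshot from passive discovery: the PLC's limit was raised
# and remote writes enabled, the HMI was upgraded, the historian is silent,
# and an unexpected laptop has appeared on the network.
OBSERVED_ASSETS = [
    {"id": "plc-boiler-01", "type": "PLC", "serial": "SN-1001", "firmware": "2.1.4",
     "config": {"setpoint_max": 250, "remote_write": True, "ntp": "10.20.0.5"}},
    {"id": "hmi-line-2", "type": "HMI", "serial": "SN-2002", "firmware": "5.1",
     "config": {"auto_logout_min": 15}},
    {"id": "unknown-laptop", "type": "workstation", "serial": "?", "firmware": "?",
     "config": {}},
]

if __name__ == "__main__":
    for finding in reconcile(build_baseline(BASELINE_ASSETS), OBSERVED_ASSETS):
        print(finding["id"], finding["finding"], finding["detail"])
```

The hash alone tells you that a device drifted; the stored copy of the baseline config is what lets the console list the individual changes (here a raised setpoint limit and remote writes switched on), which is the detail a recovery team needs to restore the last known good state.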

Cyber threats are everywhere. A small vulnerability in code can give access to critical infrastructure, leading to a complete takeover. A ransomware attack or even a targeted, high-level state-sponsored attack can be avoided by following strict policies across every aspect of an enterprise.

We have compiled a list of OT security best practices that keep your industrial networks safe and secure from cyber threats. Do remember that these practices, coupled with strong OT security solutions, ensure your network is secure.

Many enterprises see frameworks and standards as separate from OT cybersecurity. Yet it is these frameworks and standards that help an enterprise devise a robust cybersecurity program to protect its assets and the valuable data of its clients. While a standard is a well-defined instruction manual for every stage, a framework is much broader, comprising the documentation and processes that an enterprise needs to adhere to and follow. One can see frameworks as blueprints for assessing, monitoring, mitigating, and reducing risks and vulnerabilities.

While the general need for OT cybersecurity may be well-defined and understood, the real gist depends on how a CISO perceives it and communicates it to the security team. Connecting industrial workplaces to the internet (cloud) is a game-changer. It helps efficiency, optimal use of resources, and production. Enterprises will be able to leverage emerging tools like Artificial Intelligence and Machine Learning to better understand workflows, processes, and other crucial analytics.

This can be achieved only if the OT systems are secure from both within and outside. Whether your enterprise's OT system comprises 1,000 or 10,000 devices, securing them at every level, patching them from time to time, and deploying OT cybersecurity tools will be the only way forward.

At the recent (12th of July, 2022) OT Cybersecurity Expert Panel (OTCEP), Singapore’s Minister Josephine Teo outlined the nation’s approach to neutralizing OT threats.

*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Sectrio. Read the original post at: https://sectrio.com/complete-guide-to-operational-technology-ot-security/