Protect Industrial Control Systems from Cyber Threats By Securing the Operational Technology Network

IT security best practices such as network segmentation, asset discovery and anomaly detection can be applied to the OT layer without putting operational reliability at risk

By: Leo Kershteyn
Over the years, the need for more efficient manufacturing and industrial process control has led to advances such as the Industry 4.0 standards and a general push toward smart manufacturing. Industrial companies have increasingly adopted industrial internet of things (IIoT) devices to improve productivity and efficiency, while also reducing manufacturing error rates by providing relevant, real-time feedback to their process control systems. Unfortunately, these advancements also introduce more cybersecurity risk that must be managed.
Today, many manufacturing companies, utilities, and energy and gas providers have hundreds if not thousands of IIoT devices incorporated into their networks. Because this new technology was in some instances adopted with limited security controls, these companies have significantly increased their attack surface for the sake of efficiency.
Adding to the challenge, Operational Technology (OT) networks are notoriously outdated. Many were architected and deployed decades ago on the assumption that the manufacturing environment is air-gapped and therefore does not need the same level of cybersecurity protection as the IT network. OT networks often were architected with a flat topology using IT equipment that may have been scoped appropriately at the time of deployment, but after decades of use is no longer supported by its manufacturers.
There are some basic steps that can be taken, however, to mitigate the expanding attack surface and secure the OT network. Once you have a good understanding of risk associated with the current state, here are some key ways to improve security while still balancing operational reliability and efficiency.
1. Overcome Yesterday’s Architecture
The concept of air-gapped OT networks is, for the most part, no longer valid due to increasing demand from business owners for connectivity that facilitates enhanced visibility and integration into the processes, and real-time information available from their factory floors. Due to the inherent risks associated with the network connectivity required to maintain this level of business process integration with industrial operations, an OT network possessing a flat topology should be rearchitected into proper enforcement zones and security layers that separate and control traffic routes an attacker might otherwise exploit to gain access to industrial processes.
A good reference framework for this type of high-level segmentation is the industry-standard Purdue Enterprise Reference Architecture model, which divides the network into five primary layers aligned with the ISA-95 manufacturing enterprise control model. Each level of the Purdue model contains specific technology components associated with the manufacturing business and its industrial processes. In this model, each level is separated by enforcement zones containing security controls such as firewalls and IDS/IPS appliances. A demilitarized zone (DMZ) between Purdue level 3 (manufacturing or “OT” network) and Purdue level 4 (business or “enterprise” network) is essential for controlling and securing traffic flows between the two. Further segmentation and enforcement of network traffic controls down to the manufacturing process or “cell” area will yield even more granular security control.
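The zone model above can be turned into a concrete check against observed traffic. The following is an added example, not code from the article or from Secureworks: hosts are assigned a Purdue level (the DMZ between levels 3 and 4 is modelled as level 3.5), and each flow is tested against two rules the text implies: enterprise hosts may reach only the DMZ, never the OT levels beneath it, and inside OT a flow may cross at most one level boundary. The IP addresses, the level assignments and the flow records are all constructed for the example.

```python
"""Purdue-model flow policy audit (added example; hosts and flows are constructed).

Levels: 4 = enterprise, 3.5 = industrial DMZ, 3 = site operations,
2 = supervisory (HMI/SCADA), 1 = basic control (PLC/RTU), 0 = field devices.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed asset-to-level inventory (hypothetical hosts).
ASSET_LEVELS = {
    "10.0.4.10": 4.0,   # enterprise ERP server
    "10.0.3.5": 3.5,    # DMZ historian replica / jump host
    "10.0.3.20": 3.0,   # site historian
    "10.0.2.7": 2.0,    # HMI workstation
    "10.0.1.3": 1.0,    # PLC
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def flow_violation(flow: Flow, levels=ASSET_LEVELS) -> Optional[str]:
    """Return None if the flow obeys the zone model, otherwise a reason string."""
    s = levels.get(flow.src)
    d = levels.get(flow.dst)
    if s is None or d is None:
        # A host missing from the inventory is itself a finding: the
        # segmentation policy cannot be evaluated for an unknown asset.
        return "unknown asset"
    if s == d:
        return None
    lo, hi = sorted((s, d))
    # Enterprise (level 4 and up) may only terminate in the DMZ (3.5).
    if hi >= 4.0 and lo < 3.5:
        return "enterprise-to-OT traffic bypasses the DMZ"
    # Within OT, adjacent levels only: level 3 must not reach level 1 directly.
    if hi - lo > 1.0:
        return f"flow crosses {hi - lo:g} levels"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow that breaks the zone model."""
    findings = []
    for f in flows:
        reason = flow_violation(f)
        if reason is not None:
            findings.append((f, reason))
    return findings


# Constructed sample flows, e.g. exported from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.0.4.10", "10.0.3.5", 443),    # ERP -> DMZ: allowed
    Flow("10.0.3.5", "10.0.3.20", 1433),   # DMZ -> site historian: allowed
    Flow("10.0.4.10", "10.0.1.3", 502),    # ERP -> PLC: bypasses DMZ
    Flow("10.0.3.20", "10.0.1.3", 502),    # historian -> PLC: skips level 2
    Flow("10.0.2.7", "10.0.1.3", 502),     # HMI -> PLC: allowed
    Flow("192.168.9.9", "10.0.1.3", 502),  # unmapped host -> PLC
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Running the audit over exported firewall or flow logs is a cheap way to find the cross-level paths that a flat topology leaves open before deciding where the enforcement zones and DMZ have to be inserted.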
2. Bring IT security best practices to the OT network layer
Aside from basic network hygiene best practices, there are two overarching cybersecurity considerations for an OT network that can contribute to a significantly enhanced overall security posture:
- Asset discovery and inventory: IT network managers tend to have a good grasp of what devices are located on their IT networks, because those devices are IP addressable and can be inventoried relatively easily with automated network tools. That generally is not the case at the lower layers of an OT network where the ICS process controllers and field devices exist. These devices often use proprietary protocols and non-IP communication buses that are not directly reachable for automated inventory. Further complicating the matter is the fact that even if they are reachable, they cannot be actively polled without jeopardizing the reliability of a running industrial process. Because the IT teams who are familiar with detailed device inventory best practices are not able to easily deploy a security solution that will provide device visibility across the entire OT network and its ICS subnetworks, they must rely on either plant engineering or plant maintenance groups to keep track of device inventory, which often is either not kept at all or is grossly inaccurate.
- Anomaly detection: IT networks often have multiple security controls deployed to identify anomalous behavior, such as firewalls, IDS/IPS, EDR and DLP solutions that relay information to a SIEM and allow SOC operators to act before a severe cybersecurity incident occurs. That same level of detection capability traditionally has been missing in OT networks – outside of what the SCADA software can provide – due to complications such as inability to put endpoint detection sensors on OT endpoints, sensitivity to exposing operational data to non-operational network segments, and fear of interrupting the manufacturing process. In most cases, a firewall and some security monitoring available with the SCADA software is all you get.
An Increased Focus on OT Sensors that Balance Security and Operations
Several recent and highly publicized security breaches in the OT space have added impetus to driving cybersecurity controls. Smart cybersecurity entrepreneurs are listening. In recent years, some vendors have developed specific OT network sensors that can operate at most levels of the Purdue model. These sensors can passively listen to communication between industrial devices without risk to the industrial process and can identify, classify, and even logically segment them based on pre-determined security policies. OT sensors also can identify anomalous conversations between devices on the OT network, and even identify malware and suspicious activity using their integrated IDS engine. Other tools providing more control over network traffic flow – such as data diodes and properly configured firewalls – are becoming more common, as business owners and risk managers increasingly realize the importance of securing the OT space.
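The two capabilities described above, passive asset inventory and anomaly detection, can be illustrated on the kind of conversation summaries a passive OT sensor would emit. The following is an added example written for this article, not code from the article or from any sensor vendor. The records are constructed to resemble Modbus/TCP request summaries (timestamp, client, server, function code); only the Modbus function codes themselves are real. A baseline is learned from a capture window without any polling of the devices, the inventory is derived from who talks to whom, and later records are flagged when a new host appears, a known host opens a conversation not seen before, or a known pair uses a new function code (with write functions rated high).

```python
"""Passive OT inventory and anomaly detection over captured conversation
summaries (added example; hosts and records are constructed)."""
from collections import defaultdict

# Real Modbus function codes, used only for labelling and severity.
WRITE_FUNCS = {5, 6, 15, 16}
FUNC_NAMES = {
    1: "read coils", 3: "read holding registers",
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
}


class PassiveBaseline:
    """Learns assets and conversation patterns purely from observed traffic."""

    def __init__(self):
        self.assets = set()
        self.pairs = defaultdict(set)  # (client, server) -> function codes seen

    def learn(self, records):
        for _, src, dst, func in records:
            self.assets.update((src, dst))
            self.pairs[(src, dst)].add(func)
        return self

    def inventory(self):
        """Infer roles passively: request senders are clients (HMI/SCADA/historian),
        request receivers are servers (PLC/RTU). No device is ever polled."""
        roles = {}
        for src, dst in self.pairs:
            roles.setdefault(src, set()).add("client")
            roles.setdefault(dst, set()).add("server")
        return {host: sorted(r) for host, r in roles.items()}

    def detect(self, records):
        """Compare records against the frozen baseline; the baseline is not
        updated here so a repeated anomaly keeps alerting. Returns
        (timestamp, kind, severity, detail) tuples."""
        alerts = []
        for ts, src, dst, func in records:
            if src not in self.assets or dst not in self.assets:
                alerts.append((ts, "new-asset", "high",
                               f"unknown host in {src}->{dst}"))
            elif (src, dst) not in self.pairs:
                alerts.append((ts, "new-conversation", "medium",
                               f"{src}->{dst} never seen in baseline"))
            elif func not in self.pairs[(src, dst)]:
                sev = "high" if func in WRITE_FUNCS else "low"
                alerts.append((ts, "new-function", sev,
                               f"{src}->{dst} first use of {FUNC_NAMES.get(func, func)}"))
        return alerts


# Constructed baseline window: HMI reads both PLCs and writes setpoints to
# PLC1; the site historian only reads PLC1.
BASELINE = [
    (0, "10.0.2.7", "10.0.1.3", 3),
    (1, "10.0.2.7", "10.0.1.4", 3),
    (2, "10.0.2.7", "10.0.1.3", 16),
    (3, "10.0.3.20", "10.0.1.3", 3),
]

# Constructed later window containing departures from the baseline.
LATER = [
    (100, "10.0.2.7", "10.0.1.3", 3),     # normal HMI read
    (101, "10.0.3.20", "10.0.1.3", 16),   # historian writes registers
    (102, "10.0.2.7", "10.0.1.4", 16),    # HMI writes to PLC2 for the first time
    (103, "10.0.4.10", "10.0.1.3", 3),    # unknown (enterprise) host reads PLC1
    (104, "10.0.3.20", "10.0.1.4", 3),    # historian opens new conversation
]


def run_example():
    """Return (inventory, alerts) for the constructed windows."""
    baseline = PassiveBaseline().learn(BASELINE)
    return baseline.inventory(), baseline.detect(LATER)


if __name__ == "__main__":
    inventory, alerts = run_example()
    for host, roles in sorted(inventory.items()):
        print(host, ",".join(roles))
    for ts, kind, sev, detail in alerts:
        print(ts, kind, sev, detail)
```

The severity rule is the part worth tuning per site: a read from an unexpected peer is a visibility event, whereas a write from a host that has only ever read is the pattern an operator wants in front of the SOC immediately, and it is detected here without ever sending a packet toward the controller.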
In addition to appliance solution vendors, organizations like Secureworks® have evolved OT security monitoring services by adding personnel with industrial operational and security experience as well as the skills to build playbooks that can help alert on the presence of malware and anomalous operational behavior.