Are your OT systems well protected?

Cristina De Luca -

April 07, 2021

Safeguarding industrial environments is now crucial. As attacks and the exploitation of vulnerabilities grow, risk approaches focused on so-called Operational Technology (OT) are increasingly necessary.

OT is a comprehensive term for the hardware and software that monitor and control physical devices, machines and processes, notably in industrial control systems (ICS) such as SCADA. It extends across value chains in sectors such as steel, oil and gas, chemicals, renewable energy and manufacturing, where systems must operate 24 hours a day, 7 days a week.

The convergence of IT and OT is still the biggest driving force behind the transformation into industrial IT. Machines that used to run as isolated modules are now connected, and IoT sensors deliver data on every aspect of production. This convergence gives organizations a unified view of industrial systems, along with process management solutions that deliver accurate information to people, machines, switches, sensors and devices at the right time and in the best format. And when IT and OT systems work in harmony, new efficiencies are discovered.

There are now many more interfaces and contact points between different areas in manufacturing – notably IT, OT and IIoT – than before, and this poses its own challenges. As industrial systems become more connected, they are also more exposed, generating a number of new security risks. An attack that starts in an email inbox can now interrupt processes on the shop floor far more easily than it could when production networks were isolated.

Let’s look at some examples. In January 2020, Belgian weaving machine manufacturer Picanol was hit by a ransomware attack that paralyzed production at its factories in Belgium, China and Romania. In March of the same year, a “WildPressure” attack campaign used a Trojan horse to attack targets in the Middle East to extract information from different devices. And in April, the supervisory control and data acquisition systems (SCADA) of Israel’s water supply and wastewater treatment facilities were the target of a cyber attack.

A recent Kaspersky report covering the second half of 2020 shows that attacks against industrial control systems (ICS) grew again after 12 months of decline. The percentage of ICS computers attacked in the last six months of the year was 33.4%, an increase of 0.85 percentage points. All the industries surveyed showed growth in cyber attacks, with the largest increases in the energy, oil & gas, and engineering & integration segments.

Safety has always been the main reason for isolating production. Machines and installations have always been protected from the outside world. Exposing the shop floor so that machines can communicate with customers (allowing them to place direct orders, for example) and with other aspects of the infrastructure requires opening OT in new ways.

The problem

Security, therefore, plays a central role in the convergence of IT with OT. But the proprietary systems and protocols developed for industry are not compatible with classic IT. Industrial protocols and standards such as MQTT, Modbus TCP or OPC UA are simply not understood by classic IT tooling, which makes communication between IT and OT difficult. Most IT monitoring tools just “speak IT”, meaning they only support classic IT protocols and techniques such as Ping, SNMP, flow export and packet sniffing. As a result, security technologies that work in an IT environment will not necessarily work in an OT environment.

There is a need for a common “language” to ensure that the components of different technologies communicate. To fill this gap, the OPC UA standard has been growing as a widely adopted option – and this trend is expected to continue for years to come.

In addition, threats can be different in the IT and OT environments. So, a threat intelligence structure needs to be set up so that the company can be up to date with the latest threat information and be prepared to deal with it.

Fortunately, solutions that give complete visibility of the ecosystem are beginning to emerge. Using them together with the right security policies makes it possible to put an effective OT strategy in place, protecting processes, people and profits, and significantly reducing security vulnerabilities and incidents.

What to do then?

To keep OT systems protected, experts recommend:

  1. The use of event monitoring, analysis and detection solutions;
  2. Conducting security audits of the operational technology (OT) systems on a regular basis to identify and eliminate potential vulnerabilities;
  3. Regularly updating the operating systems and programs that are part of the company’s industrial network, and applying security patches as they become available;
  4. Offering specific training in industrial control systems (ICS) security, both for the IT team and for the OT team;
  5. Providing these teams with access to up-to-date reports to increase the level of protection of industrial control systems; and
  6. Having a security solution created specifically for industrial equipment and networks.

Every OT risk that risk management considers relevant must have an owner and be monitored by the control function, so that it becomes part of corporate risk management. Regular risk assessments should be carried out in all environments to identify vulnerabilities and to ensure that appropriate security controls are in place. This covers information security and cyber risks as well as the usual OT operational risks.

Along this line, since the end of last year the monitoring platform PRTG Network Monitor, from Paessler, has fully supported the communication standards of industrial IT environments. This allows PRTG to monitor data from the shop floor using native sensors for OPC UA, MQTT and Modbus TCP. The result is a holistic approach to monitoring industrial IT, allowing data generated in OT and IT environments to be visualized side by side.

PRTG can be scaled to infrastructure of any size. Its architecture allows locally and geographically distributed environments to be monitored with a single installation, a single license and a central dashboard. This matters when the IT and OT environments are growing together. It helps to structure and organize complex configurations, and also allows complex organizational structures to be mapped onto dashboards and business services.

In addition, several specialized layers of defense are needed. This concept, known as “Defense in Depth”, rests on the assumption that an attacker who gets past one layer of security is still stopped, or at least detected, by the next, keeping your core network more secure.

For OT, network segmentation offers one such layer. This may mean that the OT network is separated from the IT network by an industrial demilitarized zone (vertical segmentation), or that the OT network itself is divided into several “zones” (horizontal segmentation). Segmentation makes it harder for threats to reach the production network, and if they do get in, harder still to move on and compromise other zones.

Industrial firewalls often provide another layer. Like firewalls in IT networks, they protect industrial control systems by keeping unwanted traffic out of the network, typically by allowing only known hosts and industrial protocols between zones.

Finally, there is also a need for deep packet inspection (DPI), a mechanism that examines the content of data packets, from the header to the payload, to identify the protocol and the functions being invoked. The data can also be checked against a set of rules to confirm that it is not anomalous. This allows far more detailed rules than a conventional firewall, which sees only addresses and ports, can enforce: for example, permitting a Modbus read of registers while blocking a write to the same device.

DPI forms the basis for two specific cyber security controls for OT: industrial intrusion detection systems (IDS) and industrial intrusion prevention systems (IPS). In an OT environment, both operate on network traffic and react when anomalous data is discovered; the difference is that an IDS observes a copy of the traffic and raises a notification, whereas an IPS sits inline and can also block the offending traffic. Because blocking a legitimate control message can itself stop production, many plants start with passive IDS and move to prevention only for well-understood rules.

DPI therefore goes far beyond a “peek” into the data stream. It helps to achieve full transparency of communication: knowing who is joining the network, who is communicating with whom, which protocol is in use (identifiable from the handshake even when the payload is encrypted), how much traffic there is, and so on. All of this is highly relevant information for both cybersecurity and network monitoring.
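To make the firewall, DPI and IDS/IPS discussion above concrete, here is a small Modbus/TCP inspection routine. It is an added example written for this article, not code from Paessler, PRTG or any product named on the page. It parses the MBAP header and function code of each request, validates the frame, and applies zone-aware rules in the spirit of vertical and horizontal segmentation: HMIs may only read, engineering workstations may write but every write is alerted on, and anything else (including diagnostic and malformed frames) is dropped. The IP ranges, zone names and sample frames are constructed for the example; only the Modbus frame layout and function codes come from the Modbus Application Protocol specification.

```python
"""Zone-aware Modbus/TCP deep packet inspection (added example, hypothetical zones)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple

# Modbus function codes as defined in the Modbus Application Protocol spec.
READ_CODES = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 23}   # write single coil/register, write multiple, read/write multiple
DIAG_CODES = {8, 43}               # diagnostics, encapsulated interface transport

# Constructed zone model: which subnet plays which role (hypothetical addresses).
ZONES = {
    "10.10.1.0/24": "engineering",
    "10.10.2.0/24": "hmi",
    "10.10.3.0/24": "plc",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject inconsistent frames."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} != actual {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "untrusted"


def inspect(src_ip: str, dst_ip: str, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow', 'alert' or 'drop'."""
    if zone_of(dst_ip) != "plc":
        return "drop", "Modbus towards a non-PLC destination"
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    src_zone = zone_of(src_ip)
    fc = req.function_code
    if fc in READ_CODES and src_zone in ("engineering", "hmi"):
        return "allow", f"read fc={fc} from {src_zone}"
    if fc in WRITE_CODES:
        if src_zone == "engineering":
            # Writes are legitimate from engineering but worth a change-control alert.
            return "alert", f"write fc={fc} from engineering to unit {req.unit_id}"
        return "drop", f"write fc={fc} from {src_zone}"
    if fc in DIAG_CODES:
        return "drop", f"diagnostic fc={fc} from {src_zone}"
    return "drop", f"function code {fc} not in policy"


# Constructed sample traffic: (src, dst, raw Modbus/TCP payload).
SAMPLE_TRAFFIC = [
    ("10.10.2.5", "10.10.3.10", bytes.fromhex("00010000000601030000000a")),  # HMI reads 10 regs
    ("10.10.2.5", "10.10.3.10", bytes.fromhex("000200000006010600100001")),  # HMI writes reg 0x10
    ("10.10.1.7", "10.10.3.10", bytes.fromhex("000200000006010600100001")),  # engineering writes
    ("192.0.2.9", "10.10.3.10", bytes.fromhex("000300000006010800040000")),  # diagnostics, untrusted
    ("10.10.2.5", "10.10.3.10", bytes.fromhex("00040000002001030000000a")),  # bad length field
]


def run_samples():
    """Inspect the constructed traffic and return the list of verdicts."""
    return [inspect(src, dst, data)[0] for src, dst, data in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, dst, data), (verdict, reason) in zip(SAMPLE_TRAFFIC, [inspect(*t) for t in SAMPLE_TRAFFIC]):
        print(f"{src:>10} -> {dst}: {verdict:5} ({reason})")
```

In a real deployment the same logic would run on a span port (IDS, log only) or inline (IPS, returning "drop" means the frame is discarded); the length check matters because a frame whose MBAP length disagrees with its size is either corrupted or crafted to confuse a less careful parser.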

It is also important to bear in mind that encryption is still not widely used in OT, and probably will not be in the medium term because of a number of practical challenges, so monitoring and segmentation carry more of the burden than they do in IT.

Network segmentation, encryption, firewalls, gateways, DPI-based monitoring and other measures (not forgetting awareness training) must be implemented and used systematically, based on the company’s specific infrastructure, architecture and requirements, to achieve a good level of security.