OT Security: Risks, Challenges and Securing your Environment
Before the revolution of Information Technology (IT), the world experienced the revolution of Operational Technology (OT). Operational Technology is the combination of hardware and software that controls and operates the physical mechanisms of industry. OT systems play an important role in the water, manufacturing, power, and distribution systems that transformed industry into the modern age. All of these systems function to operate, automate, and manage industrial machines. With the rise of the internet within the industrial sector, OT systems are also being exposed to the same disruptive threats that exist for all internet-connected devices, such as intellectual property theft, Distributed Denial of Service (DDoS) botnets, and ransomware attacks.
Difference between IT and OT
Traditionally, OT and IT networks have been managed and monitored separately. IT and OT systems share the same tools, but they are used in different ways. Unlike IT tools, OT tools are designed to interact with machines. Their main purpose is to ensure that industrial control systems operate correctly and that devices remain highly available. Running legacy software makes OT systems more vulnerable to threats that can affect these high-availability requirements. Generally, OT systems were “air-gapped” from the IT network, running in a separate, siloed environment away from the internet. However, with the introduction of the Industrial Internet of Things (IIoT), systems can be controlled and monitored remotely, taking full advantage of networks and software.
Remote capabilities help organizations decrease costs and increase efficiency. However, this means that the air gaps are decreasing rapidly. This has made OT more accessible and open to cyber threats.
What is Operational Technology Security?
Historically, OT security was limited to protection of the physical plant because OT systems were not connected to the internet. Strong perimeter gates and human-based access controls, such as security guards, were the standard and served as highly visible deterrents to intrusions. The protection of the technology was highly conspicuous.
Why are OT networks at risk?
Internet connectivity introduces ease of operability, but this transformation has also exposed these systems to vulnerabilities that cannot be stopped by an armed guard. Worse yet, an attack on the physical systems can destroy these highly valuable machines, as the Stuxnet attack proved. Can industrial networks be secured without causing any disruption in operations?
According to the 2020 Global IoT/ICS Risk Report, 71% of these networks have outdated operating systems that are no longer receiving security updates, 64% are using insecure passwords, and 66% are not updated with the latest antivirus updates. This presents the following problems:
- Direct Internet Connections: Most organizations have direct connections to the public internet. It is common knowledge that only one internet-connected device is enough to provide a gateway for attackers to introduce malware into OT networks.
- Insecure Passwords: Operators have been using insecure passwords for convenient entry to the networks. This makes it easy for attackers to use brute-force discovery of credentials to gain unauthorized operator access.
- Unnecessary Exposure: Many industries have at least one misconfigured wireless access point that many devices such as laptops can access. To prevent malware attacks, access point configurations must be audited to reveal any misconfigurations.
- Outdated Operating System: An outdated operating system that no longer receives security updates is extremely vulnerable to security attacks. All machines, including access points, must be inventoried and patched to the latest manufacturer's specifications to prevent compromise.
Challenges in OT Threat Detection
Over the past years, several OT threat detection tools and software products have come onto the market. But there are a few challenges in OT threat detection:
- Limited cybersecurity skills in operations, and limited manufacturing knowledge in the Security Operations Center (SOC).
- Threats are continuously changing, and adversaries are advancing their techniques.
- No single tool or sensor can provide visibility into all threats.
- Sensitivity in Industrial Control System environments requires many tools to be passive, meaning that they cannot automatically trigger a shut-down event in the absence of a bona fide failure.
- Legacy equipment and vendor restrictions limit endpoint tool coverage.
How should organizations secure their OT environment?
Managing operational technology security is one of the most important tasks for organizations. To secure an OT environment from any type of cyber threat, organizations can create a Smarter Security Operations Center using the MITRE ATT&CK framework. The information in MITRE ATT&CK will help organizations to protect themselves.
A few important processes that may immediately help you in securing your OT environment include:
- Secure Access/Centralized Logging: Providing secure access is challenging for many organizations. Organizations need to establish different access for different users via various access routes. To provide secure access, user access should be secured by multi-factor authentication. Secure access control can be achieved with centralized logging. Centralized logging helps to manage and analyze all logs to identify security gaps, and optimize defense.
- Asset Management: OT systems serve as the brain of any industry, and an organization’s primary task is to protect them. Many OT systems face a lack of visibility. Many organizations do not know the exact number of OT systems they have in their organization. As a part of asset management, every organization must have a full inventory of their OT systems. This will enable them to know what they are protecting, and plan accordingly.
- Software Vulnerability Analysis: Organizations must be cognizant of all software versions, updates, and compatibility with the OT systems in the environment. Vulnerability scanning is also an important part of understanding where weaknesses may exist.
- Patching Management: Patching is an important part of hardware and software stewardship. Organizations must know the patching requirements of the assets in their possession. OT patching is a complex process, so the process must be handled judiciously. This means that sometimes, automatic OT patching may not be the best approach. However, that does not preclude the need for a thorough patching plan.
- Network Segmentation: Network segmentation is the clear demarcation between unrelated networks. The aim is to divide large networks according to their respective functions. Segmentation can assist in isolating a compromise. For example, an attack against the development network will not affect the sales network. Instead of creating a new network design from scratch, a company should follow an established procedure, such as the Purdue Model, to establish system-to-system connectivity.
- Backup Management: Data backups are the most effective way of recovering from data loss. Organizations must regularly perform backups. There are different backup methodologies, as well as best practices to ensure that backups are protected.
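As an added illustration (not part of the original article), the Python example below checks observed network flows against a Purdue-style zone plan, covering both the Direct Internet Connections risk and the Network Segmentation step described above. The subnets, level assignments, sample flows and the conduit policy (same or adjacent levels only, IT/OT traffic terminating in a level 3.5 DMZ, only enterprise hosts reaching the Internet) are assumptions made for the example.

```python
import ipaddress

# Assumed zone plan (constructed): subnet -> Purdue level; 3.5 is the industrial DMZ.
ZONES = {
    "10.10.1.0/24": 1,     # basic control (PLCs)
    "10.10.2.0/24": 2,     # supervisory control (HMI/SCADA)
    "10.10.3.0/24": 3,     # site operations (historian, engineering workstations)
    "10.10.35.0/24": 3.5,  # industrial DMZ (jump host, patch relay)
    "10.20.0.0/16": 4,     # enterprise IT
}
NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()]
ORDER = [0, 1, 2, 3, 3.5, 4]  # adjacency is judged by position in this list

def level_of(addr):
    """Purdue level of an address, 'internet' for public space, None if unknown."""
    ip = ipaddress.ip_address(addr)
    for net, lvl in NETS:
        if ip in net:
            return lvl
    return "internet" if ip.is_global else None

def check_flow(src, dst):
    """Classify one observed flow against the assumed conduit policy."""
    a, b = level_of(src), level_of(dst)
    if a is None or b is None:
        return "unknown-asset"        # address missing from the inventory
    if "internet" in (a, b):
        # Assumed policy: only enterprise IT (level 4) may reach the Internet.
        return "ok" if 4 in (a, b) else "direct-internet"
    lo, hi = sorted((a, b))
    if ORDER.index(hi) - ORDER.index(lo) <= 1:
        return "ok"                   # same level or adjacent levels
    # IT <-> OT traffic must terminate in the DMZ, not pass straight through.
    return "bypasses-dmz" if lo <= 3 and hi >= 4 else "skips-level"

def audit(flows):
    """Return (src, dst, verdict) for every flow that violates the policy."""
    checked = ((s, d, check_flow(s, d)) for s, d in flows)
    return [row for row in checked if row[2] != "ok"]

# Constructed sample flows, e.g. as exported from a passive network sensor.
FLOWS = [
    ("10.10.2.15", "10.10.1.20"),    # HMI -> PLC
    ("10.20.4.7", "10.10.1.20"),     # enterprise laptop -> PLC
    ("10.10.3.5", "10.10.35.10"),    # historian -> DMZ relay
    ("10.10.1.20", "8.8.8.8"),       # PLC -> public address
    ("10.10.3.9", "10.10.1.21"),     # engineering workstation -> PLC
    ("192.168.50.4", "10.10.2.15"),  # address in no documented zone
]
print(*audit(FLOWS), sep="\n")
```

The "unknown-asset" verdict doubles as an asset-management check: any address that appears in traffic but in no documented zone is a gap in the inventory.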
OT security is a high-priority task for every organization to meet market demand and plant availability. Due to the low visibility of assets, OT security management can be difficult for organizations. Fortunately, there are steps that can be taken to reduce the high-level risks. An effective security program can be achieved with the correct knowledge and careful planning and implementation.
About the author: Gaurav Pratap, an Internet Researcher, started his journey in 2013. He has an uncanny ability to make the most complex subject matter easy to understand.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.