The convergence of IT/OT means OT environments are no longer “walled off” from the rest of the organization or even the rest of the world. Exposure to cybersecurity threats in these systems is growing, and a successful attack could be extremely damaging to production, safety, and system availability.
Managing security and risk in OT environments isn’t as simple as porting over IT security best practices into the OT system. In IT, we’ve had decades to mature our security practices and minimize exposure. But the need to manage risk is universal, and we must adapt our strategies for the OT environments that we’re charged with securing.
The following article is based on a webinar with Mark Mattei, Director of Kudelski Security’s U.S. MSS Operations, and Eric Johansen, Security Operations Practice Lead, and guests from Claroty, Grant Geyer, Chief Product Officer, and Justin Woody, Director of Alliances.
Common Challenges in OT Security
When thinking about OT security strategies, it’s important to understand some of the fundamental differences between IT and OT systems. There are three key areas that call for a more nuanced approach to OT security.
- Risk management should include security risk, but recognize that safety and availability are usually top of mind on the OT side of the organization. As a result, information security is often an afterthought, and many OT teams simply do not have cybersecurity expertise in-house. Indeed, risk to an OT organization typically means business risk: disruption of production, safety issues, inefficient resource utilization, loss of revenue, and so on. For security strategies to gain traction and widespread adoption, therefore, they must take the extra step of connecting security risk to these business risk factors. Speak OT when you discuss cybersecurity (for instance, how passive monitoring can increase visibility without disrupting operations) to help evangelize change.
- OT technology obsolescence periods are much longer than in IT. Legacy systems that have sometimes been in place for 20-25 years proliferate in OT environments; compare that to the IT world, where equipment rarely lasts more than five years. The result is a diverse population of outdated endpoints for which patches aren’t available, or which can’t be updated because of limited compute power. This makes cybersecurity controls that much more critical for OT.
- Production environments run 24x7x365. In IT security, maintenance windows are frequent, and systems can be updated regularly. The 24x7 nature of OT environments, however, leaves only a very small window for patching and reboots, and even then there is hesitancy around making changes to a system that is critical to production.
These factors do not constitute insurmountable problems. If you are responsible for security in OT environments, below are six strategies that you can employ to mitigate risk.
Strategies for Managing Security in OT Environments
Strategy #1 – End User Awareness
Frame end user training in terms of business risk, rather than cybersecurity risk.
The same end user security threats in IT environments exist in OT environments — phishing attacks, weak passwords, lack of physical device security. However, the primary focus for an OT engineer is to keep the system running, which means they are often unaware or possibly unconcerned about cybersecurity threats.
To adapt this strategy, it’s important to frame the conversation in terms of business and operational risk, rather than in terms of cybersecurity. It may also be helpful to give OT engineers and plant managers access to the security tools, so they can visualize all their assets and how a vulnerability in one could impact production of the whole.
Strategy #2 – Asset Discovery
Get visibility into processes, assets, sessions, and understand their associated risk.
Asset discovery is a critical security component for IT and OT environments, and yet it is one of the most difficult. OT systems notoriously lack visibility. Many organizations simply don’t know the assets that exist in their environment.
The first step, therefore, is quite simple: Get a detailed understanding of the assets that exist on the OT network. That means documenting the operating systems, the firmware levels, the software installed, the libraries that exist, how each asset communicates with another, and, perhaps most importantly, the criticality of the asset to the overall OT system.
Strategy #3 – Network Segmentation
IT/OT convergence will force OT environments to evolve beyond air-gapped networks.
As more IT elements are introduced into the OT environment, the air-gapped model, which so many OT networks have depended on as a primary security element, is eroding. For example, an OT engineer may want to check email on an HMI on the plant floor, so a second NIC gets added. Or, perhaps a vendor wants access to a device to do health and performance metric checks. In an OT environment, operations will trump security every time.
To enable the secure convergence of IT/OT, it’s important to think through network segmentation requirements well before access is requested. Don’t create new connections in an emergency; rather, take the time to establish system-to-system connectivity according to the Purdue Model, and set up firewalls and firewall controls to create hierarchy in the network. The Purdue Model for Control Hierarchy is a framework commonly used by manufacturers across industries. It helps you understand how data typically flows through these networks and, correspondingly, how to secure each network zone and its respective elements: traffic should only cross between adjacent levels, through defined conduits, and only for the protocols that control system operation actually requires.
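As an added illustration (not code from the article, Kudelski Security or Claroty), the following Python script audits passively observed flows against a Purdue-style zone policy: each asset from discovery is assigned a level, a conduit allowlist states which level-to-level connections on which ports are required for control system operation, and everything else is flagged, with traffic that skips levels (for example an enterprise host reaching a PLC directly, bypassing the IDMZ) called out separately. All IP addresses, levels, ports and flow records are constructed sample data.

```python
# Added example: audit observed OT flows against a Purdue-model zone policy.
# All IPs, levels, conduits and flows below are constructed sample data that
# stand in for a real asset inventory and passive-monitoring output.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Purdue levels in hierarchical order; 3.5 is the industrial DMZ (IDMZ).
LEVELS = [4, 3.5, 3, 2, 1, 0]

# Constructed asset inventory from discovery: IP -> Purdue level.
ASSETS = {
    "10.1.0.10": 4,    # ERP server, enterprise zone
    "10.9.0.5": 3.5,   # replicated historian in the IDMZ
    "10.2.0.20": 3,    # site historian / operations server
    "10.3.0.30": 2,    # HMI
    "10.3.0.31": 2,    # engineering workstation
    "10.4.0.40": 1,    # PLC
}

# Constructed conduit allowlist: (src level, dst level, dst port) that control
# system operation requires. Anything not listed is a violation (default deny).
ALLOWED = {
    (4, 3.5, 443),     # enterprise reads the IDMZ historian over HTTPS
    (3.5, 3, 1433),    # IDMZ historian replicates from the site historian
    (3, 2, 4840),      # site server reads the HMI's OPC UA server
    (2, 1, 502),       # HMI polls the PLC over Modbus/TCP
}

def check_flow(flow):
    """Return None if the flow is on an allowed conduit, else a reason string."""
    src, dst = ASSETS.get(flow.src), ASSETS.get(flow.dst)
    if src is None or dst is None:
        return "unknown asset: inventory gap"
    if (src, dst, flow.dport) in ALLOWED:
        return None
    hops = abs(LEVELS.index(src) - LEVELS.index(dst))
    if hops > 1:  # e.g. enterprise host straight to a PLC, bypassing the IDMZ
        return f"level-skipping traffic L{src} -> L{dst}"
    return f"conduit not in allowlist L{src} -> L{dst} tcp/{flow.dport}"

def audit(flows):
    """Return {flow: reason} for every violating flow; allowed flows are omitted."""
    return {f: check_flow(f) for f in flows if check_flow(f)}

SAMPLE_FLOWS = [  # constructed passive-monitoring records
    Flow("10.3.0.30", "10.4.0.40", 502),     # HMI -> PLC Modbus: allowed
    Flow("10.1.0.10", "10.4.0.40", 502),     # ERP -> PLC: skips L3.5, L3, L2
    Flow("10.3.0.31", "10.4.0.40", 44818),   # EWS -> PLC EtherNet/IP: unlisted
    Flow("192.168.5.5", "10.3.0.30", 3389),  # RDP from an undiscovered host
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The "unknown asset" result is deliberately a finding rather than a pass: a flow involving a host that discovery never recorded is itself an inventory gap to close before the segmentation policy can be trusted.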
Strategy #4 – Threat Monitoring/Hunting and Incident Management
Clearly identify incident management roles and responsibilities throughout the OT organization. Threat monitoring and hunting is useless without it.
Take a crawl, walk, and run approach, knowing that there’s no “easy button” or “switch” you can use to get to that stage. Recognize that visibility is the key first step: it leads to knowing what assets are in your environment, how assets connect to each other, how network segmentation is set up (or isn’t), and what vulnerabilities exist. Once you’ve established visibility, how will you monitor the network 24x7x365? What will you do when there is an alert? How will you validate and triage it? What will you do when you have a security incident?
With the security challenges an OT environment presents, an incident can be extremely damaging in a short amount of time. IT security strategies such as threat monitoring, threat hunting, and incident management can help, but they require real-time collaboration and coordination between security and OT teams.
From the SOC or third-party MSSP to the plant manager to the OT engineer, roles and responsibilities must be clearly defined. Who will monitor for threats? Who will sift through the noise? What conditions are you looking for? Who do you notify when they are met?
Strategy #5 – Connectivity and Access Controls
For modern OT organizations, connectivity equals productivity. But many lack the proper access controls to securely connect.
Where well-established identity and access management practices are in place for IT environments, the same cannot be said for OT. Credentials are often shared internally and externally, and access is not limited to specific network devices or segments.
It’s important to assume and plan for “hyperconnectivity” in advance in order to securely enable productivity and operations. The same basic IT IAM principles apply here — identity management, password requirements, multi-factor authentication, syncing access to Active Directory. Having remote access capabilities can help as well (though avoid using the same remote access solution for both IT and OT, in order to reduce attack surface and avoid downtime). In the event of an incident, you can then see who had access to the impacted system and terminate connectivity if needed.
Strategy #6 – Vulnerability and Patch Management
Adapt vulnerability and patch management to the systems and maintenance windows of OT and leverage compensating controls in between.
The legacy systems, business criticality, and limited patch windows of OT environments complicate typical vulnerability and patch management strategies. Instead of patching your way through hundreds of vulnerabilities, you need to understand which vulnerable systems are most important to production. Ensure there is a plan in place to remediate during the next scheduled maintenance window, understanding that many OT vulnerabilities don’t have a patch or firmware update available at all. This is where compensating control mechanisms come into their own, limiting the impact of the vulnerability or of an incident. Such mechanisms include the principle of least privilege, network segmentation and isolation (only allowing the traffic required for control system operation), password management, and continuous threat monitoring with hunting (deep packet inspection). Ultimately, it’s all about the balance of revenue and security.
For more information about how you can secure operational technology environments, visit https://www.kudelskisecurity.com/secure-ot-ics-networks/
Mark is a retired U.S. Army Lieutenant Colonel who previously held positions as the Deputy Director of the US Central Command (USCENTCOM) Joint Cyber Center, the Deputy Director for the National Security Agency/Central Security Service Threat Operations Center’s (NTOC) Counter Cyber Operations Office, and the Chief of Current Operations and Chief of Enterprise Services for what is now the Army’s Cyber Center. Mark has an MS from the University of Colorado in Telecommunications Engineering and a BS from Worcester Polytechnic Institute.