Innovation in the oil and gas, utility, healthcare and transportation industries is heavily reliant on connectivity - between devices and systems, machines and data, people and processes. This connectivity is great for productivity upstream, mid-stream and downstream, but it also exposes these systems to greater cyber threat. Furthermore, as operational technology (OT) leverages the benefits of the network, the likelihood of a successful cyber attack grows with the expanded attack surface. System operators and security directors are challenged to respond to the growing number of security threats in today's connected environment.
Whether from outside threats, like hackers or state-sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRIs or locomotives, unplanned downtime is simply not acceptable. In many cases, management will respond, "Yes, we know. That's why we focus so much effort on IT cyber security. Isn't cyber security for OT environments just like security for IT systems, but with different protocols?"
The answer is, "No." IT security lives in the context of an IT stack with tools from many vendors – network, servers, storage, apps and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles - in weeks or sometimes days - in response to expected and known cyber threats. IT security basically protects data (information), not machines.
Why IT security does not work in OT environments
In OT, high-value, well-defined industrial processes - which execute across a mix of proprietary devices from many different manufacturers - need protection, not data. Many of the devices and software used in operational environments are 10 to 30 years old. They were not designed to be connected, have not been patched very often and were not devised to withstand modern attacks. Surprisingly, many operators don’t know what’s actually transpiring on their OT network and, even if hacked, have no knowledge of the assault.
Executives are looking for options other than relying on IT cyber security systems to protect OT processes. First of all, OT utilises communication protocols and network architectures not often shared with IT systems and requires different security tools that are capable of operating on those protocols and architectures.
The Wurldtech OpShield is being used by companies the world over to protect industry operations
The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. Patch management is a particularly painful operation in an OT system; many organisations don’t have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes.
Secondly, many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems. Lastly, to apply the patch to an OT system usually means the operation must be shut down. Closing down one's business periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, patches must be delivered to a security solution that resides directly in front of the control unit.
Specifically, OT needs a solution that addresses five areas:
1. ICS/SCADA (Industrial Control System/Supervisory Control and Data Acquisition) equipment is difficult to patch.
2. OT protocols can easily be misused to disrupt critical systems.
3. Factory networks are very hard to rewire for proper segmentation.
4. Limited visibility into attacks on the industrial network.
5. IT security staff lacks experience with industrial equipment.
An OT security application needs to protect these ICS and SCADA operations. It must defend unpatched systems with strong perimeter and field defence, plus inspect and control industrial protocol traffic. To do so, the security must offer the protection of three security applications: (i) a firewall with stateful inspection for layers 2 through 4; (ii) an Intrusion Prevention System/Intrusion Detection System (IPS/IDS); and (iii) an Application Visibility and Control (AVC) system. The combination of these security applications will monitor and block malicious activity and attacks - enabling highly available industrial operations for maximum uptime and secure productivity.
To simplify security administration, an easy-to-use graphical user interface (GUI) must empower operators to efficiently manage security policy and protection profiles and include breakthrough drag-and-drop virtual zoning for segmentation without network disruption. The solution also needs to offer full security visibility of the industrial network and integration with Security Information and Event Management (SIEM) tools.
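The three layers above (stateful filtering, protocol inspection and application-level control) come together in a protocol-aware allow-list that sits in front of an unpatched controller and emits SIEM-ready events. The following is an added example, not Wurldtech or OpShield code: it parses the Modbus/TCP MBAP header and function code, maps hosts to zones, and permits only the function codes each zone pair is allowed to use. The addresses, zone names, policy table and sample frames are all constructed for the example.

```python
"""Added example (not Wurldtech/OpShield code): a zone- and function-code-aware
allow-list for Modbus/TCP, the kind of check an OT firewall/AVC layer applies in
front of a controller it cannot patch. All hosts, zones and frames are constructed."""
import json
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by the effect they have on the process.
READ_FUNCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}     # write single/multiple coils and registers
DIAG_FUNCS = {8, 43}             # diagnostics, encapsulated interface transport

# Constructed zone map: which host belongs to which virtual zone.
ZONES = {
    "10.1.1.10": "hmi",
    "10.1.1.20": "engineering",
    "10.2.0.5": "plc",
}

# Policy: (source zone, destination zone) -> permitted function codes.
# Anything not listed is denied by default (unknown hosts land in zone "unknown").
POLICY = {
    ("hmi", "plc"): READ_FUNCS,
    ("engineering", "plc"): READ_FUNCS | WRITE_FUNCS | DIAG_FUNCS,
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and function code."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def evaluate(src_ip: str, dst_ip: str, payload: bytes) -> dict:
    """Return an allow/deny decision as a flat event dict suitable for a SIEM."""
    event = {"src": src_ip, "dst": dst_ip, "proto": "modbus/tcp"}
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        event.update(action="deny", reason=f"malformed: {exc}")
        return event
    event.update(unit=req.unit_id, function=req.function)
    src_zone = ZONES.get(src_ip, "unknown")
    dst_zone = ZONES.get(dst_ip, "unknown")
    allowed = POLICY.get((src_zone, dst_zone), set())
    verdict = "allow" if req.function in allowed else "deny"
    event.update(action=verdict, reason=f"{src_zone}->{dst_zone} fc {req.function}")
    return event


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame around a PDU (helper for the constructed samples)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (src, dst, frame).
SAMPLES = [
    ("10.1.1.10", "10.2.0.5", mbap(1, 1, bytes([3, 0, 0, 0, 10]))),            # HMI reads registers
    ("10.1.1.10", "10.2.0.5", mbap(2, 1, bytes([6, 0, 0, 0, 1]))),             # HMI writes: not its role
    ("10.1.1.20", "10.2.0.5", mbap(3, 1, bytes([16, 0, 0, 0, 1, 2, 0, 1]))),   # engineering write
    ("10.9.9.9", "10.2.0.5", mbap(4, 1, bytes([3, 0, 0, 0, 1]))),              # unknown host
    ("10.1.1.10", "10.2.0.5", b"\x00\x05\x00\x00\x00\x09\x01\x03"),            # bad MBAP length
]


def run(samples=SAMPLES):
    return [evaluate(s, d, p) for s, d, p in samples]


if __name__ == "__main__":
    for ev in run():
        print(json.dumps(ev))
```

Deny-by-default is the point: a write from the HMI, any traffic from an address outside the zone map, and a frame whose MBAP length does not match its size are all dropped and logged, while the engineering workstation keeps the write and diagnostic access its role needs.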
Hackers typically start with elements which give them access to specific computers, and often target security equipment such as cameras
Implementing security and quality testing services
Once management has added such an OT solution, the job is not over. To get into OT systems, hackers leverage many different physical assets, including those within the enterprise security system, to gain access to the entire system. They typically start with elements which give them access to specific computers. Interestingly, security people don't seem to secure their own security equipment. For instance, IP wireless cameras are a favourite target of hackers. Card readers in the access control system are also easy to hack.
In this manner, hackers can then go after control systems directly. Because of this, it makes sense to employ a security and quality testing service to simulate attackers challenging your own system, allowing you to "know yourself" by making sure that you are controlling who is talking to whom. Also, be sure to ask the manufacturers of your mission-critical devices if they have been tested to repel cyber attacks. Have their products been monitored against both network and operational parameters, allowing vulnerabilities to be discovered and faults to be reproduced, isolated, identified and resolved before the products were introduced to the market? Are they certified to be secure?
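"Knowing yourself" in the sense above, controlling who is talking to whom, can be made concrete by learning a conversation baseline from known-good flow records and flagging anything outside it, which is exactly how a camera or badge reader reaching into the control network would surface. This is an added example, not the article's or any vendor's code; the asset inventory, port numbers and flow lines are constructed for illustration.

```python
"""Added example (not the article's or any vendor's code): learn which sources
talk to which OT services from known-good flow records, then flag new peers and
new services. Assets, ports and flow records are constructed."""
from collections import defaultdict

# Constructed asset inventory, including the physical-security devices the
# text notes are often left unprotected.
ASSETS = {
    "10.1.1.10": "hmi",
    "10.1.1.20": "eng-workstation",
    "10.2.0.5": "plc-1",
    "10.3.0.7": "ip-camera-lobby",
    "10.3.0.2": "nvr",
    "10.3.0.9": "badge-reader",
    "10.3.0.3": "access-control-server",
}

# Flow records as "src,dst,dport,proto", the shape a flow collector might export.
# Ports are constructed for the example (502 is the Modbus/TCP port).
BASELINE_FLOWS = """\
10.1.1.10,10.2.0.5,502,tcp
10.1.1.20,10.2.0.5,502,tcp
10.1.1.20,10.2.0.5,44818,tcp
10.3.0.7,10.3.0.2,554,tcp
10.3.0.9,10.3.0.3,4070,tcp
"""

# A later window of traffic to check against the baseline (constructed).
NEW_FLOWS = """\
10.1.1.10,10.2.0.5,502,tcp
10.3.0.7,10.2.0.5,502,tcp
10.3.0.9,10.1.1.20,445,tcp
10.3.0.7,10.3.0.2,554,tcp
"""


def parse_flows(text: str):
    """Parse CSV-style flow lines into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((src, dst, int(dport), proto))
    return flows


def learn_baseline(flows):
    """Map each (dst, dport, proto) service to the set of sources seen using it."""
    baseline = defaultdict(set)
    for src, dst, dport, proto in flows:
        baseline[(dst, dport, proto)].add(src)
    return baseline


def find_deviations(baseline, flows):
    """Report flows that reach a service never seen before, or from a source not seen on it."""
    findings = []
    for src, dst, dport, proto in flows:
        key = (dst, dport, proto)
        if key not in baseline:
            kind = "new service"
        elif src not in baseline[key]:
            kind = "new peer"
        else:
            continue
        findings.append({
            "kind": kind,
            "src": ASSETS.get(src, src),
            "dst": ASSETS.get(dst, dst),
            "dport": dport,
            "proto": proto,
        })
    return findings


def run():
    baseline = learn_baseline(parse_flows(BASELINE_FLOWS))
    return find_deviations(baseline, parse_flows(NEW_FLOWS))


if __name__ == "__main__":
    for f in run():
        print(f"{f['kind']}: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

The two findings this produces (the lobby camera opening Modbus to the PLC, and the badge reader reaching the engineering workstation on a port never seen before) are the conversations a testing exercise should be able to provoke and the security solution should be able to see; a baseline that is not reviewed for such flows is only a list of what already happened.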
Lastly, management needs to ensure that the security experts they hire are highly certified and trained to carefully assess, design and implement OT security in their industry environments. If the goal is to help secure operational assets, reduce compliance penalties and enforce supplier security, they need such expertise.
Needed - specific protections that ensure operational technology security
Cyber attacks on oil and gas, utility, healthcare and transportation infrastructures can result in significant downtime and productivity loss. As a result, more and more operations are now implementing an OT network security solution that combines the protection of a firewall, IPS and application visibility and control (AVC) to monitor and block malicious activity and attacks, ensuring highly available operations for maximum uptime and secure productivity. They are now devoting as much attention to their OT as they have historically given to IT.
For more information on OT cyber security, attendees at the ISC West exposition can visit the Wurldtech booth 105 in the Connected Security Pavilion.