As IT and operational technology networks converge, organizations are exposing their traditionally isolated OT networks to new cyber-risks. Cybercriminals have already begun designing new malware threats, like CrashOverride/Industroyer, Triton and VPNFilter, to target vulnerable OT systems. While some of these new attacks target SCADA (supervisory control and data acquisition) and ICS (industrial control system) systems, most are focused on highly vulnerable industrial IoT devices.
Traditionally, OT engineers attached devices to monitor and control the OT infrastructure through a serial connection, which made them less available to traditional hackers. Today, as OT managers add serial-to-Ethernet converters to these devices, they are becoming prime targets. Part of the reason is that many of these devices are highly vulnerable to attack. For example, many run aging operating systems, such as Windows XP, that are highly susceptible to exploitation. In addition, most OT networks simply haven’t deployed the sorts of security technologies commonly in place in IT networks. As a result, targeting IIoT devices has certain advantages for some cybercriminals.
Network access control
The first step to securing OT networks is to monitor the IIoT devices connected to the network. Monitoring needs to provide two critical data points. The first is to identify and document every new device that connects to the network, and the second is to watch for changes in device profiles. Network access control (NAC) is especially useful for inventorying, tracking and monitoring those devices.
NAC also complements an organization’s ability to gather actionable intelligence about the OT network. In an IT network, a tool like nmap can be used to actively scan devices. Interrogating devices in an OT network is much more difficult because you can’t use active scans. In addition to being vulnerable, IIoT devices can also be quite fragile, and even something as innocuous as an active scan can have serious consequences. This means gathering OT-based data needs to be done as passively as possible. One workaround is to collect information from networking gear rather than the devices themselves.
Once you have identified an infected device, responding to that threat is the next challenge. Automated quarantining, for example, is not an option. In a paint manufacturing plant, for example, shutting off a device that manages vats of chemicals and dyes could stop a production line or ruin millions of dollars’ worth of product. This means that security teams need to work closely with OT to establish intervention protocols whenever NAC detects a compromise.
Segmentation is the other critical strategy for securing OT environments. As with IT networks, segmentation tends to fall into two camps: north/south and east/west, and ISO 99 outlines segmentation standards for industrial OT environments.
North/south segmentation: Even as IT and OT networks converge, they must remain as isolated as possible. This helps prevent two primary concerns of any OT security team: insiders and worms. If an IT and OT network are converged behind a single perimeter, OT systems can be inadvertently exposed to problems created by normal sorts of IT activities. For example, users or devices inside the firewall may actively monitor IT traffic and scan devices to identify its origin and destination. However, due to the nature of many IIoT devices, the potential consequences of even scanning can be severe.
To safeguard against intentional or accidental device tampering, therefore, it is essential that OT traffic be completely segmented from the IT. Even updating or patching systems should avoid a direct connection to the internet or the IT network. Such segmentation can also protect critical OT systems from worms that originate in the IT network that propagate by hopping between devices.
East/west segmentation: Worms are also an east/west issue. An active factory floor may have several lines of production; the impact of a security breach needs to be limited so the entire floor isn’t taken offline. Production line segmentation ensures that an attack that impacts one line of production can’t spread to the others.
Even inside a single line of production, one device rarely needs to talk to another. This is why active device segmentation is a fundamental best practice. In general, IIoT devices only require three lines of communication: to their SCADA and ICS controllers, to HMI (human-machine interface) consoles and to historian devices that log device activity.
As you converge your IT and OT networks, you will naturally expose critical devices and processes to new threats, and the results of a breach can be devastating. The loss of data, expensive downtime, physical damage to production resources and even injury or death to employees and surrounding citizens can have a devastating effect on businesses as well as communities.
Technologies like NAC and network segmentation play a critical role in helping CSOs embrace the power of digital transformation without exposing themselves and their organizations to the risk of compromised OT environments.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.