Securing converged IT/OT networks

20 September 2021

Martin Jenker, head of cybersecurity at MOXA, offers advice about securing converged IT/OT networks. 

The gap between the IT and OT domains has to be bridged. To enhance operational resilience, OT networks must ensure their cybersecurity measures are as mature as those utilised in IT networks. 

Step 1: Manage your OT networks
You cannot protect assets you do not know you have. So the first step towards operational resilience is for OT operators to gain the same complete visibility of their networks that IT network administrators usually have, and to keep monitoring it. Is everything that should be on your OT network there? Is there anything on your network that should not be there?

For example, OT operators can decide who may and may not access the network with access control lists (ACLs) and authentication mechanisms. There are also simple controls that define which devices, such as a particular PLC, may connect on a given switch port: port access control (for example IEEE 802.1X) or sticky MAC address binding (port security). In other words, everything on the trusted list is allowed onto the network, and anything not on the trusted list is blocked. Bear in mind that a MAC address is easily spoofed, so sticky MAC stops accidental or careless connections rather than a determined attacker; where the equipment supports it, pair it with 802.1X. Managing your own OT network, instead of relying on the IT department, also lets OT operators respond more quickly to downtime and troubleshoot issues more rapidly.
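As an added example (not MOXA's code), the following Python script performs the "is anything here that should not be" check described above: it parses a switch's learned MAC table and reconciles it against the OT asset inventory, reporting devices that are not on the trusted list, trusted devices that have gone quiet, and devices that turned up on a port other than the one they are bound to. Both the inventory and the `show mac address-table` output are constructed for illustration, and the Cisco-style column layout is an assumption; adjust the row pattern for your own switches.

```python
"""Reconcile a switch's learned MAC table against an OT asset inventory.

Added example, not MOXA's code. The inventory and the switch output are
constructed for illustration; real input would come from your asset
register and from `show mac address-table` (or the equivalent) on each
cell switch.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    mac: str   # any common notation; normalised before comparison
    port: str  # switch port the device is bound to (the sticky-MAC binding)


# Constructed inventory: the trusted list of what belongs in this cell.
INVENTORY = [
    Asset("PLC-01", "00:90:e8:11:22:33", "Gi1/0/1"),
    Asset("PLC-02", "00:90:e8:11:22:34", "Gi1/0/2"),
    Asset("HMI-01", "00:1b:21:aa:bb:cc", "Gi1/0/5"),
    Asset("EWS-01", "3c:97:0e:de:ad:01", "Gi1/0/6"),
]

# Constructed `show mac address-table` output (Cisco-style layout assumed).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 10     0090.e811.2233    STATIC      Gi1/0/1
 10     001b.21aa.bbcc    DYNAMIC     Gi1/0/5
 10     3c97.0ede.ad01    DYNAMIC     Gi1/0/7
 10     f4f5.d8c0.ffee    DYNAMIC     Gi1/0/8
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+(\w+)\s+(\S+)\s*$", re.I)


def normalise_mac(raw):
    """Turn 0090.e811.2233 / 00-90-E8-11-22-33 / ... into 00:90:e8:11:22:33."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {mac: port} for every learned entry in the switch output."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            seen[normalise_mac(m.group(2))] = m.group(4)
    return seen


def reconcile(inventory, seen):
    """Compare what the switch has learned with what the inventory allows."""
    allowed = {normalise_mac(a.mac): a for a in inventory}
    # Present on the wire but on nobody's trusted list: investigate first.
    unknown = sorted(mac for mac in seen if mac not in allowed)
    # Expected but not learned: unplugged, powered off, or moved elsewhere.
    missing = sorted(a.name for mac, a in allowed.items() if mac not in seen)
    # Right device, wrong port: exactly what sticky MAC would have refused.
    moved = sorted((a.name, a.port, seen[mac]) for mac, a in allowed.items()
                   if mac in seen and seen[mac] != a.port)
    return {"unknown": unknown, "missing": missing, "moved": moved}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_mac_table(MAC_TABLE))
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run on a schedule and diff the report against the previous run; a new entry under `unknown` is the alert that matters, while `missing` and `moved` are usually maintenance activity that still deserves a ticket so the inventory stays true.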

Step 2: Segment your OT networks
Unlike IT networks, which can be segmented by splitting them into departments with their own sets of permissions, OT networks are often one large flat intranet where everything is connected to everything. That makes OT networks harder, but not impossible, to segment. There are two ways of segmenting an OT network:

• Vertical segmentation adds an Industrial Demilitarised Zone (IDMZ) between the IT network and the OT network, so that no system on either side talks to the other directly. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks.

• Horizontal or lateral segmentation creates and separates cells, zones and sites within the OT network. A cell is the smallest unit, typically the equipment in a single cabinet or machine. Several cells form a zone, and several zones form a site.

Segmenting OT networks using either method, or both, lets operators contain a cyberthreat: a compromise of one cell or zone cannot spread freely to the rest of the network, and the traffic allowed across each boundary can be limited to what the process actually needs.
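To make the vertical and horizontal segmentation concrete, here is an added example (not from the article or MOXA) of a policy check that tells you whether an observed flow respects the segmentation: traffic that stays inside one segment is allowed, anything crossing a cell, zone or the IT/OT boundary must match an explicitly permitted conduit, and direct IT-to-OT traffic that bypasses the IDMZ is called out as such. The addressing plan, the conduit list and the sample flows are all constructed.

```python
"""Zone/conduit policy check for a segmented OT network.

Added example, not MOXA's code. The addressing plan, conduit list and
sample flows are constructed; in practice the flows would come from
firewall logs or NetFlow collected at the cell and zone boundaries.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# One subnet per segment, named by its place in the site/zone/cell
# hierarchy. "IT" and "IDMZ" sit outside the OT hierarchy.
SEGMENTS = {
    "IT": "10.1.0.0/16",
    "IDMZ": "10.50.0.0/24",
    "OT/line1/cell-A": "192.168.10.0/24",
    "OT/line1/cell-B": "192.168.11.0/24",
    "OT/line2/cell-C": "192.168.20.0/24",
}

# Conduits: the only cross-segment flows the policy permits, written as
# (source segment, destination segment, destination port). Nothing links
# IT to OT directly; both sides talk to the IDMZ instead.
CONDUITS = {
    ("IT", "IDMZ", 443),                          # IT users read the historian replica
    ("OT/line1/cell-A", "IDMZ", 443),             # cell historian pushes to the replica
    ("OT/line1/cell-A", "OT/line1/cell-B", 502),  # line-1 supervisory reads of cell-B PLCs
}

_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}


def segment_of(ip):
    """Map an address to its segment name, or None for unassigned space."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return (allowed, reason) for one flow under the segmentation policy."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src is None or dst is None:
        return False, "address outside every known segment"
    if src == dst:
        return True, f"traffic stays inside {src}"
    if (src, dst, flow.dport) in CONDUITS:
        return True, f"permitted conduit {src} -> {dst}:{flow.dport}"
    # Anything else violates the segmentation; name the worst case,
    # IT and OT talking to each other without passing through the IDMZ.
    domains = {src.split("/")[0], dst.split("/")[0]}
    if domains == {"IT", "OT"}:
        return False, f"IT/OT traffic bypasses the IDMZ ({src} -> {dst})"
    return False, f"no conduit for {src} -> {dst}:{flow.dport}"


def violations(flows):
    """Filter a batch of flows down to the ones the policy rejects."""
    rejected = []
    for flow in flows:
        ok, reason = evaluate(flow)
        if not ok:
            rejected.append((flow, reason))
    return rejected


# Constructed sample: what a boundary firewall might have logged.
FLOWS = [
    Flow("192.168.10.5", "192.168.10.20", 502),   # HMI to PLC inside one cell
    Flow("192.168.10.5", "10.50.0.10", 443),      # cell historian to IDMZ replica
    Flow("10.1.4.77", "192.168.10.20", 502),      # IT workstation straight to a PLC
    Flow("192.168.10.20", "192.168.20.15", 445),  # lateral movement between lines
    Flow("172.16.0.1", "192.168.10.20", 502),     # address space nobody owns
]

if __name__ == "__main__":
    for flow, reason in violations(FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

The same table of segments and conduits is what the firewall rules at each boundary should be generated from; running observed flows through it afterwards tells you whether the rules on the boxes still match the design, and which "temporary" openings have quietly become permanent.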

Step 3: Patch vulnerabilities
Equipment and devices on OT networks cannot be upgraded or replaced as often as endpoints on IT networks, so OT networks still contain many legacy devices, some of them running obsolete operating systems such as Windows 95. Many of these devices remain unpatched and are relatively easy for attackers to exploit. If no patch is available from the original equipment vendor, consider placing compact industrial IPS devices in front of the legacy device. The IPS blocks traffic that matches known exploits or malformed protocol messages before it reaches the device, creating a ‘virtual patch’ for vulnerabilities that cannot be fixed in the device itself. The vulnerability is still there, so the protection is only as good as the IPS signatures and the policy loaded on it, and it should be combined with the segmentation above so that the unpatched device is reachable from as few places as possible.
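What an industrial IPS does in front of a legacy device can be shown with a small protocol-aware filter. The following Python is an added example, not MOXA's IPS: it assumes the legacy device speaks Modbus/TCP (the article names no protocol) and enforces an allow list on function codes and on which source may write, while dropping malformed MBAP headers that a fragile legacy parser should never see. The client addresses and sample requests are constructed.

```python
"""Protocol-aware 'virtual patch' filter for a legacy Modbus/TCP device.

Added example, not MOXA's IPS. The protected device is assumed to speak
Modbus/TCP (the article names no protocol); the client addresses and
the sample requests are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


# Function codes from the Modbus application protocol specification.
READ_CODES = {1, 2, 3, 4}         # read coils, discrete inputs, holding and input registers
WRITE_CODES = {5, 6, 15, 16, 23}  # write single/multiple coils and registers
MAX_ADU = 260                     # largest legal Modbus/TCP frame
MBAP = struct.Struct(">HHHBB")    # transaction id, protocol id, length, unit id, function

# Constructed policy: the HMI may read, only the engineering workstation may write.
READ_CLIENTS = {"192.168.10.50", "192.168.10.60"}
WRITE_CLIENTS = {"192.168.10.50"}


def build_request(tid, unit, fc, data):
    """Assemble a Modbus/TCP request; MBAP length counts unit id + fc + data."""
    return MBAP.pack(tid, 0, 2 + len(data), unit, fc) + data


def inspect(src_ip, frame):
    """Decide whether one request from src_ip may be forwarded to the PLC."""
    if len(frame) > MAX_ADU:
        return Verdict(False, "oversized frame")
    if len(frame) < MBAP.size:
        return Verdict(False, "truncated MBAP header")
    _tid, proto, length, _unit, fc = MBAP.unpack(frame[:MBAP.size])
    if proto != 0:
        return Verdict(False, f"unexpected protocol id {proto}")
    # The declared length must match what actually arrived; a mismatch is
    # either a broken client or an attempt to confuse the device's parser.
    if length != len(frame) - 6:
        return Verdict(False, "MBAP length does not match frame size")
    if fc & 0x80:
        return Verdict(False, "exception flag set on a request")
    if fc in READ_CODES:
        if src_ip in READ_CLIENTS:
            return Verdict(True, f"read fc={fc} from authorised client")
        return Verdict(False, f"read fc={fc} from unauthorised {src_ip}")
    if fc in WRITE_CODES:
        if src_ip in WRITE_CLIENTS:
            return Verdict(True, f"write fc={fc} from engineering workstation")
        return Verdict(False, f"write fc={fc} blocked from {src_ip}")
    # Diagnostics (8, whose sub-function 4 forces listen-only mode), device
    # identification (43), vendor-specific and undocumented codes are not
    # needed in production, so they never pass.
    return Verdict(False, f"function code {fc} not on the allow list")


# Constructed sample traffic, as seen by a filter sitting in front of the PLC.
SAMPLES = {
    "hmi_read": ("192.168.10.60", build_request(1, 1, 3, bytes.fromhex("0000000a"))),
    "ews_write": ("192.168.10.50", build_request(2, 1, 6, bytes.fromhex("00640001"))),
    "hmi_write": ("192.168.10.60", build_request(3, 1, 6, bytes.fromhex("00640001"))),
    "diag_listen_only": ("192.168.10.50", build_request(4, 1, 8, bytes.fromhex("00040000"))),
    "rogue_read": ("192.168.10.99", build_request(5, 1, 3, bytes.fromhex("0000000a"))),
}

if __name__ == "__main__":
    for name, (src, frame) in SAMPLES.items():
        v = inspect(src, frame)
        print(f"{name:16} {'FORWARD' if v.allow else 'DROP':7} {v.reason}")
```

A real inline IPS adds signatures for specific known exploits on top of this, but the allow list is what does most of the work: a device that only ever receives well-formed reads from the HMI and writes from one workstation has had most of its exposed attack surface removed without touching its firmware.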

Step 4: Secure remote connections
Protecting the data transmitted between the plant or remote site and the monitoring and control center is crucial. Ensure that every remote connection to the OT network is both authenticated and encrypted. Authentication verifies the identity of the user or device requesting access; encryption ensures that the data in transit is encoded so that it cannot easily be read or altered by anyone intercepting it. One without the other is not enough: an encrypted tunnel that accepts any peer still lets an attacker in, and an authenticated but unencrypted link exposes credentials and process data.
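Assuming the remote link is carried over TLS (one of several options; the article does not prescribe one), the following added Python example, not MOXA's code, contrasts a client configuration that encrypts but never authenticates the peer with one that verifies the gateway's certificate and hostname, pins the minimum TLS version and presents a client certificate for mutual authentication. An `audit` helper reports the weak settings. The function names and the file-name parameters are illustrative placeholders.

```python
"""Authenticated and encrypted remote connections over TLS: weak vs hardened.

Added example, not MOXA's code. It assumes the link between the plant and
the control center is carried over TLS; the file-name parameters are
placeholders for your CA bundle and device certificates.
"""
import ssl


def weak_client_context():
    """Encrypts the link but never checks who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted: trivially MITM-able
    return ctx


def hardened_client_context(ca_file=None, cert_file=None, key_file=None):
    """Plant side: verify the control-center gateway and prove our own identity."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1 downgrade
    ctx.check_hostname = True                     # certificate must name the gateway
    ctx.verify_mode = ssl.CERT_REQUIRED           # and chain to a CA we trust
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # client certificate: mutual TLS
    return ctx


def hardened_server_context(cert_file, key_file, ca_file):
    """Gateway side: a valid client certificate is required; encryption alone is not enough."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED           # unauthenticated clients are rejected
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def audit(ctx, server_side=False):
    """List the settings that leave a remote link unauthenticated or downgradeable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: the connection is unauthenticated")
    if not server_side and not ctx.check_hostname:
        findings.append("hostname not checked: any valid certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit(ctx) or ["ok"])
```

The weak variant is the one that appears in a lot of integration code because it "just works" against a gateway with a self-signed certificate; the fix is to distribute your own CA bundle to the remote sites rather than to switch verification off.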

Besides managing and segmenting OT networks, OT operators also need to ensure their systems are properly patched and remote connections are secure. These steps not only help reduce the gap between OT and IT departments, but also protect industrial control systems, which are increasingly being connected to the Internet, from cyberattacks.
