Identifying threats and finding solutions

06 September 2022

Suzanne Gill investigates the network security threats currently facing the operational technology (OT) environment today.

As a result of ever-improving connectivity between Information Technology (IT) and Operational Technology (OT) networks, it is not only the availability of data that has reached unprecedented levels – threat proliferation has also grown rapidly. According to Martin Jenkner, head of cyber security at Moxa Europe, there are some security challenges that represent an overarching pattern that enables threats such as malware and Distributed Denial of Service (DDoS) attacks to repeatedly cripple large industrial targets. These include:

• Lack of network visibility: More than 30% of respondents to IDC (International Data Corporation) EMEA’s European IT Security Survey in 2020 thought that a lack of asset visibility across network infrastructure was a security concern. This is a valid concern. Unknown devices or network connections contribute to an overall unknown cyber threat status.

• Lack of security boundaries in OT networks: Flat networks are commonplace in OT environments. In recent years, these architectures have allowed cyberattacks to spread easily across entire networks. Over-reliance on a single perimeter firewall creates a false sense of security.

• Uncontrolled access to OT networks and devices: With ‘Bring Your Own Device’ policies becoming popular even in OT networks, more devices are being connected that were neither intended nor ready to be connected to a secure network. It is imperative to control access to networks and devices to prevent even temporary unauthorised access to a device or network.

• Insecure OT communication: Traditional OT communication protocols were designed for versatility, reliability and even real-time performance. Many popular OT protocols still rely on unencrypted communication and also lack authentication mechanisms. Security features have been added only recently, if at all. This means that valuable data is more likely to be subject to sniffing attacks.

• Difficult-to-patch devices: Field-level devices run on firmware or operating systems that are as subject to vulnerabilities as any other IT device. Patching can bring interoperability risks, the need for recertification and production downtime. In many cases patching cannot be performed at all, or only a long time after a vulnerability is published.

“All of these challenges need to be considered as a root cause of severe cybersecurity risks,” said Jenkner. “Considering how different IT and OT networks are, the gap between these two domains must be bridged. To enhance operational resilience, OT networks must ensure their cybersecurity measures are as mature as those utilised in IT networks.”

His suggestions as to how it is possible to secure OT networks and increase resilience include:

• Manage OT networks: You cannot protect assets you do not know you have. The first step to improving resilience requires OT operators to monitor networks in a comparable way to how IT network administrators do it. The most important questions are: Is everything present that should be present in your OT network? Is there anything in your network that does not belong there?

• Segment OT networks: In contrast to IT networks, which are often segmented along departmental boundaries with the corresponding rights management, OT networks are often a single, flat network in which everything is connected. This makes OT networks more difficult but still possible to segment. There are two ways of segmenting an OT network – Vertical segmentation involves adding an Industrial Demilitarized Zone (IDMZ) between the IT network and OT network. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks. Horizontal or lateral segmentation involves creating and separating cells, zones and sites on the OT network. A cell is a tiny place where all equipment is stored, such as a cabinet. Several cells can form a zone, and multiple zones can form a site. Segmenting OT networks using either method, or both, allows operators to prevent cyberthreats from spreading to other parts of the network.

• Patch vulnerabilities: Since equipment and devices running on OT networks cannot be upgraded or replaced as frequently as endpoints on IT networks, OT networks still have many legacy devices. Some of them may even be running on obsolete operating systems. Many legacy OT devices remain unpatched and are easy for hackers to exploit. If no patch is available from the original equipment vendor, consider inserting compact industrial IPS (Intrusion Prevention System) devices in front of legacy devices. This creates a ‘virtual patch’ protecting unpatched devices against known exploits.

• Secure remote connections: Protecting the data that is transmitted from the plant or remote site back to the monitoring and control center is crucial. Ensure that each remote connection to the OT network is both authenticated and encrypted. Authentication verifies the identity of the user requesting access whereas encryption ensures that the data transmitted is securely encoded and cannot be easily deciphered.

Besides managing and segmenting OT networks, OT operators also need to ensure their systems are properly patched and remote connections are secure. These steps not only help reduce the gap between OT and IT departments, but also protect industrial control systems, which are increasingly being connected to the Internet, from cyberattacks.
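As an added example (not code from the article or from Moxa), the following Python script applies the first two recommendations, asset visibility and segmentation, to constructed data: a baseline of known assets with their IT/IDMZ/OT level and zone, plus the hosts and flows a passive monitor has reported. It answers the two questions above (what is missing, what does not belong) and flags flows that bypass the IDMZ or cross OT zones.

```python
"""Added example (not from the article or Moxa): baseline-vs-observed check
for an OT network. All addresses, names and observations are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    level: str   # "IT", "IDMZ" or "OT" (vertical segmentation)
    zone: str    # site/zone placement (horizontal segmentation)

BASELINE = {a.ip: a for a in [
    Asset("192.168.5.20", "erp-server", "IT", "corp"),
    Asset("10.0.1.10", "historian-mirror", "IDMZ", "idmz"),
    Asset("10.1.1.5", "plc-line1", "OT", "site1/zoneA"),
    Asset("10.1.1.6", "hmi-line1", "OT", "site1/zoneA"),
    Asset("10.1.2.5", "plc-line2", "OT", "site1/zoneB"),
]}

# Constructed output of a passive monitor: hosts seen and (src, dst) flows.
SEEN_HOSTS = ["192.168.5.20", "10.0.1.10", "10.1.1.5", "10.1.1.6", "10.1.1.77"]
SEEN_FLOWS = [
    ("192.168.5.20", "10.0.1.10"),  # IT -> IDMZ: expected
    ("10.1.1.6", "10.1.1.5"),       # HMI -> PLC inside one zone: expected
    ("192.168.5.20", "10.1.1.5"),   # IT -> OT directly: bypasses the IDMZ
    ("10.1.1.5", "10.1.2.5"),       # zoneA -> zoneB: lateral path to review
    ("10.1.1.77", "10.1.1.5"),      # unknown host talking to a PLC
]

def inventory_diff(baseline, seen_hosts):
    """Return (missing, unknown): baseline hosts not seen, seen hosts not in baseline."""
    seen = set(seen_hosts)
    return sorted(set(baseline) - seen), sorted(seen - set(baseline))

def flow_findings(baseline, flows):
    """Classify flows against the vertical (IT/IDMZ/OT) and horizontal (zone) model."""
    findings = []
    for src, dst in flows:
        if src not in baseline or dst not in baseline:
            findings.append((src, dst, "unknown host"))
            continue
        a, b = baseline[src], baseline[dst]
        if {a.level, b.level} == {"IT", "OT"}:
            findings.append((src, dst, "IT/OT flow bypasses IDMZ"))
        elif a.level == b.level == "OT" and a.zone != b.zone:
            findings.append((src, dst, "cross-zone OT flow"))
    return findings
```

Running the two functions over the constructed data reports plc-line2 as missing, 10.1.1.77 as unknown, and three flows for review.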

Ransomware and APTs
Mark Hellinghuizer, industrial automation and OT security consultant at Yokogawa, believes that the two largest security threats are ransomware – the OT business is now clearly in the attackers’ crosshairs – and the Advanced Persistent Threat (APT), which is cyber warfare or espionage from one country against another.

To overcome these threats, his advice is to ensure you have a full security programme. If you don’t have the expertise yourself, get help – most industrial vendors will have the capabilities to support you. “A security programme starts with making sure the people in the organisation are aware,” he said. “Do a security risk assessment and gather facts to see where your system is vulnerable or where your highest risks are; establish OT policies and procedures; define the best way to organise and manage your OT automation system; set the budget based on the risk assessment and on the policies. The next step is to implement technical and operational solutions.” Yokogawa recommends following IEC 62443. “Finally, maintain your security solutions and ensure that there is a security structure that maintains the security of your system,” said Hellinghuizer.

The cloud
The OT environment is ideally air-gapped but in practice it almost never is. “Being networked and then moved to the cloud could be regarded as the antithesis of ideal,” said Edward Kessler, technical executive at EEMUA. He pointed out that, while the cloud can be very secure, its strength comes with a sort of brittleness. Extra dependencies are introduced for a cloud-based solution. “There is a need for reliable, dependable, secure, correctly configured communications; correctly configured in-cloud virtualisation; and correct and appropriately configured site equipment,” he continued.

“Experience has shown that accidental mis-configurations can exist in any one of those dependencies, and that is without considering the inevitable zero days and known but unpatched problems.”

Kessler argues that it is, therefore, necessary to consider the insecurity of the Internet, which was never designed for mission-critical use. By now we should all be well-educated in the inherent deficiencies of bolt-on security. He said: “The answer to these problems is firstly to have robust processes that build security into all possible modes of operation – cloud, local, remote; and secondly, to manage the changes needed to those processes as the business evolves its use of each. Business cases should include process change costs! You have to remember who carries the risk – it isn’t the provider of the cloud, nor the provider of the links between your sites.”

These are things that the user can do something about – at least to some degree. However, Kessler points out that the deeper concern has to be the supply chain, not least because the user has no control over most of it and often very little knowledge or resources to check or test what is supplied. “The result is that it’s difficult to patch or even to know whether a patch is needed. When suppliers fail in this way, and there are potential safety consequences, a shake-up is needed in the regulations governing the products because there is very little that the user can do about it. The user’s best defence is at the procurement stage to ask some searching questions – EEMUA has some examples. If the supplier cannot answer fully and plausibly it should be taken as a warning,” concluded Kessler.

Rudimentary protection
Samir Desai, VP of product management at GTT, believes that the focus on ensuring availability and performance of industrial applications leads to more conservative approaches as to how security is deployed and maintained. He said: “To minimise disruptions, it is not uncommon to have systems with rudimentary security protections. Security best-practices commonplace in IT environments – such as vulnerability scanning – can cause malfunctions in industrial controllers that were not designed to deal with such events. These constraints make securing ICS/SCADA environments both unique and difficult. The result is that many organisations still work with a mixed bag of antiquated security technologies that operate in silos, are difficult to manage, provide limited situational awareness and do not provide the kind of preventive security.”

Many organisations are still using legacy technologies that are inadequate to address modern ICS cybersecurity challenges. This is why, according to Desai, Secure Access Service Edge (SASE) is such an important framework for enterprises to consider. He said: “The SASE approach provides a complete, tightly integrated set of capabilities to prevent threats while reducing the burden on organisations in deploying and maintaining security. By converging WAN and advanced cybersecurity services in one integrated solution, organisations effectively keep their critical business assets secure while still supporting an increasingly growing network perimeter.”

Desai goes on to point out that, to protect against cyber threats, organisations need to implement a comprehensive defence posture that is balanced with performance and availability of critical industrial processes. “The solution must combine the benefits of industrial endpoint-focused security with threat awareness and intelligence,” he said. “Furthermore, it must provide granular visibility and control at application and user levels to allow for network segmentation that better aligns with business needs.” This should entail adoption of security best practices and solutions deployed in the traditional IT environment such as advanced intrusion prevention and threat response systems, which combine DDoS mitigation methods with firewalls, anti-spam, content filtering, and other network security functionality. “Together, these next-generation security capabilities enable constant and consistent network protection to contain a DDoS attack and protect business-critical internet resources more comprehensively,” concluded Desai.

High value targets
Industrial automation presents a high-value target for bad actors, given that the revenue-producing side of a business can be completely shut down. For this reason, the most significant security threat facing continuous and discrete manufacturing today is inaction.

As Steven Fales of the ODVA pointed out, one critical security threat is relying on a sole security measure in an effort to create an easy-to-manage, low-cost solution. “While firewalls can be rugged and comprehensive or deep packet inspection can be very thorough, a single obstacle, even a substantial one, makes it easier for a bad actor to infiltrate an operational technology network. Attitudes can also present a serious security threat if there is a pervasive ‘it won’t happen to us’ point of view,” he said.

It can be helpful to think like an attacker to better understand and prepare for threats. The raw value of a target can be thought of in terms of the total revenue of the company. That value is then discounted by the security measures in place, each of which increases the time and expense required to defeat the defence. It is a mistake to think that smaller firms will not be targeted, given that the supply chains of much larger companies can be heavily impacted by a successful cyber-attack and because smaller firms often present a soft target. Another consideration is that the more information that is available about a target, the more likely it is that there will be an intrusion. Discoverable IP addresses, information from disgruntled employees in discussion forums, and excessive disclosures in publicly available information can serve as unintentional marketing to those looking for an easy target.

The ODVA believes that one of the most important ways to reduce your attack profile is to implement a defence in depth architecture. “A bad actor can be a singular, highly skilled person, a cooperative group, or even a nation state,” explained Fales. “With that in mind, it’s necessary to create a defence that includes many layers of deterrence. Physical security is a valuable consideration given that wireless networks can be potentially reached outside of company property, open USB ports invite spyware, and lost electronic entrance security keys allow uninvited access that can increase the attack vector of a facility. Contractors and supply chain partners should not be forgotten as they can have access to critical OT systems or be the weak link in the supply chain if they present a soft or easy to beat target due to limited security measures.”

From there, traditional security within switches including firewalls, approved listing and deep packet inspection is a must. “Don’t forget about the value of protecting the final mile of automation in terms of field devices,” warned Fales. “Consider leveraging CIP Security to help protect EtherNet/IP devices from attack on at least your most high-risk devices that could reveal secret recipes, lead to worker injury, or shut down manufacturing lines. CIP Security can now be implemented via a proxy device to help protect existing assets. Additionally, CIP Security can be used on the lowest level for resource-constrained devices such as contactors and push buttons.”

Another method to minimise the potential for attackers to be successful is to conduct regular threat modelling using the STRIDE, DREAD or Attack Tree approaches. The STRIDE approach covers spoofing, tampering, repudiation, information disclosure (privacy breach or data leak), denial of service, and elevation of privilege. The DREAD threat model rates damage, reproducibility, exploitability, affected users, and discoverability. Attack Trees or Threat Trees are a logical approach to better understand how an intrusion could happen in a detailed, logical and step-by-step manner.
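As an added illustration (not from the article or the ODVA), here is a small attack-tree evaluator with DREAD ratings on its leaves, built from the threat categories discussed earlier in the piece; all node names, effort figures and ratings are constructed. OR nodes take the attacker's cheapest option and AND nodes require every child, so the cheapest path to the root shows where the next layer of defence pays off most.

```python
"""Added example (not from the article): an attack tree with DREAD ratings,
evaluated the way a defender would use it: find the cheapest path to the
goal, add a control, and re-evaluate. Contents are constructed."""
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    op: str = "LEAF"                # "AND", "OR" or "LEAF"
    effort: float = 0.0             # estimated attacker effort in hours (leaves only)
    dread: tuple = (0, 0, 0, 0, 0)  # Damage, Reproducibility, Exploitability, Affected users, Discoverability (1-10)
    children: list = field(default_factory=list)

def dread_score(node):
    """Average of the five DREAD components, 1 (low) to 10 (high)."""
    return sum(node.dread) / 5

def cheapest_path(node):
    """Return (total effort, leaf names) for the least-effort route to this node.
    OR: the attacker picks the cheapest child. AND: every child is required."""
    if node.op == "LEAF":
        return node.effort, [node.name]
    paths = [cheapest_path(c) for c in node.children]
    if node.op == "AND":
        return sum(e for e, _ in paths), [n for _, ns in paths for n in ns]
    return min(paths, key=lambda p: p[0])

def harden(node, leaf_name, extra_effort):
    """Model a new control (segmentation, an IPS 'virtual patch', ...) as extra effort on every leaf with that name."""
    if node.op == "LEAF" and node.name == leaf_name:
        node.effort += extra_effort
    for c in node.children:
        harden(c, leaf_name, extra_effort)

def leaves(node):
    return [node] if node.op == "LEAF" else [lf for c in node.children for lf in leaves(c)]

def build_tree():
    flat = lambda: Node("Traverse flat OT network from IT side", effort=4, dread=(9, 8, 8, 9, 7))
    return Node("Halt production line", "OR", children=[
        Node("Issue commands over unauthenticated OT protocol", "AND", children=[
            flat(), Node("Speak unauthenticated OT protocol", effort=2, dread=(9, 9, 7, 6, 5))]),
        Node("Exploit unpatched legacy controller", effort=20, dread=(10, 6, 4, 6, 4)),
        Node("Ransomware spread from unmanaged BYOD device", "AND", children=[
            Node("Attach unmanaged device to OT network", effort=1, dread=(7, 8, 9, 9, 8)), flat()]),
    ])
```

On the constructed tree the cheapest route costs 5 hours through the unmanaged-device branch; hardening the flat-network leaf (segmentation) moves the cheapest route to the unpatched controller at 20 hours, and an IPS virtual patch on that leaf raises the floor again, which is the defence-in-depth effect the text describes.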

Regardless of the threat model employed, it is important to conduct these analyses on a regular basis to take into account changes in manufacturing footprints and newly discovered threats. Another valuable approach is to think of security as a state of mind within an organisation. The best policies, procedures, and systems can be overcome, but a host of vigilant employees can be much harder to defeat. In summary, security should be treated with the same care as safety when designing, updating, and operating an industrial facility. Security is an invaluable investment in the future of your enterprise.
