OT Security – Though the term sounds familiar, global SRM leaders are yet to develop robust OT security solutions for protecting OT networks. Sectrio’s The IoT and OT CISO Peer Survey 2022 highlights that close to 90% CISOs reported one major cyber incident in the last 12 months. Most respondents stated that operations were halted for over four days, incurring losses of over $2.5 Million. The stats mirror the current situation. As if this is not enough, here is another wake-up call. According to a survey, over 30% of critical infrastructure organizations will likely be the victims of OT attacks and threats by 2025.
Many point out fingers at the rapid digitization of technologies that propels critical infrastructure. On the same lines, we cannot ignore the fact of the underspending when it comes to establishing and realizing OT security. It took a mammoth effort of countless ransomware attacks, data breaches, and cybersecurity attacks to make us recognize the need for cybersecurity. This transition happened over a decade. Cyber-attacks on IT systems primarily affected individuals and firms, and government organizations.
lso read: How to get started with OT security
It will not be the same in case of an OT attack. A nation’s security would be at stake if it were a large-scale OT attack. Despite an ever-growing list of OT security vendors, many companies still choose not to opt for OT security solutions. The reason can either be due to budget constraints or failing to acknowledge the consequences of an OT attack.
More worrying is that over 80% of the CISOs believe their supply chains are vulnerable to cyber-attacks and OT security attacks. Cyber-attacks on OT networks are an ever-growing concern in the industry. One can minimize exposure to such attacks by following protocols and identifying commonly experienced OT security challenges. This approach will help a CISO and the company’s C-Suite to understand their needs while discussing with various OT Security vendors.
Top 10 OT Security Challenges and Solutions:
The digitization might have exposed OT networks to more frequent and sophisticated cyber-attacks. But there are other reasons that one needs to understand to address the problem. Subscribing a random OT Security Solutions suite may not protect an OT network entirely. Evaluating the security posture of an OT network prior helps in understanding the kind of security solutions needed.
Before addressing the common OT security challenges an OT network might face, it is essential to understand the difference between Challenges and Threats. Challenges are the adversaries that one can address using available resources. Threats are those adversaries that require additional or highlight the lack of resources in a specific domain.
The following are the most common OT security challenges on an OT network. To keep you less worried, we also listed the solutions that can help you to handle these challenges.
- Attrition of Network Architecture
- Lack of homogeneous ownership
- Poor visibility
- IoT Bots and DDoS attacks
- Use of removable media
- The security posture of sub-components
- Human Error
- Connecting to the cloud
- OT and IT Convergence
- Lack of awareness
Most OT Networks currently existing were designed in the early ’90s and built into the late ’90s, with few in the early 2000s. The security of an OT network work’s on the design philosophy of isolation – completely separated from other networks. This technique ensured default protection of an OT network, irrespective of the advancement of IT-related threats. The OT networks were often guarded by strict protocols at their respective sites, eliminating most threats.
The decades-old OT networks need continuous maintenance and installation of upgrades. Rather than periodic and broad-scale upgrades, most manufacturing plants opt for ad-hoc upgrades. This pattern can lead to a gradual attrition of security. Most OT networks’ security architecture follows the Purdue Model of Control Hierarchy – a six-layered, well-defined security protocol.
Security erodes with time. One can attribute Ad-hoc updates and those changes made to machinery without considering the impact at a broader level to this. Adding to this, the adoption of ‘wireless communication’ has further worsened the security woes. Despite robust OT security solutions in place, having these vulnerabilities puts the OT network at risk in its entirety.
Managers at manufacturing plants should plan for a complete assessment of the OT network’s security posture ahead of the scheduled updates. It is better to replace obsolete components with new ones on the network than to opt for ad-hoc updates. Trying to extend the lifespan of outdated components through patching and ad-hoc updates weakens the security posture.
The cybersecurity team must understand the broad impact of any update before installing it on any device. No one should override the ‘Purdue Model of Control Hierarchy’ or the established set of security protocols to facilitate the installation of any device on a network.
As we speak, OT and IT networks are consolidated into a giant complex network. Enterprises should have a comprehensive suite of OT security solutions, preferably from multiple OT Security vendors.
2. Obsolete Machinery and Legacy OS
The obsolete machinery and the legacy OS add more weight to a weakening OT network. While obsolete machinery is directly responsible for low productivity, it is solely responsible for ‘incompatibility’ across various systems. Given that every vendor’s software and protocols are proprietary, compatibility across components from different vendors is impossible.
Adding to it are the ever-growing cybersecurity concerns. Despite the availability of many OT security vendors, securing obsolete machinery running on legacy OS is impossible. The history of vulnerabilities in Microsoft XP and Windows 7 are well covered. With Microsoft discontinuing the support for these Operating System software, enterprises are left bare in cyberspace, waiting for an attack to occur.
These archaic machines and systems do not support modern-day security protocols and have no room for flexibility and scalability. A system crash on this infrastructure results in data loss and a recovery time of hours. If a component fails, this downtime runs into days and even weeks, given the scarce availability of spare parts.
High maintenance costs further hit the margins. Knowing that data is the oil of the 21st century, these obsolete machines and legacy OS systems cannot make the most of it. The utilization of data is what decides the fortunes in the present and future. Many enterprises fail to comply with statutory and other regulations by the local and state authorities. Such a failure can dampen the company’s brand image and reputation in the market.
Modernizing is the most viable solution to overcoming the risks of obsolete machinery and legacy systems. Archaic hardware cannot support modern software. In the digital age, where cybersecurity threat is real, upgrading to modern hardware can bring down the risk factor to a great extent.
An enterprise should carry out the legacy infrastructure modernization in a phased manner. One can adopt various preventive measures during this time. Starting with limiting the users accessing the highest authorization is an excellent way to begin. Though basic, replacing default credentials with stronger passwords and unique names can eliminate threats from novice attackers. Similarly, scanning and verifying updates before updation, disabling ports and services that are not in use, and periodic network scanning is mandatory.
Adopting data encryption wherever possible and using a secure VPN to transmit data can secure communications to a reasonable extent. Updating the latest patch available for the respective component aids in strengthening the security posture. Other techniques like migrating workloads off the central server, using a virtual machine, and limiting network access protects legacy infrastructure.
3. Lack of homogenous ownership
It is essential to establish comprehensive security ownership of a firm. It is of even greater importance in the case of an industrial unit. The manager and Plant operations director share security ownership, with occasional assistance from the C-suite. While this seems to reduce the burden, this breeds vulnerabilities, encouraging threat actors. Sharing security ownership across the hierarchy makes monitoring and conducting surveillance difficult.
Unlike the IT companies that have well-defined security protocols and security ownership, OT networks do not. The design philosophy on which they are built – Isolation from other networks does not pave the way for well-defined security protocols, regulations, and procedures.
Many manufacturing firms have been late in realizing the impact of large-scale orchestrated attacks on OT networks. Lack of homogenous security ownership adversely affects the ‘Detection and Recovery’ time during a security breach. It can lead to non-operation times ranging from a few days to weeks and running into months. It does not come as a surprise to learn that only 1 in 5 companies having manufacturing units claim that their CISO looks after OT security ownership. After a thorough assessment, the CISO plays a pivotal role in choosing the suitable OT security solutions offered by various OT security vendors.
The C-suite of every enterprise has been a tad over-cautious towards security ownership. An increase in recent successful cyber-attack intrusions and victim companies is likely the cause. Many firms believe their Vice President or Network Engineering Director is best to take over, limiting a CISO’s role. The declining trend of CISOs’ influence in security decisions should take a U-turn.
The CISO, by default, should be the one who makes critical decisions regarding the budgeting of OT security, cybersecurity, and other related aspects. A qualified CISO brings in more experience and tactical advisory regarding negotiations with the OT security vendors. In general, C-suite decisions are limited to choosing the right OT security solutions, with a tab on the budgeting. But a CISO, on the other hand, takes critical initiatives that protect and secure the enterprise and embed a cybersecurity culture among the employees. Breeding such a culture at an employee level goes a long way in fortifying the enterprise.
The CISO’s role has changed dramatically from the mere securing digital perimeter for assets. It has transformed into an independent risk decision maker, a trusted facilitator, and, notably, a value creator.
4. Poor Visibility
The lack of centralized visibility of OT components adversely affects security and production. Identifying a component failure in a manufacturing plant can take a few minutes, hours, or even days. Applying the fix is altogether another story. This unplanned downtime can severely affect the operation schedule and the enterprise’s business opportunities. It heightens the security risk of the enterprise by a significant factor.
With no centralized visibility of the entire OT network, it is impossible to know which devices are joining and leaving the network in real time. It would be too late by the time one realizes the presence of a foreign device on the network. By that time, an attacker can do enough damage. This time-lapse in detection can affect the production and safety of the industrial unit.
According to a report, above 95% of companies (that took part in a survey) agreed that they do consider OT networks are significant targets. Surprisingly, only 15% of companies stated they have centralized visibility for their OT network. 52% of the companies acknowledged that they could monitor their network from SOC (Security Operations Center).
The threat detection time can run into days on an OT network that lacks OT security solutions like centralized visibility. While few industrial units suffer production time, others can suffer safety issues. An attack on critical assets like power distribution can affect a nation’s security.
Unlike IT systems which work on confidentiality – Integrity – Availability, OT network works on ‘Availability’ exclusively. Integrity and privacy only come second. At all times, the OT system has to be up and running. When an attacker successfully intrudes the network, a few sections of an OT system experience downtime. Though many attackers cannot bring the entire system to a halt, they meticulously gain access to higher authorization controls with time. The attacker can enter the system through known and unpatched vulnerabilities, third-party systems, or poorly managed OT devices. Constant network surveillance should be in place to identify any intrusion attempts.
Identifying attackers before they intrude on the system is vital in the OT network. Knowing that OT networks provide a vast attack surface, it is essential broad visibility is achieved entirely. We need to adopt a data-driven and management-driven policy to attain comprehensive visibility. Implementing asset identification, logging, NAC (Network Access Control), SIEM, and network segmentation is vital.
Keeping a tab on every device on an OT network is essential to secure the perimeter. It is also a labor-intensive and tedious task. We need OT security solutions that help us get information about any device on the OT network from a single screen. The devices can include engineering workstations, PLCs, HMIs, and other ICS’. Asset identification and Network Access Control can help secure the OT network perimeter. The adoption of zero-trust access is critical in this exercise.
The security command control should know every device leaving and entering the network. Analyzing data generated by a device, one can understand its effect on the network’s security posture. Especially in the case of malicious traffic, uncommon behavior, or random IP address logs, it can help take the device off the network. Given that devices and components on OT networks come from different manufacturers, it is essential to install patches and updates when readily available. Such a measure can help close any vulnerabilities, strengthening the security posture.
5. IoT bots and DDoS attacks:
IoT is the next biggest thing happening in the tech world. From smart homes to smart factories, we are seeing the deployment of IoT devices like never before. For a fact, all cybersecurity experts know that the security posture of those devices is poor. The entire system can be compromised if an attacker finds a single vulnerability. IoT devices are metamorphosed into botnets by bad actors. Attackers use these botnets to launch massive DDoS attacks on OT and IT networks. Tech giant Google has witnessed a DDoS attack on the range of 167 Mpps in 2020. Meanwhile, GitHub saw what was supposed to be the largest DDoS attack that involved an enormous bandwidth of 1.35 Terabits per second (at its maximum). The attack on GitHub took place using the Memcached protocol (that originates from UDP port 11211).
With OT and IT systems consolidated into one complex cyber network, we can expect more DDoS attacks targeting OT components exclusively on the network. Often a delay in communication between the command control and the PLC affects the functioning of an industrial plant. After gaining authorization, attackers can manipulate data sent to PLCs, affecting the plants’ safety and functioning. State-sponsored DDoS attacks aim at halting production for weeks and months.
OT and IT networks will be inseparable in the future. Every production plant’s OT network is connected to the IT network to improve efficiency and attain optimum use of resources. But how do we protect these sensitive networks, which cannot afford downtime? It starts with securing the devices before we link them to the network. One should use strong passwords and unique usernames in place of default credentials. Asset identification will play a key role while securing the systems.
OT security vendors provide deep monitoring and surveillance management systems. These systems and network management tools help us understand threat vectors’ behavioral patterns. Looking out for any critical alerts, bandwidth monitoring, and network segmentation is helpful. Though one cannot prevent DDoS attacks, one can mitigate the risk by implementing comprehensive OT security solutions. ACLs (Access Control Lists) can filter input packets based on the port, efficiently mitigating DDoS attacks.
6. The Cloud and Internet:
To achieve maximum efficiency and attain optimal resource utilization, OT networks are using the cloud. OT networks depend highly on vendors to meet hardware requirements and other needs. Many third-party vendors use the cloud frequently. Few third-party vendors provide product warranty only if they have access to the plant’s floor via the cloud. Vendors use this access to manage and operate their equipment remotely. Any vulnerability found on the vendor’s end can compromise the OT network’s security.
Similarly, Remote solutions providers leverage the power of cloud integration while extending their services to their clients, the OT networks. Cloud provides both scalability and redundancy. But these remote solutions providers have no control over their assets on the cloud. A DDoS attack on a cloud provider can affect their clientele – OT networks. Such attacks can lead to communication disruption between local and cloud components, giving rise to other issues.
Another exciting aspect of OT networks is internet connectivity. Most OT networks connect directly to public ISPs without strong firewalls and other security protocols. These unsecured connections expose the system to cyber-attacks. Furthermore, these OT networks and systems run on legacy systems with little to zero security against evolving threats.
Cloud integration is undeniably the need of the hour in the modern world. Be it for resource management during high resource intensive periods, to improve efficiency, or to achieve optimum functionality. Parallelly, security is of paramount importance. CISOs should thoroughly understand the level of protection on the vendor’s side before granting them access to the plant floor. The checklist should include vendor’s security procedures, logins that give access to the OT network, data flow through their network, and others. It helps to patch any gaps in security on the vendor side, thereby keeping the level of security intact, despite cloud integration.
Likewise, CISOs should understand their remote service provider’s cloud infrastructure and develop a backup plan in case their primary cloud service is affected. In hindsight, having a backup plan can keep the plant functioning despite a cyber-attack on the primary cloud infrastructure. It does not come surprising that 59% CISOs in our survey felt that threat environment has deteriorated in the last 12 months.
Connecting directly to a public ISP means you are calling for trouble standing in the middle of a freeway. It won’t take long for attackers to scan the OT network for vulnerabilities and successfully find one. Channeling through a secure VPN, improved network security, firewalls, limiting broadcasting networking, and cloud-based protection is vital in protecting internet-linked OT networks. Most OT security vendors do offer these OT security solutions comprehensively.
7. Use of removable media
No device is safe when connected to a network. On connecting to the internet and intranet, the security risk elevates. The same is the case when using removable media. Plant managers often use thumb drives to install a patch, an update, or other software. The thumb drives are also ideal for data transfer among the systems. While this can be tech-savvy, it brings many problems to the forefront. Many reports in the past had showered light about employees being undertrained when installing and updation of OT systems. Security experts see removable media on OT networks as a Pandora’s Box. There have been several cases of malware injections into systems through removable media.
Attackers use removable media as an initial vector to access systems directly. Attackers use Trojan malware commonly to infect the systems. Over 75% of reported injected malware intrusions had Trojan. Apart from injecting malware through a removable device, an attacker can exfiltrate crucial data, establish commands and take control of critical systems. Safety and production systems can be a part of the critical systems. Setting up a remote connection with the system is entirely possible. Once an attacker establishes secure remote connection access, the attack can inflict considerable damage on production and lives.
An enterprise should have a zero-tolerance policy toward using any removable media within the corporate and manufacturing plant premises. Achieving the highest security standards is only possible by following strict measures. An enterprise should ensure computers have no USB access. Though this does not guarantee complete protection, it dramatically limits the primary threat vector – the removable media, from entering the OT network.
Companies should conduct regular workshops to help employees identify and report any suspicious connections in the working space. A zero-trust policy regarding sharing of passwords should be at the top of the list of the company’s policies. Disabling autorun and autoplay options is helpful. Encrypting confidential and important data on the systems is one way to limit any damage caused to malware intrusion. Putting corporate data and other manufacturing-related data is essential. OT security solutions should be able to provide the OT network’s IT management team with endpoint security controls and management tools.
8. The security posture of sub-components
On an industrial network, OT security systems secure endpoints. These endpoints extend from computers that control the entire production systems’ safety operations to those that look after the CCTV setup. Though visible endpoints are well protected, that is not the case with the sub-components and sub-systems. These internal components and systems usually do not have the same security standards.
It is easy to find old racks of obsolete machinery working with modern equipment on an industrial site. Plant operation managers use old machinery to cut down on the budget or utilize the residual life span of the component. While these bring down the costs reasonably, they elevate the security risk exponentially. The security posture also relates to the various infrastructure shared across the entire network. This infrastructure includes but is not limited to routers, switches, network management tools, firewalls, and wireless access points. Most components of this infrastructure fail to meet modern security standards and support current security protocols. They become the fragile portion of an OT network’s security. Furthermore, they are becoming a part of consolidated OT-IT systems as we march into the future.
Some obsolete OT infrastructure is still in use, with many discovered and undiscovered vulnerabilities. If not protected or patched timely, they can open the door to bad actors, putting the entire system at risk.
Engineers design and build OT components to work for decades, if not more. As the OT networks are often isolated, the OT components have little to zero security. The CISO and other security personnel should thoroughly assess which components fail to meet the company’s security posture. Replacing such components with modern ones is ideal. While carrying out this exercise, one should disengage the OT network from the internet, and IT networks, if any.
The inter-device communication protocols will never be in-line with modern protocols. Above this, most manufacturers publicly share the device’s working and protocols to facilitate interoperability. Attackers use this publicly available information to understand the communication protocols of the devices and thereby inject malicious code that can change the system’s normal functioning. It would be impossible to keep monitoring sub-components that run on zero security. Securing endpoints does not guarantee securing a component having zero security from within the component. Few such components and protocols are as follows:
Additionally, the software and hardware of the sub-components are generic. Windows Operating Systems holds a significant portion of the OS software on which these components run. A mid-level IT researcher has enough technical skills to create a package that acts against the component running on Windows. Stuxnet attack is a classic example of exploiting a previously known vulnerability in Windows.
9. Human Error and BYOD:
Knowingly or unknowingly, humans (especially the workforce) are one of the primary vectors for malware and attackers to enter secure networks. Malware can intrude on a system when an employee clicks unsolicited links, downloads malware-infected files (unknowingly) from phishing emails, or uses removable media. A vast number of ‘next-generation firewalls’ on a network makes it difficult to track firmware and patch updation. Any human error in installing or updating can make the network vulnerable.
The BYOD culture also lowers the security posture of the network. While many IT companies encourage their employees to bring their own devices, this trend has caught off late with OT networks. These include personal notebooks, mobile devices, and even smartwatches.
In comparison to IT networks, OT networks have poor protection against cyber-attacks. Employees often browse unsecured sites on their devices, which affects the device to an extent. Connecting these personal devices to the OT network can significantly affect the network’s security. Employees use various software on their devices interchangeably for personal and business purposes without consulting the company’s IT team. Using consumer-grade software on a business network is a definite risk. Moreover, if a personal device is lost, it could potentially lead to business data theft.
Moreover, if a personal device is lost, it could potentially lead to business data theft.
While eliminating human errors is impossible, we can reduce the degree of such incidents to almost zero. Implementing technical and organizational controls is vital to achieving a homogenous security posture. The company policy should explicitly mention that no employee should connect their device to the OT network or use any removable media. These measures can bring down the chances of malware intrusion through human-vector to a great extent. If an employee had to use their device, containerization is an excellent way to tackle this. Containerization lets the user work in a single space (personal or business) at a given time. While in the business space, the user cannot access their personal space. Encrypting data in transit and storage can eliminate any business data loss during a theft.
The company’s CISO should carefully examine OT security solutions by various OT security vendors. Apart from providing continuous surveillance and device management, the security solutions adopted should also give the status of firmware and patch updates of every component installed. The status information can provide the device’s last updated time, version, and installation procedure. The ‘Four-Eye’ principle should be a default way of approving an action.
On the organizational front, CISOs should organize cybersecurity awareness and education programs for the workforce. These programs help employees recognize suspicious links in emails and messages. It can prevent employees from clicking unsolicited links, using removable devices, and connecting personal devices to the network. Such a proactive approach can foil several malware attacks in which humans are vectors.
several malware attacks in which humans are vectors.
10. OT and IT Convergence
The conjugal of OT and IT seems exciting to every industrialist and SaaS provider. The OT and IT convergence is the next big thing happening in the industrial sector, opening doors to Industry 4.0. The prospect of such convergence seems green from afar. Advantages like increased efficiency, reduced operating costs, increased productivity, and optimal use of resources, call for this convergence.
But many overlook the risks arising from OT-IT convergence. The focus jumps to legacy systems that might make the entire scenario vulnerable. Adding to it, any delay of information through ICS networks, for whatsoever reasons, can disrupt the whole system. The damage to 1000 nuclear centrifuges in the Stuxnet incident is a staunch reminder of what can go wrong. The impact of any unauthorized modifications to the configuration settings can go a long way.
On a compromised OT-IT network, one can gain adequate authorization to control processes that otherwise wouldn’t have been possible on a compromised OT network. Such access to the OT-IT network leaves safety systems and other vital functionalities at the mercy of attackers.
functionalities at the mercy of attackers.
Communication between OT and IT personnel will be the key to developing a comprehensive risk management plan before, during, and after integrating OT and IT systems. It can help both sides to understand the inherent risks due to integration and devise a framework for the same. It will be essential to understand the causes of risks, the likelihood of a cyber-attack, the impact, the pros and cons of different approaches to mitigating risk, and the tolerable residual risk level. Pre-evaluation of various OT security solutions from different OT security vendors can be beneficial.
The key challenge lies in how the management teams bring unacceptable levels of risk to tolerable levels. The zero tolerance level for the traffic navigating the ICS network highlights this challenge. Additionally, enterprises should resort to practicing standard risk-reducing procedures. It is mandatory to create demilitarized zones between the OT and IT networks and enable 2FA on both ends. Implementing strict security procedures and protocols in practice in accessing and sharing information, a zero trust policy, and micro-segmentation is crucial. Installing firewalls and unidirectional gateways and establishing security levels and zones for both systems can help reduce the likelihood of an intrusion.
How to overcome the ever lurking OT Network Challenges:
Prevention is better than cure – No one knows this better than cybersecurity and a doctor. Choosing the right OT security solutions is never going to be easy.
The vast array of vectors and strategies that attackers deploy calls for a dynamic security team capable of analyzing a threat to its bare bones. Understanding this helps take suitable measures to mitigate and secure the system from further intrusion. The CISO should assess the OT network’s security posture before approaching OT security vendors for a comprehensive security solutions suite. Go for a: Comprehensive Asset Discovery with Vulnerability and Threat Assessment