CYE Insights

Improving Security in Your OT Environments

December 11, 2022

The past several years have seen the rise of highly sophisticated cyberattacks on organizations of every size, and in both IT and OT environments.

The primary difference between IT and OT oriented environments is that certain security aspects and mechanisms cannot be implemented in an OT environment because they can hinder availability and reliability. Regardless of the motives of a malicious entity, the result of a successful intrusion into an OT environment could have severe and far-reaching implications, especially when critical infrastructure is involved.

While IT environments are considered flexible and dynamic, with an average lifecycle of 3–5 years, some OT architectures are designed to last decades with little to no changes. In addition, the usage of outdated protocols like Modbus, reliance on proprietary software or hardware, and the general lack of resilience to network stressors are just some of the issues a company would have to face when it comes to establishing a sufficiently secure OT network.

Below are crucial insights about certain areas that could end up being an Achilles heel to organizations in the event of an intrusion, as well as recommendations for prevention.

1. Remote access

Along with network segregation, remote access is also a considerable challenge. This is because of the different entities that require access to the network and related components, such as company employees or vendors providing continuous support for their products. Employee access is relatively easy to manage as there should already be a centralized identity management system. The primary risk, therefore, would be the vendors.

When looking into different remote access schemes, there are two main designs: VPN and ZeroTrust access. VPN, the older of the two, provides a connected endpoint with direct access to the internal network. If such access is granted to your vendor for the purpose of providing remote support under their warranty agreement, it could very quickly turn into a third-party attack should vendor endpoints be compromised.

On the other hand, ZeroTrust access provides a more secure solution, granting indirect access via a cloud-based broker to only the relevant applications. ZeroTrust also enables a more granular approach to access management, as you can enforce stricter policies. Additionally, as ZeroTrust access does not provide the endpoint with a seamless connection to the internal network, the potential attack surface would be considerably smaller than with a VPN architecture.

2. Dependency on outdated vendor technologies and processes

A classic example of outdated technologies used in OT environments is Modbus. This critical protocol is designed to facilitate communication between PLC components yet provides no built-in security mechanisms for authentication or data encryption. This can enable various attacks including unauthorized command insertion or interception of data. Despite not being able to support even rudimentary security controls, Modbus is still being utilized by critical infrastructure such as nuclear reactors for operational processes.

Furthermore, hardware and software deployed by different vendors often use proprietary technologies, as opposed to off-the-shelf solutions with standardized communication protocols in the IT world. This consequently creates a very strong vendor dependence by negatively impacting the ability of organizations to upgrade any component independently.

Since most components in the network are owned and maintained by the different vendors, an organization could take additional security measures in an approach referred to as “virtual patching.” This involves ensuring proper separation between the different networks, enforcing an allow-list firewall ruleset, disabling interfaces that are exposed unnecessarily, and more. While this approach does not provide an airtight solution, it would substantially reduce the exposed attack surface.
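The following added example (not from the original article) parses a Modbus/TCP frame to show that it carries no credential or signature field, then applies an allow-list decision of the kind a virtual-patching filter in front of a PLC would make. The IP addresses, unit ids and policy table are constructed for illustration.

```python
import struct

# Standard Modbus function codes that change device state (coil/register writes).
WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed policy: (source IP, unit id) -> function codes that source may send.
ALLOW = {
    ("10.10.1.20", 1): {3, 4},         # HMI: read holding/input registers only
    ("10.10.1.30", 1): {3, 4, 6, 16},  # engineering workstation: reads and register writes
}

def parse_adu(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts the unit id and everything after it
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    # Every field is now accounted for: there is no user, key or MAC anywhere.
    return {"tid": tid, "unit": unit, "function": fc,
            "is_write": fc in WRITE_CODES, "data": frame[8:]}

def decide(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'drop'. The frame cannot identify its sender,
    so the policy has to key on the network source and the target unit."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return "drop"  # malformed traffic never reaches the PLC
    allowed = ALLOW.get((src_ip, adu["unit"]), set())  # default deny
    return "allow" if adu["function"] in allowed else "drop"

# Constructed sample frames: read 2 holding registers, write one register.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "00000002")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "000100ff")

if __name__ == "__main__":
    for src in ("10.10.1.20", "10.10.1.30", "10.10.9.9"):
        print(src, decide(src, READ_HOLDING), decide(src, WRITE_SINGLE))
```

Because the decision rests on the source address alone, it is only as strong as the network separation that prevents other hosts from using that address.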

3. Network visibility

When it comes to your OT network, the ability to detect, react, and manage an incident could be the difference between a minor breach of the peripheral systems and a catastrophic failure of production lines. It is imperative that an organization is able to rapidly detect and react to potential breaches.

With network visibility, three key areas should be taken into account:

Asset management – A precompiled list of assets such as PLCs, technician workstations, and HMI endpoints should be periodically updated to ensure the state of the network is well known in the event of a breach.

Network monitoring – Since some OT environments, even those that were deployed 10 years ago, consist of older hardware, deploying active monitoring solutions could run the risk of overstressing the different components. By implementing regular log collection and analysis alongside OT-aware monitoring solutions, security teams would have better detection points throughout the network with more fine-tuned response times in the event of an unauthorized intrusion.

Event logging – This is a crucial part of incident investigation and response in any environment. By conducting a thorough analysis of the different logs, a baseline of day-to-day operational activity in the network can be established, which consequently would increase the chance of detecting anomalous behavior or a potential intrusion.
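As an added illustration (not part of the original article), the sketch below combines the three areas: it learns a baseline of (source, destination, Modbus function code) tuples from passively collected logs, then flags traffic from hosts missing from the asset inventory and traffic that deviates from the baseline. The log format, addresses and asset names are constructed assumptions.

```python
import re

# Assumed log format (hypothetical): "<timestamp> src=<ip> dst=<ip> fc=<function code>"
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) fc=(\d+)$")

# Constructed asset inventory: IP address -> asset name.
INVENTORY = {"10.10.1.20": "HMI-1", "10.10.1.30": "ENG-WS-1", "10.10.2.5": "PLC-1"}

# Constructed logs: a known-good window and the window under review.
BASELINE_LOG = """
2022-11-01T08:00:00 src=10.10.1.20 dst=10.10.2.5 fc=3
2022-11-01T08:00:05 src=10.10.1.30 dst=10.10.2.5 fc=3
2022-11-01T09:30:00 src=10.10.1.30 dst=10.10.2.5 fc=16
"""
TODAY_LOG = """
2022-12-11T08:00:00 src=10.10.1.20 dst=10.10.2.5 fc=3
2022-12-11T02:14:09 src=10.10.1.20 dst=10.10.2.5 fc=6
2022-12-11T02:15:30 src=10.10.1.77 dst=10.10.2.5 fc=3
2022-12-11T09:30:00 src=10.10.1.30 dst=10.10.2.5 fc=16
"""

def parse(log: str):
    """Yield (timestamp, src, dst, function_code) for each well-formed line."""
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, fc = m.groups()
            yield ts, src, dst, int(fc)

def build_baseline(log: str) -> set:
    """Day-to-day activity expressed as the set of observed (src, dst, fc) tuples."""
    return {(src, dst, fc) for _, src, dst, fc in parse(log)}

def detect(log: str, baseline: set, inventory: dict) -> list:
    """Flag unknown assets first, then known assets behaving in a new way."""
    alerts = []
    for ts, src, dst, fc in parse(log):
        if src not in inventory or dst not in inventory:
            alerts.append((ts, "unknown-asset", src, dst, fc))
        elif (src, dst, fc) not in baseline:
            alerts.append((ts, "new-behaviour", src, dst, fc))
    return alerts

if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG), INVENTORY):
        print(alert)
```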

4. Network segregation

The importance of network segregation cannot be overstated. This is a recurring issue we have seen time and again, and it includes direct access from the employee IT networks, both LAN and WAN, to the human-machine interfaces (HMI). This would place an attacker with internal network presence in a strong starting position to compromise the exposed interfaces.

To help ensure network segregation, make sure you have dedicated jump stations that are hosted on an internal demilitarized zone (DMZ), sufficiently hardened, and regularly updated, and that access is granted to designated personnel only.

Conclusion

While security strategies in OT environments are similar to those of IT networks, many of these mechanisms need to be implemented with a heightened sense of awareness of ICS components, as even the modern ones are not “secure by design” and would require peripheral protection to ensure the continuous operations of your organization. By implementing the recommendations that are highlighted in this article, you can help improve the security maturity of your OT network.

By Tal Memran

Cybersecurity Expert at CYE