As operational technology (“OT”) systems have increasingly become connected, their attack surface has grown and made them attractive to cyber threat actors. The level of investment in and understanding of OT security continues to lag behind IT security, however, despite the fact that OT systems underpin much of our critical national infrastructure.
In this blog we are going to explore what OT is, the developing challenges organisations face and discuss a tried-and-true security control model to segment and secure industrial control systems (ICS).
What is Operational Technology?
Operational Technology has existed since machines first began to replace humans during the industrial revolution of the 1800s. However, the term OT has come about more recently, describing the category of hardware and software dedicated to controlling, managing, and monitoring industrial operations, and the physical devices and processes they use. This could be anything from heartbeat monitors and traffic lights to complex centrifuges used in the enrichment of uranium.
For the purposes of this blog, we use the definition provided by NIST, which defines OT as:
“The hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of physical devices.”
This means that OT covers technologies used for the safe management of critical systems and processes that physically interact with us and our environment. Therefore, any security breach could have catastrophic consequences for society and state economies – potentially even loss of life. Consequently, the business case for OT cybersecurity could not be stronger.
The Security Impact of OT connectivity
As OT systems become more connected, they also become more exposed. Vulnerabilities previously mitigated by “air-gapping” are increasingly being discovered. Such vulnerabilities might include, for example, using unsupported legacy equipment and having unreliable or unviable patch management processes.
At the same time, the security management processes applied to OT have not kept up with improved approaches to IT security risk management. As OT systems have become more exposed, this lack of maturity is increasingly open to exploitation, including by relatively unsophisticated hackers. For example, malicious actors were recently able to access a US water treatment plant and exploit consumer-grade remote access tools to increase the lye content of the water output to dangerous levels.
What does this mean? Simply put, we will see more frequent, and potentially more devastating, attacks on OT infrastructure. The high-profile nature of target organisations, and the potential damage a successful attack could cause to both society and its economy, makes OT a tempting target for private actors looking for financial gains, or state-sponsored actors seeking to wage proxy war in the grey zone between nation-states.
Attacks are already on the rise – as the stats show. For example, disclosed ICS vulnerabilities skyrocketed by 41% in the first quarter of 2021 and Kaspersky reported an 85% increase in attacks on ICS networks in the second half of 2020, including a 30% increase in malware variants targeting OT.
Tackling the Challenge
The picture doesn’t need to be this bleak, however. In many cases, vulnerabilities can be mitigated, and worst-case scenarios avoided, by taking simple steps to ensure OT infrastructure is designed with security at its core. ‘Secure by design’ is a concept that hasn’t traditionally been applied in OT environments so ‘get well’ activities may be required. To help you ensure security stays at the core of your OT design process, we suggest you consider the following:
Apply key IT security risk management practices to secure OT environments
OT and IT differ in important ways. Where IT security focuses on user authentication, securing data transmission, and privacy to ensure a secure end-user experience and efficient data transmission, OT focuses on continuous operation, and operating in complex environments. Yet common principles can be brought from IT security management to OT. We advise organisations to consider the following fundamental security management principles:
- Implement good OT asset management – understand the OT assets you have, and how those OT assets interface with your wider IT network. Without a comprehensive view of your OT assets, effective risk assessments cannot be carried out and effective controls are impossible to implement.
- Ensure that there is a clear and enforceable plan to manage OT assets. This includes maintaining up-to-date inventory and a list of interdependencies; planning how updates and patches will be delivered, either automatically or manually; and how patches will be checked. If assets are managed by third parties, consider how those parties will access your network and their security posture. Remember, in many cases, you are only as secure as your weakest link.
- Apply appropriate access management and network segregation. Critical infrastructure communicating over a relatively public office network poses a significant risk. Consider adopting a defence-in-depth model with appropriate network segregation of riskier assets behind firewalls and DMZs. Your plant equipment should not be communicating across your main office network for instance.
- Develop a robust system to log and monitor incidents to ensure such incidents can be effectively investigated and if need be, reported. This is fundamental to the continuous improvement of a secure OT environment facing dynamic threats.
- Consider how your OT system will be protected throughout its life cycle. In some cases, this could be measured in decades. Robust vulnerability management and incident response planning must be implemented. Within the context of OT, consideration should be given to how effective testing can be carried out given the requirements for almost continuous up-time.
- Regular and comprehensive training and awareness courses supported by hands-on tabletop exercises should be carried out to ensure key staff understand how they will respond to a security incident and importantly, that your current planning is fit for purpose. Establishing communication channels between OT and IT leadership and teams is of particular importance.
Our advice is in line with advice from both CISA and the NCSC. We also recommend our clients read CISA’s Rising Ransomware Threats to OT Assets fact sheet, which includes key recommendations to prepare, mitigate and respond to such cyber threats. These are summarised for you below:
- Determine the critical processes that rely on and interface with your IT network. Even if network segmentation is enforced, critical assets may still be dependent on other business processes. Ensure your incident response/business continuity plans can cope with the loss of an ICS, and that these plans are tested. Ensure your backup procedures are appropriate and tested.
- Employ general cybersecurity best practices, including maintaining up-to-date software and firmware, allow-listing, least-privilege user access and two-factor authentication. Ensure robust segregation between IT and OT networks, and continuously monitor these networks for abnormal activity.
- Implement your organisation’s cyber incident response plan by reference to CISA’s ransomware guide. Its first three steps are: 1) determine the affected systems and isolate them immediately; 2) if you are unable to disconnect devices, power them down; and 3) triage systems for restoration and recovery.
Additionally, we recommend you read the NCSC’s recently published discussion on OT malware which includes reference to the NCSC’s 10 Steps to Cyber Security (see figure 1) as an effective means of mitigating most OT ransomware attacks.
This is not to say the unique context in which OT operates should be ignored; the inherently sensitive nature of these systems calls for tools that meet this increased risk, as well as methods to manage devices over long periods of time. For instance, using off-the-shelf IT tools to manage remote access may not be appropriate. We advise clients to take steps to understand their own security context and risk profile when implementing security controls.
Apply best practice guidelines
If you are responsible for the design or maintenance of OT networks, then make sure you are aware of the latest standards and consider how they apply to your organisation.
- The NCSC has published their five cybersecurity design principles which will aid designers to build a network with security at its core.
- The NCSC Cyber Assessment Framework is both a compliance assessment tool for the Network and Information Systems (“NIS”) regulation, and also a comprehensive framework to build a secure OT environment for the critical national infrastructure (CNI) sector.
- The NIST Cybersecurity Framework and NIST SP 800-82 form the core of US guidance for companies that are part of the U.S. critical infrastructure network.
- ISA-62443-2-1 is an international standard for “industrial communication networks” that leans on the concepts outlined in ISO 27001.
Manage supply chain risk
Reliance on remote access by third parties for data gathering and supporting ICS systems introduces further cyber risks. It is vital your organisation invests time and energy into getting a comprehensive view of your OT supply chain, including an understanding of their security posture and the interfaces and privileges they have within your organisation. Here at Evalian, we have recently discussed the important questions to ask about your supply chain security, and updated our advice for managing third-party suppliers. To help you understand more about how to assess these risks, and define working relationship criteria, we recommend you read our Supply Chain Security guide, which gives a detailed overview of best practices for working with suppliers.
Implement a zero-trust framework
A zero-trust framework does exactly what it says on the tin. It takes the view that everything – whether internal or external to a network – is hostile until proven otherwise. Designers should apply the key principle of least privilege. This defines the maximum access level for any user or application within a system as the minimum access required to carry out their function. This ensures that organisations reduce their risk of exposure to lateral movement or unauthorised access.
The framework is built on 3 pillars: (i) access control, (ii) device security posture, and (iii) network segmentation. It is the last pillar that we’ve pulled out to discuss in more detail in the next section. Network segmentation can be challenging. Luckily, in the 1990s, a team at Purdue University Consortium came up with a model that lays out the framework for effective and secure ICS environment segregation. This model has gone on to heavily influence current CNI guidelines and standards.
Effective OT Network Segregation: the Purdue Model
The commonality between the latest OT security frameworks mentioned in this blog is the importance given to the effective segregation and segmenting of ICS processes from outside networks. The key to effective network segmentation is to understand the boundaries between IT and OT systems, and clearly identify each level of infrastructure, from the plant equipment to the email servers at the edge of an enterprise network. Like the OSI network layer model, the Purdue model provides a useful abstraction to visualise the interconnections and interdependencies of a typical ICS environment and to segment and secure critical processes in an industrial network (see figure 2).
The model is strictly hierarchical, separated into 6 layers with information passing through each layer in order. In-between each layer, at the borders, are DMZs where access and data flow should be strictly controlled by firewalls and VPNs. The layers are described in brief below:
- Layer 0: Includes the physical components on the “shop-floor” e.g., sensors, motors, assembly-line robots, etc.
- Layer 1: Includes the systems that monitor and send commands to layer 0, such as Programmable Logic Controllers (PLCs).
- Layer 2/3: Includes the devices that support and manage the processes within the OT environment, including application/database servers and human-machine interfaces (HMIs), which enable humans to monitor and manage the lower layers.
- Layer 3 (IT/OT boundary): Defines the barrier between OT and IT, where jump servers and patch deployment servers manage limited user access between environments.
- Layer 4: Includes ERP software, databases, mail servers and other systems that enable management of the organisation’s logistics.
- Layer 5: This is your enterprise-wide network that faces the internet and sits outside the ICS environment.
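The conduit rule implied by the layer list above (traffic crosses only to the adjacent layer, and enterprise-side flows terminate in the IT/OT DMZ rather than reaching the plant directly) can be checked mechanically against a firewall rule set. The following is an added example, not code from the original post: it assigns hypothetical subnets to Purdue layers (the DMZ is numbered 3.5 here as an assumption) and flags allow rules that skip a layer, bypass the DMZ, or let anything above the HMI layer talk to PLCs or field devices.

```python
import ipaddress
from dataclasses import dataclass

# Purdue layers as listed in the post; 3.5 is the IT/OT DMZ (assumption)
# sitting between site operations and the enterprise layers.
LAYER_NAMES = {0: "shop floor", 1: "PLCs", 2: "HMI/SCADA", 3: "site ops",
               3.5: "IT/OT DMZ", 4: "enterprise", 5: "internet-facing"}
ORDER = [0, 1, 2, 3, 3.5, 4, 5]

# Constructed zone map: hypothetical subnets assigned to layers.
# Anything not matched by a more specific zone is treated as internet (5).
ZONES = {
    "10.0.0.0/24": 0, "10.0.1.0/24": 1, "10.0.2.0/24": 2, "10.0.3.0/24": 3,
    "10.0.35.0/24": 3.5, "10.1.0.0/16": 4, "0.0.0.0/0": 5,
}

@dataclass(frozen=True)
class Rule:
    src: str          # source host or CIDR
    dst: str          # destination host or CIDR
    port: int
    proto: str = "tcp"

def layer_of(addr: str) -> float:
    """Return the Purdue layer of a host/CIDR; the most specific zone wins."""
    net = ipaddress.ip_network(addr, strict=False)
    best = None
    for cidr, layer in ZONES.items():
        zone = ipaddress.ip_network(cidr)
        if net.subnet_of(zone) and (best is None or zone.prefixlen > best[0]):
            best = (zone.prefixlen, layer)
    return best[1]

def check_rule(rule: Rule) -> list:
    """Findings for one allow rule against the layer-boundary policy."""
    s, d = layer_of(rule.src), layer_of(rule.dst)
    findings = []
    if abs(ORDER.index(s) - ORDER.index(d)) > 1:       # skips a layer/DMZ
        findings.append(f"skips layers: {LAYER_NAMES[s]} -> {LAYER_NAMES[d]}")
    if s >= 4 and d < 3.5:                             # IT-side flow into OT
        findings.append("enterprise/internet flow bypasses the IT/OT DMZ")
    if d <= 1 and s > 2:                               # only HMI layer talks to PLCs
        findings.append("only the HMI/SCADA layer may reach PLCs or field devices")
    return findings

def audit(rules) -> dict:
    """Map each offending rule to its findings; empty dict means the set is clean."""
    return {r: check_rule(r) for r in rules if check_rule(r)}
```

A rule such as an internet-facing edge collector reading a PLC directly (`Rule("0.0.0.0/0", "10.0.1.7", 44818)`) trips all three checks, which is exactly the DMZ-bypassing pattern the next section describes.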
Because the Purdue Model was developed in the 1990s, it is fair to ask whether it is still relevant to secure ICS networks now based on Industrial Internet of Things (IIoT) and cloud architecture. The answer is: yes and no.
Beyond the Purdue Model
Whilst Purdue provides a useful model from which to segregate a hierarchical manufacturing process, with clearly defined borders between industrial machinery, ICS and external networks, its applicability to a modern connected industrial process has come into question.
Organisations are increasingly adopting smart devices and other edge technology to gather data directly from layers 1 – 3, bypassing the DMZs of the higher layers. Additionally, cloud-oriented infrastructure makes strict hierarchical segregation difficult (see figure 3). However, whilst on a network level the Purdue model may no longer be applicable, the abstract layers, similar to how the OSI model is used, can be an extremely useful tool to visualise the segmentation requirements of an OT network in a connected environment (see figure 4). Further, the model has formed the foundation of current CNI security standards, evident in their emphasis on achieving security through segmentation of industrial processes by clear network boundaries and security controls / DMZs.
So, in short, Purdue still applies and segregation between ‘layers’ remains critical.
Where to Start
We’ve covered a lot in this blog and linked out to numerous external resources. As such, the starting point may be less than clear. To summarise then, security risks apply to OT just as they do to IT because OT is no longer air-gapped or disconnected from the outside world. The attack surface is growing, and security risk management is far more immature because OT environments have been seen as ‘lower risk’.
Your starting point is therefore good security risk management. Assess the risks and manage them. Start with policies and standards – document what is required, by whom and how, and train your staff on these security requirements. Understand and manage your OT assets, identify vulnerabilities and manage risks based on likelihood and impact, and apply critical security controls, starting with strong network segmentation combined with identity and access management best practices. The way in which you apply these things may differ from IT environments, but the fundamentals remain the same.
If you need help or support to build a security risk management strategy for your OT environment, we can help. Please call us for a no-obligation chat.