How can you secure your OT environment?
IT versus OT/IoT/IIoT
IT, or information technology, refers to the traditional field of IT, i.e. everything to do with active network components, such as routers, switches and firewalls, as well as the accompanying services and clients as well as peripherals, such as printers and scanners.
IoT, or Internet of Things, refers to the domestic use of smart networked endpoints, such as domestic appliances – kitchen appliances, refrigerators, oven thermometers – fitness trackers, smart TVs, home automation systems and surveillance cameras.
By contrast, IIoT, or Industrial Internet of Things, refers to smart devices used in industrial or business settings, such as the entire smart metering field, power plant control systems, medical monitoring, connected cars and smart renewable energy generators such as wind energy converters.
OT, or operational technology, refers to monitoring, control and operation in the field of industrial automation.
Securing the OT is often an organisational challenge, as this typically involves multiple departments with divergent focuses on the topic. On the other hand, there is the production manager, whose responsibility it is to ensure that the company’s production processes run smoothly. Consequently, an understanding of security and IP networks from an IT perspective will not be the main focus. On the other hand, there is usually the IT department, which is tasked with operating the company IT infrastructure securely and smoothly and ultimately has responsibility for ensuring IT security and that the company has all-round protection against cyber attacks.
IT departments do not usually have great insight into conventional production control, thus making it difficult for them to secure these OT structures.
This is what you need to consider when it comes to OT security
In contrast to IT communication via TCP/IP, where there is the possibility of proxy-based data traffic analysis, this poses a problem in many areas of OT communication protocols, as these feature real-time communication, i.e. communication taking just milliseconds, and switching and process flows need to be directly controlled to ensure seamless workflows.
Due to the lengthy running times of machinery, their controls are often comparatively durable and robust. Consequently, the control technology PC in a company may not necessarily run on a current operating system as in normal IT, the half-life of a system is no more than three years. In OT, the service life is considerably longer. Even today, some control units are still running on significantly outdated operating systems such as Windows NT or Windows 2000. These operating systems are not secure to present-day threats and most endpoint security applications no longer support them.
Lack of visibility and control
As OT is usually set up independently of the company IT, there is a lack of insight into the structure on the part of IT. In common with traditional IT, unknown devices on the network represent a potential danger to the security of the network. Whatever IT cannot see is not under control, and only if IT knows exactly what is on the network and how those network devices should communicate, can the network be secured effectively.
No security focus with IT systems
In the development of most systems, security did not play a role, or its role was only minimal, as the focus would have been primarily on operational stability and uninterrupted communication. Additionally, these systems were generally conceived for a closed environment and not designed for networking.
As in traditional IT, the following three main areas or levels are part of the solution:
Stage 1: Establish visibility
The visibility of all devices needs to be established as the IT can only secure the devices that it knows about and has under control. Visibility and control, in this case, can be established with a wide range of different solutions. Monitoring and reporting of the DHCP scope is the most straightforward option. The introduction of automated IP address management (IPAM) is the most sensible solution, particularly in larger environments. The introduction of a network access control solution (NAC) is similarly useful and offers the added benefit of not only making the individual hosts visible in the different network segments but of automatically assigning them to different network segments, thereby regulating access to specific resources.
Stage 2: Segmentation
Segmentation refers to the formation of network areas (segments) for applications, services or hosts, perhaps according to their respective function. Typical examples are network segments for servers, clients, printers or telephony services or according to the application area, such as development, production, sales, etc. The model that is chosen does not play a role – the aim of segmentation is to divide the larger network into ‘manageable’ or clear segments, which then represent ‘encapsulated’ areas that are separated from one another in order to remove some of the complexity from the overall structure. Potential attacks on one network segment will not then have a direct impact on unaffected segments, only those segments that have been targeted. As an example, only the development department may be the focus of an attack and not the sales department.
The network segments must be assigned to corresponding security zones in the firewall so that only clearly defined network traffic is permitted from one segment to another. One effect of this will be to increase the risk of unnoticed access to valuable network services that need to be protected.
Segmentation can be intensified further through ‘micro-segmentation, where individual applications are relocated to special network segments in order to permit access to sensitive data by special users or hosts only. With the increasing migration of on-premise services to hybrid (multi) cloud environments, micro-segmentation offers a good opportunity to secure such environments and ensure secure access.
Stage 3: Secure access
Today, secure access to company resources is a major challenge thanks to widely distributed system services in on-premise applications in company networks as well as in divergent cloud applications. Different resources need to be made available to a wide range of different users via numerous access routes. On the one hand, there are users working on company devices from the office who need access to internal network resources. Then, on the other hand, there are users who are not on the network, but who still need to be able to access resources on the company network or in the cloud. In the worst-case scenario, these users will not be using company devices but working according to the BYOD principle – Bring Your Own Device – i.e. on their own devices, such as tablets, smartphones and PCs. The security status of these devices is, logically, outside of the responsibility of IT. They may not currently be patched and may not have an up-to-date virus scanner or may be outside of a secure environment (e.g. connected to a public or unsecured hotspot network, such as in a hotel or airport).
In order to be able to provide users in these kinds of environments with secure access, user access should be secured on a service-specific basis with multi-factor authentication, so that if a user accidentally loses his user data, no one is able to gain access to critical company resources surreptitiously.
The firewall policy itself should also take this user information into account, and not simply permit authorisation based solely on IP addresses.
Using next-generation features for OT
With next-generation features, a connection between client and server is regulated not solely at connection level (source and destination IP and port), but there is a deeper look into the connection in order to check, for instance, that a TCP connection on destination port 80 is actually an HTTP connection. The protocol or application, therefore, undergoes an additional check and the traffic in OSI layers 4-7 is analysed. The tools required for these checks are SSL encryption, in order to be able to analyse encrypted network traffic, which today makes up 80 - 90% of all traffic, or Intrusion Prevention Systems (IPS), which go deeper and which also analyse application and protocol-oriented network traffic.
And it is exactly here that we run into problems in the OT environment because industrial protocols such as Siemens S7, DICOM, Ether-S-Bus, LOGO, KNXne/IP or IEC 60870-5-104 are not TCP/IP protocols, which means that they cannot be checked and validated at the application level by the majority of firewalls. This is most decisive when it comes to securing the corresponding OT environments as only if the IT can be certain that the OT protocols are also transporting OT protocol data from validated sources to validated destinations can this communication be reasonably permitted.
A switch cabinet is not an air-conditioned server room
The physical conditions that prevail in some production environments also complicate matters, having little in common with air-conditioned server room environments, quite apart from the pure design (19” versus top-hat rail mounting). In these conditions, hardware that will remain functional in harsh environments must be used, perhaps hardware that can be operated safely from dust or in humid environments, or that, housed inside the cabinet, can still be exposed to normal weather conditions.
These are all factors that need to be considered when deciding on security measures for your OT environment. There are certainly other circumstances to consider in your field, so please do not hesitate to contact us and together, we will find the right solution.