Explore 10 essential steps for effectively securing ICS/OT systems, addressing their unique challenges in this detailed guide. Read now !
The Complete Guide about OT Security
Increase security and value in industrial environments with OT micro-segmentation. Learn how this strategic approach limits cyber threats and improves compliance. Discover the benefits and implementation process with Trout Software.
The Complete Guide about OT Security
This article provides an analysis of the OT security concept, highlighting the unique challenges of protecting industrial systems. It distinguishes the nuances between OT and IT security, and offers effective strategies as well as practical recommendations for enhancing the security of industrial environments, increasingly vulnerable to cyberattacks.
What is Operational Technology (OT) ?
Operational Technology is define by NIST as following: “A broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through monitoring and/or control of devices, processes, and events .”
Industrial Control Systems (ICS):
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems,distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
Supervisory Control and Data Acquisition (SCADA):
A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.
Human Machine Interface (HMI):
The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software.
A device for moving or controlling a mechanism or system. It is operated by a source of energy, typically electric current, hydraulic fluid pressure, or pneumatic pressure, and converts that energy into motion. An actuatoris the mechanism by which a control system acts upon an environment. The control system can be simple (a fixed mechanical or electronic system), software-based (e.g., a printer driver, robot control system), or a human or other agent.
A device that produces a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).
Understanding the interactions among these systems
A typical OT workflow :
- Sensors : Collect data from the industrial environment and convert it into electronic signals.
- SCADA System : Receives the sensor data and processes it. This system is a part of the broader Industrial Control Systems (ICS) framework and is responsible for data analysis.
- HMI : Provides a user interface for human operators to monitor and interact with the SCADA system, allowing for manual input and adjustment based on the displayed information.
- SCADA System : Based on the data received from the sensors and any manual inputs or adjustments made via the HMI, the SCADA system applies programmed logic to issue commands.
- Actuators : Receive commands from the SCADA system and act upon them, influencing the physical processes or machinery, thus affecting changes in the industrial environment.
Here is an illustrate version:
What is OT Security ?
Gartner defines OT Security as “The practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events ”.
This includes safeguarding the hardware, software, networks, and controls that directly affect or facilitate the functioning of critical infrastructure, manufacturing, and other physical operations against cyber threats and physical interference. The aim is to maintain the availability, integrity, and safety of these systems, ensuring that they operate effectively, continuously, and without disruption or unauthorized influence.
In the context of ACME Corp, a fictional mid-size manufacturing company, Operational Technology (OT) security is a pivotal aspect of their operations. ACME Corp relies on various OT assets such as Programmable Logic Controllers (PLCs) at Level 1 of the Purdue Model, which control manufacturing processes, and Supervisory Control and Data Acquisition (SCADA) systems at Level 2, overseeing data collection and process automation. Securing these assets entails safeguarding the integrity, confidentiality, and availability of these systems. This is achieved through measures like network segmentation, isolating the OT network from the corporate IT network to prevent cyber threats, and implementing robust firewalls and intrusion detection systems. Additionally, ACME Corp emphasizes regular security updates and employee training to mitigate risks effectively. This comprehensive approach to OT security ensures that ACME Corp's manufacturing processes are not only efficient but also resilient against evolving cyber threats, maintaining both productivity and safety.
What’s the Difference Between IT Security and OT Security?
The fundamental distinction between IT security and OT security lies in the nature of the assets and the people who use them.
In IT security, the focus is on protecting digital assets like laptops, mobile devices, servers, and data networks. This dimension is typically managed by IT professionals whose expertise centers on safeguarding information, ensuring data confidentiality, integrity, and availability.
While OT security is concerned with the protection of physical systems and infrastructure. These include machinery, industrial equipment, and control systems that are integral to manufacturing, utilities, and industrial operations. The responsibility for OT security falls to operational personnel who have specialized knowledge in managing and securing physical processes and industrial control systems.
Over these two fundamentals differences, IT & OT security has also other interesting differences to highlight:
Centralized Control in IT vs. Edge Management in OT : IT systems are often standardized, which allows for centralized control and security management. This centralization facilitates easier implementation of security policies, updates, and monitoring across a network. Conversely, OT systems are typically managed at the edges, closer to the physical processes and machinery they control. This decentralized nature poses unique challenges, as security measures need to be tailored and applied across diverse and often remote locations.
Longevity and Vulnerability of OT Systems : OT systems are designed for durability and long-term use. It's not uncommon for these systems to be operational for decades, far exceeding the lifecycle of typical IT hardware and software. Consequently, many OT systems become outdated in terms of security, lacking the capabilities to support modern security measures. This makes them more susceptible to vulnerabilities, requiring specialized approaches to secure these legacy systems without disrupting their operational functionality.
Protocol Diversity in OT : Another significant aspect is the difference in protocol usage between IT and OT. In IT environments, there's a consolidation around approximately ten major protocols, which streamlines the process of securing communications. OT, in contrast, uses hundreds of different protocols, many of which are specific to certain types of equipment or industries. This diversity not only complicates the process of securing communications but also necessitates specialized knowledge and tools to ensure each protocol is adequately protected.
Given this differences some special considerations when considering security for OT must be taken into account according to NIST SP 800-82 :
- Timeliness and Performance Requirements: OT systems require planned outages due to continuous operation, and unexpected downtime is unacceptable. Pre-deployment testing is essential to ensure system reliability, with redundancy often used to maintain service continuity.
- Availability Requirements: OT demands high availability due to the critical nature of its continuous processes, with any interruptions requiring advanced scheduling and meticulous planning.
- Risk Management Requirements: OT prioritizes human safety and fault tolerance over data concerns, emphasizing the protection of life, OT compliance , and preservation of physical assets.
- Physical Effects: OT directly controls physical processes, necessitating expertise in both operational technology and the physical domain for effective management.
- System Operation: OT systems require specialized control engineering knowledge, differing significantly from IT system management.
- Resource Constraints: OT may lack the resources for modern IT security features, and applying IT security practices without adaptation can disrupt OT operations.
- Communications: OT uses unique, sometimes proprietary communication protocols distinct from IT systems, tailored for control tasks.
- Change Management: OT system updates are less frequent, needing extensive testing and coordination, unlike the more routine updates in IT.
- Managed Support: OT often relies on single-vendor support, which can restrict the use of third-party security solutions and necessitate vendor approval for changes.
- Component Location: OT components may be located in remote areas, requiring extensive effort to access and secure, unlike the typically accessible IT components.
What are the main OT Security Challenges ?
According to a study made by MAKEUK & Blackberry Cyber the main OT Security Challenges for manufacturers are the following:
Let’s detail these following OT security challenges:
Maintaining legacy IT: Legacy IT systems often lack modern security features and are not regularly updated, making them more susceptible to cyber threats. Their outdated nature can leave exploitable vulnerabilities unaddressed.
Limited Cybersecurity skills within the business: Cybersecurity Ventures predicts that by 2021, there will be as many as 3.5 million unfilled cybersecurity positions globally. This shortage of cybersecurity expertise limits an organization's ability to effectively identify, defend against, and respond to cyber threats, leaving the business more vulnerable to cyber attacks.
Providing access to third parties for remote monitoring and maintenance: Allowing third-party access introduces risk, as their security practices may not align with the organization's standards. This can inadvertently create security gaps or points of entry for cyber attackers.
One prominent example is the breach experienced by Toyota in February 2022 . Toyota had to completely shut down operations in Japan after a major plastic supplier, Kojima, suffered a data breach. This incident was significant because Kojima had third-party access to Toyota's manufacturing plants, necessitating the shutdown to protect their data. The breach not only affected Toyota's operations but also potentially impacted its bottom line due to slowed car production
Understanding IT Security VS OT Security: Differentiating between IT and OT security is crucial. Each has unique requirements and threats, and a lack of understanding can lead to inadequate security measures in either domain, has highlighted previously.
No single tool or sensor can provide visibility into all threats: Relying on a single security solution is ineffective, as no one tool can cover the entire spectrum of cyber threats. A comprehensive security strategy should involve multiple layers of defense and diverse tools.
Increased attack surface with the increase in IT/OT convergence: As IT and OT systems become more integrated, the number of potential points of vulnerability increases. This convergence expands the attack surface, making systems more susceptible to cyber threats that can impact both IT and OT domains.
Lack of visibility of OT on the manufacturing floor: In many manufacturing environments, there is limited visibility into the security posture of Operational Technology. Without clear insights into OT systems, identifying vulnerabilities and ongoing attacks can be challenging, leaving critical infrastructure exposed to potential threats.
Inability to adress security issues: This is due to the organizational challenge of not being able to effectively respond to identified security threats. It could be due to a lack of resources, expertise, or appropriate tools. This inability leaves the organization at risk, as unresolved security vulnerabilities can be exploited by cyber attackers.
To effectively mitigate the spectrum of OT security challenges, the implementation of the ICS MITRE ATT&CK framework is interesting. This framework methodically categorizes and elucidates adversary behaviors, thereby facilitating a comprehensive understanding of the various tactics, techniques, and procedures (TTPs) utilized by cyber attackers. Such detailed insight is important for augmenting threat intelligence efforts, reinforcing cybersecurity strategies against the evolving landscape of OT security challenges.
What is Defense in Depth for OT Security ?
Defense in Depth is a comprehensive, multi-layered security approach aimed at safeguarding the essential infrastructure within industrial settings . This strategy is particularly vital in Operational Technology (OT) contexts, as these settings typically involve systems that manage physical processes and machinery. An effective practice in network architecture is the segmentation and isolation of IT and OT devices. To initiate this process, organizations should evaluate how to categorize these devices. This categorization could be based on various criteria, such as management authority, trust levels, functional importance, data flow patterns, physical location, or a combination of these factors.
For structuring OT network segmentation, businesses can adopt models acknowledged within the industry. Several frameworks exist, including the Purdue Model , ISA/IEC 62443 , and the Three-Tier IIoT System Architecture .
In this article, we will focus on detailing the model proposed by ISA/IEC 62443:
The standard introduces the concepts of 'zones' and 'conduits'.
A zone is defined as a grouping of logical or physical assets that share common security requirements. A conduit is a path for data flow between zones.
The idea is to create a layered defense by segmenting the network into these zones and conduits, limiting the pathways for potential cyber threats.
The creation of zones is based on a risk assessment process . Assets are grouped into zones based on their function, security requirements, and the level of risk they present or are exposed to. Higher-risk areas might be segmented into more secure zones. Each zone is assigned a Security Level (SL) , which ranges from SL 0 to SL 4, indicating the level of security required. SL 0 represents the least secure zone, while SL 4 represents the most secure. The SL is determined based on the potential impact of a security breach in that zone. To manage and monitor data exchange between these zones, conduits are employed. These conduits serve as critical checkpoints, equipped with advanced security measures such as firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), and other sophisticated data filtering tools. Their primary role is to regulate the flow of information traversing different zones. This zoning and conduiting approach facilitates a defense-in-depth strategy, as it creates multiple layers of security. If one zone is compromised, the breach does not necessarily propagate to other parts of the network. The standard also emphasizes the importance of regularly reviewing and adapting the zone and conduit configurations. As threats evolve and the industrial environment changes, so too should the network segmentation to maintain effective security.
The key OT Security Best Practices
The NIST Guide on Operational Technology Security outlines nine key components of an Operational Technology (OT) security program, which are as follows:
1 - Establish OT Cybersecurity Governance
2 - Build and Train a Cross-Functional Team to Implement OT Cybersecurity Program
3 - Define OT Cybersecurity Strategy
4 - Define OT-Specific Policies and Procedures
5 - Establish Cybersecurity Awareness Training Program for OT Organization
6 - Implement a Risk Management Framework for OT
7 - Develop Maintenance Tracking Capability
8 - Develop Incident Response Capability
9 - Develop Recovery and Restoration Capability
Trout Software, to assist its clients in securing their Operational Technology (OT) assets, has developed a white paper titled "10 Steps to Protect Industrial Environments from Cyber Threats”, complementing the NIST approach outlined above. This white paper is designed to guide industrial companies in significantly enhancing their cybersecurity measures and ensuring their resilience with 10 operationals and actionnables measures. Below, you will find an overview of the key measures proposed. The complete white paper can be downloaded at the bottom of the page.
Step 1: Risk Assessment
Conduct a thorough analysis of potential vulnerabilities and threats to understand and prioritize the risks to your OT/ICS systems. If you want to get a detailed analysis about how to conduct an OT Security Assessment, we break down the main aspects in this article.
Step 2: Network Segmentation
Divide your network into separate segments to limit the spread of cyber threats and make it easier to isolate and contain any breaches.
Step 3: Access Control
Implement strict access controls to ensure that only authorized personnel have access to critical systems and information.
Step 4: Regular Software Updates and Patch Management
Keep all systems up-to-date with the latest software patches and updates to protect against known vulnerabilities.
Step 5: Employee Training and Awareness
Educate employees about cybersecurity best practices and the specific threats to OT/ICS systems to enhance overall security posture.
Step 6: Implementing Firewalls and IDS/IPS Systems
Deploy firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) to monitor and protect your network from malicious activities.
Step 7: Data Encryption
Protect sensitive data by encrypting it, both in transit and at rest, to prevent unauthorized access or tampering.
Step 8: Backup and Disaster Recovery Planning
Develop and regularly update a robust backup and disaster recovery plan to ensure business continuity in the event of a cyberattack.
Step 9: Continuous Monitoring
Constantly monitor network activity and system performance to quickly detect and respond to any suspicious activities or anomalies.
Step 10: Regular Security Audits
Conduct regular security audits to identify and address any weaknesses in your cybersecurity strategy and compliance with industry standards.
Choosing an OT Security Vendors : What to Look For
When embarking on the journey of enhancing Operational Technology (OT) cybersecurity, selecting the right vendor is a critical decision that requires a well-defined and structured approach. This process must begin with a comprehensive understanding of the company's current state and resources, ensuring that the vendor's solutions are not just added complexities but are effectively utilized and integrated into the existing system.
The first step involves a detailed assessment in three key areas:
Infrastructure : This involves a thorough inventory of all assets and tools currently in use within the OT environment. Understanding the existing infrastructure is crucial to identify gaps in security and areas that need reinforcement. This inventory should encompass everything that falls under the scope of the OT security policy.
Resources : A realistic evaluation of the human resources within the company is essential. This includes understanding the skills, capabilities, and limits of the existing workforce. It’s vital to identify areas where the team can scale up or where additional training and support might be necessary.
Priorities : Every company has unique business priorities, be it compliance, insurance requirements, or specific risk management objectives. Recognizing these priorities is key to determining what changes or enhancements are needed in the current security posture.
With this comprehensive audit in hand, companies can then draft a strategic plan. This plan should start from the key goals and map out the anticipated impact on both resources and infrastructure. A tabular view of this plan can provide a clear and concise representation, enabling an effective comparison of potential vendors.
Selecting a vendor should then be based on how well they align with the company's objectives, their ability to integrate seamlessly into existing workflows, and the potential to scale as needed. It’s important to establish clear Key Performance Indicators (KPIs) and assess the vendors during a Proof of Concept (POC) period. This approach ensures that the chosen vendor not only meets the current needs but is also a viable partner for future growth and adaptation in the ever-evolving landscape of OT cybersecurity.
Speaking about long term partnership, pay specific attention to the vendor alignement with compliance frameworks that matters to your industry, such as NERC CIP for power systems or ISA/IEC 62443 for industrial automation and control systems. Similarly, assess the vendor's experience and track record with industries similar to yours. Familiarity with similar operational technologies and challenges can be a significant advantage.
About Trout Software
Cyberattacks on industrial companies are increasing by 87% year-over-year, yet many industrial sites lack systems for continuously monitoring their assets and protecting them. Trout Software , founded by former Google and Amazon engineers, offers simple hardware appliances that solves this problem. IT and Site management can implement Trout Software appliance, directly on-site, to get visibility into which assets are present, how they talk to each others, identify and enforce secure/unsecure patterns.Trout Software is trusted by clients in the defense, manufacturing, and transportation sectors.