Navigating the Digital Frontier: Strategies for Securing Industrial Environments

Did you miss our recent webinar exploring strategies for securing industrial environments? Take a look at our key takeaways recap below.


Key Takeaways from Webinar

Introduction

Digitalization is a significant trend in industrial environments, fundamentally transforming operations through automation and increased efficiency. However, the core of this transformation lies in creating a robust network and embedding security throughout. This article explores strategies to secure industrial environments and networks, focusing on the differences between IT and OT security, the importance of asset inventory, network segmentation, and the role of governance and policies.

The webinar, moderated by Florian from Trout, featured a discussion with Mehdi Guelzim on the critical topic of securing industrial environments. Mehdi, with extensive experience in industrial networks and environments, shared his insights on the unique challenges and practical solutions for enhancing security in OT networks. The session delved into various strategies, from establishing a comprehensive asset inventory to implementing robust access control measures and continuous monitoring. By addressing these key areas, industrial organizations can better protect their networks and ensure the successful digital transformation of their operations.


Section 2

OT vs. IT Security

While IT and OT environments share some common security principles, there are distinct differences that need to be understood and addressed:

Mindset and Priorities:

OT environments prioritize productivity and agility, often viewing security measures as obstacles that could hinder operational efficiency. This is a stark contrast to IT environments, where the primary focus is on protecting the confidentiality, integrity, and availability of data and systems. Mehdi emphasized this difference, stating, "OT people are more focused on keeping the processes running smoothly and efficiently, whereas IT people are concerned with ensuring that everything works securely and correctly." 

There is also a cultural difference in how security is approached in IT and OT environments. OT personnel may share passwords to facilitate access, which is contrary to IT security best practices like using two-factor authentication. Mehdi noted, "The mindset of OT people is more about agility and keeping things running, while IT people are more focused on security protocols and procedures."


Safety vs. Security:

OT systems are often designed with a high emphasis on safety to ensure operational reliability and protect human lives. For instance, railway signaling systems are built to immediately halt train operations if any safety issue is detected. However, these systems may not be equipped to handle external hacking attempts. Mehdi provided an example, "In sectors like railway signaling, the level of safety is very high, but these systems are not prepared for external hacking. An attacker could blind the signaling system with fake GPS signals, causing significant disruption."

Physical and Digital Security Threats:

Mehdi highlighted the importance of addressing both physical and digital security threats in OT environments. He pointed out that traditional IT security measures might not be sufficient to protect OT systems. "Hacking is not just about installing a virus or malware. It can involve making a system operate in a way it was not designed to," Mehdi explained. He cited an example of using stickers on stop signs to confuse detection cameras, illustrating how simple physical manipulations can compromise OT systems.


Section 3

Practical Steps for OT Security

Mehdi Guelzim shared his insights on six critical measures needed to protect industrial networks and systems effectively.

1. Building an Asset Inventory:

Mehdi stressed the importance and difficulty of creating a comprehensive asset inventory. "If you don't know what you have, you cannot protect it," he emphasized. A detailed and up-to-date inventory of all network assets is fundamental for effective security. Mehdi pointed out that many OT environments have grown organically over the years without a systematic procedure for tracking assets, making it challenging to establish an accurate inventory.

2. Access Control:

Robust identification and authentication systems are crucial to ensure that only authorized personnel can access critical systems. Mehdi highlighted the need for clearly defined access levels and permissions. "Defining who can access what and how is essential," he said. Implementing strong access control policies and using tools to manage and monitor access can prevent unauthorized changes and enhance security.

3. Access Monitoring:

Continuous monitoring of access and system usage is essential for detecting suspicious activities in real-time. Mehdi recommended using advanced tools for this purpose. "Without visibility into the network, it's very difficult to prevent or detect attacks," he noted. Intrusion detection and prevention systems (IDS/IPS) and traffic analysis tools provide the necessary visibility to identify and respond to potential threats.

4. Network Segmentation and Device Segregation:

This involves dividing the network into smaller segments and using demilitarized zones (DMZs) to isolate internal networks from external ones. Mehdi shared examples of successfully segregating IT and OT networks using internal DMZs and advanced monitoring systems, stating, "Segmentation is crucial to contain potential incidents and protect critical systems."


5. Continuous Monitoring and Incident Response:

Regular security assessments, audits, and penetration testing are vital for identifying vulnerabilities and improving defenses. Mehdi explained the importance of these practices, saying, "Security audits simulate real attacks to uncover breaches and misconfigurations." By conducting thorough security audits and risk analysis, organizations can prioritize threats, understand the potential consequences of disruptions, and improve their preparedness and disaster response.

Mehdi also emphasized the importance of having effective incident response plans in place. These plans should start with threat detection, followed by rapid assessment, containment, eradication of threats, and thorough post-incident analysis. "Incident response starts with the detection of a threat. This can be through monitoring systems, automatic alerts, or reports from staff," Mehdi stated.

Once an incident is detected, the next step is to conduct a rapid assessment to determine the nature and extent of the attack. This involves identifying affected systems and evaluating the potential impact. "The next step is to contain the incident to prevent it from spreading. This may involve isolating compromised systems, blocking suspicious IP addresses, or disconnecting devices from the network," Mehdi explained.

After containment, the focus shifts to eradicating the threat, which includes removing malware, correcting exploited vulnerabilities, and restoring systems to their normal state. Mehdi emphasized the importance of thorough post-incident analysis to understand how the attack occurred, which vulnerabilities were exploited, and what measures can be implemented to prevent future incidents. "Once the incident is resolved, we perform a thorough analysis to understand how the attack occurred, which vulnerabilities were exploited, and what measures can be implemented to prevent future incidents," he said.

6. Security Policies and Processes:

Clear policies and structured procedures for incident response ensure comprehensive protection against threats. Mehdi emphasized that cybersecurity is not just about hardware and software but also about governance. "The governance part is very, very important," he stated. Establishing and maintaining clear security policies, conducting regular training to raise awareness, and implementing structured incident response procedures are crucial steps for effective security management.


Section 4

Real-world Application of OT Security Measures

Mehdi Guelzim shared insightful real-world examples to underscore the importance of proactive measures in securing OT environments. These examples illustrate the types of attacks OT systems face and the necessary steps for effective incident response.

Honeypot Projects: The most detailed example was a honeypot project that simulated a critical industrial plant and a port traffic control tower. The project aimed to study the specific types of attacks that target OT systems and to gather data on how these systems are compromised. "We set up two honeypots: one simulating a critical industrial plant and the other a port traffic control tower. The goal was to study attacks specific to OT systems, rather than just IT systems," Mehdi explained.

The findings showed that conventional IT threats were detected relatively easily, while physical attacks or those targeting hardware were much harder to identify. "We set up a honeypot to study attacks specific to OT systems. The findings showed that while conventional IT threats were easily detected, physical attacks or those targeting hardware were much more challenging to identify," Mehdi recounted. "More than 90% of the attacks we recorded were common, such as privilege escalation and brute force attacks aimed at gaining access or escalating privileges," he noted. The port control tower honeypot, however, exposed new types of attacks such as GPS spoofing, which highlighted the exposure of OT systems to more sophisticated threats. "Very few merchant ships are equipped to verify whether the received GPS signal is genuine," Mehdi explained. The project underscored the need for OT environments to adapt their security strategies to defend against both conventional IT threats and physical attacks.
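The brute-force activity the honeypots recorded is the kind of pattern the access-monitoring step (step 3 above) is meant to surface from large volumes of log lines. The following is an added example, not code from the webinar or from Trout: a sliding-window detector run over constructed, syslog-style SSH authentication lines (host name, addresses and users are made up), which flags a source that crosses a failure threshold and, separately, a login that succeeds while that source is still inside a burst of failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style; not data from the webinar or its honeypots.
SAMPLE_LOG = """\
Jun 01 10:00:01 plc-gw sshd[1201]: Failed password for operator from 203.0.113.7 port 5021 ssh2
Jun 01 10:00:03 plc-gw sshd[1202]: Failed password for admin from 203.0.113.7 port 5022 ssh2
Jun 01 10:00:04 plc-gw sshd[1203]: Failed password for root from 203.0.113.7 port 5023 ssh2
Jun 01 10:00:06 plc-gw sshd[1204]: Failed password for admin from 203.0.113.7 port 5024 ssh2
Jun 01 10:00:07 plc-gw sshd[1205]: Failed password for operator from 203.0.113.7 port 5025 ssh2
Jun 01 10:00:09 plc-gw sshd[1206]: Accepted password for operator from 203.0.113.7 port 5026 ssh2
Jun 01 10:05:00 plc-gw sshd[1300]: Failed password for operator from 198.51.100.4 port 6001 ssh2
Jun 01 10:45:00 plc-gw sshd[1301]: Accepted password for operator from 198.51.100.4 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; strptime yields 1900 and only differences matter


def parse_line(line):
    """Return (seconds, outcome, user, source) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seconds = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return seconds, m["outcome"], m["user"], m["src"]


def detect(lines, window=60, threshold=5):
    """Sliding-window brute-force detector keyed by source address.

    Raises one 'brute_force' alert when a source reaches `threshold` failures
    inside `window` seconds, and a 'success_after_failures' alert when a login
    from that source succeeds while the window still holds >= threshold failures.
    """
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped rather than raising
        t, outcome, user, src = ev
        q = recent[src]
        while q and t - q[0] > window:
            q.popleft()  # expire failures older than the window
        if outcome == "Failed":
            q.append(t)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "source": src, "failures": len(q)})
        elif len(q) >= threshold:
            alerts.append({"kind": "success_after_failures", "source": src, "user": user})
            q.clear()  # the success ends this episode; start counting afresh
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` yields two alerts for 203.0.113.7 and none for 198.51.100.4, whose single failure has expired from the window by the time its login succeeds.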


The real-world examples shared by Mehdi highlight the importance of proactive measures and effective incident response plans in securing OT environments. The honeypot project demonstrated the effectiveness of AI in monitoring and detecting common cyber threats, while also highlighting the significant challenge of addressing physical and hardware-based attacks. Effective incident response plans, starting with threat detection and followed by rapid assessment, containment, eradication of threats, and thorough post-incident analysis, are crucial for protecting industrial operations from evolving cyber threats.

Section 5

The Role of AI and New Technologies

In the webinar discussion, Mehdi Guelzim emphasized the significant impact of AI and new technologies on enhancing security in OT environments. He highlighted the transformative potential of these technologies in improving both operational efficiency and security measures.

AI in Security:

Artificial Intelligence (AI) and data analysis play a crucial role in real-time processing and analysis of large volumes of information, which is essential for optimizing resource use and enhancing operational efficiency. Mehdi explained, "AI can identify unusual patterns in network data that may indicate threats, allowing for faster and more accurate responses." By automating many of the analysis and response tasks, AI reduces the manual workload and improves incident response capabilities.


Mehdi provided specific examples of AI applications in security: "AI-based systems like intrusion detection and prevention systems (IDS/IPS) and traffic analysis tools are critical for continuous monitoring. They provide the visibility needed to detect and respond to threats in real time." He further highlighted the importance of AI in detecting anomalies, stating, "No human team can analyze millions of log lines daily. AI is the right approach for handling this vast amount of data efficiently."

Cloud Computing:

Cloud computing infrastructure is another key technology that provides scalability and flexibility, which are essential for handling the large volumes of data generated by industrial networks. Mehdi noted, "Cloud infrastructure allows for rapid adaptation to changing market demands and provides the necessary resources to process and store vast amounts of data securely." The flexibility of cloud services ensures that companies can scale their operations up or down as needed, without compromising on performance or security.

Mehdi also emphasized the importance of implementing robust security measures in the cloud: "Ensuring data integrity and accuracy is essential for effective AI-based analysis. Erroneous or incomplete data can lead to incorrect decisions." Implementing proper data collection and storage practices in the cloud ensures that the information is reliable and useful for analysis.

AI Enhancements:

Mehdi discussed the future potential of AI, particularly with the advent of large language models (LLMs) like OpenAI's GPT. He explained, "LLMs open new windows in security by enabling more sophisticated analysis of text-based data, such as emails and logs. This capability allows for better detection of phishing attempts and more comprehensive log analysis." By leveraging AI's ability to understand and summarize complex data, security teams can gain deeper insights and respond more effectively to threats.

Demilitarized LAN (DLAN) - A New Approach to Industrial Network Security:


Mehdi outlined the importance of segregating IT and OT networks and critical assets using internal DMZs and advanced monitoring systems. Trout has developed Demilitarized LAN (DLAN) to offer a robust strategy for securing industrial environments by implementing a secure network overlay that enhances real-time visibility, simplifies deployment, and strengthens access control. This approach ensures that each asset within the industrial network is protected through software-defined DMZs, enforcing strict access control lists (ACLs) per use case. By deploying a zero-trust model and encrypting all communications, DLAN significantly reduces the risk of unauthorized access and cyber threats. Additionally, the streamlined implementation process and agentless log forwarders facilitate quick deployment and comprehensive monitoring, ultimately leading to increased site productivity and reduced downtime.


Conclusion

The webinar provided invaluable insights into the complexities and critical aspects of securing OT environments. Digitalization in industrial settings offers numerous benefits such as automation, resilience, and efficiency, but it also introduces significant security challenges that must be addressed comprehensively.

The insights shared by Mehdi Guelzim underscore the necessity of a proactive and comprehensive approach to OT security. By understanding the unique challenges of OT environments and leveraging advanced technologies such as AI and cloud computing, industrial organizations can better protect their networks and ensure the successful digital transformation of their operations.

The strategies discussed in this webinar highlight the importance of integrating security into every aspect of digitalization, from asset management and network segmentation to incident response and policy implementation. As industrial environments continue to evolve, staying ahead of potential threats with robust, adaptable security measures will be crucial for maintaining operational integrity and resilience.

By applying these practical steps and harnessing the power of new technologies, companies can navigate the digitalization journey with confidence, ensuring that the benefits of automation, resilience, and efficiency are realized without compromising security.
