IT departments' approach to cyber protection of OT networks

In principle, much can be said about cyber security, but one thing cannot be predicted: whether it will ever be fully and forever guaranteed in our infrastructure. In this peculiar arms race against various cyber threats and the consequences of potential attacks, the most important aspect is a thorough risk analysis and an optimal selection of tools – which does not necessarily mean buying “a bit of everything”. One of the key security issues for manufacturing enterprises is the coexistence and intertwining of IT and OT networks – two similar yet very different IT infrastructures.

We deal with IT networks every day. Although it is impossible today to imagine even a small enterprise functioning without a network, the topic of security is still underestimated. If we analyze the type of business, the type of data processed and how it is processed, as well as the potential impact of data loss or leakage, we quickly come to the conclusion that a firewall at the interface between the internal network and the Internet is definitely not enough. Drawing on various expert studies (e.g. from the British NCSC), it is easy to list a number of security mechanisms worth considering: network access authentication, isolation of different types of services and assignment of access to them according to role in the organization, privileged access control, backup copies, log collection and network traffic anomaly detection, incident response procedures … and, finally, training of all employees in the conscious and secure use of computers, the Internet and data carriers. Companies whose budget and risk analysis allow for greater “fortification” will probably also consider concepts such as IPS, SIEM and vulnerability assessment, or periodic penetration tests to demonstrate the weaknesses of the protection dome built so far.

One of the common challenges in IT networking is the lack of traffic segmentation: authenticating and isolating devices with different roles in the organization, and then granting access only to specific communication ports or network resources. Segmentation, on the one hand, makes it harder to discover potentially vulnerable systems on the network, and on the other hand, should an attack succeed, provides some degree of “damage control”. An illustrative example of the consequences (or an impetus for reflection) is the NotPetya ransomware of June 2017. Companies such as Raben, Mondelez and Maersk, which estimated their losses in the hundreds of millions of dollars, were “hit” by malware that spread between machines via a vulnerable version of the SMB protocol. Even operators of critical infrastructure in Ukraine suffered! Interestingly, this attack came a month after a similar campaign called WannaCry. Both attacks used a vulnerability that Microsoft had already patched a few months earlier, which points to a problem with procedures for updating users’ systems and software.

Phishing, which allows an attacker to take over the credentials of a person inside the organization, remains high on the list of methods of infiltrating infrastructure. A lot of work is still needed in the education of employees at every level, who sometimes, for their own convenience, seek or even demand ways to bypass the rigid rules of the internal cyber security policy.

Perhaps trivial today, but still relevant, are issues such as enforcing password-protected screensavers and policies for the passwords themselves that employees use to access computers or resources such as CRM or ERP systems. Rules that are too permissive can make password cracking trivial with today’s techniques and hardware. An approach that is too strict (very frequent password changes combined with a long “memory” of previously used ones) may result in frustration and in passwords being written down, e.g. in a notebook or on a piece of paper lying on a desk. These can then be used by a curious visitor to our office, just like an unlocked laptop with business e-mail open on the screen.

These types of problems are common in IT networks, but they can also occur in OT networks, especially since these infrastructures are inevitably interconnected. Consider, for example, an OT network administrator who works daily with his or her laptop on the IT network, where the two networks are not galvanically isolated but rather – for reasons of cost optimization, the security capabilities on offer and the potential need to access the public network – share common network nodes (e.g. a router, a firewall or the entire core/distribution area). According to a survey, nearly 75% of enterprises have interconnected IT and OT networks. However, there are significant differences between the two because they exist for different purposes, and this creates potentially different risk factors that need to be addressed in the security policy.

While an IT network is characterized by ensuring confidentiality, data integrity and availability, and further by the ability to respond quickly to failures, in OT high availability has been the most critical element from the beginning. For example, when an office worker who alternates between writing e-mails and watching videos on social media becomes the “victim” of a downtime or communication interruption lasting from tens of milliseconds to a few seconds, he probably won’t even notice it. Industrial automation and real-time systems cannot afford such long interruptions. They could result in delays or, in extreme cases, in halting production, where process continuity is of utmost importance.

Another phenomenon noticeable in operational networks, which distinguishes them from the rest of the company’s ICT infrastructure, is the long lifetime of deployed solutions, which can reach two decades. In IT networks such a time span is practically unheard of. For this reason, it is not uncommon to come across industrial systems and communication protocols that were created without awareness of how cyber threats would develop and without any assumption of hyperconvergence (a similar problem seems to manifest itself in the modern vision of the Internet of Things). In addition, infrequent patching of systems in OT networks represents a long-standing risk of their being attacked, and the requirement for continuous availability means that the need to update SCADA and PLC systems is not always met with approval.

In December 2016, 20% of the Kiev area was cut off from electricity for at least an hour due to the Industroyer malware, one of several publicly known malware families targeting ICS systems, along with Stuxnet, Havex, BlackEnergy and Triton. The latter, targeting SIS controllers in the oil and energy industry, was used in 2017 and 2019. What is noticeable is the gradual shift of attackers’ focus toward ICS systems. In the case of production networks and critical infrastructure, apart from the random factor, the actions of competitors or foreign services cannot be excluded. Triton, considered innovative, illustrates the great caution and patience attackers may show: their presence in the infrastructure before the blow can last for months. What options were available to the attackers? Interrupting industrial processes with a false alarm, or reprogramming the logic of the SIS controller or DCS systems so that a more serious failure could go undetected in time or be directly caused by the malware.

However, the stories mentioned above should not lead us to isolate industrial infrastructure from IT networks and the Internet; that seems impossible today and would cut businesses and institutions off from the benefits of hyperconvergence. Instead, a prudent step would be to incorporate this phenomenon into risk analysis and security policies. It is necessary to specify the points of contact between OT and the “rest of the world,” the protocols that could potentially span IT and OT, and the IT network objects that should have access to OT. Consideration should also be given to how to enforce the established rules; network access control systems, privileged access control systems and firewalls may be helpful. It is worth considering security mechanisms in line with the “zero trust” paradigm, blocking any communication protocol between any network-connected devices that is not necessary. At the same time, risk-adequate protection of computers and staff training should be implemented for both industrial and IT networks. Regular vulnerability analysis and penetration testing will help maintain awareness of new risks, and anomaly- and threat-based analysis of traffic inside the OT infrastructure and at the interface with the IT network will make it possible to observe potentially dangerous phenomena in network traffic in advance.
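As an added illustration of the “zero trust” rule above and of the segmentation problem behind NotPetya’s SMB spread (example code, not from the original article): a small Python check that evaluates constructed flow records at the IT/OT boundary against an allowlist of permitted flows, denying anything not listed (such as SMB on port 445 into the OT zone) and anything from a non-approved source. The zone subnets, the Modbus/TCP port 502 allowance and the engineering workstation address are assumptions.

```python
"""Allowlist check for flows crossing the IT/OT boundary (added example,
not code from the original article; zones, hosts and flows are constructed)."""
from ipaddress import ip_address, ip_network

# Constructed zone definitions: which subnets belong to IT and to OT.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "OT": [ip_network("192.168.100.0/24")],
}

# Constructed "zero trust" allowlist: the only cross-zone flows permitted.
# Anything else crossing the boundary is treated as a policy violation.
ALLOWED = {("IT", "OT", "tcp", 502)}  # Modbus/TCP from engineering to PLCs
# Hypothetical engineering workstation: the only approved Modbus source.
ALLOWED_SOURCES = {502: {ip_address("10.10.5.20")}}

def zone_of(ip):
    """Return the zone name of an address, or UNKNOWN if unassigned."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"

def check_flow(line):
    """Parse 'src dst proto dport' and return (verdict, reason)."""
    src, dst, proto, dport = line.split()
    dport = int(dport)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", "intra-zone"
    if (sz, dz, proto.lower(), dport) not in ALLOWED:
        return "deny", f"{sz}->{dz} {proto}/{dport} not in allowlist"
    if dport in ALLOWED_SOURCES and ip_address(src) not in ALLOWED_SOURCES[dport]:
        return "deny", f"{src} is not an approved source for port {dport}"
    return "allow", "allowlisted"

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.5.20 192.168.100.10 tcp 502",      # engineering host polling a PLC
    "10.10.7.33 192.168.100.10 tcp 445",      # SMB from an office PC into OT
    "10.10.7.33 192.168.100.11 tcp 502",      # Modbus from a non-approved host
    "192.168.100.10 192.168.100.11 tcp 502",  # PLC-to-PLC traffic inside OT
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = check_flow(flow)
        print(f"{verdict:5} {flow:40} {reason}")
```

In practice the records would come from the boundary firewall or a flow collector, and a "deny" on an established link is exactly the kind of anomaly the paragraph above wants noticed before it becomes an incident.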

Finally, it is worth mentioning that almost 80% of companies are innovating in the digital world faster than they can provide adequate cyber security. Perhaps the solution is to bring this area under the innovation strategy? 
