The security needs of Industrial Control Systems (ICS) and Operational Technology (OT) environments are changing as these environments are rapidly being connected to enterprise networks and exposed to hackers and Internet-borne malware. What is needed is a new-generation security solution that secures connected devices spread across both industrial and IT environments.

OT environments were long isolated from corporate IT; that is changing. Control system architectures are now being connected to traditional enterprise IT networks (Ethernet, Wi-Fi, etc.), and device manufacturers are building OT devices and control systems on top of common operating systems such as Windows, Linux, Android, and VxWorks. These changes increase the risk that control systems will be compromised by the same kinds of attacks used against devices on corporate IT networks. According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 66% of manufacturers experienced a security incident related to IoT devices between 2018 and 2019.[1]

Although many legacy control systems still maintain an effective air gap, the trend in manufacturing and industrial plants is to connect OT devices directly to the enterprise network. As a result, the Purdue Enterprise Reference Architecture, which for years defined a standard hierarchy of applications, controls, data flows and enforcement boundaries, is being flattened, and the lines between its levels are dissolving.

To determine the extent of these changes, the SANS Institute conducted a survey in 2018.[2] The results indicated that devices at all levels of the Purdue model are now routinely being connected to enterprise networks using a variety of communication technologies: wired, Wi-Fi and cellular. On average, SANS reported that 37% of devices in the Manufacturing Zone (Purdue levels 0, 1, 2 and 3) were connected to enterprise networks, and 32% of IIoT devices were connected directly to the Internet.

Figure 1: The Purdue Enterprise Reference Architecture

These architectural changes are happening across many different kinds of control systems, including:

·        Programmable logic controllers (PLCs)

·        Supervisory control and data acquisition (SCADA)

·        Distributed control systems (DCS)

·        Manufacturing execution systems (MES)

·        Telematics

·        Robotics.

Impacts of OT attacks observed include:

·        Changes to process automation which impacted product quality

·        Stoppage of production lines

·        Human machine interface (HMI) devices that were infected with WannaCry

·        Vulnerable industrial control devices that were exposed to the Internet

·        Third-party devices that opened reverse tunnels which breached network segmentation.

These attacks also demonstrate the increasingly connected nature of OT. A joint study by Deloitte and the Manufacturers Alliance for Productivity and Innovation showed that only 50% of manufacturing environments currently maintain isolation between their OT networks and their IT networks. 76% are using Wi-Fi to enable communication between connected systems. A telling 39% of respondents to the Deloitte survey said they experienced a breach of their OT network in the previous 12 months.[3]

A report by NIST titled ‘Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks’ (NISTIR 8228) is especially relevant because its device-security guidance applies to IoT devices of all kinds, OT and industrial IoT devices included. Under its first risk mitigation goal, protecting device security, the report highlights four areas, read here with OT devices in mind[4]:

·        Asset management – Maintain a current, accurate inventory of all OT devices and their relevant characteristics throughout the devices’ lifecycles in order to use that information for cybersecurity and privacy risk management purposes.

·        Vulnerability management – Identify and eliminate known vulnerabilities in OT device software and firmware in order to reduce the likelihood and ease of exploitation and compromise.

·        Access management – Prevent unauthorised and improper physical and logical access to, usage of, and administration of OT devices by people, processes, and other computing devices.

·        Device security incident detection – Monitor and analyse OT device activity for signs of incidents involving device security.

The technical challenges of OT security

“Despite authoritative guidance on cybersecurity goals and outcomes from NIST and other organisations, security managers working for manufacturing and industrial firms have difficulty finding security tools that can provide these outcomes,” says Andre Kannemeyer, CTO at Duxbury Networking, distributors of Armis technology.

There are several reasons for this.

·        Agents do not work. Most OT devices run closed firmware or real-time operating systems that cannot host an endpoint agent, so agent-based tools see nothing.

·        Network scanners cannot be used. Active scans and probes can disrupt or crash fragile controllers, so the discovery method IT teams rely on is off limits.

·        Conventional network security products are insufficient. They were designed for managed IT endpoints, not for the unmanaged industrial devices now sharing the network.

·        Patching is extremely difficult. Controllers often cannot be taken offline, and vendor firmware updates lag or never arrive, so known vulnerabilities persist for years.

·        Complexity is increasing. Devices are now built on general-purpose operating systems and connected over wired, Wi-Fi and cellular links, multiplying the attack surface.

·        Connectivity is a risk. Every controller reachable from the enterprise network or the Internet is exposed to the same attacks as a corporate endpoint, and the SANS survey found 32% of IIoT devices connected directly to the Internet.

“The security outcomes needed for OT environments are well understood but can’t be achieved using traditional security tools. Neither specialised OT security tools nor traditional IT security tools were designed for today’s hybrid OT/IT environment,” says Kannemeyer.

What security managers need is a different approach to security – one that is designed for the unmanaged devices across OT environments. Such a security system would have the following characteristics:

·        Agentless. The security system should be able to function without any reliance on agents because most OT devices and enterprise IoT devices (printers, IP cameras, HVAC systems, etc.) cannot accommodate agents.

·        Passive. The security system should be able to function using only passive technologies. This is because a security system that relies on network scans or probes can disrupt or crash OT devices.

·        Comprehensive security controls. For the OT environment, it would be desirable to obtain comprehensive coverage of the required security controls using as few tools as possible.

·        Comprehensive device coverage. The scope should include all unmanaged or industrial IoT devices in the enterprise.
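To make the agentless, passive approach concrete, and to show how the NISTIR 8228 areas of asset management and device security incident detection can be served from traffic alone, here is an added Python example. It is not code from this page, from Armis or from Duxbury. It takes flow records of the kind a SPAN port or network tap would yield, builds a device inventory from them without sending a single packet, and checks every flow against a Purdue zoning: nothing in Levels 0-3 may talk to an external address (which catches both direct Internet exposure and the outbound reverse tunnels mentioned above), and enterprise and manufacturing levels may only meet in the Level 3.5 DMZ. The address plan, the port-to-protocol table and the flow records are constructed assumptions.

```python
"""Passive OT asset inventory and Purdue boundary check (added example, not page code).
The address plan, port table and flows below are constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Industrial protocols recognised by well-known server port (assumption: a real passive
# monitor would also dissect the payload rather than trust the port alone).
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# Hypothetical Purdue zoning of the site's address plan. Anything outside the plan is
# treated as external, which is how a monitor configured with the plant's ranges sees it.
ZONE_LEVELS = [
    (ip_network("10.0.0.0/16"), 1.0),     # Levels 0-1: sensors, actuators, PLCs
    (ip_network("10.1.0.0/16"), 2.0),     # Level 2: HMIs, engineering workstations
    (ip_network("10.2.0.0/16"), 3.0),     # Level 3: site operations (historian, MES)
    (ip_network("10.10.0.0/16"), 3.5),    # Level 3.5: industrial DMZ
    (ip_network("192.168.0.0/16"), 4.0),  # Levels 4-5: enterprise IT
]


class Flow(NamedTuple):
    """One observed connection: who spoke to whom, on which server port."""
    src: str
    dst: str
    dport: int


@dataclass
class Asset:
    ip: str
    level: object                               # float Purdue level or "external"
    serves: set = field(default_factory=set)    # industrial protocols this device answers
    talks_to: set = field(default_factory=set)  # peer addresses observed


def purdue_level(ip):
    """Map an address to its Purdue level, or "external" if outside the site plan."""
    addr = ip_address(ip)
    for net, level in ZONE_LEVELS:
        if addr in net:
            return level
    return "external"


def build_inventory(flows):
    """Asset management without agents or probes: learn devices from traffic alone."""
    inventory = {}
    for f in flows:
        for ip in (f.src, f.dst):
            inventory.setdefault(ip, Asset(ip=ip, level=purdue_level(ip)))
        inventory[f.src].talks_to.add(f.dst)
        inventory[f.dst].talks_to.add(f.src)
        proto = INDUSTRIAL_PORTS.get(f.dport)
        if proto:
            inventory[f.dst].serves.add(proto)  # the destination answered an ICS protocol
    return inventory


def check_flows(flows):
    """Incident detection against the Purdue model: (1) Levels 0-3 never talk to an
    external address in either direction; (2) enterprise (4-5) and manufacturing (0-3)
    traffic must terminate in the Level 3.5 DMZ, never cross it directly."""
    findings = []
    for f in flows:
        s, d = purdue_level(f.src), purdue_level(f.dst)
        if "external" in (s, d):
            inside = d if s == "external" else s
            if inside != "external" and inside <= 3:
                direction = "outbound" if d == "external" else "inbound"
                findings.append((f"internet exposure ({direction})", f))
            continue
        if min(s, d) <= 3 and max(s, d) >= 4:
            findings.append(("IDMZ bypass", f))
    return findings


# Constructed flow records, as a tap or SPAN port would yield after flow aggregation.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.0.0.20", 502),       # HMI polls a PLC over Modbus: expected
    Flow("10.2.0.10", "10.10.0.2", 443),      # historian pushes to the DMZ relay: expected
    Flow("192.168.5.40", "10.10.0.2", 443),   # enterprise reads from the DMZ relay: expected
    Flow("192.168.5.40", "10.0.0.20", 502),   # enterprise host polls the PLC directly: bypass
    Flow("10.0.0.30", "203.0.113.7", 22),     # Level 1 device opens SSH outbound: reverse tunnel
    Flow("198.51.100.9", "10.1.0.5", 3389),   # outside host reaches the HMI over RDP: exposed
    Flow("10.0.0.20", "10.0.0.21", 44818),    # PLC-to-PLC EtherNet/IP: expected
]

if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_FLOWS).values():
        print(f"{asset.ip:15} level={asset.level!s:8} serves={sorted(asset.serves)}")
    for kind, flow in check_flows(SAMPLE_FLOWS):
        print(f"FINDING {kind}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Run as a script it prints the learned inventory and three findings: the enterprise workstation bypassing the DMZ, the Level 1 device tunnelling out, and the HMI reachable from outside. The design point is that every result comes from observing traffic; the monitor never connects to a controller, so it cannot crash one.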

“There are a variety of unique challenges associated with protecting OT devices from cyber-attack, but it can be done if you have the right kind of tools. Contact the Duxbury team to discuss a unified enterprise security platform that has been specially built to function in both OT and IT environments,” says Kannemeyer.



[1] State of Enterprise IoT Security: A Spotlight on Manufacturing, Forrester Consulting, September 2019.

[2] The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns, SANS Institute, June 2018.

[3] Cyber Risk in Advanced Manufacturing (executive summary), Deloitte and the Manufacturers Alliance for Productivity and Innovation, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/manufacturing/us-manufacturing-cyber-risk-in-advanced-manufacturing-executive-summary.pdf

[4] NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, National Institute of Standards and Technology, June 2019.
