CIO

The challenge of nailing IT security in an OT World

by Simon Howe, Director of Sales ANZ, LogRhythm

The Internet of Things (IoT) might be a current hot topic in technology circles, yet linking electronic devices to improve efficiency and automate processes is not exactly a new concept.

Decades before the IoT concept was conceived, industrial automation projects were underway everywhere from factories and oil refineries to electricity generation plants and distribution grids.

Dubbed Operational Technology (OT), these systems comprise everything from industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems and programmable logic controllers (PLCs) to building automation platforms. OT is a vital part of modern daily life.

While the benefits of OT are clear, things become concerning when they are viewed from the perspective of IT security. Many of the systems have been designed and built using unsecured, open communication protocols and comprise components that cannot be patched or updated.

Worryingly, many are also now being exposed to the public internet, which opens up the opportunity for malicious criminals to interfere with their operation. Real-world examples, such as last year’s Crash Override incident in which an electricity transmission station near the Ukrainian capital Kiev was targeted by hackers, make it clear that the impact can be significant. Even attacks as common as ransomware now have the capability to infect and disrupt OT networks, as was seen during the WannaCry incident in 2017.

Effective approaches to security

The thought of properly securing OT infrastructures might seem daunting; however, there are effective approaches that can be taken. These include:

1: Traditional security modelling

This approach to OT security involves defining what needs to be secured, the risks involved, and then taking appropriate mitigation steps. It can be thought of as working from the “outside-in”. There are some tried and true methods that help with this approach including:

  • Existing compliance standards: For some OT environments, there are existing compliance regulations such as NERC-CIP and ISA/IEC 62443. Even if they do not directly apply to a particular industry, they can provide a good starting point for risk analysis.
  • Existing frameworks: OT systems are built by engineers who, while not necessarily security professionals, know how to document what they do. Check resources such as the Purdue Enterprise Reference Architecture and its variants to gain insights into the underlying design of these systems.
  • Existing mindset: In security, most people begin with the Confidentiality, Integrity and Availability (CIA) model. In OT systems, the mindset more often starts with the Reliability, Safety, and Availability (RSA) model. If OT environments are approached knowing that they were built on RSA instead of CIA, a lot of issues can be resolved quickly.

2: Passive Discovery and Analysis

Another method to achieve OT security is through passive discovery and analysis, which can be considered an “inside-out” approach. Rather than trying to reverse engineer a security model on top of an existing OT environment, base-lining and passive observation can be used to create compensating controls.

The advantage of this approach is that it can overcome many of the challenges faced with a classic security approach. This is because:

  • You aren’t interfering with the environment: When using an effective network monitoring tool, it’s possible to tap into network traffic and begin classifying many OT protocols, including CIP, COAP, ENIP, Modbus, OPCUA, and Profinet. More importantly, the tool can help you see anything that isn’t a recognised OT protocol.
  • Whitelists work: Fortunately, most OT environments are still on isolated networks. As a result, it’s possible to create a baseline and then quickly discover which systems are normal and expected in that environment. For example, you might find fixed IP addresses in these systems and, because the environments are comparatively static, a whitelist approach works well.
  • Unusual is bad: In an OT environment, unusual activity is highly suspicious. Following the Purdue model, anything below level 3 (including control systems, intelligent devices, and physical processes) should be “one purpose only” and have easily definable, regular behaviour. Anything else should be closely examined.
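To make the three points above concrete, here is an added example (not code from the article or from LogRhythm) that learns an allowlist of hosts and conversations from a quiet observation window of flow records, then flags live flows that use a non-OT protocol, involve an unseen host, or form a new conversation between known hosts. The addresses, flow records and protocol-to-port map are constructed for illustration.

```python
# Added example: passive baseline plus allowlist for a static OT segment.
# Addresses, flows and the port map below are constructed, not taken from a real site.

# TCP/UDP ports commonly used by the OT protocols the article names (assumed mapping).
OT_PORTS = {502: "Modbus/TCP", 44818: "ENIP/CIP", 4840: "OPC UA",
            5683: "CoAP", 34964: "Profinet"}

def learn_baseline(flows):
    """Record every host and every (src, dst, dport) conversation seen while learning."""
    hosts, pairs = set(), set()
    for f in flows:
        hosts.update((f["src"], f["dst"]))
        pairs.add((f["src"], f["dst"], f["dport"]))
    return {"hosts": hosts, "pairs": pairs}

def classify(flow, baseline):
    """Return the reasons a flow deviates from the baseline; [] means it is expected."""
    reasons = []
    if flow["dport"] not in OT_PORTS:
        reasons.append("non-OT protocol on port %d" % flow["dport"])
    unknown = [h for h in (flow["src"], flow["dst"]) if h not in baseline["hosts"]]
    for h in unknown:
        reasons.append("unknown host %s" % h)
    # A new pairing of hosts that are individually known is still "unusual".
    if not unknown and (flow["src"], flow["dst"], flow["dport"]) not in baseline["pairs"]:
        reasons.append("new conversation between known hosts")
    return reasons

def review(learning_flows, live_flows):
    """Baseline on the learning window, then return [(flow, reasons)] for anomalies only."""
    baseline = learn_baseline(learning_flows)
    results = [(f, classify(f, baseline)) for f in live_flows]
    return [r for r in results if r[1]]

# Constructed learning window: level 3 HMI/SCADA hosts polling level 1 PLCs.
LEARNING = [
    {"src": "10.10.3.10", "dst": "10.10.2.20", "dport": 502},    # HMI -> PLC, Modbus
    {"src": "10.10.3.11", "dst": "10.10.2.21", "dport": 44818},  # SCADA -> PLC, ENIP/CIP
    {"src": "10.10.3.11", "dst": "10.10.2.22", "dport": 4840},   # SCADA -> gateway, OPC UA
]
# Constructed live traffic: one expected flow and three deviations.
LIVE = [
    {"src": "10.10.3.10", "dst": "10.10.2.20", "dport": 502},    # expected
    {"src": "10.10.3.10", "dst": "10.10.2.20", "dport": 22},     # SSH: not an OT protocol
    {"src": "10.10.9.99", "dst": "10.10.2.20", "dport": 502},    # Modbus from an unseen host
    {"src": "10.10.2.20", "dst": "10.10.2.21", "dport": 502},    # PLC to PLC: new pairing
]

if __name__ == "__main__":
    for flow, reasons in review(LEARNING, LIVE):
        print(flow["src"], "->", flow["dst"], flow["dport"], ":", "; ".join(reasons))
```

In a real deployment the learning window would be fed from a passive tap or span port and refreshed only after a reviewed change, since the value of the allowlist comes from the environment staying static.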

3: Machine Learning

Because OT environments are designed around reliability, making use of machine learning techniques is likely to be highly successful. The pattern of access to OT systems should follow well-known schedules of shift changes, maintenance cycles, and other highly scheduled activities.

While machine learning, particularly for OT environments, is still very much in its infancy, the industry is investigating both User and Entity Behaviour Analytics (UEBA) and Network Traffic and Behaviour Analytics (NTBA) to see if they can offer OT a rich source of security-related information.

Achieving satisfactory security in an OT environment

OT will remain an important part of many critical infrastructures for years to come. For that reason, it is important to address associated security concerns now so that vital infrastructure does not fall victim to the activities of cyber criminals.

Whether a decision is taken to adopt a classic, compliance-driven security approach or a discovery approach, it’s important to take the time to understand what can best be done with available tools to make OT as secure as possible. The best time to start this process is now.