Common Mistakes IT Security Staff Make in an OT Environment
1 ) Our ICS network is absolutely air-gapped.
Throughout the years, we have heard this statement over and over again, specifically from IT department, but in practice and during our assessments, we discovered some sort of connectivity to internet either through the network or some sort of out of band connectivity.
Air gaps between the ICS network and other networks—if implemented correctly and maintained—are very effective barriers against cyber attacks. However, a true air gap is no longer practical in an interconnected world. While many will agree that air gaps are disappearing, some still believe this is a viable security measure.
With increasing digitalization (Industry 4.0 and smart grid networks), the use of the air gap has eroded or disappeared altogether. OT (operations technology) and IT (information technology) networks are converging and resulting in the evolution of a new threat landscape.
Who needs an air-gapped network?
Air-gapped networks are physically isolated from any public or private networks. Some businesses and critical industries need a zero-risk approach to online threats and naturally, the best way to guarantee that level of protection is to isolate a network from all external connections. Industries like nuclear plants and railways are amongst those who avoid connectivity to internet at all costs.
2 ) The concept of deploying IPS in ICS networks.
IPS has been one of the most effective tools in any IT environment. It has covered the holes not covered by anti virus and in principal; it should provide that extra level of security in an OT network. However, just the thought of leaving the decision to some vendor’s understanding of threat or AI to shut down part of the network or an entire network will make any production engineer scared to death. As much as an anomaly detection is valuable and it has become one of the best security and monitoring tools for OT security teams, but the prevention part is not something we could see in the near future.
3 ) We can extend our SOAR to ICS network.
Just like an IPS, SOAR (Security Orchestration, Automation, and Response) solutions function based on combination of behaviour, signature and artificial intelligence AI. Inside an IT network, sometimes the security team cannot respond to a threat in a timely manner, hence they use SOAR to automatically handle the response. For example, upon detecting a threat, SOAR can signal the firewall to isolate part of a network or close a port.
Can you imagine the potential damage in a time sensitive network , you segregate and cut the communication and telemetry data between the operation center and field devices?
4 ) Patching devices and software frequently.
To secure the critical infrastructures against attackers, the recommended approach is to think like them. Vulnerable Operational Technology (OT) assets are low-hanging fruits for bad actors. When patches are released to the public, the vulnerabilities often are disclosed. However, unlike IT, all the missing patches cannot be installed on the OT assets. There are several reasons including:
- ICS or Operating System (OS) patches cannot be implemented because of non-compatible hardware.
- ICS vendor did not approve the OS patches
- The patches are not approved by asset owners – i.e., the patch crashed the OT asset while testing
- Applying patches may require a shutdown of operation
In such scenarios, either the patches cannot be installed, or they need to wait until the next shutdown. And the vulnerabilities will be present until the next shutdown or forever.
Moreover, patching in the OT environment is an expensive approach. If the risk can be reduced to an acceptable level by applying alternative controls – meaning if the attackers can be prevented from reaching the vulnerable assets – then the cost or effort of patching and applying alternative controls needs to be compared to decide which approach is best. It is not feasible to patch all the OT assets, thus, it is recommended to patch smartly.
5 ) Penetration testing with IT mindset
Penetration tests are essentially simulations designed to go above and beyond a standard vulnerability assessment. Penetration testers play out the same scenarios a hacker would use to break into a network. These simulations aim to identify security issues early on, before hackers can find and exploit them. But, if the pen test is conducted by developers inexperience with ICS, the penetration test can have some serious effects on a system.
Asset owners and CISOs should make sure the company and the team that conduct the pen test do have experience with industrial control systems.