How to Build a Defensible OT Network
1. Assessment
Although vulnerability assessment and risk assessment are commonly used interchangeably, but they are two different approaches, and both are needed as part of a comprehensive security assessment.
Another misconception is that security assessment is a network anomaly detection tool like Nozomi Networks, Claroty or Tenable. Any of those methods can certainly give asset owners some critical data, but it would be a partial view and visibility.
Our methodology is to assess the entire attack vector and in order to achieve that, we need to evaluate the followings:
- Physical Assessment: We conduct a site walk down to evaluate if the plant is suitable to any possible physical access to cyber and non-cyber assets.
- Staff Interview: We often find a wealth of information by interviewing the operational and cyber staff. It doesn’t matter how regulated is the industry or how tight is the cyber security controls, if the staff bypass them, which often they do, then they could create a breach and provide access to bad actors.
- Wireless Assessment: Due to the size of some plants, wireless network and communication is commonly seen in the OT environment, which expands the attack surface beyond physical network and premise. A through wireless assessment can ensure security of such networks.
- Asset Inventory & Network Mapping: It’s often said, you can’t secure what you can’t see. Almost all industrial environment suffer from lack of detailed asset inventory. Before identifying what vulnerabilities exist in an environment, we need to make sure we have a detailed list of all OT assets, IT assets inside the OT environment, hardware, software, firmware, operating system and network devices.
Also Understanding the physical and digital locations of all devices mapped within a network should be a primary concern of operational technology managers. For example, if a programmable logic controller (PLC) is communicating with a different PLC due to an error or a hack, it is crucial for the manager to be able to discover this issue, as well as implement a mitigation strategy as soon as possible. This can only be accomplished if the connections of all assets are accurately mapped. - Vulnerability Assessment: A vulnerability assessment provides an organization with details on any security weaknesses in its environment. Vulnerability Assessment is the process of defining, identifying, classifying and prioritising vulnerabilities in computer systems, applications and network infrastructures.The assessment process, whether it’s performed one regular basis or continuously, is intended to identify threats and the risks they pose. They typically involve the use of both automated testing tools, such as network security scanners, and some manual scripts, whose results are listed in a vulnerability assessment report.
- Risk Assessment: In essence, risk assessment involves looking outside of an organisation to determine what threats exist that could potentially lead to problems, while vulnerability assessment involves looking inside the organisation for structural flaws and weaknesses.Unlike vulnerability assessment, which is searching inside an organisation for security flaws, risk assessment involves looking outside of an organisation to identify the attack vectors and potential threats that could lead to security breaches. Security risk assessment identifies:
- Your organization’s weak points
- The consequences of manipulation of those weak points
- The ways to prevent such events from occurring
- A thorough ISC security risk assessment empowers you to make informed decisions about how to protect your facilities and how to prioritize the actions you decide to take.
2. Real-time Network Anomaly Detection and Monitoring
Having security is great, but detection capability is a must. A solid OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors traffic for potential threats.
An organization may have a security operation center monitoring their IT network and part of the OT network as well, but without real-time anomaly detection capability, there is no context and baseline for security analysts to decide.
Investing in one of the next-gen network intrusion detection vendors will elevate an organization’s security level significantly.
3. Architectural Review and Defensible Networks
Industrial plants are known for lack of proper security and partially, DCS vendors are to blame as security for them is an afterthought. From critical infrastructures to manufacturing plants may have acquired some sort of security but may require an architectural review by a team of industrial automation and cybersecurity. An organization might be able to improve cyber security using the existing solutions they have, by making some design changes. Depending on the industry and its known threats and previous attack history, the network should be able to at least handle the known cyber attacks.
4. IT / OT Segregation and OT Network Segmentation
Needless to say, by far the most common issue we keep finding is a lack of appropriate segregation between IT and OT networks, or between OT and telemetry systems.
Gathering data and managing OT performance is a critical benefit to businesses, particularly around efficiency. That’s one reason why OT systems are networked with others.
However, mistakes in the segregation are a common problem that we exploit when testing security. Excessive permissions, misconfigurations or even vulnerabilities in switches and firewalls themselves expose OT networks.
We’ve also found issues in the telemetry communications systems used to transmit data from remote outstations. Common problems include assumptions made about private APN security, default or crackable credentials on data modems and communications over completely unencrypted RF protocols.
It’s not always unintentional mistakes either; we’ve found modems fitted by third parties suppliers without authorisation. We’ve seen remote access software such as Team Viewer installed by staff who wanted to review data without leaving their chair. We’ve seen staff install their own wireless access points in order to stream music. In all cases, these bridged important network segments that were otherwise isolated.
Once we are done by segregation, we need to move on to segmentation. Network segmentation is a layer of physical security that cordons off a network from other networks, separating an OT network from an IT network, a guest network from a corporate network, or one critical manufacturing network from another.
Without effective segmentation of ICS and SCADA networks, ransomware and other cyber threats gain free flowing lateral access to operational systems, enabling potentially dangerous disruption or damage.
As outlined in IEC 62443 standards, OT segmentation is considered best practice when it comes to controlling communications across ICS and SCADA systems.
OT zone segmentation is an effective way to mitigate perimeter breaches, as well as prevent intentional and accidental OT and IoT cyber incidents from spreading.
Network segregation and segmentation are the most effective method to contain a breach and minimize damages.
What is Micro-Segmentation?
Network segmentation breaks the network into zones that typically consist of multiple devices and the applications that they host. Micro-segmentation takes this a step further, placing each device or even each application within its own segment. All traffic between devices or applications is inspected for potential malicious content or violations of the corporate security or access control policies.
5. Endpoint Protection (Anti Malware, White Listing and Device Control)
Just like in IT environment, OT endpoint protection is a necessity to safeguard critical and none critical infrastructures with continuous protection from malware and virus. However, there are number of challenges such as securing non-Windows devices or outdated Windows servers and workstations and compatibility issues which requires years of experience gained in the OT environment.
Application whitelisting is a proactive strategy in OT security that enables only the sole administrator to pre-approve and allow programs to run. Any program that is absent on the whitelist is automatically blocked. The essence of whitelisting applications in the OT environment is to prevent malware from infiltrating and executing commands on endpoints within the system and network. The controls over which programs to run on the user’s system lies on the administrators and not the end-users which is what obtains in a normal operating procedure.
The last point on endpoint protection is device control. Device control software is critical to protecting organizations data assets from the risks associated with the use of removable devices. Removable devices may transfer malware to computers and can also be used to extract sensible information from computers to unauthorised hands, therefore the importance of device control.
6. Patch and Update Management
In first encounter to OT, an IT security engineer may get shocked to see Windows 7 and firmware as old as 20 years.
Before deciding whether to install a patch or not, it is important that we understand the associated benefits and risks of doing so.
Do we need to patch and is patching worth the effort? We often think of patching as a need to fix a vulnerability or a flaw in he OS or the applications but that’s not all.
Vendors release patches to improve the applications’ stability.
Putting these two reasons together, we have a strong case to patch some of our assets in our OT environment.
But there are equally number of negative or risky reasons for not patching. Within the IT side of the organization, the benefits outweigh the risks, as loss of data is considered a bigger concern than the downtime of a network. On the other hand, for the OT side, systems uptime is of great importance. How the two sides of an organisation (IT/OT) view risk versus reward is vastly different.
Focusing on ICS environments, where reliability is a key factor, a major risk could be taking down a critical network or component due to malformed or corrupt patch. In addition, patching can be considered as a very time-consuming and in some cases a full-time job if we consider that over 15 new vulnerabilities are discovered on a daily basis. Another factor to consider is the associated cost of testing the released patches.
What if you cannot patch?
It all starts by acknowledging that patch management is a subset of vulnerability management. Vulnerability management is not a stand-alone scan-and-patch function. It’s a holistic function that takes a proactive view of managing the daunting task of addressing identified vulnerabilities in deployed hardware devices and software. Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. Vulnerability management is about making informed decisions and properly prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources. Based on these considerations, this is what ICS organizations should do as a bare minimum if they are not in a position to patch.
In case patching is not an option, it’s recommended to deploy “virtual patching” which is a security layer that analyzes incoming traffic for malicious activity to protect any system vulnerabilities from exploitation. The idea is to block attacks before they reach the intended vulnerable target.
7. Incident Response Plan and TTX (Table Top Exercises)
Having an incident plan is important, simulating an incident in a TTX is even more important. On the first encounter with an incident, your plan will be tossed out of the window, if you had not practiced it.
As cyber attacks and incidents become more common and sophisticated, having the capability to provide a coordinated and effective response to cyber threats across an entire business becomes increasingly essential. An OT Cyber Incident Response Plan can ensure that an organisation is equipped with the necessary skills and preparedness to respond to cyber threats that arise throughout all technological environments that the organisation possesses and utilizes. Tabletop exercises are meant to help organizations consider different risk scenarios and prepare for potential cyber threats.
8. Managing identities, Credentials and Authentication
Controlling who is able to access your system plays a big role in your cybersecurity posture, particularly because allowing the wrong person inside may make it easy for an attacker to penetrate. At times, a well-meaning employee may leave their login credentials exposed or otherwise insecure, enabling a hacker to get inside a critical system. Therefore, you should take into consideration the following:
Educating employees about how to safeguard their access credentials
Ensuring that a least-privilege policy is maintained across the organization, which limits access rights only to those who absolutely need them
Canceling the access privileges of former employees as soon as possible
Revoking access that was temporarily granted to visitors and other guests
Even though it is possible to revoke access privileges too early, it is typically easier to remedy this than it is to recover from a cyberattack.
These are some of the steps an organisation can take to improve their identify and access management:
- Controlling passwords and security
- Multi-factor authentication
- Making sure the right people have the access they need
- Monitoring and managing the access privileges of current and former employees
- Control Identity and Access Management