IT (Information Technology) and OT (Operational Technology) have traditionally had fairly separate roles within an organisation. However, with the emergence of the Industrial Internet and the integration of complex physical machinery with networked sensors and software, the lines between the two teams are blurring. While greater connectivity and integration are beneficial for smart analytics, control and cost saving, more connections and more networked devices mean more opportunities for security holes.
So, what exactly is OT and why is it so important for organisations to protect it? OT is the combination of hardware and software designed to monitor or control physical devices, processes and events. Common examples of OT applications are controlling the flow of water through an aqueduct, automating the heating controls in an office building, or controlling equipment on a production line such as a robot used to assemble parts.
Since the OT architecture of an organisation is responsible for monitoring and managing highly sensitive processes associated with critical infrastructure, organisations were traditionally encouraged to run it on a separate and isolated infrastructure. However, new requirements such as connected power grids, active inventory control, smart environmental control systems, just-in-time manufacturing and interactive systems tied to Big Data have begun to change all of that.
As a result of this change, many of today’s OT systems are transited or tunneled over corporate networks, leverage common internet protocols, run on general-purpose hardware and mainstream operating systems, and are increasingly connected via wireless technologies.
This integration makes OT networks increasingly vulnerable to cyber-attacks. A recent report from the Australian Cyber Security Centre states that 58 per cent of the participating organisations experienced at least one incident that successfully compromised data or systems in 2016.
Therefore, addressing the requirements of an OT network is now more important than ever and requires an integrated approach encompassing the following elements:
Segmentation and Encrypted Communications: Network segmentation is an important security measure for OT networks. It partitions the network into smaller zones and enforces a ruleset that controls which devices are permitted to communicate with which others, so that the paths to sensitive systems are minimised without disrupting operational efficiency. Communications between zones should also be encrypted and integrity-protected. Encryption on its own only hides the traffic; it is the authentication in a protocol such as TLS or IPsec that lets the receiver detect injected or modified packets. Most legacy industrial protocols carry no cryptography of their own, so this protection is usually added at the transport or tunnel layer.
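The zone-and-conduit policy described above, as an added example that is not from the article or from Fortinet: addresses, zone names and the permitted conduits are constructed for illustration. The policy is default-deny between zones, and a flow is allowed only when an explicit conduit exists for that source zone, destination zone and service, or when both ends sit in the same zone.

```python
import ipaddress

# Constructed zone map for the example (hypothetical addresses, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),      # corporate IT
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),      # historian, jump hosts
    "control":    ipaddress.ip_network("192.168.10.0/24"),  # HMIs, engineering workstations
    "field":      ipaddress.ip_network("192.168.20.0/24"),  # PLCs, RTUs
}

# Conduits: the only inter-zone flows permitted, as (source zone, destination zone, service).
# Anything not listed here is denied, so the policy is default-deny between zones.
CONDUITS = {
    ("enterprise", "dmz", "tcp/443"),     # users read historian dashboards
    ("dmz", "control", "tcp/502"),        # historian collector polls the SCADA servers
    ("control", "field", "tcp/502"),      # HMI and engineering to PLCs (Modbus/TCP)
    ("control", "field", "tcp/44818"),    # EtherNet/IP explicit messaging
}


def zone_of(ip):
    """Return the zone an address belongs to, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src, dst, service):
    """Decide a single flow (connection initiated by src). Returns (verdict, reason)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic in %s" % src_zone
    if (src_zone, dst_zone, service) in CONDUITS:
        return "allow", "conduit %s -> %s %s" % (src_zone, dst_zone, service)
    return "deny", "no conduit from %s to %s for %s" % (src_zone, dst_zone, service)


def audit(flows):
    """Evaluate observed flows and return only the ones the policy denies."""
    denied = []
    for src, dst, service in flows:
        verdict, reason = evaluate(src, dst, service)
        if verdict == "deny":
            denied.append((src, dst, service, reason))
    return denied


# Constructed flow records, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    ("10.0.5.12", "10.1.0.10", "tcp/443"),          # user -> historian: allowed conduit
    ("192.168.10.5", "192.168.20.7", "tcp/502"),    # HMI -> PLC: allowed conduit
    ("10.0.5.12", "192.168.20.7", "tcp/502"),       # corporate host straight to a PLC: denied
    ("192.168.20.7", "192.168.10.5", "tcp/502"),    # PLC initiating to the HMI: no reverse conduit
    ("10.0.5.12", "192.168.10.5", "tcp/3389"),      # RDP from IT into the control zone: denied
    ("192.168.10.5", "192.168.10.6", "tcp/445"),    # intra-zone: allowed
]

if __name__ == "__main__":
    for src, dst, service, reason in audit(SAMPLE_FLOWS):
        print("DENY %s -> %s %s: %s" % (src, dst, service, reason))
```

Conduits are directional: the PLC-to-HMI flow is denied even though the reverse is allowed, which is what a stateful firewall between the zones enforces by only permitting connections initiated from the control zone. Running the audit over exported flow logs is a quick way to find traffic that bypasses the DMZ before a firewall rule is tightened.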
Access Control and Secure Wireless Access: Access to OT devices needs to be strictly managed and monitored by device, user, application and protocol, and that includes securing Wi-Fi connections. Thousands of vendors now build IoT devices using a wide variety of connectivity and communications technologies in addition to Wi-Fi, including Bluetooth, NFC, Zigbee and RFID, and this does not count the IoT devices hardwired into the network behind the firewall. Security resources need to be committed to identifying, segmenting and securing these connections.
Vulnerability and Patch Management: Operators may deliberately decide not to patch systems that are in production and cannot be taken offline for an update. Now that these devices are connected to the IT network and the Internet, that approach can no longer remain the status quo. Attackers target known vulnerabilities, so maintaining an inventory of devices and their vulnerabilities and running an aggressive patch-and-replace programme is essential. For systems that cannot tolerate any downtime, compensating controls are needed: isolate the device behind a filtering gateway that passes only the traffic it needs, or apply behaviour-based security, to protect devices that cannot be patched.
Behavioural Analytics and Tracking: Advanced threats require more than passive security systems, especially when protecting critical infrastructure. Fortunately, the behaviour of most OT systems is easy to define: a controller talks to a fixed set of peers, using a fixed set of protocols and commands, on a regular schedule. Unusual behaviour is therefore comparatively easy to detect and block with a UEBA (User and Entity Behaviour Analytics) system in place. Blocking should be introduced with care in OT, since dropping legitimate control traffic can itself cause an outage; an anomaly is normally alerted on first and blocked only once the rule is known to be safe.
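The kind of baseline-and-deviation detection described above, as an added example that is not from the article or from any UEBA product: the model learns which source hosts exist, which host pairs talk, and which protocol function codes each pair uses, then flags any live record that falls outside that. The log format, addresses and function codes are constructed for the example.

```python
from collections import defaultdict

# Constructed flow log in a simple "timestamp src -> dst protocol fc=N" format
# (an illustration, not the output of any particular product).
BASELINE_LOG = """\
2024-03-01T08:00:01 192.168.10.5 -> 192.168.20.7 modbus fc=3
2024-03-01T08:00:02 192.168.10.5 -> 192.168.20.8 modbus fc=3
2024-03-01T08:00:03 192.168.10.20 -> 192.168.20.7 modbus fc=16
2024-03-01T08:00:04 192.168.10.5 -> 192.168.20.7 modbus fc=4
"""

LIVE_LOG = """\
2024-03-02T09:00:01 192.168.10.5 -> 192.168.20.7 modbus fc=3
2024-03-02T09:00:02 192.168.10.5 -> 192.168.20.7 modbus fc=6
2024-03-02T09:00:03 10.0.3.44 -> 192.168.20.8 modbus fc=3
2024-03-02T09:00:04 192.168.10.20 -> 192.168.20.9 modbus fc=16
2024-03-02T09:00:05 192.168.10.5 -> 192.168.20.8 modbus fc=3
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, protocol, function code)."""
    ts, src, _arrow, dst, proto, fc = line.split()
    return ts, src, dst, proto, fc.split("=", 1)[1]


class Baseline:
    """Whitelist-style model of who talks to whom, with which protocol and command."""

    def __init__(self):
        self.hosts = set()                   # every source host seen during learning
        self.commands = defaultdict(set)     # (src, dst, proto) -> {function codes seen}

    def learn(self, log):
        """Record every host, peer pair and function code seen in the learning window."""
        for line in log.splitlines():
            if not line.strip():
                continue
            _ts, src, dst, proto, fc = parse(line)
            self.hosts.add(src)
            self.commands[(src, dst, proto)].add(fc)

    def check(self, log):
        """Return one (timestamp, kind, line) alert per record that deviates from the baseline."""
        alerts = []
        for line in log.splitlines():
            if not line.strip():
                continue
            ts, src, dst, proto, fc = parse(line)
            key = (src, dst, proto)
            if src not in self.hosts:
                alerts.append((ts, "unknown source host", line))
            elif key not in self.commands:
                alerts.append((ts, "new peer relationship", line))
            elif fc not in self.commands[key]:
                alerts.append((ts, "new function code between known peers", line))
        return alerts


def run():
    """Learn from the baseline window, then check the live window."""
    model = Baseline()
    model.learn(BASELINE_LOG)
    return model.check(LIVE_LOG)


if __name__ == "__main__":
    for ts, kind, line in run():
        print(ts, "ALERT:", kind, "|", line)
```

The HMI that only ever read registers (fc=3 and fc=4) suddenly writing one (fc=6) is the case worth noticing: the hosts and the peer pair are all known, so only a model that tracks commands per pair catches it. A real deployment would also baseline polling rates and times of day, and would require the learning window to be long enough to cover maintenance activity before alerts are acted on.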
Deep Packet Inspection: Deep Packet Inspection (DPI) describes the ability of a firewall or Intrusion Detection System (IDS) to look inside the application payload of a packet or traffic stream and make decisions based on the content of that payload rather than only on addresses and ports.
Since attackers are increasingly successful at hiding and obfuscating attacks inside applications and data, organisations should implement a combination of signature-based and protocol/behaviour-based inspection of traffic travelling to, from and between OT systems to prevent the abuse of particular industrial protocols. Protocol-level policy, such as which function codes a given host may send, is well suited to OT environments because it provides critical protection without requiring frequent signature updates. DPI can only act on traffic it can read, so encrypted links must terminate at the inspection point or be inspected before they are encrypted.
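Both halves of the inspection described above, as an added example that is not from the article or from Fortinet: a minimal Modbus/TCP parser checks the MBAP header for malformed frames, a small signature table matches byte patterns of requests that should never appear on a production network, and a protocol policy allows reads from anyone but writes only from engineering workstations. The host addresses, the signature entries and the sample frames are constructed for the example.

```python
import struct

# Constructed policy for the example (hypothetical addresses, not from the article):
# only engineering workstations may send write commands to PLCs.
ENGINEERING_HOSTS = {"192.168.10.20"}
READ_FC = {1, 2, 3, 4, 7, 17}       # read coils/inputs/registers, exception status, report server ID
WRITE_FC = {5, 6, 15, 16, 22, 23}   # write coils/registers, mask write, read/write multiple

# Signature-style rules: byte patterns of requests that should never cross a production
# network. Function code 0x08 is Diagnostics; sub-function 0x0004 (Force Listen Only Mode)
# silences the device and 0x0001 restarts its communications. Constructed table.
SIGNATURES = {
    b"\x08\x00\x04": "diagnostics: Force Listen Only Mode",
    b"\x08\x00\x01": "diagnostics: Restart Communications",
}


def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header and return the transaction/unit ids, function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    # The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match %d bytes present" % (length, len(frame) - 6))
    return {"tid": transaction_id, "unit": unit_id, "fc": frame[7], "data": frame[8:]}


def inspect(frame, src_ip):
    """Signature plus protocol-policy check of one Modbus/TCP request. Returns (verdict, reason)."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as err:
        return "drop", "malformed: %s" % err
    pdu = frame[7:]
    for pattern, name in SIGNATURES.items():
        if pdu.startswith(pattern):
            return "drop", "signature match, " + name
    fc = msg["fc"]
    if fc in READ_FC:
        return "allow", "read fc=%d" % fc
    if fc in WRITE_FC:
        if src_ip in ENGINEERING_HOSTS:
            return "allow", "write fc=%d from engineering host" % fc
        return "drop", "write fc=%d from non-engineering host %s" % (fc, src_ip)
    return "drop", "function code %d not permitted by protocol policy" % fc


# Constructed sample frames (hex), each a complete Modbus/TCP request.
SAMPLES = [
    ("192.168.10.5",  "000100000006010300000001"),  # HMI reads 1 holding register: allow
    ("192.168.10.5",  "000200000006010600010010"),  # HMI writes register 1: drop (not engineering)
    ("192.168.10.20", "000200000006010600010010"),  # engineering writes register 1: allow
    ("192.168.10.5",  "000300000006010800040000"),  # Force Listen Only Mode: drop (signature)
    ("192.168.10.5",  "000400000009010300000001"),  # length field lies: drop (malformed)
    ("192.168.10.5",  "000500010006010300000001"),  # protocol id 1: drop (malformed)
]

if __name__ == "__main__":
    for src, hex_frame in SAMPLES:
        verdict, reason = inspect(bytes.fromhex(hex_frame), src)
        print("%-5s %s: %s" % (verdict.upper(), src, reason))
```

The order of the checks matters: structural validation first, so a truncated or mislabelled frame never reaches the policy logic, then signatures, then the per-host function-code policy. The policy rules are the part that needs no updates, since the set of legitimate commands on a given network changes only when the process does.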
More organisations today are looking for productivity improvements and cost savings by optimising plant operations, deploying a more flexible operating environment, or establishing a more proactive inventory control system that requires real-time online data. As a result, many of today's OT systems now run on general-purpose hardware and mainstream operating systems and are integrated with the corporate network.
Unfortunately, many of these now-connected systems are quite vulnerable to compromise, and unlike a failure in an IT network, a failure in one of these systems can cause a catastrophic event affecting both human life and property, disrupting or even destroying physical assets and essential services such as water, electricity and fuel.
Hence protecting and defending today's critical OT infrastructure is increasingly important and requires a unified approach that integrates security solutions capable of adapting to and spanning distributed IT and OT environments.
Article by Fortinet's senior VP of products and solutions, John Maddison.