PartnersSupport

OT Cybersecurity: The Ultimate Guide

April 25, 2022

As digital transformation fuses information technology (IT) with operational technology (OT), it has become critical for cybersecurity teams to implement best practices to protect OT systems from cyberattacks.

Table of Contents

  1. What Is Operational Technology (OT) Cybersecurity?
  2. IT vs. OT Cybersecurity
  3. Traditional OT Network Architecture: The Purdue Model
  4. High-Profile OT Cyberattacks
  5. Defending OT Systems from Nation-State Attacks
  6. Making a Business Case for OT Cybersecurity
  7. Cybersecurity Frameworks for OT/ICS
  8. Best Practice Recommendations for OT/ICS Cybersecurity
  9. OT Cybersecurity Resources

What is Operational Technology (OT) Cybersecurity?

OT cybersecurity refers to the set of procedures and best practices designed to mitigate and prevent the exploitation of cyber-physical systems and industrial control systems (ICS). Industrial control systems are digital networks employed across a wide variety of sectors and services to automate production processes. From energy grids to manufacturing plants, industrial control systems are used across a wide variety of business and critical infrastructure sectors.

The importance of ICS security is a function of the unique risk associated with the operation of operational technology. Plant and factory level employees are often exposed to safety risks. Global supply networks rely on the consistent availability of industrial control systems within ports and other shipping nodes. The public requires critical infrastructure, such as water and energy systems, to operate around the clock. Any disruption across this wide network has far reaching consequences, making the availability and resilience of operational technology key for public wellbeing.

IT vs. OT Cybersecurity

Information and Operational Technology serve different purposes. IT cybersecurity concerns enterprise-level equipment used to manage data. OT cybersecurity concerns production level equipment used to manage physical products. These differences lead to unique security environments. IT security operators must keep up with quickly evolving equipment, platforms, and applications. The high rate of change means modular networks and routine updates. Furthermore, the value of IT is often linked with data and intellectual property stored within the network. For this reason, IT security’s primary concern is the confidentiality of the data. On the other hand, OT cybersecurity operators maintain systems with legacy equipment because of the high cost of equipment replacement and the slow change of system requirements. This means industrial control systems often contain known vulnerabilities. The value of operational technology, however, is most directly related to the continual and consistent operation of the equipment. Therefore, there are fewer opportunities for system downtime, updates, and equipment replacement. As a result, OT cybersecurity’s primary responsibility is the availability of the industrial control system.

Traditional OT Network Architecture: The Purdue Model

The technological architecture of organizations using operational technology can be organized into five distinct layers. Within industry, this is known as the Purdue Model and provides a method for understanding the distinct functions of technologies at various levels of an organization.


The Purdue Model

Enterprise Levels (4 - 5)
The Enterprise Network, and Business Planning elements of the network compose levels 5 and 4 respectively. Collectively these are the levels of the corporate office. Routers, servers, personal computers, and printers are all likely to be devices within these layers.

Production Levels (1 - 3)
Levels 3 through 1 constitute the production environment of a given network. Level 3, or Site Control, commonly houses data storage devices (historians) and the central management system (likely an engineering workstation). Here, plant-wide information is simultaneously accessed and warehoused. Level 2, or Area Control, contains more specific control information. This might be the Supervisory Control and Data Acquisition (SCADA) interface for a subcomponent of devices or even the specific Human Machine Interface (HMI) of a single device. Level 1, or Basic Control, refers to the actual distributed control system (DCS) or programable logic control (PLC) that actuates an operational process.

The Purdue Model is helpful in understanding the complexity of modern technological architectures, but is also complicated by the continued rise of the Industrial Internet of Things (IIoT). As information increasingly informs production processes each layer is becoming more intertwined. Therefore, even while the Purdue Model may not reflect the logical typology of network architectures, it does provide a functional map of such systems.

High-Profile OT Cyberattacks

High-profile OT cyberattacks demonstrate that network vulnerabilities exist at each level of network architecture. The Stuxnet worm, uncovered in 2010, was a SCADA exploitation designed to destroy nuclear refiners within Iran. The worm was injected into a closed network via removable media device – likely a USB drive. Once within the enterprise layer the code was able to exploit installation permissions to automatically execute malware. In this case the malware degraded integrity down the network architecture causing specific PLCs to report incorrect information back to area control workstation. This risk could have been mitigated by:

  • Tracking removable media
  • Managing installation permissions
  • Actively monitoring the network for unusual movement

In 2021, a hacker attempted to pollute a Florida public water supply by exploiting the outdated operating system of a particular water plant. The attack began when a personal computer within the network made a visit to an unsecured web address. As a result, the hacker was able to gain network access through the combination of a remote management application and weak password security. After this, the command to pollute the water supply was easily made – though thankfully was observed and reversed by plant personnel. The attack could have been diverted more easily however, had the security operators:

  • Closely managed software updates
  • Heightened password security and authentication processes

Colonial Pipeline was the victim of a target ransomware attack in 2021 that was facilitated by a compromised virtual private network. The hacker group utilized un-retired credentials to access a legacy virtual private network (VPN). The pipeline had been unaware of the continued existence of the VPN and as a result had not factored it into their security considerations. From this vulnerability, however, the hacker group was able to encrypt corporate systems which directly resulted in system downtime. This loss of accessibility could have been avoided if they had:

  • Full asset visibility
  • More closely managed and retired user access
  • Increased password and authentication processes

Summary of Key OT Cybersecurity Attacks

2010

Stuxnet Worm

Target

SCADA & PLC systems that control & monitor industrial electromechanical processes

How It Works

MS Windows worm typically introduced via USB flash drive, modifies PLC code and gives unexpected commands to the PLC

2013

Havex /Dragonfly

Target

SCADA OPC (Object linking and embedding for Process Control) servers

How It Works

Industrial protocol scanner finds devices on TCP ports used by specific PLC venders, plants a backdoor installer file

2015

BlackEnergy & KillDisk (Ukraine power grid)

Target

SCADA systems that remotely switch substations off

How It Works

Spear-phishing to plant malware, to disable/destroy UPS, modems, RTUs, etc. and destroy files on servers and workstations

2016

Shamoon 2 (Disttrack)

Target

Disruption and damage – targeted GCC energy companies

How It Works

Remote access with stolen credentials, plant malware & covertly spread across computers with a scheduled service (process) – then wipe the data

2017

ClearEnergy

Target

Certain PLC models found in SCADA and ICS systems

How It Works

Exploit firmware vulnerability flaws - erases the ladder logic diagram

2017

WannyCry Ransomware

Target

Broadcast globally to everyone via the internet

How It Works

Exploits unsupported (unpatched) MS Windows OS, implants a file running as a service, encrypts users files

2017

Industroyer (CrashOverride)

Target

Electric power distribution grid substation switches and circuit breakers

How It Works

Connects to a remote server, maps the network, issues commands to specific devices

2020

SolarWinds

Target

Large “supply chain” attack affecting 18,000 businesses.

How It Works

Malicious code installed on Orion software update.

2021

City of Oldmar, FL

Target

Oldsmar Water Treatment Facility

How It Works

Remote access software allowed hacker to manipulate formula for adding lye to the water supply.

2021

Colonial Pipeline

Target

Colonial pipeline

How It Works

Ransomware attack from an unidentified legacy VPN that resulted in operational downtime.

Defending OT from Nation-State Cyberattacks

As high-profile cyberattacks increase in number and sophistication, private companies today must be prepared to defend against increasingly capable adversaries and even nation-state attacks. This daunting task can be best approached by systematically understanding network architecture and the lessons of past attacks. The non-profit MITRE Corporation has published the MITRE ATT&CK for ICS framework for this precise purpose.

The MITRE ATT&CK for ICS framework acts as a common industry lexicon by describing eleven categories that are important for understanding how adversaries enter, explore, and exploit your network. Adversaries enter and stay within networks through initial access, evasion, persistence, and by inhibiting responses. Adversaries gather information about the compromised network through discovery, collection, and lateral movement within the ICS environment. After gaining access and information, adversaries are able to execute code, manipulate command and control functions and impair process control in order to negatively impact the overall industrial control system.

MITRE ATT&CK for ICS TTPs

Making a Business Case for OT Cybersecurity

Understanding the evolving security landscape is now a requirement of sound business practice. Without robust industrial security measures, companies take on significant risk to their safety, profitability, and reputation. Profitability can be decreased from unexpected production downtime, legal costs, and increased insurance costs, among other concerns. Our OT Risk Calculator can provide a customized estimate of each factor to show what a cyberattack could really cost your company.

Furthermore, a cyber incident can quickly shake confidence, resulting in brand and reputational damage which translates into a reduced customer base. As a result, it is increasingly important that security professionals learn how to effectively ask for the proper OT cybersecurity budgeting. Explaining these risks to management and requesting an expanded OT security program will ultimately result in gains across the entire business.

Cybersecurity Frameworks for OT/ICS

When determining where to further invest in security, there are many standards out there that can help. One of these is the NIST Cybersecurity Framework (CSF), which can provide a simple method for identifying what opportunities exist to optimize your security processes. The NIST CSF is a voluntary set of guidelines that were created to aid the development of business security strategies. The framework is organized around a security cycle: identify, protect, detect, respond, recover. Each stage requires an understanding of the distinct elements of the OT network and the proper people, processes and technologies for effective implementation.


The NIST Cybersecurity Framework

Another popular standard used to design an OT/ICS security program is the ISA/IEC 62443 standard. The ISA/IEC 62443 series of standards offers a flexible framework of security controls that define ICS security techniques, processes, and procedures to aid organizations in mitigation and risk reduction for security vulnerabilities in ICS. Organizations can adopt and enforce security controls that work reliably across devices, networks, and infrastructure based on this single congruous framework.

Best Practice Recommendations for OT/ICS

Within OT environments, specific best practices can be employed to maximize security effectiveness. The first requirement is robust asset management. With a full understanding of the network, it is possible to establish centralized management with effective monitoring techniques. Centralized monitoring will subsequently enable security operators to implement automated vulnerability and anomaly detection abilities. Each of these steps and best practices fundamentally serve to assure that the right data is in the hands of your OT defenders. Understanding your system and knowing how to ask OT security vendors the right questions is the first step in reaching this goal.

OT Cybersecurity Resources

Understanding OT cybersecurity can be complicated. The increasing frequency and sophistication of ICS cyberattacks, the rise of the IIoT, and many other factors add to the complexity. Yet, the importance of critical infrastructure is too great to ignore its security. Furthermore, it is now impossible to safely operate an industrial control system as a business without a rigorous OT cybersecurity approach. Industrial Defender offers resources to aid in the search for solutions to each of these issues.

Our OT Security 101 Webinar provides guidance to better understand the security principles of OT cybersecurity. Industrial Defender’s OT Cybersecurity Solutons Buyer’s Guide provides information that can help narrow the search for an ICS security solution. The Defender Sphere is designed to help clarify the various vendors, services, and equipment involved in the operational technology landscape.

By taking advantage of these and additional resources, security professionals can understand industrial control systems and achieve robust OT cybersecurity to support key business interests and safety requirements.