OT cybersecurity refers to the set of procedures and best practices designed to mitigate and prevent the exploitation of cyber-physical systems and industrial control systems (ICS). Industrial control systems are digital networks that automate production processes, and they are used across a wide variety of business and critical infrastructure sectors, from energy grids to manufacturing plants.
The importance of ICS security is a function of the unique risk associated with operating operational technology. Plant- and factory-level employees are often exposed to safety risks. Global supply networks rely on the consistent availability of industrial control systems within ports and other shipping nodes. The public requires critical infrastructure, such as water and energy systems, to operate around the clock. Any disruption across this wide network has far-reaching consequences, making the availability and resilience of operational technology key to public wellbeing.
Information and Operational Technology serve different purposes. IT cybersecurity concerns enterprise-level equipment used to manage data. OT cybersecurity concerns production level equipment used to manage physical products. These differences lead to unique security environments. IT security operators must keep up with quickly evolving equipment, platforms, and applications. The high rate of change means modular networks and routine updates. Furthermore, the value of IT is often linked with data and intellectual property stored within the network. For this reason, IT security’s primary concern is the confidentiality of the data. On the other hand, OT cybersecurity operators maintain systems with legacy equipment because of the high cost of equipment replacement and the slow change of system requirements. This means industrial control systems often contain known vulnerabilities. The value of operational technology, however, is most directly related to the continual and consistent operation of the equipment. Therefore, there are fewer opportunities for system downtime, updates, and equipment replacement. As a result, OT cybersecurity’s primary responsibility is the availability of the industrial control system.
The technological architecture of organizations using operational technology can be organized into five distinct layers. Within industry, this is known as the Purdue Model and provides a method for understanding the distinct functions of technologies at various levels of an organization.
Enterprise Levels (4 - 5)
The Enterprise Network and Business Planning elements of the network compose levels 5 and 4, respectively. Collectively these are the levels of the corporate office. Routers, servers, personal computers, and printers are all likely to be devices within these layers.
Production Levels (1 - 3)
Levels 3 through 1 constitute the production environment of a given network. Level 3, or Site Control, commonly houses data storage devices (historians) and the central management system (likely an engineering workstation). Here, plant-wide information is simultaneously accessed and warehoused. Level 2, or Area Control, contains more specific control information. This might be the Supervisory Control and Data Acquisition (SCADA) interface for a subcomponent of devices or even the specific Human Machine Interface (HMI) of a single device. Level 1, or Basic Control, refers to the actual distributed control system (DCS) or programmable logic controller (PLC) that actuates an operational process.
The Purdue Model is helpful in understanding the complexity of modern technological architectures, but it is also complicated by the continued rise of the Industrial Internet of Things (IIoT). As information increasingly informs production processes, each layer is becoming more intertwined. Therefore, even where the Purdue Model no longer reflects the logical topology of a network, it still provides a functional map of such systems.
High-profile OT cyberattacks demonstrate that network vulnerabilities exist at each level of network architecture. The Stuxnet worm, uncovered in 2010, was a SCADA exploitation designed to destroy nuclear refiners within Iran. The worm was introduced into a closed network via a removable media device, likely a USB drive. Once within the enterprise layer, the code was able to exploit installation permissions to automatically execute malware. In this case the malware degraded integrity down the network architecture, causing specific PLCs to report incorrect information back to the area control workstation. This risk could have been mitigated by:
In 2021, a hacker attempted to pollute a Florida public water supply by exploiting the outdated operating system of a particular water plant. The attack began when a personal computer within the network visited an unsecured web address. As a result, the hacker was able to gain network access through the combination of a remote management application and weak password security. After this, the command to pollute the water supply was easily issued, though thankfully it was observed and reversed by plant personnel. The attack could have been averted more easily, however, had the security operators:
Colonial Pipeline was the victim of a targeted ransomware attack in 2021 that was facilitated by a compromised virtual private network (VPN). The hacker group utilized unretired credentials to access a legacy VPN. The company had been unaware of the continued existence of the VPN and as a result had not factored it into its security considerations. From this vulnerability, the hacker group was able to encrypt corporate systems, which directly resulted in system downtime. This loss of availability could have been avoided if they had:
As high-profile cyberattacks increase in number and sophistication, private companies today must be prepared to defend against increasingly capable adversaries and even nation-state attacks. This daunting task can be best approached by systematically understanding network architecture and the lessons of past attacks. The non-profit MITRE Corporation has published the MITRE ATT&CK for ICS framework for this precise purpose.
The MITRE ATT&CK for ICS framework acts as a common industry lexicon by describing eleven categories that are important for understanding how adversaries enter, explore, and exploit your network. Adversaries enter and stay within networks through initial access, evasion, persistence, and by inhibiting responses. Adversaries gather information about the compromised network through discovery, collection, and lateral movement within the ICS environment. After gaining access and information, adversaries are able to execute code, manipulate command and control functions and impair process control in order to negatively impact the overall industrial control system.
Understanding the evolving security landscape is now a requirement of sound business practice. Without robust industrial security measures, companies take on significant risk to their safety, profitability, and reputation. Profitability can be decreased from unexpected production downtime, legal costs, and increased insurance costs, among other concerns. Our OT Risk Calculator can provide a customized estimate of each factor to show what a cyberattack could really cost your company.
Furthermore, a cyber incident can quickly shake confidence, resulting in brand and reputational damage which translates into a reduced customer base. As a result, it is increasingly important that security professionals learn how to effectively ask for the proper OT cybersecurity budgeting. Explaining these risks to management and requesting an expanded OT security program will ultimately result in gains across the entire business.
When determining where to further invest in security, there are many standards out there that can help. One of these is the NIST Cybersecurity Framework (CSF), which can provide a simple method for identifying what opportunities exist to optimize your security processes. The NIST CSF is a voluntary set of guidelines that were created to aid the development of business security strategies. The framework is organized around a security cycle: identify, protect, detect, respond, recover. Each stage requires an understanding of the distinct elements of the OT network and the proper people, processes and technologies for effective implementation.
Another popular standard used to design an OT/ICS security program is the ISA/IEC 62443 standard. The ISA/IEC 62443 series of standards offers a flexible framework of security controls that define ICS security techniques, processes, and procedures to aid organizations in mitigation and risk reduction for security vulnerabilities in ICS. Organizations can adopt and enforce security controls that work reliably across devices, networks, and infrastructure based on this single congruous framework.
Within OT environments, specific best practices can be employed to maximize security effectiveness. The first requirement is robust asset management. With a full understanding of the network, it is possible to establish centralized management with effective monitoring techniques. Centralized monitoring will subsequently enable security operators to implement automated vulnerability and anomaly detection abilities. Each of these steps and best practices fundamentally serve to assure that the right data is in the hands of your OT defenders. Understanding your system and knowing how to ask OT security vendors the right questions is the first step in reaching this goal.
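To make the Purdue layering above and the best practices in this section concrete, the following is an added example (not code from the article or from Industrial Defender): a constructed asset inventory keyed by Purdue level, plus a centralized check over constructed connection records that flags the three patterns the case studies describe: an unknown asset (the legacy VPN), enterprise hosts reaching area or basic control directly, and remote-management sessions from the enterprise into production (the water-plant incident). All host names, services and records are assumptions made for the example.

```python
# Added example (not the article's or Industrial Defender's code): an asset
# inventory plus a centralized flow check over constructed connection records,
# using the Purdue levels the text describes. All host names are constructed.

# Constructed asset inventory: host -> Purdue level. A host missing here is
# an unknown asset, the blind spot the legacy VPN created at Colonial.
INVENTORY = {
    "erp-srv-01": 4,       # business planning
    "historian-01": 3,     # site control: data historian
    "eng-ws-01": 3,        # site control: engineering workstation
    "scada-hmi-02": 2,     # area control
    "plc-line7": 1,        # basic control
}
REMOTE_MGMT = {"rdp", "vnc", "teamviewer"}  # remote-management services

def check_flow(src: str, dst: str, service: str) -> list:
    """Return (src, dst, reason) findings for one connection."""
    findings = []
    s_lvl, d_lvl = INVENTORY.get(src), INVENTORY.get(dst)
    for host, lvl in ((src, s_lvl), (dst, d_lvl)):
        if lvl is None:
            findings.append((src, dst, f"unknown asset {host}"))
    if s_lvl is None or d_lvl is None:
        return findings
    from_enterprise = s_lvl >= 4
    # Enterprise hosts may read site-control (level 3) data, where plant-wide
    # information is warehoused, but must not reach area or basic control.
    if from_enterprise and d_lvl <= 2:
        findings.append((src, dst, f"level {s_lvl} reaches level {d_lvl} directly"))
    # Remote-management sessions from the enterprise into production are the
    # pattern behind the water-plant incident described above.
    if from_enterprise and d_lvl <= 3 and service in REMOTE_MGMT:
        findings.append((src, dst, f"{service} from enterprise into production"))
    return findings

def scan(records) -> list:
    """Run check_flow over 'src dst service' records; return all findings."""
    out = []
    for rec in records:
        src, dst, service = rec.split()
        out.extend(check_flow(src, dst, service))
    return out

SAMPLE_RECORDS = [  # constructed connection records
    "scada-hmi-02 plc-line7 modbus",     # expected 2 -> 1 traffic
    "erp-srv-01 historian-01 https",     # enterprise reading level 3 data
    "erp-srv-01 plc-line7 modbus",       # enterprise reaching a PLC directly
    "erp-srv-01 eng-ws-01 rdp",          # remote management into production
    "vpn-legacy-01 historian-01 ssh",    # unknown asset
]
```

Running `scan(SAMPLE_RECORDS)` yields three findings; the two expected flows produce none, which is the point of keeping the inventory current before tuning detection.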
Understanding OT cybersecurity can be complicated. The increasing frequency and sophistication of ICS cyberattacks, the rise of the IIoT, and many other factors add to the complexity. Yet, the importance of critical infrastructure is too great to ignore its security. Furthermore, it is now impossible to safely operate an industrial control system as a business without a rigorous OT cybersecurity approach. Industrial Defender offers resources to aid in the search for solutions to each of these issues.
Our OT Security 101 Webinar provides guidance to better understand the security principles of OT cybersecurity. Industrial Defender’s OT Cybersecurity Solutions Buyer’s Guide provides information that can help narrow the search for an ICS security solution. The Defender Sphere is designed to help clarify the various vendors, services, and equipment involved in the operational technology landscape.
By taking advantage of these and additional resources, security professionals can understand industrial control systems and achieve robust OT cybersecurity to support key business interests and safety requirements.