Four Action Steps for Shoring Up OT Cybersecurity
Putting time and intent into the setup can save time and cost later.
Cybersecurity isn’t a foreign concept to industrial enterprises. Management, engineers, and technicians can’t help but see the headlines in the trade and business press, regardless of their sector. In fact, a 2019 global survey of 282 industrial companies operating in critical infrastructure and process industries revealed that 80% consider operational technology (OT) cybersecurity to be a high priority. However, that same survey found that only 31% had implemented an incident response program and only 57% had committed any budget to cybersecurity.
This suggests a gulf between intention and practice, a gap not lost on threat actors of all kinds: increasingly criminal enterprises, state actors, and so-called hacktivists with political agendas.
That is in addition to solitary hackers using powerful tools readily available on the dark web, such as ransomware-as-a-service. Implementing a comprehensive, defense-in-depth OT cybersecurity program, including an effective incident response and data/business recovery plan, does not necessarily require a large budget. It does demand some specialized knowledge, time, and effort. Much of that time can be recovered on future projects, because accurate documentation and better familiarity with existing systems reduce pre-engineering and startup time.
The following are four steps that industrial enterprises may consider to deploy and harden OT cybersecurity, in addition to improving their resiliency and data/business recovery times should an intrusion occur.
Understand the similarities and differences between OT and IT cybersecurity
OT and information technology (IT) cybersecurity have the same goal: to keep the business safe from external cyber-attacks and from insider threats, which may be malicious but are more often unintentional.
However, OT and IT cybersecurity typically have different approaches with different priorities, management structures, types of protected assets and even different standards. First, consider their respective goals. IT focuses on data confidentiality, integrity and availability, while OT focuses on personnel and environmental safety—a huge concern not typically part of IT’s responsibilities—as well as asset availability and utilization, plus the integrity of operating data and relevant intellectual property.
OT networks must operate in near real-time with minimal latencies, while IT networks can operate with best-effort packet timings, with latencies in seconds not being disruptive. Second, each group has different backgrounds, management, and responsibilities.
With computer science backgrounds, IT usually reports to the CSO or CIO, who reports either to the CFO or CEO. With industrial engineering backgrounds, OT typically reports up through plant management and, at the executive level, the COO.
Third, IT and OT use different standards for their frameworks. Both may employ layered, defense-in-depth approaches, but IT follows the ISO/IEC 27000 family of information security standards.
In OT, the ISA/IEC 62443 series and NIST SP 800-82 standards are most prevalent as they provide flexible frameworks to address and mitigate security vulnerabilities in industrial automation and control systems.
Finally, IT and OT are responsible for different types of hardware and software. While IT strives for tightly controlled and short lists of supported hardware, operating systems and software applications with refresh cycles in the 3-5 years range, OT is stuck with managing and securing many legacy machines, systems and applications that can span 30-plus years.
The reason IT and OT must better understand each other is they must collaborate to sufficiently protect OT as part of the much larger and increasingly digitalized business enterprise. That’s especially true as OT starts incorporating such technologies as edge and cloud computing, the Industrial Internet of Things (IIoT) connectivity, remote asset performance monitoring and diagnostics, and much more.
1. Conduct a detailed site survey to create an accurate inventory of networks and networked devices
A basic cybersecurity dictum is you can’t protect what you don’t know exists. That’s why it’s important to document every OT network and attached device. Most industrial operations today have deployed a mix of wired and wireless networks, with best practices involving the segmentation of those networks.
Segmentation makes it easier to contain an initial intrusion, limiting its spread and its threat to the entire plant. Start with documentation from existing project files, preferably as-built rather than as-designed, if it exists. As-designed drawings often differ from what was actually installed, because the physical or logical environment was different when the network or its connected assets were deployed, or because they have been changed since. With this documentation in hand, assign an engineering intern or technician to walk down the network and redline the diagrams, documenting every port and its attached cable while also labeling them.
Of course, if no diagrams exist, as can be the case for years- or decades-old plants, then the intern or technician will have to draw them, and should do so in a capable 2D CAD tool rather than by hand, so the resulting files are digital and therefore far more useful and versatile. As a critical part of this project, a network verification scan should be done to ensure all device ports are identified and categorized.
One of the most popular free, open-source scanners is Network Mapper (Nmap). Such tools must be used with caution on SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) networks because they can cause inadvertent interruptions of field devices: older PLC and RTU network stacks have been known to hang or fault when they receive unexpected probes, and version detection and scripted probes are the usual culprits. This is another reason IT and OT groups need to collaborate and educate each other. Tools like Nmap are routinely safe on purely IT networks but can cause problems if run with IT defaults against OT ones. Where possible, prefer passive discovery first (a capture from a switch span port, or the switch MAC and ARP tables) and keep active scans slow, limited to known ports, and scheduled for maintenance windows. ICS forums can provide a wealth of guidance on the proper use of network scanners in OT environments. Going forward, be sure any future project RFPs (Requests for Proposal) require network diagrams with physical or scanner verification before the project starts and after site acceptance.
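As an added example (not code from the article or from Nmap), the script below turns an Nmap XML report (the `-oX` output) into the asset inventory this step calls for, classifying open ports into ICS-protocol, management, and other, and flagging hosts that deserve attention. It also builds a deliberately conservative Nmap argument list for a verification pass on an OT segment. The embedded XML is constructed by hand in Nmap's report format; the hostnames, addresses, vendor string and port assignments in it are made up, and the port-to-protocol table covers only a few common TCP services.

```python
"""Nmap XML report -> OT asset inventory with port categories and findings."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Well-known TCP ports of common ICS protocols (a small, non-exhaustive table).
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}
# Remote-management services that should not be exposed on a control device.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 5900: "VNC"}

# Constructed sample in Nmap's -oX format; every value is fictitious.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sT -T2 -p 22,23,80,102,502,3389 -oX - 10.10.20.0/24">
<host><status state="up"/>
<address addr="10.10.20.11" addrtype="ipv4"/>
<address addr="02:00:00:00:00:11" addrtype="mac" vendor="ExampleVendor"/>
<hostnames><hostname name="plc-line1" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="102"><state state="open"/><service name="iso-tsap"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port>
</ports></host>
<host><status state="up"/>
<address addr="10.10.20.50" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3389"><state state="open"/></port>
<port protocol="tcp" portid="502"><state state="open"/></port>
</ports></host>
<host><status state="down"/><address addr="10.10.20.99" addrtype="ipv4"/></host>
</nmaprun>
""".strip()


def classify_port(portid: int, protocol: str = "tcp") -> str:
    """Bucket an open port as 'ics', 'management' or 'other'."""
    if protocol == "tcp" and portid in ICS_PORTS:
        return "ics"
    if protocol == "tcp" and portid in MGMT_PORTS:
        return "management"
    return "other"


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one inventory record per host that Nmap reported as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None, "open_ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = addr.get("addr"), addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            rec["hostname"] = name.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            pid, proto = int(port.get("portid")), port.get("protocol", "tcp")
            rec["open_ports"].append({"port": pid, "protocol": proto,
                                      "category": classify_port(pid, proto)})
        rec["is_ics"] = any(p["category"] == "ics" for p in rec["open_ports"])
        hosts.append(rec)
    return hosts


def findings(hosts: list[dict]) -> list[str]:
    """Things a reviewer should follow up on after the walk-down."""
    out = []
    for h in hosts:
        label = h["hostname"] or h["ip"]
        if h["hostname"] is None:
            out.append(f"{label}: no hostname, asset not labelled in inventory")
        mgmt = [p["port"] for p in h["open_ports"] if p["category"] == "management"]
        if h["is_ics"] and mgmt:
            out.append(f"{label}: ICS device exposes management ports {mgmt}")
    return out


def conservative_scan_args(target: str, ports: list[int] | None = None) -> list[str]:
    """Argument list for a cautious Nmap pass on an OT segment (standard Nmap flags).

    -sT full TCP connect instead of raw SYN; -T2 polite timing; --max-rate caps
    packets per second; --max-retries 1 avoids hammering lossy devices; -n skips
    DNS lookups; -Pn treats every listed address as up. No -sV and no --script:
    version probes and NSE scripts are what most often upset field devices.
    """
    args = ["nmap", "-sT", "-T2", "--max-rate", "10", "--max-retries", "1", "-n", "-Pn"]
    if ports:
        args += ["-p", ",".join(str(p) for p in ports)]
    return args + ["-oX", "inventory.xml", target]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for rec in inventory:
        print(rec)
    print("\n".join(findings(inventory)))
    print(" ".join(conservative_scan_args("10.10.20.0/24", sorted(ICS_PORTS))))
```

Run the real scan only with the agreement of the plant's OT owner and during a maintenance window; feed the resulting `inventory.xml` to `parse_nmap_xml` and reconcile every record against the redlined drawings, since a host the scan found but the walk-down missed is exactly the undocumented asset this step exists to catch.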
2. Optimize currently deployed network components
Next, disable all unused services, features, and ports, and replace default logins and passwords with long, unique credentials. Set up user-specific, policy- and role-based logins, granting privileges according to Identity and Access Management (IAM) best-practice principles such as least privilege. Many software packages integrate with Microsoft Active Directory, the most widely used directory service for Windows domain networks. Finally, enable all security-related logging and forward login histories to a syslog server that the monitored devices cannot erase, so that user activity and alarms remain traceable if forensics is needed.
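The point of forwarding login histories is that someone can later ask who logged in where, and whether default accounts are still in use. As an added example (not code from the article), the script below audits a batch of forwarded login events: it parses syslog-style lines, lists successful logins by default accounts, detects sources that fail repeatedly against one device, flags a success that follows such a run, and checks each successful login against a per-device list of allowed users. The log lines and the `key=value` message format are constructed for this example; the device names, users and addresses are made up.

```python
"""Audit login events collected on a syslog server (constructed sample data)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Accounts that ship enabled on many devices and should be disabled or renamed.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "operator", "guest", "service"}

# RFC 3164-style envelope: <PRI>timestamp host app: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a forwarded login history, one message per line.
SAMPLE_LOG = """\
<86>Jun 14 02:11:05 hmi-line1 login: user=admin src=10.10.20.200 result=success
<86>Jun 14 02:12:40 hmi-line1 login: user=jdoe src=10.10.20.31 result=success
<85>Jun 14 03:01:01 sw-core-1 login: user=root src=10.10.30.7 result=fail
<85>Jun 14 03:01:04 sw-core-1 login: user=root src=10.10.30.7 result=fail
<85>Jun 14 03:01:09 sw-core-1 login: user=root src=10.10.30.7 result=fail
<85>Jun 14 03:01:15 sw-core-1 login: user=netops src=10.10.30.7 result=success
<86>Jun 14 04:20:00 historian-1 login: user=asmith src=10.10.20.31 result=success
this line is malformed and must be skipped, not crash the audit
"""

# Role policy: which accounts may authenticate to which device (hypothetical).
ALLOWED_USERS = {
    "hmi-line1": {"jdoe", "asmith"},
    "sw-core-1": {"netops"},
    "historian-1": {"asmith", "dba"},
}


def parse_line(line: str) -> dict | None:
    """Split the syslog envelope and the key=value fields; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event.update(dict(KV_RE.findall(event["msg"])))
    return event


def audit(log_text: str, allowed: dict[str, set[str]], fail_threshold: int = 3) -> dict:
    """Run the checks over the whole history, in the order events were logged."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures: Counter = Counter()          # (host, src) -> consecutive failures
    report = {"default_account_logins": [], "brute_force_sources": {},
              "success_after_failures": [], "unauthorized_logins": [],
              "skipped_lines": len(log_text.splitlines()) - len(events)}
    for e in events:
        key, user = (e["host"], e.get("src")), e.get("user")
        if e.get("result") == "fail":
            failures[key] += 1
            if failures[key] >= fail_threshold:
                report["brute_force_sources"][key] = failures[key]
            continue
        if e.get("result") != "success":
            continue
        if user in DEFAULT_ACCOUNTS:
            report["default_account_logins"].append((e["host"], user, e.get("src")))
        if user not in allowed.get(e["host"], set()):
            report["unauthorized_logins"].append((e["host"], user))
        if failures[key] >= fail_threshold:
            # A success right after a run of failures from the same source is
            # either password guessing that worked or an operator who should be asked.
            report["success_after_failures"].append((e["host"], user, e.get("src")))
        failures[key] = 0
    return report


def login_history(log_text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Per-user timeline of (timestamp, host, result), the view forensics starts from."""
    history = defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        history[e.get("user", "?")].append((e["ts"], e["host"], e.get("result", "?")))
    return dict(history)


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LOG, ALLOWED_USERS).items():
        print(f"{name}: {value}")
    for user, entries in login_history(SAMPLE_LOG).items():
        print(user, entries)
```

In practice the `user=`/`src=`/`result=` extraction is the part to adapt: Windows Security events, switch syslog and HMI application logs each name these fields differently, and the forwarding agent is normally configured to normalize them before they reach the syslog server.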
3. Implement comprehensive and automated data protection
Having proactive safeguards in place is important, but it’s also critical to have effective reactive procedures ready to respond to intrusions, especially to quickly restore the integrity of operations, applications, data, or any combination of the three. Key ICS and SCADA functions should be backed up with hot standbys featuring immediate failover capabilities should their primary counterparts be disrupted.
For data protection, automated, continuous backups are preferable; at a minimum they should run weekly. Ideally, the backup storage is off-network and, better still, offsite as well. Off-network storage protects the backups if malware such as ransomware succeeds in circumventing the defense-in-depth and network segmentation measures and encrypts everything it can reach. In the NotPetya attack of 2017 (destructive malware disguised as ransomware), the global shipping giant Maersk nearly had to rebuild its Active Directory from scratch until it found a domain controller in Ghana that had happened to be offline during the attack because of a local power outage.
Offsite storage protects the backups from physical damage to the storage servers caused by natural or man-made disasters such as hurricanes, tornadoes, explosions, and fires. Keep in mind that backups are useless if the OT/IT staff does not know how to restore them, lacks the right tools to do so, or if the backup system is misconfigured and cannot restore the needed system data.
Three facets of restoration must be part of an effective, response-ready recovery strategy:
- OT/IT staff must know how each unit of software and hardware is licensed and the procedure to recover and reinstall those licenses. For example, reinstalling a virtual machine or hard drive image may not work, if the license is tied to old hardware, especially if the hard drive serial number is part of the system fingerprint.
- As authentication by certificates becomes more prevalent, it’s important to understand which devices require certificates and how to renew, reinstall, and, if needed, reimport those certificates.
- Backups must be tested regularly to ensure they can be restored. To do this, pick a system to restore during every scheduled outage or downtime period. This assures backups are operational and gives the OT/IT team practice with restoration procedures. It also allows detailed written procedures to be developed, updated and improved.
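The third facet, proving a backup can actually be restored, is mechanical enough to script. As an added example (not code from the article), the script below builds a SHA-256 manifest of a backup set and then compares a restored copy against it, reporting files that are missing, corrupted or unexpected, which is the minimum a restore test during a scheduled outage should record. The sample backup set is written to a temporary directory so the script runs offline; the file names and contents are made up, and the "license file tied to a hardware serial" is there only to illustrate the first bullet above.

```python
"""Backup manifest + restore verification (constructed sample files)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Constructed backup set: an HMI project, a PLC program and a node-locked license.
SAMPLE_FILES = {
    "config/plc_program.bin": b"\x00\x01\x02PROGRAM-BLOCK",
    "config/hmi_project.xml": b"<project name='line1' version='7'/>",
    "licenses/scada.lic": b"LICENSE-KEY-BOUND-TO-DISK-SERIAL-ABC123",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record path, size and SHA-256 of every file under the backup root."""
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        files[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return {"files": files}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest taken when the backup was made."""
    expected = manifest["files"]
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - present)
    extra = sorted(present - set(expected))
    corrupted = sorted(rel for rel in set(expected) & present
                       if sha256_file(restored / rel) != expected[rel]["sha256"])
    # Extra files do not fail the test but are reported: they mean the restore
    # target was not clean, which can mask a restore that only partly worked.
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}


def demo() -> tuple[dict, dict]:
    """Write a sample backup, store its manifest, then check a good and a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp) / "backup", Path(tmp) / "restored"
        for rel, data in SAMPLE_FILES.items():
            for base in (backup, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))
        manifest = json.loads(manifest_path.read_text())   # reload, as a restore test would

        # Simulate a restore that went wrong: one file truncated, one missing,
        # one leftover from an earlier attempt.
        (restored / "config/hmi_project.xml").write_bytes(b"<project name='line1'")
        (restored / "licenses/scada.lic").unlink()
        (restored / "notes.txt").write_bytes(b"left over from a previous restore")

        return verify_restore(manifest, backup), verify_restore(manifest, restored)


if __name__ == "__main__":
    good, bad = demo()
    print("restore from pristine copy:", good)
    print("restore with problems:     ", bad)
```

A manifest match proves the bytes came back; it does not prove the application starts, so the restore test should still end with the HMI or historian actually running from the restored files, and with the license and certificate steps from the two bullets above written down as they were performed.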
4. Think about cybersecurity like safety
Like plant health, safety and environment (HSE) programs, cybersecurity should be treated as a required, standing risk-reduction program with support from executive management, owners, and the board of directors. The steps outlined above should become regular routines and be added to preventive maintenance (PM) schedules, so that, where they are not already continuous activities as backups are, they are conducted like any other OT PM routine, with assigned resources and responsibilities.
Industrial enterprises therefore need to treat cybersecurity as a matter of business continuity, just as they would a natural disaster or fire, with plans, training and drills at regular intervals, at least twice yearly. It is also why companies with doubts about the maturity of their industrial cybersecurity should start evaluating their safeguards right away and strengthen them where necessary.
Written by: Chuck Tommey, P.E. GICSP CEH, and digital connectivity/cybersecurity executive at Siemens, for Industry Week.