OT/IT Convergence and the Need for Secure Device Ecosystems
What is OT?
Industrial control systems (ICS) are found in energy, utilities, manufacturing and other operations where processes are automated. The technology has been around for decades and has been described with terms such as SCADA, Machine-to-Machine (M2M), Distributed Control Systems (DCS) and, more recently, IoT or, more specifically, IIoT (Industrial Internet of Things). What started as closed, proprietary automation systems is increasingly becoming computerized and connected.
Automated industrial environments do everything from mixing chemicals to diverting natural gas and packaging food. Inputs from sensors are fed to decision-making controllers, which respond by sending commands to actuators. Regardless of the complexity or criticality of the environment, this flow of data and commands between sensors, controllers and actuators is the basis of industrial control systems.
Cyber Security Incidents in ICS?
In figure 1, according to the European Union Agency for Network and Information Security (ENISA), there were 245 cyber security incidents in 2014. In figure 2, US-CERT reported that the number of incidents in the US was 231, climbing to 486 in 2015. These numbers would probably surprise the average person outside the cyber security industry and show the importance of securing ICS environments.
IT Solutions Do Not Neatly Fit OT Environments
High availability of the process and safety are the main focus of OT. ICS installations have separate safety instrumented systems (SIS) whose sole purpose is to maintain safe operation. They also have additional infrastructure, such as fault-tolerant or redundant devices, to manage the availability and reliability of plant equipment. When intellectual property or credit card numbers are stolen from an IT environment, physical safety is rarely affected. The term 'critical', when applied to infrastructure, highlights the importance of safety to ICS processes. It also refers to the criticality of uptime.
Uptime is vital to the viability of an OT business. While IT systems suffer downtime regularly, whether planned or unplanned, OT environments are built to run without it. Even a short outage can cost millions of dollars in lost revenue, and some processes by their nature cannot easily be restarted. Some critical infrastructure is deemed so important that it is watched carefully by regulators, and any downtime is considered dangerous to national security. Safety aside, plant managers are tasked with keeping their operations running smoothly above anything else. Rebooting a device to apply a software security update is simply not an option in many OT environments, which requires very different thinking from IT.
Compliance with regulation affects OT more often than IT. While PCI DSS affects enterprises that accept credit card payments, regulations such as NERC CIP and CFATS have wide and costly implications for entire industries.
Enterprises utilizing IT are typically highly connected. OT environments are traditionally closed systems, but increasingly becoming connected. Organizations that operate ICS will always be asset-intensive environments, but they are pressured to become digital businesses. Business value is unlocked by allowing data out of critical, real-time systems. But how do we do that securely?
OT environments have a very wide range of device and network capabilities. IT endpoints typically have far more compute, memory and connectivity than the average OT device. Purpose-built devices designed for uptime and low bandwidth usage limit the security solutions that can run on them. OT networks can be limited by bandwidth, by device on-time or, in some cases, by reliable connectivity. Security systems for devices on these networks need to work within these limitations.
From serial cables to industrial Ethernet, there is a very wide range of data transport mechanisms and protocols in OT environments. Many protocols used in modern ICS are repurposed serial protocols in which security concepts do not exist or are an afterthought: Modbus, for example, carries no authentication or integrity field, so any host that can reach a controller can issue it commands. This protocol diversity and complexity is high enough that translator systems exist to communicate between human machine interfaces (HMIs) and controllers. These translator systems are themselves vulnerable to attack, as shown by BlackEnergy and other attacks.
OT environments can span large geographical distances. IT environments need to control their wireless access points, but usually within a contained campus. Even the largest enterprise campus is much smaller than the footprint of an energy plant or its pipelines.
Patterns of Risk in Operational Technology
What have we learned from security research and successful attacks on ICS? Technical journalism is motivated to make each story seem unique so that readers click on the article. Reading past the headlines, the attacks follow patterns, suggesting that there are common weak points in ICS security.
There is too much reliance on perimeter security. The term 'air gap' implies that a computing system is not connected to a network and is not accessible from the public internet. The Stuxnet worm is an example of a successful attack against computing systems assumed to be isolated; it spread on USB removable media, so the air gap was crossed without any network connection at all. The Shodan search engine highlights the fact that thousands of sensitive ICS devices are exposed to the public internet. The PwnPlug, a device created by security researchers, is an example of a stealthy implant that can be installed in an ICS network, effectively punching a communication hole through a firewall. How many workstations in an ICS environment are connected to the IT layer and/or the public internet in order to meet legitimate business requirements of plant staff? That number is probably greater than zero, meaning those workstations are at risk of becoming a malicious gateway into the system. As we know from the IT world, social engineering works, and ICS staff are not immune.
Devices, applications and people should all be able to establish trust with each other. ICS devices are currently too trusting. Stuxnet, BlackEnergy and other malicious software used against ICS work in part because devices cannot uniquely identify each other. Authentication is required. The ineffectiveness of perimeter security discussed above means that devices need their own ability to know whom they are accepting commands from, and whom they are agreeing to send data to. For people, it is common practice to hand out over-privileged VPN credentials to sensitive ICS systems. There are better ways to give fine-grained access control to device networks.
Is that printer authorized to send a firmware update to a chemical mixing controller? Probably not. The controller should only accept commands from devices that are authorized to send them. The complexity of ICS protocols is no guarantee that attackers cannot simply re-issue commands they see crossing the network, from any device they have been able to compromise. Authorization is required in ICS so that attackers who have established a beachhead in your operational network have fewer options. Note that authorization alone does not stop a captured command from an authorized device being replayed verbatim; messages also need freshness, such as a counter or nonce covered by the authentication tag.
How do we protect the integrity and confidentiality of data in transit? TLS has thankfully made its way into IoT standards, but it is still early days for ICS network communications and it needs to become more widespread.
What about devices that will never be capable of the cryptographic functions necessary for authentication, authorization or TLS? Brownfield devices will be with us for the rest of our lives. It is very important to secure these devices with controlled and isolated network addressing: segment them so that only a gateway can reach them, and have the gateway perform authentication and authorization on their behalf before forwarding any traffic.
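The three requirements above (device authentication, per-device authorization with replay protection, and a gateway in front of brownfield devices) as one added example. This is not the article's code and not any vendor's product: it is a small Python gateway that sits between networked clients and a legacy Modbus/TCP controller. Assumptions, none of them from the article: each client device holds a pre-shared 32-byte key provisioned out of band; clients wrap every Modbus frame in an envelope of device id, monotonically increasing counter and frame, authenticated with HMAC-SHA256; the device ids, keys and Modbus requests are constructed for illustration. The gateway rejects unknown identities, bad MACs, replayed counters and function codes the device is not allowed to use, and only then would forward the bare frame to the controller, which never has to understand any of this.

```python
"""Added example: an authenticating, authorizing gateway for a brownfield
Modbus/TCP controller. Not the article's code; registry, keys and frames are
constructed for illustration (hypothetical device ids, placeholder keys)."""
import hashlib
import hmac
import struct

MBAP_LEN = 7   # Modbus/TCP header: transaction id (2), protocol id (2), length (2), unit id (1)
TAG_LEN = 32   # HMAC-SHA256 output
READ_FUNCS = frozenset({0x01, 0x02, 0x03, 0x04})   # read coils/inputs/registers
WRITE_FUNCS = frozenset({0x05, 0x06, 0x0F, 0x10})  # write coils/registers

# Constructed registry: device identity -> per-device key and allowed function codes.
# Keys are placeholders; real keys would be provisioned at manufacture or commissioning.
DEVICE_REGISTRY = {
    "hmi-01": {"key": bytes(range(32)), "allowed": READ_FUNCS | WRITE_FUNCS},
    "historian-01": {"key": bytes(range(32, 64)), "allowed": READ_FUNCS},
}


def modbus_frame(unit_id, pdu, txn_id=1):
    """Wrap a Modbus PDU in an MBAP header. Note there is no authentication field."""
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


def seal(device_id, key, counter, frame):
    """Client side: envelope = id_len | device_id | counter | frame | HMAC(key, all of that)."""
    did = device_id.encode("ascii")
    body = struct.pack(">H", len(did)) + did + struct.pack(">Q", counter) + frame
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Validates envelopes and decides whether the bare Modbus frame may reach the controller."""

    def __init__(self, registry):
        self.registry = registry
        self.highest_counter = {}  # device_id -> highest accepted counter (replay protection)

    def check(self, envelope):
        """Return (accepted, reason, frame); frame is the ADU to forward, or None."""
        if len(envelope) < 2 + 8 + TAG_LEN:
            return False, "malformed envelope", None
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        (id_len,) = struct.unpack(">H", body[:2])
        device_id = body[2:2 + id_len].decode("ascii", "replace")
        entry = self.registry.get(device_id)
        if entry is None:
            return False, "unknown device", None          # authentication: who is this?
        expected = hmac.new(entry["key"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):        # constant-time comparison
            return False, "bad MAC", None                 # integrity / proof of key possession
        rest = body[2 + id_len:]
        if len(rest) < 8:
            return False, "malformed envelope", None
        (counter,) = struct.unpack(">Q", rest[:8])
        frame = rest[8:]
        if counter <= self.highest_counter.get(device_id, -1):
            return False, "replay", None                  # freshness: this or an older counter was seen
        if len(frame) < MBAP_LEN + 1:
            return False, "malformed modbus frame", None
        _txn, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
        if proto != 0 or length != len(frame) - 6:
            return False, "malformed modbus frame", None
        func = frame[MBAP_LEN]
        if func not in entry["allowed"]:                  # authorization: may this device do this?
            return False, "function 0x%02x not authorized for %s" % (func, device_id), None
        self.highest_counter[device_id] = counter         # only advance on a fully accepted message
        return True, "ok", frame


def demo():
    """Run a constructed set of requests through the gateway; returns {label: (accepted, reason)}."""
    gw = Gateway(DEVICE_REGISTRY)
    hmi_key = DEVICE_REGISTRY["hmi-01"]["key"]
    hist_key = DEVICE_REGISTRY["historian-01"]["key"]
    read_pdu = bytes([0x03, 0x00, 0x10, 0x00, 0x02])   # read 2 holding registers at 0x0010
    write_pdu = bytes([0x06, 0x00, 0x10, 0x12, 0x34])  # write single register 0x0010 := 0x1234
    results = {}
    results["hmi read"] = gw.check(seal("hmi-01", hmi_key, 1, modbus_frame(1, read_pdu)))[:2]
    write_env = seal("hmi-01", hmi_key, 2, modbus_frame(1, write_pdu))
    results["hmi write"] = gw.check(write_env)[:2]
    results["replayed hmi write"] = gw.check(write_env)[:2]          # attacker re-issues a captured command
    results["historian read"] = gw.check(seal("historian-01", hist_key, 1, modbus_frame(1, read_pdu)))[:2]
    results["historian write"] = gw.check(seal("historian-01", hist_key, 2, modbus_frame(1, write_pdu)))[:2]
    tampered = bytearray(seal("hmi-01", hmi_key, 3, modbus_frame(1, read_pdu)))
    tampered[-TAG_LEN - 1] ^= 0xFF                                    # flip last PDU byte (register count)
    results["tampered hmi read"] = gw.check(bytes(tampered))[:2]
    results["printer write"] = gw.check(seal("printer-01", b"\x00" * 32, 1, modbus_frame(1, write_pdu)))[:2]
    return results


if __name__ == "__main__":
    for label, (accepted, reason) in demo().items():
        print("%-22s %s (%s)" % (label, "FORWARD" if accepted else "DROP", reason))
```

Two design points worth noting. The MAC is verified before the counter or the function code is examined, so an attacker without a key cannot probe the gateway's replay state or authorization policy, and the counter is only advanced for a message that passed every check. A symmetric per-device key is used here because it runs offline with the standard library; in a deployment with device certificates the same structure applies with a signature in place of the HMAC, and the registry becomes a lookup of the device's public key and role.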
Secure Device Supply Chain and Choosing a Security Technology Partner
The security solutions above are ideally implemented early in the supply chain of devices installed in ICS. ICS device manufacturers should work with a security technology partner so that trust can be extended not only across devices, applications and people, but also across the third parties responsible for the devices at the center of ICS operations.
System integrators who manage multiple ICS customers, or who provide DevOps services, should work with security partners that have a long pedigree in third-party trust models.
A security partner shouldn’t lock you into any specific vertical stack of technologies. You have an existing set of protocols and enterprise repositories that need to remain in place. Security should not disrupt this, or need to ask you to rip and replace existing solutions that work.
Ideally, identity-based solutions should have flexible deployment models that take into consideration the unique constraints faced by industrial organizations. A security partner should support both on-premises and cloud implementations and make it seamless to move between them as needs change.
Finally, choose a security partner that works with you for the long term. The longevity of devices in ICS means that the security partner in the supply chain must have a proven track record and be able to update devices without interfering with uptime and reliability.
Security Provides Opportunity
Organizations operating industrial control systems are becoming digital businesses. Beyond simply mitigating risk, OT is increasingly tasked with using technology to reduce costs and improve operational processes. Predictive maintenance requires sensors emitting data to analytics systems, which are likely to be in the cloud. That requires a network boundary crossing from critical real-time networks to the public internet. Some industrial organizations will seek new business models and share device access with DevOps teams and service integrators. Authentication, authorization and secure data become vital for mitigating the risk that OT business innovation brings.
Compliance has always been a limiting constraint for OT environments. Guidance and regulation are not static, especially in light of the recent increase in cyberattacks against ICS. How do our prescriptions for OT compare against federal guidance and international regulation?
Mapping Risk Patterns to Guidance: An Example
Below is a sample mapping between the controls discussed above and federal guidance and international regulation.
[Table: sample mapping of the controls above to federal guidance and international regulation; not reproduced in this copy]
OT has been around a long time and has specific needs and constraints. ICS are indeed under attack and there is a need for comprehensive security. Security based on managed identities should be an important part of a defense-in-depth strategy in ICS. Uniquely identifying, authenticating and authorizing devices, and securing their data, are ideas shared by federal guidance and international regulation. When choosing a partner to help secure your industrial control systems, seek a long-term partner who understands the unique needs of OT environments. You can find out more about how we are helping to secure the industrial IoT ecosystem by viewing our infographic.