The story goes that while giving a keynote speech, a software executive made an observation: If the automobile industry had progressed at the same rate as the computer industry, we would all be driving cars that only cost $25,000 and got 1,000 miles to the gallon.
Not to be outdone, the executive of a large automobile manufacturer put out a press release stating that the software executive was correct, but mused, “Who would want to drive a car that crashed twice a day?”
It seems that the computer industry and the manufacturing industry have always approached things a bit differently. This contrast in styles is clear in the way both industries view networking. Information technology (IT) departments have worked on making their resources as widely available as possible since commercial Internet access appeared in the late ’80s. Operational technology (OT), on the other hand, focused on system reliability and kept devices secure through physical isolation. The often-overlooked cousin of IT, OT is the hardware and software used in production environments to detect or cause changes through direct monitoring and control of physical devices (e.g. valves, pumps, sensors). OT typically focuses on processes and events in asset-centric enterprises.
OT network background
The OT networking model worked well for years, but the allure of the remote monitoring and remote control that IT systems offer is tempting OT departments to change their ways. OT departments are starting to tie manufacturing systems into the corporate LAN and the Internet to gain access to all of the manufacturing, monitoring and control tools used today (e.g. Distributed Control Systems and Supervisory Control and Data Acquisition (SCADA) systems).
For years, industrial systems that relied upon proprietary software were manually managed, physically monitored and not connected to the public Internet. In those days, conducting an attack generally required physical access to the devices, not an easy task in self-contained environments.
The OT design and its physical separation were based on the Purdue Enterprise Reference Architecture. This architecture was developed at Purdue University in the early 1990s and is now the standard reference architecture for industrial control system networks.
The Purdue model consists of six levels (0-5), with industrial control systems (ICS) occupying the lower four (levels 0-3). Traditionally, the industrial network had no connection to the enterprise LAN at level 4. Where data must reach the enterprise LAN, a unidirectional data diode passes it out of the industrial network while physically preventing anything from flowing back into the ICS.
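The Purdue separation just described can be checked mechanically against observed traffic. The following is an added example, not code from the original article: it maps hosts to Purdue levels by subnet and flags flows that enter the ICS from the enterprise, leave the ICS without passing the data diode, or skip levels inside the ICS. The addressing plan, the diode sender host and the flow records are all constructed for illustration.

```python
# Added example (not from the original article): audit observed flows against
# the Purdue level model. The addressing plan, the diode sender host and the
# flow records below are all constructed for illustration.
import ipaddress

# Constructed addressing plan: subnet -> Purdue level.
LEVEL_OF_SUBNET = {
    "10.1.0.0/24": 0,  # field devices: sensors, actuators
    "10.1.1.0/24": 1,  # basic control: PLCs, RTUs
    "10.1.2.0/24": 2,  # supervisory control: HMIs, SCADA servers
    "10.1.3.0/24": 3,  # site operations: historians, engineering stations
    "10.4.0.0/16": 4,  # site business planning (enterprise LAN)
    "10.5.0.0/16": 5,  # enterprise network
}
NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in LEVEL_OF_SUBNET.items()]

# ICS-side host that feeds the data diode; the only ICS host allowed to send
# toward the enterprise. Constructed.
DIODE_SENDERS = {"10.1.3.250"}


def level_of(ip):
    """Purdue level of a host, or None if it is outside the addressing plan."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in NETS:
        if addr in net:
            return lvl
    return None


def check_flow(src, dst, diode_senders=DIODE_SENDERS):
    """Classify one src -> dst flow as ('allow'|'deny', reason).

    The rules encode the traditional Purdue separation:
      * levels 0-3 are the ICS, levels 4-5 the enterprise;
      * nothing from the enterprise may initiate a flow into the ICS;
      * ICS -> enterprise traffic may only originate at the diode sender;
      * inside the ICS, a flow may stay at its level or cross to an
        adjacent one, but not skip levels (e.g. level 3 straight to level 0).
    """
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "deny", "host outside the addressing plan"
    src_ics, dst_ics = s <= 3, d <= 3
    if not src_ics and dst_ics:
        return "deny", f"level {s} -> level {d}: inbound into the ICS"
    if src_ics and not dst_ics:
        if src in diode_senders:
            return "allow", f"level {s} -> level {d} via data diode"
        return "deny", f"level {s} -> level {d}: bypasses the data diode"
    if src_ics and abs(s - d) > 1:
        return "deny", f"level {s} -> level {d}: skips a level inside the ICS"
    return "allow", f"level {s} -> level {d}"


# Constructed flow records (src, dst), as reduced from NetFlow or a SPAN port.
FLOWS = [
    ("10.1.1.20", "10.1.0.7"),      # PLC -> field device
    ("10.1.2.30", "10.1.1.20"),     # HMI -> PLC
    ("10.1.3.10", "10.1.0.7"),      # historian -> field device, skipping levels 1-2
    ("10.1.3.250", "10.4.10.5"),    # diode sender -> enterprise
    ("10.1.3.10", "10.4.10.5"),     # historian -> enterprise, not via the diode
    ("10.4.2.5", "10.1.1.20"),      # corporate workstation -> PLC
    ("192.168.99.1", "10.1.1.20"),  # unknown host -> PLC
]


def audit(flows, diode_senders=DIODE_SENDERS):
    """Return [(src, dst, verdict, reason)] for every flow."""
    return [(s, d, *check_flow(s, d, diode_senders)) for s, d in flows]


if __name__ == "__main__":
    for src, dst, verdict, reason in audit(FLOWS):
        print(f"{verdict:5} {src:>14} -> {dst:<12} {reason}")
```

Run against a real flow export, the deny lines are exactly the conversations that the traditional architecture says should not exist; each one is either a misconfiguration or the kind of bi-directional path the rest of this article is about.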
OT environments are now looking to become more open, connected and accessible to leverage the advantages of IT. Cloud services, 5G, Big Data and smart analytics are invaluable tools for the OT world. To take advantage of these technologies, the ICS must open itself up to bi-directional traffic. Allowing incoming traffic creates new security risks that attackers are already actively exploiting.
With this new architecture, an Industrial Internet of Things (IIoT) gateway is needed to provide remote access from the Internet into the ICS. The IIoT gateway has become a critical security concern because a successful compromise of the gateway could expose the entire OT infrastructure to attack. Once beyond the gateway, very few security controls are in place on the legacy infrastructure.
In addition to updating the network configuration, OT departments are also rapidly evolving in terms of software and hardware uses. The table below shows some of the evolution of these components.
Just as changes at the network level increase security risk, these changes to hardware and software create additional attack surface if they are not deployed correctly.
Network security
When looking at network security, there are three main elements that network managers must consider:
- Confidentiality
- Integrity
- Availability
IT security has typically focused on integrity and confidentiality, while OT security has focused on availability. Because OT environments were always isolated, little effort went into network security beyond physical protection. As a result of that dependence on physical security, OT networks typically carry vulnerabilities that would be unacceptable on a modern IT network, such as lack of authentication, lack of encryption, buffer overflows and backdoors, any of which allows easy unauthorized access.
As OT networks started to become more open, the frequency of large-scale attacks on OT networks has increased. The first widely reported large-scale OT attack was Stuxnet, uncovered in 2010: a worm that spread between Microsoft Windows computers, including by USB stick, and then manipulated the PLCs those computers programmed. Since then, the number of attacks has risen sharply. In fact, these types of attacks have increased globally by about three to five times in the last few years, per a recent report by the cybersecurity firm Mandiant.
Now, with the potential of millions of IoT devices being deployed and with the physical perimeter disappearing, the attack surface of ICS has greatly increased, creating a new security paradigm for OT. Fortunately, there is a straightforward, if not always easy, path that OT departments can follow to create a secure network. There are four key steps that OT departments should take to harden their networks.
4 key steps to harden OT department networks
- IT has had decades to mature security practices and minimize exposure. As OT environments become more open, they must start to learn from the IT model. However, managing security and risk in OT environments has requirements that can be very different from IT. These differences mean that IT security best practices cannot simply be imported wholesale into the OT system. One of the key problems with only porting over IT practices is that OT technology obsolescence periods are much longer than for IT. Legacy systems have been in place for 20 to 25 years in many OT environments, whereas in the IT world equipment rarely lasts more than five years. These outdated endpoints within the OT environment lack the computing power to support current patches and updates, leaving them as a standing security risk.
- A complete inventory of all equipment must be compiled. A key step in improving OT security is having an up-to-date inventory of the assets and applications running on the network. This can be accomplished with a mix of VMware software and professional services to identify network traffic and devices. Once a complete list of devices is available, device profiles can be created based on each device's characteristics, behavior and vulnerabilities.
- A Zero Trust architecture (ZTA) should be set up to help protect the vulnerable elements. A ZTA simplifies security for critical infrastructure and solves key challenges. A great example of where a ZTA helps is securing remote access to ICS systems. A ZTA defines a protect surface around each device or application, and therefore does not require cumbersome physical segmentation at each layer. The National Institute of Standards and Technology (NIST) proposed the Zero Trust architecture for industrial and enterprise networks in SP 800-207 and stated: “Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.”
- OT departments must set up access control by user, by device and by application. Users, devices and applications should each be authenticated before they can reach OT network segments. Often overlooked, secure authentication is critical: many of OT’s most damaging security breaches were due to compromised user accounts and passwords, and the damage was exacerbated by giving corporate users unnecessary levels of access.
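Steps two through four above (inventory, Zero Trust, and per-user/device/application access control) fit together as a single access decision. The following is an added example, not code from the original article or from VMware's products: it profiles devices passively from constructed flow records, then decides each access request by authenticating the user against a stored password hash, checking that both the requesting device and the target are in the inventory, and requiring an explicit (role, application, segment) allow rule, with everything else denied. The segments, accounts, rules and flow records are constructed; the inventory-membership check stands in for a device certificate or posture check in a real deployment.

```python
# Added example (not from the original article or VMware's products): the
# inventory, authentication and explicit-allow steps as one decision function.
# Segments, accounts, rules and flow records are constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass, field

# --- step 2: build an inventory passively from observed flows -----------------

# Server ports of common ICS protocols. None of them authenticates the client
# on its own, which is why the access decision below must happen in front of
# the device rather than on it.
PROTOCOL_BY_PORT = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Constructed addressing plan: address prefix -> network segment.
SEGMENT_OF_PREFIX = {"10.1.1.": "L1-control", "10.1.3.": "L3-ops", "10.4.": "L4-enterprise"}


def segment_of(ip):
    return next((seg for p, seg in SEGMENT_OF_PREFIX.items() if ip.startswith(p)), "unknown")


@dataclass
class Device:
    ip: str
    segment: str
    serves: set = field(default_factory=set)  # ICS protocols this host answers on


def build_inventory(flows):
    """flows: (src_ip, dst_ip, dst_port). Profiles every host seen by segment and
    by the ICS protocols it serves."""
    inv = {}
    for src, dst, port in flows:
        for ip in (src, dst):
            if ip not in inv:
                inv[ip] = Device(ip, segment_of(ip))
        proto = PROTOCOL_BY_PORT.get(port)
        if proto:
            inv[dst].serves.add(proto)
    return inv


# --- steps 3 and 4: authenticate user, device and application; default deny ---

SALT = b"constructed-salt"  # use a per-user random salt in practice; one here for brevity


def password_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed accounts: username -> (role, password hash).
USERS = {
    "ops-alice": ("operator", password_hash("correct horse battery staple")),
    "hr-bob": ("corporate", password_hash("hunter2")),
}

# Explicit allow rules: (role, application, target segment). Anything not
# listed is denied, so a corporate account reaches no OT segment at all.
ALLOW = {
    ("operator", "hmi-client", "L1-control"),
    ("operator", "historian-viewer", "L3-ops"),
    ("engineer", "engineering-ws", "L1-control"),
}


def decide(user, password, device_ip, app, target_ip, inventory):
    """Return (allowed, reason). Every check must pass; network location alone
    grants nothing."""
    rec = USERS.get(user)
    # Hash even for unknown users so timing does not reveal valid usernames.
    supplied = password_hash(password)
    if rec is None or not hmac.compare_digest(rec[1], supplied):
        return False, "user authentication failed"
    role = rec[0]
    device = inventory.get(device_ip)
    if device is None:
        return False, f"device {device_ip} is not in the inventory"
    target = inventory.get(target_ip)
    if target is None:
        return False, f"target {target_ip} is not in the inventory"
    if (role, app, target.segment) not in ALLOW:
        return False, f"no rule allows {role} via {app} into {target.segment}"
    return True, f"{user} via {app} from {device.segment} to {target.segment}"


# Constructed flow records (src, dst, dst_port).
FLOWS = [
    ("10.1.3.10", "10.1.1.20", 502),    # historian polls a Modbus PLC
    ("10.1.3.11", "10.1.1.20", 502),    # HMI polls the same PLC
    ("10.1.3.10", "10.1.1.21", 102),    # historian reads an S7 PLC
    ("10.4.2.5", "10.1.3.10", 44818),   # corporate host talking EtherNet/IP to the historian
]

if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for d in inv.values():
        print(d)
    print(decide("ops-alice", "correct horse battery staple", "10.1.3.11", "hmi-client", "10.1.1.20", inv))
    print(decide("hr-bob", "hunter2", "10.4.2.5", "hmi-client", "10.1.1.20", inv))
```

The order of the checks matters: the password is hashed before the username lookup result is used, so an attacker enumerating accounts sees the same timing for valid and invalid names, and the rule lookup keys on the target's segment rather than on where the request came from, which is the point of Zero Trust.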
If these steps are followed properly, OT can confidently start to deploy new technologies to leverage the many benefits that remote access and the IIoT provide.
Though the steps outlined above are straightforward, they are not always easy. If implementing new OT security seems daunting, VMware Professional Services can help. VMware’s team of consultants are experts in implementing networking security in a variety of environments, using industry best practices by working with world-leading companies.