Automated Cybersecurity for Converged IT/OT/ICS Manufacturing Environments
For decades, IT and operational technology/industrial control systems (OT/ICS) were seen as separate entities within organizations. In keeping with practices first defined by the Purdue Enterprise Reference Architecture, the two systems were entirely air gapped to never impact one another. While this separation kept OT networks more protected, it is no longer practical.
Today, manufacturers rely on flexible, build-to-order production methodologies that improve efficiency, reduce errors and cut costs – but also introduce greater cyber risk through the convergence of OT, IT and Internet of Things (IoT) networks. Ransomware attacks make headlines, but day-to-day network or process misconfigurations, operational errors, resource usage spikes and other anomalies are far more likely to threaten productivity than outside attacks.
Unique OT/ICS security challenges
OT/ICSs are complex, multi-vendor environments, often with geographically distributed resources and management systems. Each system has its own proprietary protocols and industrial applications, security requirements, and specific risk mitigation policies. OT operators and security teams must manage an increasing number of remote connections and transient assets – OT/ICS and SCADA engineers, system integrators or OEM vendors all connect to the OT networks, both locally and remotely, to support management and maintenance functions.
No wonder the classic IT security approach doesn’t work in OT/ICS environments. Most SCADA systems or controllers do not support authentication mechanisms, and traditional routers and firewalls cannot enforce security policies based on the content of network traffic, such as dangerous commands or unexpected process values. Nor is it enough to depend on security at the edge. More protection is needed inside the network, where different OT and IoT assets and systems must communicate with each other and often rely on connections to other industrial subsystems to run a process.
Additional cybersecurity challenges unique to manufacturing include:
- Security as an afterthought – Because OT assets were never connected, they were not built with security or even integrity in mind. Adding security later can be exceptionally difficult. For example, many assets cannot accommodate an agent. Some leading manufacturers are finally implementing “secure by design” principles to newer technology, but as Vedere Labs’ OT:ICEFALL vulnerability disclosure underscored, that is still the exception.
- Long refresh cycles – It’s not uncommon for IT organizations to refresh technology every few years as new hardware, operating systems and applications evolve. In contrast, OT systems are built for reliability, remain relatively static and have long lifecycles. Some OT assets may not get a refresh for up to 30 years.
- Exponential growth of IoT – The use of IoT devices in manufacturing environments is also exploding, for the same reasons as OT: to further reduce costs and deliver more value to customers. IoT devices are used to collect real-time data on production processes. This data flows into IT or even cloud services to enable better scheduling, forecasting and overall performance against metrics. IoT assets are also used to manage facility systems such as building access control, HVAC, lighting and fire safety systems.
Together, these issues roll up to two imperatives for manufacturers: 100% visibility into all assets and their connectivity, and the ability to detect any threat to operational continuity and prioritize response.
Cybersecurity best practices for manufacturers
The NIST Cybersecurity Framework outlines how to identify, protect, detect, respond and recover from threats. The following recommendations align with this framework. They are based on more than a decade of industrial threat research and experience protecting many of the world’s critical infrastructures, manufacturers and government organizations.
- Identify – Complete security starts with an accurate inventory of all connected assets, where they are and what they’re communicating with. Unfortunately, the discovery approaches that work for IT and IoT might not work for sensitive OT devices given safety rules, vendor interoperability issues, industrial process requirements and other considerations. To avoid downtime or service disruption, they require agentless techniques or non-intrusive network monitoring such as deep packet inspection (DPI). OT networks also include many IT assets, so hybrid techniques are necessary.A system specific for OT/ICS networks must understand dozens of industrial protocols and be able to prioritize detected threats. The Forescout Continuum Platform employs more than 30 non-intrusive passive and active discovery techniques to identify assets, extract details and detect anomalies. They include DPI of 250+ IT, OT and IoT protocols to query infrastructure and selected endpoints for complete device visibility, well beyond SPAN.
- Protect – Manufacturers must understand both the cybersecurity and operational risks of each asset. This requires cooperation between traditionally siloed SOC teams and OT operators. SOC teams need visibility into security risks such as the use of default credentials and insecure authentications and protocols, vulnerabilities, poor segmentation policies, and, of course, actual cyberattacks. OT engineers, meanwhile, need to quickly spot issues such as unauthorized firmware or PLC logic changes, critical device failure, unstable process values, incorrect process measurements, and any signs of misconfiguration or malfunction.As with discovery, there are several ways to non-intrusively determine the vulnerabilities of OT assets, while most traditional IT assets can be actively scanned. Risk assessment should also be automated and continuous, checking the asset against a database of OT/ICS-specific Indicators of Compromise (IOCs) and Common Vulnerabilities and Exposures (CVEs) as well as continuous network monitoring for behavior changes and anomalies.
- Detect – To avoid costly downtime, threats to operational continuity must be detected and investigated as early as possible. Asset discovery and risk assessment produces a flood of information about potential threats and vulnerabilities, not all of it urgent. To cut through the noise, OT engineers and security teams need a monitoring and detection system that prioritizes critical alerts based on both operational and cybersecurity risk and potential impact, with drill-down into details that help them make informed decisions about how to respond.Forescout Continuum provides a unique Asset Risk Framework that continuously calculates an impact-based cybersecurity risk score and operational risk score for each asset. The scores are continuously evaluated using detected events associated with the asset, proximity to other potentially infected assets, communication links and behavior, known vulnerabilities and other details.
- Respond – Any risks and vulnerabilities identified above must be mitigated and, ideally, remediated, using the right technique based on all available information. While in IT the common approach is to patch, this may not be possible for OT. In manufacturing environments, response actions range from automated initiation of remediation activities, such as creating a service ticket for an engineer to check a malfunctioning device or to tighten a firewall rule, to more drastic measures, such as access control and segmentation.Vulnerable and critical systems, including unsupported legacy systems, should be segmented from the rest of the operations, and logical segments should be implemented where possible. For example, a security camera doesn’t need to connect to the process control server or data historian, and a robot arm doesn’t need direct internet access.
- Recover – Nowhere is cooperation more important than recovery. Tensions may arise when OT asset owners primarily concerned with safety and productivity must now balance operational and cybersecurity risk, especially if it means shutting down operations. To break down silos, security policies, from assessment and alerts to mitigation actions, must underscore communication between IT and OT teams. For example, how can the SOC security analyst inform the right OT engineer at the site?Automation is also critical to ensure timely response, especially given the global shortage of skilled cybersecurity resources. Many actions, from modest to stringent, can be initiated automatically without risk to OT systems, such as tightening firewall rules that don’t touch process control communication and assessing the security posture of contractor laptops before granting access to a production network.
Industrial-strength cyber resilience
With industrial environments increasingly dependent on digital systems for production, automated cybersecurity is essential. Occasional networking and operational issues are inevitable in any manufacturing environment, but they needn’t result in significant downtime. All cybersecurity begins with knowing what’s on your network. Beyond connectivity, manufacturers must know what cyber and operational risks exist across sites and be able to detect and prioritize response to threats, automatically.
Building cyber resilience is a cost of doing business – a small price to pay for the many benefits of industrial digitalization.
Hear Vedere Labs researchers unpack OT:ICEFALL – 56 vulnerabilities affecting devices from 10 OT vendors caused by decades of insecure-by-design practices in OT.