Six tips for a secure OT environment

Those who follow six recommended actions will have laid a solid foundation for effective risk mitigation and a secure OT environment. A guide to defending against cyber threats.


Networking is a prerequisite of digital transformation: IT (information technology), OT (operational technology) and ICS (industrial control systems) are converging and are no longer isolated from the rest of the company. As a result, the exposure of running systems to cyber threats is growing, and a successful attack can mean massive damage to production, safety and system availability. The specialists from Kudelski Security have therefore compiled six recommendations for action that lay a solid foundation for effective risk mitigation and a secure OT environment.

Strategy 1 - Raise end-user hazard awareness 

Users in OT environments face the same security threats as users in IT environments: phishing attacks, weak passwords, unsecured hardware devices. However, the main focus of an OT engineer is to keep the system running, so cybersecurity threats are not what they attend to first.
Against this background, it proves useful to focus on the risk to the overall business. Companies should frame the discussion of cybersecurity in the OT context in terms of the risk of production disruption. It can be helpful to give OT engineers and operations managers access to security tools so they can visualize all of their assets and see how a single vulnerability could affect production as a whole.

Strategy 2 - Identify the true assets in the company

Asset discovery is a critical security component for IT and OT environments, and also one of the most difficult. OT systems notoriously lack visibility: many organizations simply do not know what assets they have.
The first step is therefore comparatively simple: companies should develop a detailed understanding of the resources that exist in the OT network. This means documenting the operating systems, the firmware versions, the software installed, the libraries present, how the individual assets communicate with each other and, perhaps most importantly, how important each asset is to the overall OT system.

Strategy 3 - Systematic network segmentation

As more IT elements are introduced into the OT environment, the air-gap model that so many OT networks depend on as their primary security element is eroding. For example, an OT engineer might want to check email from a Human-Machine Interface (HMI) on the factory floor, and so adds a second network interface card (NIC) that connects the HMI to the office network.

To enable secure interaction between IT and OT infrastructure, it is important to think through network segmentation requirements before access becomes necessary. Connections created ad hoc under time pressure are the ones that undermine segmentation; system-to-system connectivity should instead be planned along the zones of the Purdue model, with firewalls and firewall rules enforcing the hierarchy between zones. The Purdue model for control hierarchy is a reference architecture commonly used by vendors across industries. It is helpful in understanding how data typically flows through an OT network and how to secure each network zone and its elements accordingly.
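The inventory work of Strategy 2 and the zone discipline of Strategy 3 can be checked with the same data: the flows observed on the network. The following Python script is an added example, not code from the article or from Kudelski Security. It builds a communication matrix from constructed flow records, flags endpoints missing from the inventory, and rejects flows that cross Purdue levels in a way the hierarchy does not permit. The addresses, hostnames, ports, level assignments and the simplified policy in `flow_allowed` are all assumptions made for illustration; a real site policy would be written against its own zone and conduit design.

```python
"""Asset inventory and Purdue-level flow check from observed flow records (illustrative)."""
from collections import defaultdict

# Constructed inventory: what passive discovery plus manual documentation might yield.
# Level 3.5 is the industrial DMZ between the enterprise zone (4/5) and site operations (3).
ASSETS = {
    "10.0.4.10":  {"name": "erp-app",       "level": 4,   "os": "Linux",    "criticality": "low"},
    "10.0.35.5":  {"name": "historian-dmz", "level": 3.5, "os": "Windows",  "criticality": "medium"},
    "10.0.3.20":  {"name": "scada-server",  "level": 3,   "os": "Windows",  "criticality": "high"},
    "10.0.2.30":  {"name": "hmi-line1",     "level": 2,   "os": "Windows",  "criticality": "high"},
    "10.0.1.40":  {"name": "plc-line1",     "level": 1,   "os": "firmware", "criticality": "critical"},
}

# Constructed flow records (src, dst, proto/port) as a sensor on a SPAN port might report them.
FLOWS = [
    ("10.0.4.10", "10.0.35.5", "tcp/443"),   # ERP pulls data from the DMZ historian
    ("10.0.35.5", "10.0.3.20", "tcp/5450"),  # DMZ historian replicates from the SCADA server
    ("10.0.3.20", "10.0.2.30", "tcp/4840"),  # SCADA to HMI
    ("10.0.2.30", "10.0.1.40", "tcp/502"),   # HMI to PLC
    ("10.0.4.10", "10.0.1.40", "tcp/502"),   # enterprise host talking straight to a PLC
    ("10.0.9.99", "10.0.2.30", "tcp/3389"),  # source that nobody documented
]


def build_comm_matrix(flows):
    """Map each source address to the set of (destination, protocol) pairs it was seen using."""
    matrix = defaultdict(set)
    for src, dst, proto in flows:
        matrix[src].add((dst, proto))
    return dict(matrix)


def unknown_assets(flows, assets):
    """Addresses that appear in traffic but not in the inventory: the visibility gap."""
    seen = {addr for src, dst, _ in flows for addr in (src, dst)}
    return sorted(seen - set(assets))


def flow_allowed(src_level, dst_level):
    """Simplified Purdue policy (an assumption for this example, not a standard):
    - anything at level 4 or above may only reach the DMZ (3.5) or other enterprise systems,
    - the DMZ may only talk to site operations (level 3),
    - inside the control zones, only same or adjacent levels may communicate."""
    lo, hi = sorted((src_level, dst_level))
    if hi >= 4:
        return lo == 3.5 or lo >= 4
    if hi == 3.5:
        return lo == 3
    return hi - lo <= 1


def purdue_violations(flows, assets):
    """One (src, dst, proto, reason) tuple per flow that the policy rejects or cannot classify."""
    violations = []
    for src, dst, proto in flows:
        if src not in assets or dst not in assets:
            missing = src if src not in assets else dst
            violations.append((src, dst, proto, f"endpoint {missing} not in inventory"))
            continue
        s, d = assets[src]["level"], assets[dst]["level"]
        if not flow_allowed(s, d):
            violations.append((src, dst, proto, f"level {s} to level {d} not permitted"))
    return violations


def report(flows, assets):
    """Human-readable summary joining inventory, criticality and violations."""
    lines = []
    for addr, meta in sorted(assets.items(), key=lambda kv: -kv[1]["level"]):
        lines.append(f"L{meta['level']:<4} {meta['name']:<14} {addr:<11} {meta['os']:<9} {meta['criticality']}")
    for addr in unknown_assets(flows, assets):
        lines.append(f"UNKNOWN {addr}")
    for src, dst, proto, reason in purdue_violations(flows, assets):
        lines.append(f"VIOLATION {src} -> {dst} {proto}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FLOWS, ASSETS))
```

Run as-is, the report lists the five documented assets, then `UNKNOWN 10.0.9.99`, then two violations: the enterprise host reaching the PLC directly (level 4 to level 1) and the undocumented source on the HMI. Feeding the same function the rule set of a proposed firewall, rather than observed flows, turns it into a pre-deployment check for the segmentation design.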

Strategy 4 - Consistent threat monitoring and incident management

Visibility is the critical first step to effective real-time cyber threat monitoring. Organizations need to know what assets are in their environment, how those assets are connected, where network segmentation is or is not in place, and what vulnerabilities exist. Once visibility is established, it must be decided how the network will be monitored continuously, around the clock, and the following questions need answers: What happens when an alarm fires? Against which standards are alerts validated, and when is intervention warranted? What is done in the event of a confirmed security incident?
Given the constraints of an OT environment, an incident can do extensive damage in a short time. IT security practices such as threat monitoring and incident management help, but they require real-time collaboration and coordination between the security and OT teams. From the third-party security operations center (SOC) or managed security service provider (MSSP) to the operations manager to the OT engineer, roles and responsibilities must be clearly defined in advance.

Strategy 5 - Connectivity and access controls

While there are established practices for identity and access management in IT environments, the OT side has catching up to do in many places. Credentials are often shared internally and with external parties, and access is not limited to specific devices or network segments.
It is essential to assume "hyperconnectivity" and plan for it in advance in order to safeguard productivity and operations. The basic principles are the familiar ones: identity management, password requirements, multi-factor authentication, and integration with the central directory service (for example Active Directory) so that access is granted and revoked in one place. Remote access capabilities are also useful, but the same remote access solution should not serve both IT and OT: a dedicated OT path keeps the attack surface small and avoids IT-side changes causing OT downtime. In an incident it also makes it possible to identify exactly who had access to the affected system and to cut the connection if necessary.
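Two of the questions this strategy raises, who had access to an affected system during an incident window and whether an account is being shared, can be answered from remote-access session records. The script below is an added example written for this article, not code from Kudelski Security. It runs over constructed session records (users, gateways, targets and times are invented; the external addresses are from the RFC 5737 documentation ranges) and assumes that OT systems are supposed to be reached only through the gateway named `jump-ot-01`.

```python
"""Access review over remote-access session records (illustrative, constructed data)."""
from datetime import datetime

# Constructed session log: one record per remote session into an OT asset.
SESSIONS = [
    {"user": "jdoe",       "src": "jump-ot-01",   "target": "hmi-line1",    "start": "2024-03-01T08:00:00", "end": "2024-03-01T08:45:00"},
    {"user": "vendor-svc", "src": "203.0.113.7",  "target": "plc-line1",    "start": "2024-03-01T09:00:00", "end": "2024-03-01T10:00:00"},
    {"user": "vendor-svc", "src": "198.51.100.9", "target": "plc-line1",    "start": "2024-03-01T09:30:00", "end": "2024-03-01T09:50:00"},
    {"user": "asmith",     "src": "jump-it-01",   "target": "hmi-line1",    "start": "2024-03-01T09:40:00", "end": "2024-03-01T10:10:00"},
    {"user": "jdoe",       "src": "jump-ot-01",   "target": "scada-server", "start": "2024-03-01T11:00:00", "end": "2024-03-01T11:30:00"},
]

# Assumption for this example: the only sanctioned entry point into OT is this gateway.
OT_GATEWAYS = {"jump-ot-01"}


def _ts(value):
    return datetime.fromisoformat(value)


def _overlaps(a_start, a_end, b_start, b_end):
    """True if the half-open intervals [a_start, a_end) and [b_start, b_end) intersect."""
    return a_start < b_end and b_start < a_end


def access_to(sessions, target, window_start, window_end):
    """Who was connected to `target` at any point inside the incident window."""
    ws, we = _ts(window_start), _ts(window_end)
    hits = {
        (s["user"], s["src"])
        for s in sessions
        if s["target"] == target and _overlaps(_ts(s["start"]), _ts(s["end"]), ws, we)
    }
    return sorted(hits)


def shared_account_use(sessions):
    """Same account active from two different sources at the same time: the signature of a
    shared credential (or a stolen one). Returns (user, source_a, source_b, target)."""
    findings = []
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
    for user, recs in by_user.items():
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if a["src"] != b["src"] and _overlaps(
                    _ts(a["start"]), _ts(a["end"]), _ts(b["start"]), _ts(b["end"])
                ):
                    findings.append((user, a["src"], b["src"], a["target"]))
    return findings


def sessions_outside_ot_gateway(sessions, gateways):
    """Sessions that reached an OT asset without passing through the dedicated OT gateway,
    i.e. IT remote access or direct vendor connections being used for OT."""
    return [(s["user"], s["src"], s["target"]) for s in sessions if s["src"] not in gateways]


if __name__ == "__main__":
    print("access to hmi-line1 09:45-10:00:", access_to(SESSIONS, "hmi-line1", "2024-03-01T09:45:00", "2024-03-01T10:00:00"))
    print("shared accounts:", shared_account_use(SESSIONS))
    print("bypassing OT gateway:", sessions_outside_ot_gateway(SESSIONS, OT_GATEWAYS))
```

On the constructed data the incident query for `hmi-line1` between 09:45 and 10:00 returns only `asmith` from the IT jump host, the shared-account check catches `vendor-svc` active from two external addresses at once, and the gateway check lists the three sessions that never touched the OT gateway. Each of those is a direct consequence of the principles above: one identity per person, access bound to a segment, and a remote-access path that is separate from the IT one.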

Strategy 6 - Vulnerability and Patch Management

Legacy systems, mission-critical processes and the limited patch windows of OT environments typically make it difficult to develop a holistic threat mitigation and patch management strategy. Rather than working through hundreds of vulnerabilities one by one, users need to understand which potentially vulnerable systems are most critical to production. Ideally, vulnerabilities are closed during the next regular maintenance window, with the knowledge that for many OT vulnerabilities no patch or firmware update is available at all. This is where compensating controls come into play: they limit the impact of a vulnerability if it is exploited. Such controls include network segmentation and isolation, password management, and continuous threat monitoring, for example through deep packet inspection of control protocols. Ultimately, it is about balancing security effort against return on investment.
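The prioritization this strategy calls for can be made explicit. The Python below is an added example, not code from the article or from Kudelski Security: it ranks constructed vulnerability findings by a score that combines a severity rating with the asset's importance to production, discounts that score for compensating controls already in place, and states what to do when no fix exists. The finding identifiers, severity values, criticality weights and control discount factors are all assumptions chosen for illustration; a real programme would calibrate them to its own process risk.

```python
"""Risk-ranking of OT vulnerability findings with compensating controls (illustrative)."""

# Assumed weights: how much an asset's importance to production scales the raw severity.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}

# Assumed discount per compensating control already in place on the asset.
CONTROL_FACTOR = {
    "segmented": 0.5,         # reachable only from its own zone
    "monitored": 0.8,         # traffic watched with deep packet inspection
    "no_default_creds": 0.9,  # default and shared passwords removed
}

# Constructed findings with placeholder identifiers (not real advisories).
FINDINGS = [
    {"id": "F-1", "asset": "plc-line1",     "severity": 9.8, "criticality": "critical", "controls": [],                        "patch_available": False},
    {"id": "F-2", "asset": "hmi-line1",     "severity": 7.5, "criticality": "high",     "controls": ["segmented", "monitored"], "patch_available": True},
    {"id": "F-3", "asset": "historian-dmz", "severity": 9.1, "criticality": "medium",   "controls": ["monitored"],             "patch_available": True},
    {"id": "F-4", "asset": "erp-app",       "severity": 6.5, "criticality": "low",      "controls": [],                        "patch_available": True},
]


def risk_score(finding):
    """Severity scaled by production criticality, discounted by each control in place."""
    score = finding["severity"] * CRITICALITY_WEIGHT[finding["criticality"]]
    for control in finding["controls"]:
        score *= CONTROL_FACTOR[control]
    return round(score, 2)


def residual_score(finding):
    """What the score would fall to if every compensating control were applied:
    the number to compare against the effort of applying them."""
    return risk_score({**finding, "controls": list(CONTROL_FACTOR)})


def missing_controls(finding):
    """Compensating controls not yet applied to this asset."""
    return [c for c in CONTROL_FACTOR if c not in finding["controls"]]


def recommend(finding):
    """Action line: patch in the maintenance window if possible, otherwise compensate."""
    if finding["patch_available"]:
        return "schedule patch for next maintenance window"
    gaps = ", ".join(missing_controls(finding)) or "none outstanding"
    return f"no fix available: apply compensating controls ({gaps})"


def prioritize(findings):
    """Highest current risk first, so limited patch windows go where production exposure is."""
    return sorted(findings, key=risk_score, reverse=True)


def worklist(findings):
    """Ordered plan lines suitable for a maintenance-window agenda."""
    return [
        f"{f['id']} {f['asset']:<14} risk {risk_score(f):>5} -> {residual_score(f):>5} | {recommend(f)}"
        for f in prioritize(findings)
    ]


if __name__ == "__main__":
    print("\n".join(worklist(FINDINGS)))
```

On the constructed data the unpatchable PLC finding ranks first despite having no fix, which is exactly the case the paragraph describes: its residual score shows how far segmentation, monitoring and credential hygiene would bring it down, and the recommendation names those controls. The historian in the DMZ outranks the HMI even though the HMI sits closer to the process, because the HMI's existing segmentation and monitoring are already credited.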

Source: Kudelski Security

Interested parties can find out more about effective risk minimization and a secure OT environment in the Operational Technology webinar on October 6.
