Strengthened cyber defenses for OT environments

Although awareness of the relevance of cybersecurity in IT is growing, OT environments still receive too little attention - with potentially fatal consequences, as serious ransomware incidents against critical infrastructures, both in the cloud and on-prem, are increasing worldwide. Attack tactics and techniques are constantly evolving and targeting OT systems, increasingly in areas such as building automation and production. The fatal part is that OT systems are also part of critical infrastructures, for example in the healthcare, transportation, energy and utility sectors. In contrast to the digital world, physical damage here is often irreversible and can even endanger human lives. Especially in recent months, numerous cyberattacks have been perpetrated, partly due to vulnerabilities in widely used systems that have been known for some time: Log4j, Microsoft Exchange, Linux, Apache, Remote Access, etc. The attack possibilities on OT systems have thus increased considerably due to the growing threat landscape.

Critical infrastructures

Although the physical OT world requires different security approaches than virtual IT, they are moving closer together. New technologies from IT correlate with developments and modernizations in OT. In industry, self-learning robots manufacture complex products; in building automation, integrated sensors deliver data such as temperature, humidity, utilization or performance of equipment to a central cloud platform; in electrical engineering, measurement systems are increasingly networked, intelligently controlled and monitored. Two worlds are merging, new security risks are emerging. The vision is comprehensive connectivity and exploitation of synergy potential. The reality, however, is that these two worlds often have complex, sometimes outdated or buggy interfaces, making secure merging difficult. Cyber criminals exploit the vulnerability and manipulability of such OT systems, which were previously designed for stability rather than security and offline.

While IT classically focuses on confidentiality, information security and data protection, OT focuses on the availability of OT systems (machines and plants) and the protection (safety) of employees and the environment. Ensuring this safety is not only necessary due to the safety-critical environments, but also mandatory from a legal perspective. Accordingly, clear guidelines exist here and elaborate assessments are carried out - but not for OT safety. However, IT and OT are both integrative components and should therefore be included in both operational and business risk assessments. Since attacks on OT systems can jeopardize physical security, securing them should be a top priority. Necessary measures are, on the one hand, the sensitization of employees with regard to specific risks and, on the other hand, the development of know-how and competencies for OT components and protocols. Furthermore, a multi-layered approach (defense-in-depth) that combines all levels is essential. This includes a comprehensive security architecture with integrated security solutions to correlate data and respond to distributed threats, systems such as IDS/NIDS or in-line detection, attack detection, XDR, threat management, etc.

IEC 62443 has established itself in the OT environment for the establishment, implementation, review and continuous improvement of an information security management system (ISMS). This represents an efficient method for secure industrial automation and control systems (IACS) - taking into account all important aspects, such as the safety of employees and production, ensuring availability, increasing the efficiency and quality of production, and protecting the environment. This enables companies to identify potential weak points in the control and instrumentation technology at an early stage and initiate sensible protective measures. However, a comprehensive, forward-looking approach goes even further and takes into account the traditional IT landscape, development IT and even production IT. Proactive vulnerability management should not be forgotten. This should not only focus on vulnerabilities that have a certain CVSS value, but also on those that are actively exploited by cybercriminals. Rapid action is key here. Last but not least, risk and ICS/SCADA security assessments and corresponding controlling are part of a comprehensive security approach.

From Defence-in-Depth to Zero Trust

Defence-in-Depth, i.e. the explained multi-layered approach, has an important status in IT/OT security. This minimizes the risk that cyber attacks - or otherwise triggered incidents - can spread like a domino effect and cause major damage. However, to keep up with new threats, organizations must also adopt zero trust models and automation. Zero trust is a strategic approach to security that focuses on the concept of eliminating inherent trust; that is, minimizing permissions and access to minimize risk. All resources are considered external in this approach. Trust is neither binary nor permanent. Zero Trust establishes trust for every access request, no matter where it comes from, while enforcing device trustworthiness. Automation, on the other hand, uses current threat data to inspect traffic, apply zero trust policies, and block attacks in real time.

For the well thought-out implementation of a security concept, it is necessary to improve the security functions of all systems, products and solutions involved. But guidelines, processes and ultimately employees must also be taken into account appropriately so that various measures can be established. After all, if one protective measure is bypassed, the next one continues to provide protection. This principle makes a lot of sense, because often the systems and components involved are not at an up-to-date security level due to a lack of updates and permanent availability.

Even if the requirements are high nowadays: This is the only way to achieve strategic cybersecurity goals, minimize risks, meet regulatory requirements and guarantee safety and security in complex IT/OT environments.