In an environment where we’re seeing increasing demand for connectivity between operational technology (OT) and IT, security teams have to dispel the air gapping myth to acknowledge that IT influences can exploit OT connections.
The air gapping approach was used for a long time to prevent any impact on ICS systems. But it’s wishful thinking to believe it is a reality considering that today, any system managed by an actual user requires end-to-end connectivity. There are three core steps organizations need to take in order to evolve beyond the air gapping myth, so that they can better identify potential attacks and provide stronger security for SCADA networks.
Expose the myth of IT/OT separation
First, organizations that use industrial control networks need to expose and dispense with the myth that IT and OT are separate entities. In most cases, there really is no separation, and because of that, air gapping is no longer realistic. The lack of separation is clear in everyday operations; for example, if a technician wants to monitor a mission-critical process after hours, nearly all of the tools that enable this rely on having a connection between IT and OT, and, at times, even through an Internet connection via VPN into the OT network.
Air gapping fits into the traditional narrative that there was a need to isolate IT and OT, but organizations must let go of this wishful thinking in order to protect SCADA networks. In reality, all of the SCADA attacks we’re seeing today are coming from the IT world, whether the path is through spear phishing, malware from email attachments, infected USB sticks, social engineering, a vulnerability related to a standard IT environment, or some other source. And facility managers rely on Internet connections—the conduit for many threats—to communicate with their systems.
Organizations make a number of mistakes in IT/OT convergence, and one of the most common is allowing two-way communication from or to the OT network. A German steel mill learned this the hard way, when it suffered an attack after permitting two-way instead of one-way communication with an interface for monitoring. The company had bi-directional communications that were not providing alerts.
Another common mistake is having a false sense of security regarding industrial networks because of the presence of antivirus software and firewalls. These do no prevent every kind of attack. Most of the SCADA world is still not protected; fails to take basic precautions, such as changing passwords on PLCs; and is not aware of the risks. Furthermore, firewalls are not designed to deal with ICS protocols, and do not fully understand the content of the ICS payload to its last bit.
SCADA security: What can organizations do now?
Now that we’ve exposed that OT and IT are converging, it’s time to address the security issues. Organizations can live safely in this new reality, and there are several ways to address the challenges of convergence. It’s important to keep in mind that the bulk of securing converged IT/OT environments depends on tapping the people who understand OT details, the constraints of critical systems, and what’s possible to observe via IT.
Critical systems as a rule can’t afford any offline time, and in many cases can’t support an influx of new security products that would impact operations. Organizations need to learn how to protect systems without affecting their performance.
The key is to embrace innovation. Deploy tools that enable you to find the right place in the network where you can monitor relevant traffic. The critical systems themselves are not central; they’re distributed between different sites, often in completely different regions. So finding the right spot to find the right traffic and observe it is vital. Another important step is mapping IT and non-IT components. That requires deploying an OT security solution that provides a clear visual mapping of the OT network, including all sensitive OT/IT touchpoints.
Unlike IT networks, operational networks are often hard to map. By using appropriate OT security solutions, ICS owners can visualize and understand their networks by observing the relations between the ICS entities, in some cases functioning in a non-IT world (PLCs that don’t have IP address, for example), and receive alerts about situations such as bi-directional communications between the OT and IT networks, allowing them to reconfigure as needed.
But don’t leave IT network security best practices behind. Consider using tools and approaches that provide forensic business intelligence (BI). These allow you to visualize SCADA activity by means of pie charts and graphs, so in case of an attack, you have a means of looking back to see what affected the system in the first place, which can help with future prevention. Finally, embrace new advances, such as deep packet inspection to investigate ICS communication in-depth and identify anomalies and malicious activity that may be invisible at the packet level.
There are countless security technology vendors in the market, but relatively few that offer the solutions needed to address the unique security challenges of the IT/OT environment. If a vendor doesn’t have extensive experience in this area, you can’t be sure that its solutions will provide what’s needed to protect these vital corporate assets.
Look for the ability to visualize your OT network and analyze it to create a baseline and detect anomalies. A lot of ICS organizations don’t have the manpower to be continuously monitoring critical systems, so that’s where having the right support from an outside vendor is vital.
Most of the SCADA world is still not protected because of the illusion that they’re air gapped. Few actually are. However, when critical infrastructure organizations recognize this fact, take precautions and investigate new solutions to protect themselves, they can significantly reduce their risk.