Most cyber security professionals take for granted the information technology or IT nature of their work. That is, when designing cyber protections for some target infrastructure, it is generally presumed that protections are required for software running on computers and networks. The question of whether some system is digital or even computerized would seem to have been last relevant to ask in 1970. We all presume that everything is software on CPUs.
The problem is that not everything is software that CPUs control. Cars include mechanical parts that can get only so hot; airplanes have wings that can bend only so far; factories include assembly lines that can go only so fast; and power plants include fluid piping that can only handle so much. These tangible entities consist of solids, liquids, and gases, rather than 1’s and 0’s, so their management requires a different type of component called an industrial control system or ICS.
The supporting ecosystem that enables industrial control is referred to collectively as operational technology or OT, and this introduces a new set of cyber security concerns. OT protection is particularly intense, because the physical consequences of compromise may be completely unacceptable, and because many of the security mechanisms that are second nature on IT networks can in fact impair physical operations as badly as a cyberattack. This leads to both puzzles and headaches for cyber security engineers.
Cyber security engineers have thus begun the journey of trying to determine how to apply the best elements of IT security, learned through practical experience over the past three decades, to the OT management and monitoring of ICS. In many cases, IT insights are directly applicable to OT/ICS security; but situations do emerge where the nature of industrial control infrastructure introduces novel malicious threats that require innovative new cyber solutions.
Safety and security in IoT
The intimate relationship between security and safety concerns in OT environments cannot be understated. Recall, in contrast, that IT security experts will reference the traditional confidentiality, integrity, and availability (CIA) model of threats. The goal of IT security thus becomes putting functional or procedural controls in place that will cost-effectively reduce the CIA-type risks to data assets.
OT experts have a different set of objectives in mind. Obviously, they must deal with the goal of preventing information leaks, malware infections, and availability attacks; but their primary mission emphasis is on safety. That is, to an OT security professional, the most critical objectives involve assurance of safe, sound operation of OT infrastructure in a manner that avoids human casualties and lost production for large, costly physical assets.
The emphasis on safety concerns tends to influence OT technology protection in ways that might differ from traditional IT. A commonly cited example is change management, which is important for assuring application of security updates. An IT security team will often prioritize rapid deployment of such updates over all else, where an OT engineer might be more concerned with the risks that software changes pose to worker safety and to uninterrupted physical operations.
Purdue model of OT/ICS
To explore options for how OT/ICS infrastructure might include proper mitigation of cyber risk, it helps to use a common model of OT – and the most popular choice is the Purdue Enterprise Reference Architecture, established over two decades ago. The hierarchical model specifically includes four layers of networks to support decision-making and control for industrial applications in the context of both OT and IT monitoring and support.
Before reviewing the model, some brief encouragement for traditional IT security experts trying to navigate OT/ICS: While the terminology of manufacturing control, plant management, and industrial operations might look different and daunting, you should have little trouble extrapolating your own understanding of how an enterprise runs with these newer concepts. Don’t get hung up on aspects of the model you might find confusing. Just move on.
Purdue Enterprise Reference Architecture
Level 0 includes the physical processes for industrial application. Level 1 includes the basic instrumentation that controls physical layer systems. Level 2 includes supervisory control and data acquisition (SCADA) functions and human interfaces. Level 3 includes support for site manufacturing and industrial operations. Level 4 supports business planning, logistics, and other management considerations. Level 5 involves enterprise IT and network systems.
As an overlay to these six ICS functional levels, four zones of operation are identified in the model: Levels 4 and 5 are referred to collectively as the enterprise zone; Level 3 is referred to as the manufacturing zone; Levels 2, 1, and 0 are referred to collectively as the cell/area zone; and a fourth safety zone is defined that includes air-gapped systems that monitor and manage physical Layer 0 systems. None of these levels or zones are hard and fast; they are a guide.
It is worth emphasizing that references to safety in the context of OT/ICS infrastructure cannot be understated. Traditional safety procedures and mechanisms have become an essential component of the emerging cyber security programs. For example, if an administrator notices evidence of malware in critical control systems, then procedures for safety-focused emergency shutdowns are not only practiced, but might even be required by local laws.
Physical and perimeter security for OT/ICS
Unique security challenges emerge at each layer in the Purdue model. First, it is obvious that any physical devices or systems must be locally protected against on-site physical tampering or hands-on sabotage by compromised staff. Motivation for such attacks can range from nation-state guidance to employee disgruntlement. While hands-on attacks do not cascade and cannot be done remotely, this does not make them any less dangerous when they do occur.
As a result, ICS infrastructure generally includes mature, well-developed, facility controls. Personnel are carefully vetted and authenticated before given access to equipment and systems. Buildings, factory floors, equipment rooms, and physical plants are typically accessible only to badge-carrying personnel, and well-policed by on-site security guards with the authority to act if necessary. For these reasons, most people see physical controls as essential to overall ICS security programs.
The challenge is that with the introduction of automated control and management, ICS security inherits the vulnerability challenges of remotely accessible software. Specifically, potential security exploits emerge across the so-called OT/IT interface that exists just beneath the highest layer in the Purdue model. It is this interface that connects traditional hackers with computers on IP networks and the OT-based devices in an ICS ecosystem.
For this reason, most implementations of the Purdue model now include a separation function, expressed as a demilitarized zone or perimeter network, at this OT/IT interface. This separation includes firewall, intrusion detection, filtering, and other traditional network security functions. The implementation is usually generic, using addresses, ports, and protocols, but the control at least offers some opportunity to separate functions and enforce policy.
Purdue Enterprise Reference Architecture with DMZ
The challenge with this perimeter-based security zone – as you would expect – is that IT security experts have already determined that software-based perimeters don’t work. Sadly, this conclusion extends to OT/ICS environments as well. Service exceptions, compromised insiders, and unavoidable traffic entry and exit make perimeter firewalls look more like network cross-connects than traffic cops. This is no longer a controversial claim; everyone agrees.
Advanced, modern cyber security for OT/ICS
The challenge for modern cyber security engineers working in the OT/ICS area involves modernizing the weak or missing protection controls in existing infrastructure toward more advanced and effective solutions that will stop malicious actors. The good news is that many of these controls can be extended from mature IT security, but in the lower layers of the Purdue model, some new situations emerge that require new types of cyber risk management.
An important consideration in practical OT/ICS contexts is the practical belief by many industrial experts that traditional IT security – including patching, anti-virus software, and password management – is simply inadequate to the serious consequences associated with industrial systems. This is a promising balance to the often-cited shortcomings in OT/ICS staff in their expertise and training in modern cyber security.
It helps to first partition OT/ICS into two categories – namely, (1) OT infrastructure consisting of non-traditional computing components such as analog signaling and electromechanical operation, and (2) IT infrastructure consisting of traditional computing components such as application software, physical and virtual servers, and packet networks running the TCP/IP protocol suite. OT/ICS threats exist within each of these domains, or across their boundary.
To ensure protection of these domains and the OT/IT interface, three basic security objectives provide optimal design guidance:
- Strong Entity Authentication – This involves strong validation of reported identities by OT devices in IoT or ICS settings. No security architecture can possibly work without such assurance and for IT-exposed systems, multi-factor usage is becoming more the norm than the exception.
- Domain Separation – This involves the creation of strongly separated architecture domains that can enforce desired policies. Unidirectional gateways are emerging as a useful technique to ensure provable separation between domains.
- Activity Monitoring – This involves gathering information about observable activity for threat analysis, compliance monitoring, and report generation. Nearly all compliance frameworks demand activity monitoring functionality, and this includes OT/ICS.
The achievement of these basic security objectives within OT is by far the greater challenge, simply because any change in OT must be analyzed and tested so very extensively, while IT security best practices evolve at a rapid pace to stay ahead of our attackers.
Two important caveats are worth mentioning with respect to these security objectives: First, in the presence of strong entity authentication, administrators might need workarounds to deal with emergency situations that require immediate unimpeded access to safety systems that can save lives. OT/ICS security design must therefore account for this important consideration, if only because of the unique role that safe, assured operation plays in industrial systems.
Second, it should be recognized that domain separation – and perimeters, in particular – play a much more vital role in OT/ICS security design than enterprise IT infrastructure. This follows the common specificity associated with the input and output command and traffic requirements for an OT/ICS domain. Unlike enterprise IT systems, these industrial requirements are more tractably supported by perimeter controls.
The prospect for achieving the three basic security objectives are much more promising within and across the IT/OT interface. Subsequent articles in this series will explore specifically how modern cyber security controls can be embedded in this aspect of the OT/ICS model to reduce cyber risk. Highlighted results of this application for the next four articles in the series are listed below:
- Article Two offers an insight into how hackers have had success to date breaking into operational systems
- Article Three outlines the SCADA vulnerabilities associated with typical industrial control system architectures
- Article Four covers how innovations such as unidirectional gateways can be used to separate industrial networks from Internet-exposed IT networks
- Article Five provides a glimpse into the future of OT and SCADA systems in critical infrastructure.
The insights offered in these articles are intended to provide guidance for both traditional IT security experts, as well as OT engineers who might be new to cyber protection solutions. The optimal staff arrangement in any OT/ICS environment would optimize the OT experience and expertise of the engineers with the cyber security insights of the traditional enterprise IT security expert. These articles are intended to help both types of expert.
Contributing author: Andrew Ginter, Vice President of Industrial Security at Waterfall Security.