Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations. While current advances in OT/ICS cyber security are impressive, new approaches are needed to gain defensive advantage over already-capable cyber adversaries, to keep up with new OT/ICS technologies, and to serve business risk management needs in increasingly-demanding, competitive environments.
In all these cases, progress only comes when both IT and OT stakeholders can (1) correctly assess current and emerging risks to industrial operations, (2) correctly assess the strength and benefits of candidate threat mitigation measures, and (3) convince business decision-makers of the correctness of these assessments to commit funds to business process and security modernization initiatives. All three of these cases are essential, but also have their corresponding pitfalls to avoid.
In practice, IT stakeholders often underestimate cyber threats to industrial operations, and overestimate the effectiveness of software-based security measures. OT stakeholders are often less predictable, sometimes underestimating threats and resisting investment in improved security posture, while other times overestimating threats and raising safety concerns that impair modernization efforts. In all cases, communicating threats, defensive postures, and the need for change to business decision-makers can be difficult.
To address these challenges, we discuss below three specific areas in the context of both improved enterprise operational effectiveness, and enhanced security for industrial control systems:
Industrial Internet of Things (IIoT) – Internet-based cloud services for industrial automation promise significant benefits to industrial enterprises, while dramatically increasing industrial attack surfaces.
Universal Security Monitoring – Modern enterprises rely on Security Operations Centers (SOCs) and Security Information and Event Management Systems (SIEMs) with limited visibility into their industrial operations.
Tamper-Proof Forensics – Since no defensive posture can ever be perfect, strong support for incident response and recovery is a high priority, especially for industrial networks that may be targeted by sophisticated threat actors.
These three cases highlight the types of considerations that many OT/ICS security engineers are working on today. Each is discussed in more depth below.
Industrial Internet of Things
The emerging Industrial Internet of Things (IIoT) consists of edge industrial devices connected directly to cloud systems on the Internet. Significant advantages stem from aggregating and analyzing large amounts of data from many sites and/or clients. Many industrial vendors are investing significant resources in new product offerings in this realm. The security result though, is a significantly expanded attack surface where threats can use known and zero-day vulnerabilities to pivot from one customer, through cloud sites, to sensitive industrial networks at other sites and enterprises. This, and related risks, are impeding the adoption of IIoT technology at many sites.
Waterfall’s Unidirectional CloudConnect is a solution that preserves the benefits of cloud-based big data analytics in the IIoT without the increased attack surface for industrial control networks. Unidirectional CloudConnect is an industrial control device having a local unidirectional gateway through which it can gather data from a wide variety of industrial data sources. Translation capabilities are included so that data can be exchanged between the OT and cloud domains. This allows direct connections from sensitive OT networks to the Internet.
OT devices connected directly to cloud systems on the Internet
This general issue of reducing risk in the IIoT will be one of the most important areas of cyber security in the coming years, especially as more ICS devices are integrated with IT-based or Internet-based cloud services – often for cost reduction. Unless these risks are properly addressed, the consequence implications for OT/ICS infrastructure can be significant.
Universal security monitoring
The Waterfall Security team has observed that while intrusion detection and security monitoring disciplines are mature on IT networks in most enterprises, the discipline tends to stop at the IT/OT gateway in industrial enterprises. In part, this is because few SOCs are equipped to properly gather and interpret telemetry and logs from OT/ICS networks.
An additional issue, however – and this might seem ironic, is that deep monitoring of certain OT/ICS devices is often seen as too sensitive to be installed into a given operational environment. That is, where OT devices are critical to correct and continued operation of important industrial processes, a management decision might be made to avoid installing intrusion detection probes and security monitoring systems for fear that new security risks might be introduced through connectivity with IT-based or Internet/cloud-based SOCs.
This is an unacceptable situation because security engineers can only secure what they can observe and measure. To address this need, intrusion detection and security monitoring engines are starting to support a much wider variety and depth of industrial systems than was historically the case. To address the security concerns stemming from connectivity with these engines, industrial sites are again deploying Unidirectional CloudConnect or other unidirectional monitoring capabilities.
In a sense, progress here mirrors the problem and progress in the IIoT realm. Both are examples of both risks and benefits stemming from increased connectivity between industrial networks and central IT-based or cloud-based systems. Unlike the emerging field of IIoT big-data analytics though, safe, increased coverage for central security monitoring systems is seen by most industrial sites as a current and urgent problem.
With widespread adoption of the NIST Framework by industrial enterprises, many enterprises are seeking to develop robust industrial cyber incident response capabilities. One challenge with industrial incident response is access to reliable forensics. Industrial enterprises increasingly seek to defend their industrial networks against even the most sophisticated attacks. Sophisticated attacks though, frequently involve the intruder modifying, deleting, and erasing evidence of their attacks. This might even include accessing distantly hosted SIEMs and log analyzers if they can be located. Sadly, many of these systems share mutual trust across laterally traversed LANs, which is consistent with most APT methods.
The Waterfall Security team supports this challenge with its BlackBox solution, which includes a unidirectional gateway, and which gathers forensic data from a wide variety of industrial and IT device sources. The collected data is pushed through the one-way hardware into an encrypted and otherwise isolated storage system. The result is a securely stored, protected forensic log that cannot be tampered with by an adversary.
Waterfall Security has also developed a transportable version that response teams can carry to a given site if necessary. The device can be quickly configured to gather reliable forensics, in case the attackers are still active in the compromised network, and might be trying to actively interfere with the investigation. When the team has collected sufficient forensic evidence, analysis can be performed off-line.
There are far fewer industrial control system networks in the world than there are IT networks, and far fewer ICS security practitioners. Historically, this has meant that many well-meaning practitioners take inspiration from IT networks, and apply IT-centric solutions universally to both IT and OT networks.
Fortunately, this is changing. A recent whitepaper by the Gartner Group for example – Demystify Seven Cybersecurity Myths of Operational Technology and the Industrial Internet of Things – points out clearly that IT methodologies are not appropriate to calculating risks and assessing threats on OT networks, and that IT cybersecurity designs are not adequate to OT security needs.
Unidirectional Gateways and related products are one of the OT-centric security technologies that Gartner and other experts and authorities are recommending be evaluated for OT security needs, and become part of many OT security solutions.
Articles in this series
- Article One Provides an overview of the OT landscape, including an outline of the influential Purdue model
- Article Two offers an insight into how hackers have had success to date breaking into operational systems
- Article Three outlines the SCADA vulnerabilities associated with typical industrial control system architectures
- Article Four covers how innovations such as unidirectional gateways can be used to separate industrial networks from Internet-exposed IT networks
- Article Five provides a glimpse into the future of OT and SCADA systems in critical infrastructure.
The insights offered in these articles are intended to provide guidance for both traditional IT security experts, as well as OT engineers who might be new to cyber protection solutions. The optimal staff arrangement in any OT/ICS environment would optimize the OT experience and expertise of the engineers with the cyber security insights of the traditional enterprise IT security expert. These articles are intended to help both types of expert.
Contributing author: Andrew Ginter, Vice President of Industrial Security at Waterfall Security.