IT Security in an OT World

Before we had the Internet of Things (IoT), ubiquitous wireless access, high speed data pipes, or even core internet protocols including HTTP and TCP, we had industrial automation. Operational Technology (OT) is the latest umbrella term to encompass functionalities such as industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, programmable logic controllers (PLCs), and building automation. This term also applies to a host of embedded systems that support everything from running the robots that assemble automobiles to controlling the generation and transmission of power. OT systems play a part in baggage handling at airports, oil drilling rigs, pipelines and refineries, and manufacturing plants. Even your local organic dairy farm might be using a robotic milking system. Our entire modern way of life depends on automation and control systems.

From a security perspective, these systems are terrifying in their wide distribution, variability, and range of “security thinking.” Many of these systems are built on open communication protocols with no authentication or encryption (Modbus is the classic example). Many use technology that cannot be patched or updated. Many are increasingly exposed to the internet, and therefore to both unintentional damage and malicious tampering. To make matters worse, exploits of industrial systems are nightmare scenarios with significant impact on human life and safety. In real-world cases such as Crash Override (also known as Industroyer), which cut power in Ukraine in 2016, industrial system exploits have proven capable of taking down parts of a power grid. Even an attack as common as ransomware can now infect and disrupt OT networks, as we saw in 2017 when WannaCry, which was not aimed at OT at all, still halted production lines.

Approaching security in an OT environment can be intimidating. However, as with all security, there are workable approaches; three are outlined below.

Approach 1: Classic Security Modeling

The classic approach to security can be loosely generalized as defining what it is you are securing, defining the risk involved, and then taking appropriate mitigation steps. This approach can be considered as working from the “outside-in.”

There are some models and methods that help with this approach:

  • Existing compliance standards: For some OT environments there are applicable regulations and standards, such as NERC CIP for the North American bulk electric system and ISA/IEC 62443 for industrial automation and control systems. Even if these do not apply to your industry, they provide a great starting point for understanding risk analysis in OT. You can also borrow framework concepts and compensating controls from more generic frameworks, such as the CIS Critical Security Controls.
  • Existing frameworks: OT systems are built by engineers who, although not necessarily IT or security professionals, know how to write documentation! Check out the Purdue Enterprise Reference Architecture and its variants to gain insights into the underlying design of these systems. Not every OT environment follows the Purdue model exactly, but understanding it is the OT equivalent of understanding the OSI model. You can also read up on Industrial Cyber Security and on initiatives such as Smart Manufacturing and Industry 4.0. These initiatives are not directly about cybersecurity, but they may offer a way to inject security thinking into other modernization and computerization efforts.
  • Existing mindset: In security, most people start with the Confidentiality, Integrity, Availability (CIA) model. In OT systems, the mindset more often begins with the Reliability, Safety, and Availability (RSA) model. If you approach OT environments knowing that they were built on RSA instead of CIA, you can work through a lot of issues very quickly.

Naturally, there are many implementation challenges when using an “outside-in” approach to security.

  • Outages are real and impactful. Outages of any kind in an OT or ICS world have a real, direct, and tangible impact on the business. Potential major business impacts include: disrupting a factory floor, turning off electricity for large sets of customers, failing to monitor oil in a pipeline, and interrupting core communications systems. Any action you take in the OT environment must account for the extra risk. Even simple security tasks such as an antivirus scan can disrupt critical timing.
  • Security isn’t always the goal. Remember you are often dealing with highly distributed systems that are critical to your business. The business impact of an outage (for any reason) may be on a different scale and involve different stakeholders than those you typically engage.
  • You are the outsider. As a security professional, you will have to learn the language, systems, and normal pressure points of OT environments.
  • You can’t always do much. Many OT systems are obsolete, proprietary, very tight on resources (CPU and memory), or otherwise unsuitable targets for classic security like antivirus systems or monitoring agents. Even regular patching is problematic with the significant amount of custom software deployed on OT environments.
  • Pen testing can be physically dangerous. Active penetration testing has the potential to do great harm, even by accident. OT environments are almost always connected to large physical systems capable of causing large-scale industrial accidents. You wouldn’t want a pen test to take down a power grid, halt monitoring of an oil pipeline, or destroy millions of dollars of industrial robots.

Approach 2: Passive Discovery and Analysis

Another route to OT security is passive discovery and analysis, which can be thought of as an “inside-out” approach. Instead of trying to impose a security model on top of your OT environment, use baselining and passive observation to derive compensating controls.

The advantages of passive discovery and analysis overcome many of the challenges faced with a classic security approach:

  • You aren’t interfering with the environment. When using a network monitoring tool (such as LogRhythm NetMon) fed from a TAP or SPAN port, you can observe the traffic without injecting a single packet into the control network and start classifying many OT protocols, including CIP, COAP, ENIP, Modbus, OPCUA, and Profinet. More importantly, NetMon can help you see anything that isn’t a recognized OT protocol.
  • Whitelists work. Fortunately, most OT environments are still on isolated or mostly isolated networks. Using LogRhythm AI Engine (AIE) to passively baseline from NetMon or firewall data, you can rapidly discover which systems are normal and expected on the environment. These systems also tend to have an older networking style. For example, you might find fixed IP addresses in these systems. Because the environments are comparatively static, a whitelist approach works well.
  • Unusual is bad. In an OT environment, unusual activity is highly suspicious. Following the Purdue model, anything below level 3 (control systems, intelligent devices, and physical processes) should be “one purpose only” and have easily definable, regular behaviors. Systems in levels 3 and 4, such as manufacturing operations and business logistics systems, are more likely to run classic operating systems and software, or to be exposed to a wider range of user interactions and internet access. Even so, at every level non-OT traffic should be very limited and easy to classify as safe or suspicious.
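As an added illustration of the inside-out approach (example code written for this page, not NetMon or AI Engine logic), here is a small Python baseline that classifies flows by destination port, learns an allowlist of hosts and conversations during a quiet learning window, and then flags new hosts, new conversations, and non-OT traffic that reaches a controller. The port table, the addresses, and the flow records are all constructed for the example; a real deployment classifies by deep packet inspection, since a service can be moved off its default port.

```python
"""Passive OT baselining, the 'inside-out' approach: classify flows observed
on a TAP/SPAN port, learn an allowlist during a quiet window, then flag
anything outside it. Example code; not LogRhythm NetMon/AIE logic."""

# Default TCP/UDP ports of the industrial protocols named in the text.
# Port-based classification is a simplification assumed for this example;
# real DPI inspects payloads, since services can run on non-default ports.
OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP (ENIP/CIP)",
    ("udp", 2222): "EtherNet/IP (CIP implicit I/O)",
    ("tcp", 4840): "OPC UA",
    ("udp", 5683): "CoAP",
    ("udp", 34964): "Profinet (PNIO-CM)",
}


def classify(flow):
    """Name the protocol of a (src, dst, l4, dport) flow, or mark it non-OT."""
    _src, _dst, l4, dport = flow
    return OT_PORTS.get((l4, dport), f"non-OT:{l4}/{dport}")


def learn_baseline(flows):
    """Learn the allowlist from a learning window: every (src, dst, protocol)
    conversation seen, plus the set of hosts. Static IPs keep this stable."""
    allowed, hosts = set(), set()
    for flow in flows:
        src, dst, _l4, _dport = flow
        allowed.add((src, dst, classify(flow)))
        hosts.update((src, dst))
    return allowed, hosts


def audit(flows, allowed, hosts, controllers=frozenset()):
    """Return (flow, severity, reason) for each flow outside the baseline.
    `controllers` lists hosts at Purdue level 2 or below, where non-OT
    traffic is the clearest violation of a single-purpose segment."""
    findings = []
    for flow in flows:
        src, dst, _l4, _dport = flow
        proto = classify(flow)
        if src not in hosts or dst not in hosts:
            reason = f"new host ({proto})"
        elif (src, dst, proto) not in allowed:
            reason = f"new conversation ({proto})"
        else:
            continue  # matches the baseline
        high = proto.startswith("non-OT") and dst in controllers
        findings.append((flow, "high" if high else "medium", reason))
    return findings


# Constructed sample flows, not from any real network: 10.1.2.x are level-2
# PLCs, 10.1.3.x are level-3 HMI/historian servers. Tuple: (src, dst, l4, dport).
LEARNING_FLOWS = [
    ("10.1.3.10", "10.1.2.21", "tcp", 502),    # HMI polls PLC over Modbus
    ("10.1.3.10", "10.1.2.22", "tcp", 44818),  # HMI polls PLC over ENIP
    ("10.1.3.11", "10.1.3.10", "tcp", 4840),   # historian reads HMI over OPC UA
]
LIVE_FLOWS = LEARNING_FLOWS + [
    ("10.1.3.55", "10.1.2.21", "tcp", 502),    # unknown host speaking Modbus
    ("10.1.3.10", "10.1.2.22", "tcp", 3389),   # RDP to a PLC: non-OT
    ("10.1.3.11", "10.1.2.22", "tcp", 44818),  # known hosts, unseen pairing
]
CONTROLLERS = frozenset({"10.1.2.21", "10.1.2.22"})


def run_demo():
    """Learn from the quiet window, then audit the live window."""
    allowed, hosts = learn_baseline(LEARNING_FLOWS)
    return audit(LIVE_FLOWS, allowed, hosts, CONTROLLERS)


if __name__ == "__main__":
    for flow, severity, reason in run_demo():
        print(f"[{severity:6}] {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

The ordering of the checks matters: an unknown host is reported before its conversation is examined, so the analyst sees the new endpoint first, and the severity bump is reserved for non-OT protocols terminating on a controller, the case the text calls out as the clearest sign of trouble below level 3.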

Approach 3: Machine Learning

Because OT environments are focused on reliability, machine learning techniques are likely to be highly successful. Access to OT systems should follow well-known schedules: shift changes, maintenance cycles, and other tightly scheduled activities. Peer groups of users should be small and homogeneous, because the set of actions an operator can legitimately take is narrow, so any deviation stands out. That means detecting abnormal behavior through machine learning should be highly effective.
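As an added example (written for this page, not LogRhythm UEBA or NTBA code), the simplest form of this idea is a frequency model of when each user touches each system. It counts (host, weekday, hour) bins per user and per peer group, falls back to the peer group when a user has too little history, and flags any event whose empirical probability is below a threshold. The users, hosts, shift pattern, and the MIN_EVENTS and RARE thresholds are all constructed assumptions for the example.

```python
"""Schedule-based anomaly scoring for OT access events: learn when each
user, and each peer group, normally touches a system, then flag events
that fall in a bin the profile has never or rarely seen. A frequency model
standing in for the UEBA techniques the text mentions; example code, not
a LogRhythm product algorithm."""
from collections import Counter, defaultdict

MIN_EVENTS = 20   # below this, a user's own profile is too thin; use peers
RARE = 0.01       # flag events whose estimated probability is under 1%


class ScheduleModel:
    """Counts of (host, weekday, hour) per user and per peer group (role)."""

    def __init__(self, role_of):
        self.role_of = role_of                  # user -> peer group name
        self.user_bins = defaultdict(Counter)
        self.role_bins = defaultdict(Counter)

    def fit(self, events):
        """Events are (user, host, weekday 0=Mon..6=Sun, hour) tuples."""
        for user, host, dow, hour in events:
            self.user_bins[user][(host, dow, hour)] += 1
            self.role_bins[self.role_of[user]][(host, dow, hour)] += 1

    def probability(self, user, host, dow, hour):
        """Empirical probability of this bin for the user, falling back to
        the user's peer group when the user has too little history."""
        bins = self.user_bins[user]
        if sum(bins.values()) < MIN_EVENTS:
            bins = self.role_bins[self.role_of[user]]
        total = sum(bins.values())
        return bins[(host, dow, hour)] / total if total else 0.0

    def score(self, event):
        user, host, dow, hour = event
        p = self.probability(user, host, dow, hour)
        return {"event": event, "p": p, "anomalous": p < RARE}


# Constructed history, not real data: two day-shift operators and one
# night-shift operator log on to the same HMI every weekday for eight weeks.
ROLE_OF = {"op_alice": "operator", "op_bob": "operator",
           "op_carol": "operator", "op_dave": "operator"}  # dave is new


def build_training():
    events = []
    for _week in range(8):
        for dow in range(5):            # weekdays only
            for user, hour in (("op_alice", 6), ("op_bob", 6), ("op_carol", 22)):
                events.append((user, "hmi-01", dow, hour))
    return events


def run_demo():
    """Fit on the constructed history and score a handful of new events."""
    model = ScheduleModel(ROLE_OF)
    model.fit(build_training())
    probes = [
        ("op_alice", "hmi-01", 2, 6),      # normal shift start
        ("op_alice", "hmi-01", 2, 22),     # day operator at night
        ("op_alice", "eng-ws-07", 2, 6),   # unfamiliar host
        ("op_dave", "hmi-01", 2, 6),       # new user, judged by peer group
        ("op_dave", "hmi-01", 6, 6),       # new user, Sunday
    ]
    return [model.score(e) for e in probes]


if __name__ == "__main__":
    for r in run_demo():
        flag = "ANOMALY" if r["anomalous"] else "ok     "
        print(f"{flag} p={r['p']:.3f} {r['event']}")
```

The peer-group fallback is what makes the "limited peer groups" observation useful in practice: a newly created operator account has no history of its own, yet a weekday 06:00 logon to the HMI is unremarkable for the operator role, while a Sunday logon is not. Richer models (isolation forests, sequence models) refine the probability estimate; the bins and the fallback logic stay the same.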

Machine Learning, particularly for OT environments, is still in its infancy. At LogRhythm, we’re actively investigating both User and Entity Behavior Analytics (UEBA) and Network Traffic and Behavior Analytics (NTBA) to see if they offer OT a rich area of information.

Securing Your Operational Technology

Today, initiatives like Smart Manufacturing and Industry 4.0 drive digital transformation in Operational Technology. All the while, increasingly serious cyberthreats and well-publicized attacks with direct physical impact, such as WannaCry and the Ukraine power outage, keep occurring. If you work in any business that touches Operational Technology, you may have a unique opportunity to start injecting cybersecurity into OT environments. Whether you go for a classic compliance-driven approach or a discovery approach, take the time to consider what you can do with your security tools to make Operational Technology safer!

More from Rob McGovern