Industrial Cybersecurity Pulse
How to solve legacy OT security challenges

  • Chris Bihary
  • October 11, 2021
Courtesy: CFE Media
In the course of everyday life, many of the decisions we make about information technology (IT) in a business context are simpler than they may seem at first glance. If people are buying mobile phones or tablets to help employees stay in touch with the office, they may be able to choose between a variety of brands (Samsung, Motorola, LG, Apple and so on), but on a deeper level, they’re choosing between just two platforms: Android or iOS.

Likewise, if someone is buying personal computers (desktop or laptop) for administrative use, they can choose from a wide variety of manufacturers (Dell, Lenovo, Hewlett-Packard, Apple and so on). However, the number of operating systems offered is generally limited to just Windows and macOS (or perhaps Linux). Similarly, IT network applications and tools are designed for a standard network environment of routers, switches and servers.

The situation in the operational technology (OT) realm is quite different.

More OT platforms and systems, less compatibility

There are multiple reasons for the differences.

One of the reasons is that OT systems tend to use a larger range of communications protocols. As Tenable, the company that created the Nessus vulnerability scanning solution, explained in a blog post, OT vendors have not followed IT vendors in sticking to just a handful of pre-defined platforms. Instead, individual vendors often develop their own software and communications protocols, many of which are proprietary and vendor-specific, and few of which are actually compatible with each other.

This is true even when different vendors are working to meet the same standard. As Tenable points out, if OT users buy programmable logic controllers (PLCs) from multiple vendors, they are likely to find that each vendor has taken a different (and proprietary) approach to implementing the IEC 61131 standard. As a result, if those vendors don't provide adequate documentation of their approaches, users will have a difficult time monitoring critical activities.

In practical terms, this means OT systems engineers often have to learn to use, monitor and troubleshoot as many types of software and communications protocols as they have vendors. This is already a tall order, but the complications don’t end there. The software and communication protocols in question aren’t just incompatible with each other but also, in many cases, incompatible with the modern security solutions that become necessary when OT systems are connected to the internet.

Links between legacy and security vulnerability

This incompatibility is often a function of age.

OT systems are designed to have a much longer lifespan than IT systems. The devices referenced above – mobile phones and personal computers – typically remain in service for a few years and are then replaced, partly because they’re not built to last for long periods of time, partly because of marketing campaigns that highlight the increased capabilities of newer machines and partly because the cost of such devices has gone down over time. This is not the case with OT systems. These are usually designed to remain in operation for decades, at full capacity, with little downtime and with reliability and safety in mind.

As a result, OT systems are much more likely to include components that are 20-30 years old, or even older. Some systems may be so old that they predate any and all concerns about cyberattacks, and other systems may simply have inadequate security measures (such as air gaps that have been effectively bridged by the deployment of connected monitoring devices).

Alternatively, they may still be using older software that is less secure and/or no longer supported. Many OT workstations still rely on legacy operating systems, such as Windows NT or Windows XP, for which support is no longer available.

As a result, they can be difficult to integrate with modern security solutions. When companies work to integrate their legacy networks with modern security platforms, unmanaged switches with no switched port analyzer (SPAN) or port mirroring option, or managed switches that lack the resources to support SPAN, hinder even the basic network visibility that security tools need to protect the network.

NIST's Guide to Industrial Control Systems (ICS) Security cautions that ICS operating systems (OS) and applications may not even tolerate IT security practices, and that ICS components, which usually run at slow speeds on legacy networks, can easily be overwhelmed by the volume of traffic generated during active testing. This underscores the unfortunate fact that when legacy equipment is pushed to transfer data outside of these proprietary systems, the industrial network is opened to security vulnerabilities.

Network downtime has become a security threat

Unfortunately, the challenges of incompatibility and age aren’t easy to overcome. OT users have an incentive to keep their existing assets in place even if they aren’t a good fit for modern security solutions because their guiding principle is to avoid downtime.

As this blog post from F-Secure explains, ICSs can't be taken offline whenever their operators hear about a new patch or update. If these systems are being used to run power plants, sewage systems, hospitals or other components of critical infrastructure, downtime can pose unacceptable risks to public health and safety (and perhaps even national security). If these systems are being used to run manufacturing facilities, downtime can disrupt business continuity and lead to significant financial losses.

As a result, industrial automation engineers and other employees who work with OT systems have every reason to argue for keeping existing ICSs in place and leaving them alone as much as possible, even if they are known to be vulnerable. At the same time, IT and cybersecurity specialists have every reason to argue for applying the updates and patches that are needed to eliminate or mitigate risks.

How TAP visibility can bridge the legacy gap

Together, these challenges – incompatibility, age and the need to avoid downtime – can make OT systems extremely difficult to secure.

OT security should also be combined with fundamental best practices in visibility architecture. That is, OT users should eliminate blind spots and vulnerabilities in their systems so that their security tools can optimize threat detection and response, as well as perform proper asset discovery.

Overcoming this difficulty is far easier with network visibility – that is, enabling a security solution that provides its operator with a complete visual representation of every component and threat within the entire system, because “You can’t secure what you can’t see.”

Many industrial companies turn to specialized network TAPs to bridge the legacy gap. These TAPs connect old media types like 100BASE-FX or 100BASE-LX to copper Gigabit Ethernet, and they provide speed conversion that automatically links 10M, 100M and 1G segments.

Many legacy OT environments rely on unmanaged switches with no SPAN option, or on managed switches that lack the resources to support SPAN. For these, network TAPs provide the traffic access and packet visibility the security platform needs.

For OT networks where SPAN is available, network TAPs are still best practice for visibility architecture, as they passively copy traffic for security tools without dropping or duplicating packets. Because SPAN can also introduce vulnerabilities through bidirectional traffic, data diode TAPs provide unidirectional traffic, ensuring threats cannot reach the physical layer of the network. Often, aggregator TAPs are added to secure and aggregate multiple SPAN links into the security platform.
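The asset discovery and unidirectional-flow points above can be made concrete with a small passive analysis over the traffic a TAP delivers to the security platform. The following is an added example, not code from the original article or from Garland Technology; it assumes flow records (source, destination, server port, transport) have already been extracted from the mirrored traffic by a collector, and the flows, addresses, ports and the `10.9.` monitoring prefix are all constructed for illustration. Nothing in it sends packets toward the OT segment, which is the behaviour NIST's guidance calls for on legacy ICS that cannot tolerate active testing.

```python
"""Passive asset discovery over a TAP'd traffic feed.

Added example, not from the original article or from Garland Technology.
Assumes flow records were already extracted from mirrored traffic by a
collector behind a network TAP; the records below are constructed sample
data, not a real capture. No probes are sent into the OT network.
"""
from dataclasses import dataclass, field

# Well-known ICS protocol server ports used to label observed traffic.
# Assumption: a real deployment keeps a fuller, site-specific table.
OT_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}


@dataclass(frozen=True)
class Flow:
    """One observed connection: source, destination, server port, transport."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass
class Asset:
    ip: str
    peers: set = field(default_factory=set)         # IPs this asset exchanged traffic with
    protocols: set = field(default_factory=set)     # protocol labels seen on its flows
    server_ports: set = field(default_factory=set)  # ports it accepted connections on


def label_flow(flow):
    """Map a server port to an ICS protocol name; unknown ports keep proto/port."""
    return OT_PORTS.get(flow.dport, f"{flow.proto}/{flow.dport}")


def build_inventory(flows):
    """Derive an asset list from observed flows alone (passive discovery)."""
    assets = {}
    for f in flows:
        src = assets.setdefault(f.src, Asset(f.src))
        dst = assets.setdefault(f.dst, Asset(f.dst))
        label = label_flow(f)
        src.peers.add(f.dst)
        dst.peers.add(f.src)
        src.protocols.add(label)
        dst.protocols.add(label)
        dst.server_ports.add(f.dport)
    return assets


def unlabelled_protocols(assets):
    """Labels not in OT_PORTS: candidates for vendor-proprietary traffic that
    the security platform may not be able to parse, so worth documenting."""
    known = set(OT_PORTS.values())
    return {p for a in assets.values() for p in a.protocols if p not in known}


def monitor_to_ot_flows(flows, monitor_prefix):
    """Flows sourced from the monitoring segment and bound for anything else.
    Behind a unidirectional (data diode) TAP these cannot occur; if any appear,
    the security platform has a bidirectional path (such as SPAN) into OT."""
    return [f for f in flows
            if f.src.startswith(monitor_prefix) and not f.dst.startswith(monitor_prefix)]


# Constructed sample flows; every address and port here is invented.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", 502, "tcp"),   # HMI polling a PLC over Modbus
    Flow("10.1.1.10", "10.1.1.21", 102, "tcp"),   # HMI talking S7comm to a second PLC
    Flow("10.1.1.30", "10.1.1.20", 502, "tcp"),   # engineering workstation -> PLC
    Flow("10.1.1.20", "10.1.1.40", 5555, "tcp"),  # PLC -> device on an unlabelled port
    Flow("10.9.0.5", "10.1.1.20", 502, "tcp"),    # monitoring host reaching into OT
]
MONITOR_PREFIX = "10.9."  # assumed address range of the security platform


def run_report(flows=SAMPLE_FLOWS, monitor_prefix=MONITOR_PREFIX):
    """Summarise inventory, unlabelled protocols and monitor-to-OT flows."""
    assets = build_inventory(flows)
    return {
        "asset_count": len(assets),
        "servers": sorted(ip for ip, a in assets.items() if a.server_ports),
        "unlabelled": sorted(unlabelled_protocols(assets)),
        "monitor_to_ot": [(f.src, f.dst, f.dport)
                          for f in monitor_to_ot_flows(flows, monitor_prefix)],
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

On the sample data the report lists six assets, three of which accept connections, one unlabelled protocol (`tcp/5555`) that a proprietary-protocol review should follow up, and one flow from the monitoring range into the PLC segment. That last finding is the check a defender wants after deploying data diode TAPs: on a truly unidirectional feed the list must be empty, and anything in it points at a remaining bidirectional SPAN path.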

– This originally appeared on Garland Technology’s blog. Garland Technology is a CFE Media and Technology content partner.

Chris Bihary, CEO, Garland Technologies
