Securing operational technology (OT) networks and increasing network durability are key to enhancing operational resilience, as OT network protection still lags information technology (IT) cybersecurity. This article explains the reasons behind the lag, how this gap manifests across different industries and outlines four steps OT operators can take to better protect OT networks from cyberattacks and enhance operational resilience.
New opportunities bring new threats
As new IT technologies and Internet connectivity become available to OT networks, many different opportunities are opened for greater productivity and efficiency. Although connecting OT networks to the Internet enables new possibilities, it also introduces new threats (see Figure 1).
With more people working remotely due to the COVID-19 pandemic, companies need to enable more remote connections to their business and production networks. Although these remote connections do enable employees to work from the safety of their homes, they also unfortunately open the gate to new cyberthreats.
Although IT networks are usually safeguarded with sophisticated cybersecurity countermeasures, OT networks still include many legacy devices and often have less protection. This is because the systems are complex, and it is quite difficult to effectively implement cybersecurity measures. In addition, these networks often have long lifecycles, where legacy devices are not regularly updated with cybersecurity features. OT protocols are not usually encrypted and often lack authentication mechanisms. Also, hackers are becoming more familiar with OT protocols, networks and devices, enabling them to target programmable logic controllers (PLCs), human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems more easily.
Cybersecurity gap between IT and OT
The reason for the discrepancy between the maturity of IT and OT cybersecurity is closely related to different business priorities that often conflict with each other (see Figure 2).
Why IT networks are better protected. Enterprise IT networks prioritize confidentiality and focus on data integrity. IT assets include computers and servers located in climate-controlled office environments, and are easy to upgrade, patch or replace regularly.
Why OT networks lag behind. Industrial OT networks prioritize availability and focus on controlling processes that cannot tolerate downtime. Unlike IT assets, OT networks are made up of PLCs, HMIs, meters and other pieces of equipment that are difficult to upgrade or patch. These devices can sit in harsh, difficult-to-reach environments and are often subject to extreme temperatures, vibration and shock.
Different demands in different domains
Industrial applications have requirements that differ by sector, as well as varying levels of cybersecurity maturity. Although industries in the public sector are generally better protected than private manufacturing businesses, most OT networks still lag behind their IT counterparts in terms of cybersecurity.
In general, IT departments administer the cybersecurity policies for OT networks, but those policies are merely at the IT level, which means they do not take into consideration the characteristics and requirements of OT networks. In addition, many also continue to lack segmentation between their IT and OT networks. Regardless of the industry, many OT networks lack sufficient security controls and are not managed by OT operators.
Manufacturers typically have lower levels of cybersecurity maturity and are primarily revenue driven and focused on maintaining availability and uptime rather than on security. Even though the level of security awareness varies depending on whether the manufacturer is traditional, transforming or modernized, IT and OT roles and responsibilities continue to be vaguely defined in factory automation (see Table 1).
Cybersecurity for power grid applications is mostly driven by government policy. However, dedicated OT networks for power automation have low visibility of network assets, limited protection and are in the process of transformation from remote terminal unit (RTU) to Ethernet technologies. These applications are primarily concerned with passing government audits and meeting international standards (IEC 61850, IEC 62351, IEC 62443 and ISO 27001), preventing operator misconfigurations and preventing disruptions to power distribution.
Similarly, water treatment applications consist of dedicated OT networks that have low asset visibility. The abundance of legacy devices, as well as a lack of access control and network segmentation, indicates a need to strengthen cybersecurity beyond passing government audits and deploying firewalls and intrusion prevention systems (IPS).
Intelligent transportation systems
Cybersecurity in intelligent transportation systems (ITS) is also primarily government driven. ITS applications are characterized by distributed networks with various devices and systems at each traffic intersection. Although each device often uses a different network, security is centralized at the IT level.
Although ITS applications follow prescribed government guidelines and are pretty good at establishing cybersecurity policies and deploying firewalls, they are still concerned about cyberattacks on traffic signals and sensors, as well as the possibility that someone could break into an equipment cabinet relatively easily and gain direct access to the network that way.
Four steps to resilience
Considering how different IT and OT networks are, how can we bridge the gap between these two domains and secure OT networks from cyberattacks? To enhance operational resilience, OT networks must ensure their cybersecurity measures are as mature as those used in IT networks. The following four steps describe how users can secure OT networks and increase resilience.
1. Manage OT networks. Users cannot protect the assets they do not know they have. That’s why the first step to enhancing operational resilience requires OT operators to monitor everything on their networks, in the same way that IT network administrators often have complete visibility. Is everything that should be on the OT network actually there? Is there anything on the network that should not be there?
For example, OT operators can start to determine who can and cannot access the network by leveraging access control lists (ACLs) or other authentication mechanisms. OT operators can also use simple mechanisms such as port access control or sticky MAC to define which PLCs may connect to the network. In other words, everything on the trusted list is allowed to go through the network, and anything not specified on the trusted list is blocked. Managing the OT network (instead of relying on the IT department) also allows OT operators to respond more quickly to downtime and troubleshoot issues more rapidly.
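The trusted-list idea from step 1, as an added example that is not part of the original article: it reconciles a constructed device allow-list (each MAC pinned to the one switch port it may appear on, as sticky MAC would enforce) against a constructed switch MAC-table dump and reports unknown devices, known devices on the wrong port and expected devices that are absent. Device names, port names and addresses are assumptions.

```python
"""Reconcile an OT asset allow-list against the devices actually seen on the network.
Added example, not from the original article; the allow-list, switch port names
and the observed MAC-table dump are constructed sample data."""
import re

# Expected devices: MAC -> (name, the one switch port it may appear on, as sticky MAC pins it)
ALLOW_LIST = {
    "00:1a:2b:00:00:01": ("PLC-Line1", "ge1"),
    "00:1a:2b:00:00:02": ("HMI-Line1", "ge2"),
    "00:1a:2b:00:00:03": ("Meter-Cell3", "ge5"),
}
OBSERVED_DUMP = """
# mac               ip          port   (constructed; MAC formats vary by tool on purpose)
00-1A-2B-00-00-01   10.10.1.11  ge1
001a.2b00.0002      10.10.1.12  ge7
00:1a:2b:00:00:99   10.10.1.50  ge9
"""

def normalize_mac(mac):
    """Accept 00-1A-2B-..., 001a.2b00.... or 00:1a:2b:... and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_observed(dump):
    """Return {normalized_mac: (ip, port)} from the dump, skipping blanks and comments."""
    seen = {}
    for line in dump.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mac, ip, port = line.split()[:3]
        seen[normalize_mac(mac)] = (ip, port)
    return seen

def reconcile(allow_list, observed):
    """Answer both questions from step 1: what is here that should not be, and what is missing?
    Each finding is (kind, mac, detail) with kind in {"unknown", "wrong_port", "missing"}."""
    findings = []
    for mac, (ip, port) in observed.items():
        if mac not in allow_list:
            findings.append(("unknown", mac, f"{ip} seen on {port}"))
        elif allow_list[mac][1] != port:
            findings.append(("wrong_port", mac, f"expected on {allow_list[mac][1]}, seen on {port}"))
    for mac, (name, port) in allow_list.items():
        if mac not in observed:
            findings.append(("missing", mac, f"{name} not seen on {port}"))
    return findings

if __name__ == "__main__":
    for kind, mac, detail in reconcile(ALLOW_LIST, parse_observed(OBSERVED_DUMP)):
        print(f"{kind:10s} {mac}  {detail}")
```

Run against a real export, the "wrong_port" case is the one a sticky-MAC port would have shut down, and "missing" is the one that usually means unplanned downtime rather than an attack.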
2. Segment OT networks. Unlike IT networks that can be segmented by dividing the network into different departments with their own set of permissions, OT networks are essentially one giant intranet where everything is connected. This makes OT networks more difficult to segment, but not impossible. There are two ways users can segment an OT network:
- Vertical segmentation involves adding an industrial demilitarized zone (IDMZ) between the IT network and OT network. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks.
- Horizontal or lateral segmentation involves creating and separating cells, zones and sites on the OT network. A cell is essentially a tiny place where all equipment is stored, such as a cabinet. Several cells can form a zone, and multiple zones can form a site.
Segmenting OT networks using either method, or both, allows operators to prevent cyberthreats from spreading to other parts of the network.
3. Patch vulnerabilities. Since equipment and devices running on OT networks cannot be upgraded or replaced as frequently as endpoints on IT networks, OT networks still have many legacy devices that may even be running on operating systems as old as Windows 95. Many legacy OT devices remain unpatched and are relatively easy for hackers to exploit. If no patch is available from the original equipment vendor, consider applying a virtual patch on a device placed in front of the legacy devices.
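A policy check covering steps 2 and 3, added here and not part of the original article: cells grouped into zones, an IDMZ between IT and production, explicit conduits between zones, and Modbus/TCP function-code allow-listing standing in for the virtual patch a device in front of legacy PLCs would apply (a simplification of what a vendor IPS does). Zone names, subnets, ports and rules are constructed.

```python
"""Decide whether one flow is permitted by a zone-and-conduit policy.
Added example, not from the original article. It models the vertical (IDMZ) and
horizontal (cell/zone) segmentation of step 2 and, for step 3, uses Modbus/TCP
function-code allow-listing as a simplified stand-in for a virtual patch enforced by
a device in front of legacy PLCs. Zone names, subnets and rules are constructed."""
import ipaddress

# Cells (cabinets) are the smallest unit; each belongs to a zone. Constructed sample.
CELLS = {
    "it-office":  ("it",    "10.0.0.0/16"),
    "idmz-hist":  ("idmz",  "10.20.0.0/24"),   # historian in the IDMZ
    "line1-cab1": ("line1", "10.30.1.0/24"),
    "line1-cab2": ("line1", "10.30.2.0/24"),
    "line2-cab1": ("line2", "10.31.1.0/24"),
}
# Explicit conduits between zones -> allowed TCP ports; an absent pair is blocked,
# so IT never reaches a production zone except via the IDMZ (vertical segmentation).
CONDUITS = {
    ("it", "idmz"):    {443},   # IT reads the historian over HTTPS
    ("idmz", "line1"): {502},   # historian polls line-1 PLCs over Modbus/TCP
}
MODBUS_TCP = 502
MODBUS_READ_FUNCS = {1, 2, 3, 4}   # reads only; writes (5, 6, 15, 16) never reach the PLC

def cell_of(ip):
    """Map an address to its cell name, or None if it is in no known cell."""
    addr = ipaddress.ip_address(ip)
    for name, (_zone, net) in CELLS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def is_allowed(src_ip, dst_ip, port, modbus_func=None):
    """Return (allowed, reason) for a flow src_ip -> dst_ip:port."""
    src, dst = cell_of(src_ip), cell_of(dst_ip)
    if src is None or dst is None:
        return False, "unknown source or destination (not in any cell)"
    if src == dst:
        return True, "same cell"
    src_zone, dst_zone = CELLS[src][0], CELLS[dst][0]
    if src_zone != dst_zone:
        ports = CONDUITS.get((src_zone, dst_zone))
        if ports is None:
            return False, f"no conduit {src_zone}->{dst_zone}"
        if port not in ports:
            return False, f"port {port} not allowed on conduit {src_zone}->{dst_zone}"
    if port == MODBUS_TCP and modbus_func not in MODBUS_READ_FUNCS:
        return False, f"Modbus function {modbus_func} blocked in front of legacy PLC"
    return True, ("lateral traffic inside zone " + src_zone if src_zone == dst_zone
                  else f"conduit {src_zone}->{dst_zone}")
```

The same table drives both decisions: a missing conduit is the segmentation boundary, and the function-code filter is what keeps an unpatchable PLC reachable for monitoring but not for writes.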
4. Secure remote connections. Protecting the data transmitted from the plant or remote site back to the monitoring and control center is absolutely crucial. Ensure each remote connection to the OT network is authenticated and encrypted. “Authentication” verifies the identity of the user requesting access, whereas “encryption” ensures the data transmitted is securely encoded and cannot be easily deciphered by prying eyes.
Besides managing and segmenting OT networks, OT operators also need to ensure their systems are properly patched and remote connections are secure. These steps not only help reduce the gap between OT and IT departments, but also protect industrial control systems, which are increasingly being connected to the Internet, from cyberattacks.