The best advice for end users trying to secure connected OT devices


Suzanne Gill posed the following question to a variety of cybersecurity experts: What is the best piece of advice you can offer end users keen to ensure that their connected operational technology (OT) devices do not offer a potential attack surface for bad actors?

Massimiliano Latini, a founder at H-ON Consulting said: “There are three main steps to achieving the overall goal of protecting plants against cyberattack. Paradoxically, the first relates to a well-known issue in the industrial context – safety. Until now, safety and security have been regarded as separate matters with little in common. But this viewpoint is now outdated, and the ‘safety no longer exists without security’ approach is being adopted in many industrial concerns.”

Latini believes that traditional risk analysis alone is no longer sufficient, arguing that cybersecurity needs to be an integral part of a device throughout its lifecycle to ensure it is fully secure.

“The second step concerns decision-making control and the need to make choices as objectively as possible with regard to cybersecurity,” he said. “Everyone is aware of its importance, including in the industrial field.

“A management framework should be set out before entering into the details of the technical solution. This should enable end users to establish priorities for the various operations, and make an objective assessment of impacts and costs, so they can allocate time and resources where necessary.”

According to Latini, the final step relates to cybersecurity certification. “It is now increasingly important to be able to ensure that a device, system or plant meets certain universally recognized criteria, and this will provide a major competitive advantage in future years,” he said. “The only way to achieve this is to apply for a form of certification, whose long-term validity is guaranteed by certain accredited bodies.”

In conclusion, Latini believes that end users need a regulatory structure that indicates the objectives to pursue, leaving them free to choose the most appropriate technical solutions. There can be no doubt about the best choice: The leading standard is IEC 62443, which has become to all intents and purposes the de-facto standard for OT cybersecurity.

Taking responsibility for connected OT devices

Edward Kessler, executive lead for cybersecurity at EEMUA, also believes that there are several steps to securing connected OT devices, arguing that it depends on the level of expertise and awareness of the end user. “Organizations really need to have someone with clear responsibility and authority for OT cybersecurity,” he said. “It isn’t something that can be taken for granted.”

In any case, before any actions can be taken, a number of questions need to be answered. These include:

  • What do you have (hardware and software with multiple versions) and how many?
  • What is it connected to, what must it be connected to and what connections should have been removed after installation or update, or never made in the first place?
  • What does it depend on (data, control messages, timestamps, etc.) from elsewhere, and what depends upon it?
  • What protections exist in the network? Segmentation by firewall? Whitelisting? Intrusion detection systems? Regularly updated antivirus software? Log collection and monitoring?
  • Who are the privileged users, and are privileges maintained at the lowest possible level and revoked when no longer needed?
  • Who is responsible for firewall rules and whitelisting? Are the rules appropriate to minimum required connectivity, up to date and updated for each change to required connectivity?
  • Have all default passwords been changed to non-trivial and robust passwords?
  • Is there a patching policy?
  • Is two-factor authentication in use for any remote access?
  • Is encryption used for links to remote sites, such as for monitoring and control equipment?
  • Is information about all of the above stored securely in a cybersecurity management system with controlled access and backup?
  • What controls exist to prevent unauthorized devices (USB sticks; mobile phones; personal, contractor or supplier laptops; mobile routers, etc.) being connected to the network?
  • Do you share information with colleagues concerned with physical security?

“If you know the answers to these questions, then you can probably see the goal posts and can produce an implementation plan to suit what has been found,” explained Kessler. “Of course, there are other things to consider, which are by no means trivial – including staff awareness and training and control and monitoring of contractors and suppliers. Think like a poacher, not like a gamekeeper! It is important to know the answers to those questions and more long before the hackers do. Otherwise, there will be no time to act before they do.”

In conclusion, Kessler pointed out the importance of being aware that reducing the attack surface is only part of the problem. There is still an attack surface. He said: “It is also important to have a robust plan for what happens in the event of an attack, and beyond that, there needs to be clear agreement among the stakeholders on how you manage the priorities for recovery.”

Lacking security questions for connected OT

Even though many modern OT devices offer state-of-the-art security that should be able to withstand cyberattacks, most OT devices fall short when it comes to security questions, according to Dr. Lutz Jaenicke, corporate product and solution security officer at Phoenix Contact GmbH & Co.

“To attack a device via the network, the attacker first needs to be able to reach the device. Firewalls are very effective in preventing such access. Of course, if possible, only those services of an OT device should be activated that are strictly necessary for its operation. The network topology should be considered, as well. One central firewall between the information technology (IT), office and OT network is a major step. It does not, however, prevent an attack from spreading inside the OT network once a system from which to attack has been found.”

Any services made available should be protected by passwords or other authentication mechanisms. If the device does not offer secure communications, for example by using https or TLS, encryption of the communication using a VPN gateway can help protect the passwords against eavesdropping. In an internal network, traffic might also be encapsulated into its own VLAN.

“Unfortunately, once a communication is established, attacks can occur due to flaws in the implementation of the device,” he said. “This can even happen before any authentication has taken place. It is also possible to try to guess passwords, as many devices are not prepared to defend by limiting guessing attempts. Therefore, it is a good idea to restrict communication to specifically allowed systems or persons. A firewall, VPN tunnel or VLAN should be configured to support this restriction.”

An OT device should never be connected to the internet directly or via port forwarding, warned Jaenicke. “Attackers are constantly roaming the internet to find exposed services which they can take advantage of. Outgoing connections are less risky. It should, however, be considered that the external peer might be manipulated and thus be used to attack the OT device and starting from other assets. So outgoing connections should also be prohibited until explicitly cleared by the operator.

“If supported, the OT devices should be integrated into monitoring systems. Events and logs should be collected in central systems. One of the first actions attackers will take is to delete logs of their entry. Collecting logs in a special location keeps the information safe. Using a suitable log analysis tool or a security incident and event management (SIEM) system can lead to a timely detection of a security incident.”
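The two points above, that many OT devices do not limit password-guessing attempts and that logs collected centrally let a SIEM detect an incident in time, can be illustrated with a small correlation check run at the collector. This is an added example, not code from the article or from Phoenix Contact; the log format, device names and addresses are constructed for it.

```python
# Added example, not code from the article or Phoenix Contact: a minimal central
# collector check of the kind a SIEM correlation rule runs over syslog forwarded
# from OT devices. Since many devices do not limit login attempts themselves, the
# collector flags password-guessing bursts per device/source and a successful
# login from a source that was just guessing. Log format and names are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) auth (?P<result>FAIL|OK) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Turn forwarded auth lines into dicts, oldest first; non-matching lines are ignored."""
    events = []
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def guessing_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Map (device, src) -> peak number of FAILs seen inside any `window`."""
    fails = defaultdict(list)
    for e in events:                      # events are time-ordered, so are the lists
        if e["result"] == "FAIL":
            fails[(e["dev"], e["src"])].append(e["ts"])
    bursts = {}
    for key, times in fails.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[key] = max(bursts.get(key, 0), n)
    return bursts

def success_after_guessing(events, bursts):
    """(device, src, user) for each OK login from a source already flagged in `bursts`."""
    return [(e["dev"], e["src"], e["user"]) for e in events
            if e["result"] == "OK" and (e["dev"], e["src"]) in bursts]

# Constructed sample: a PLC's forwarded log; 10.0.5.9 guesses six times, then gets in.
SAMPLE = [f"2024-03-01T08:00:{s:02d} plc-07 auth FAIL user=admin src=10.0.5.9"
          for s in range(0, 30, 5)] + [
    "2024-03-01T08:00:31 plc-07 auth OK user=admin src=10.0.5.9",
    "2024-03-01T08:05:00 plc-07 auth OK user=eng1 src=10.0.1.20",
    "2024-03-01T08:06:00 hmi-02 auth FAIL user=eng1 src=10.0.1.20",
]
```

Running `success_after_guessing(parse(SAMPLE), guessing_bursts(parse(SAMPLE)))` flags the admin login on plc-07 from 10.0.5.9, while the single failure on hmi-02 stays below the threshold.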

In any case, and especially in the age of ransomware, Jaenicke advised that a backup and restore strategy is developed and deployed. Once a system has been compromised, it will most likely not reverse into a secure state by just rebooting. It may also be difficult to find out which manipulations were performed by the attacker. So the device will have to be completely reset with fresh firmware, and the configuration will have to be restored.

Original content can be found at Control Engineering Europe.
