Addressing Known and Unknown Operational Technology Threats

Article By Alain Penel, Regional Vice President – Middle East, Fortinet.

The Fourth Industrial Revolution is a convergence of technologies that is blurring the lines between the physical and digital worlds, known as cyber-physical systems. And it is utterly transforming the technology systems that support things we don’t usually see, like manufacturing, transportation, energy production and distribution, water and waste management, and city and building automation.

Understandably, awareness of operational technology (OT) and critical infrastructure system security is rising. The journey to protect and secure OT systems is well under way but requires both vigilance and the recognition of the need to build in security. The ability to implement security solutions that deliver visibility, control and real-time situational awareness are the differentiators enabling safe and more efficient operations.

The Risk of OT Convergence

Traditionally, OT networks operated autonomously, fully isolated both from the internet and the IT network operating in the same organization. Ironically, one of the hallmarks of OT digital transformation is the push toward convergence with the IT network. Workflows, business applications and data need to flow seamlessly across and between networked systems, from consumers to manufacturing. Access to real-time data in an OT environment can have a significant impact on everything from energy production to distribution processes or affect the output of a manufacturing floor. Such access enables organizations to respond to consumer demand for desired goods and services with greater agility and efficiency.

OT system managers, however, are rightly concerned about the impact of IT/OT convergence, which is one of the reasons why OT networks were historically air-gapped in the first place. Such an approach limited attack surface concerns, since the OT environment didn’t extend to external networks. OT environments converged with IT are not only highly susceptible to traditionally IT-focused cyberattacks but also vulnerable to basic IT functions like the active scanning of network devices, which can disable a primitive device or, worse, bring an entire system down.

Most OT environments tend to integrate substantial, high-value assets performing high-end processes to produce a consumable and, as a result, can only tolerate minimal downtime. It is important to remember that system availability of OT networks is about much more than merely protecting assets. It is also about protecting those resources that are critical to our daily lives, such as water, gas, transportation and electricity. So, unlike IT networks, the top priorities in OT environments—especially those that provide critical infrastructure—are safety and availability, with security usually ranked no better than third.

The proper approach to securing OT environments, therefore, is to build security directly into the network architecture to ensure that that the preservation of safety and system availability are paramount. While this resembles a traditional security strategy approach, do not be fooled. It requires specialized solutions and strategies adapted to OT’s unique requirements.

Addressing Known and Unknown OT Threats

As OT and IT networks converge, implementing an active network defense at the IT/OT boundary is critical, not only to defend against bad actors but to also protect delicate, high-valued infrastructure from accidental damage caused by normal IT activities. This includes three steps:

• Address known and reasonably expected threats by applying secure gateways at the edges of the OT network, and then implementing signature-based solutions to recognize and stop known threats. However, care must be taken to identify and implement solutions that are fluent with or support OT protocols, applications, devices and processes. Many traditional off-the-shelf NGFW and IPS solutions, for example, are just not equipped to provide security that won’t also represent a risk to OT environments through such actions as active device scanning, traffic denial or turning off ports or protocols.
• Address unknown threats. This begins by defining the attack surface and baselining normal activity in order to detect behaviors that are either zero-day, existing malware you’ve not seen before, operator errors or coerced actions by a trusted operator. In the latter case, an operator may have historically earned trust but for whatever reason is either now behaving in a perceived malicious manner or their access has been compromised by a malicious actor.
• Trust assessments need to occur in real-time. The value of continuous, real-time trust assessment is that it enables the detection and analysis of malicious behaviors before they can affect live operations. Why is that important? Employing the Purdue Model to illustrate the OT network architecture reveals that penetrating below level 2 affords an attacker access near the plant floor, where operational physical actions are happening continuously. If an attacker can trigger failure at that root level, processes can fail – or worse, systems can spiral out of control. For example, in a manufacturing environment, process failures can escalate quickly and, if undetected, cause catastrophic damage where lives are at risk and high-value assets are destroyed.

Layered Segmentation and Multi-Factor Control

One essential OT security function is to behaviorally recognize and control communication and network traffic at every single level of the Purdue architecture. Accomplishing such awareness requires integrating security controls into every layer. A recommended approach to realizing this level of security control across a layered architecture is through client authentication.

A preferred method to control access in an OT network architecture is to implement layered segmentation with a multi-factor authentication scheme. That way, if a trusted operator is working at the SCADA layer, the ability to influence the OT process and accomplish the assigned mission is restricted to the immediate environment. Access controls prohibit access and the execution of actions that would influence adjacent north/south or east/west OT segments within the network architecture.

Adopting an authentication scheme that delivers layered segmentation is crucial, especially in a critical manufacturing domain where the network architecture spans multiple lines of production. Operators and end users alike can be bound by layered segmentation and multi-factor authentication and restricted by rule to their exclusive OT environment. By design, this approach defeats the ability to cause harm, either directly or indirectly, through malware propagation to any areas outside of the immediate zone of control.

Real-Time Network Security Analysis

Across any OT network architecture, accomplishing at-speed recognition of any known malicious code, unknown code or irregular instruction is imperative. The ability to detect, analyze and neutralize any potential threat depends upon a real-time analysis of all the instructions that are being executed. The implementation of this practice ensures that live operations are protected at all times and that system security is accomplished with transparency while adeptly blocking any behaviours or instructions that are outside of policy.

Real-time event analysis affords consistent protection regardless of intent. It is impartial and affords detection through at-speed analysis that protects against well-orchestrated attacks, as well an operator who carelessly commits an error while executing OT processes. This approach disregards assumed trust and instead seeks to protect the highly valued assets of the OT system and the enterprise. So, even in the instance of a platform compromise through the use of social engineering and a bad actor eventually masquerading as a legitimate user, the real-time detection of the security event precludes any impact to live operations.

Extending this practice below level 2 of the Purdue model is equally important and ultimately requires the recognition of bad instructions that may otherwise look authentic. An intruder’s ability to subtly inject new instructions into a system or influence unique OT protocols could cause real financial and even physical damage that may escape normal levels of inspection. This is why detecting anomalies below level 2 of the Purdue model for OT require deep packet inspection in order to understand behaviours at the protocol level, which is the language spoken exclusively in the OT domain at its most fundamental layer.

The at-speed analysis below level 2 entails recognizing malicious behaviours that impact Process Controls or the Physical Plant Floor. Drilling down below level 2 of the Purdue model entails understanding the OT-specific protocol behaviours that regulate communication to PLCs or RTUs. While these are more primitive kinds of communication, OT systems depend on them, and identification of malicious behaviour at this level must be identified and stopped before those communications can reach their intended target. This requires a level of responsiveness that most IT security strategies and solutions simply don’t provide.

Summing Up

Understanding and monitoring OT networks, control systems, commands and device behaviours across all Purdue Model OT network architecture levels is the only way to deliver the safety that’s required to protect continuously running systems while also ensuring the preservation of security and availability.

Success in such efforts, however, can be realized for OT systems as security is integrated across the network architecture to deliver visibility, control and security designed for the OT environments. This is the primary line of defense essential for protecting critical assets and sustaining safe operations. The journey forward to protecting and securing otherwise fragile but highly valued OT system assets depends on a proactive strategy that leverages advanced solutions and recognizes the need for defensive persistence.