By Craig Burland, CISO, Inversion6
Computer-controlled devices are all around us. From delivery robots to smart buildings to shipping and transportation, computer-controlled devices that affect the physical – not digital – domain are embedded in our daily lives. This Operational Technology (OT) connects and automates the factory floor, manages cutting-edge buildings, navigates ships across oceans, and will soon outnumber human drivers on our streets and highways.
OT also offers tremendous opportunities to mine data about systems that can directly translate into profits. Unfortunately, these computer-controlled devices carry steamer-trunks full of technical debt, raising a host of cybersecurity concerns that threaten to negate the upside and potentially create enterprise-wide disasters. The collision of the Information Technology and Operational Technology worlds has arrived.
OT security debuted on the world stage in 2010 when the, now infamous, Stuxnet virus infected the Programmable Logic Controllers (PLCs) managing the centrifuges of an Iranian nuclear weapons facility, causing an operational incident that derailed Iran’s weapons program. The worm unintentionally spreads far beyond its intended target and infected thousands of other devices worldwide, bringing attention to the threat imposed by OT. More recently, Russia included attacks on unsecure UPS devices as part of its war on Ukraine, returning the spotlight to the flaws in OT security.
Four interconnected issues make securing OT a serious and challenging cybersecurity problem:
- Uptime is king
- Productivity is queen
- OT was built for the manufacturing lifecycle
- Cybersecurity was not part of the design process
OT solutions are designed for environments where uptime was the main requirement. Machines going down means that products are not being built, directly impacting customers and revenue. The need for multiple 9s of availability crowds out requirements like patching or dynamic protections. Manufacturers often employ extreme measures to avoid operational outages, going as far as stockpiling and cloning obsolete equipment like Windows XP PCs to avoid accommodating dynamic elements in the environment. This is why the Wall Street equivalent of “Cash is King” on the manufacturing floor is “Uptime is King.”
Productivity, for the operators and engineers, falls a close second to uptime for similar reasons. More efficient workers produce more products for the same labor cost, generating more profit. Friction like entering a username and password is viewed as lost time. Increasingly, standardized automation systems are supported by engineers and designers that don’t have physical access to the devices, but remote in to pull data or optimize machine parameters. For the organization, this maximizes efficiency. For cybersecurity, this maximizes the attack surface.
Devices in the manufacturing world are built to last decades and often cost millions of dollars. Maintenance on the factory floor means periodically shutting machines down to calibrate sensors, change the oil, tighten bolts or refurbish parts. It does not mean applying monthly security patches to the HMI or PLC. This is not an inconsequential miss. The lifecycle of these devices can be 15 to 20 years, not the 3 to 5 years of an IT asset which puts a considerable burden on the cyber and IT organizations.
The last challenge — the absence of cybersecurity requirements in the design process — is more than the simple derivative of technology designed to maximize uptime, productivity and long lifecycles. It underscores a lack of awareness or understanding of the threat. Unlike phishing or malware incidents, OT compromises rarely make headlines. They fall into an unaddressed quadrant of a standard heatmap – highly unlikely, but potentially catastrophic – typically leaving them as an unaddressed item on the priority list.
But despite these hurdles, organizations have options to reduce risk. These options must be employed smartly, recognizing that some control is better than none and understanding that too much friction will backfire. They must also be employed specifically, acknowledging that OT is not IT. Forcing strong credentials and Mult Factor Authentication (MFA) onto the machine operator won’t work. Your preferred Endpoint Detection and Response (EDR) won’t run on a PLC built with a custom version of Windows7. That standard GPO locking forcing a session timeout will disable a domain-connected Human Machine Interface (HMI).
The single most important control to employ is segmentation. To borrow a tagline from Las Vegas tourism, “What happens in OT, stays in OT.” Establishing a boundary between the IT and OT environments is essential to gaining visibility, identifying risk and exerting a measure of control. In many respects, this mimics the barrier between a private network and the Internet. It’s unthinkable for an organization to have unmanaged access to the Wild West of the Internet given its ungoverned nature and unknown threats. Considering the hygiene of a typical OT environment, it should be equally unthinkable to allow unfettered access between IT and OT.
With a capable boundary in place, deploying other core elements of cyber defense becomes possible. In the world of cyber, Visibility (not Cash) is King. You can’t defend what you can’t see. Capturing traffic moving into and out of the OT segment can reveal surprising risks, but also opens the door to controlling those risks. Lots of SMB traffic moving into the OT segment? Find out why. Find out who. 3rd parties remoting into the OT segment. Find out who. Find out why. Devices beaconing out to known C2 sites? Well… just stop those. Then capitalize on the incident to build a comprehensive strategy to defend OT that runs the gamut from awareness to asset management, from procurement to active prevention, from cyber requirements to remediation.
Protecting OT is complex and unique because of its primary drivers – uptime, productivity and extended lifecycles – but not impossible. The principles cyber defenders use to protect information technology can be applied to operational technology; the tools used can be successfully adapted. While the worlds of IT and OT are coming together, a well-planned cyber response can help merge these worlds instead of causing a crash.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be
reached online at LinkedIn and at our company website http://www.inversion6.com.
;
We are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.