OPERATIONAL TECHNOLOGY (OT) AND CYBER-PHYSICAL SECURITY CHALLENGES

WHAT IS OT SECURITY

WHAT IS OPERATIONAL TECHNOLOGY (OT)?

OT is everywhere around us.  It enables modern society, by delivering critical infrastructure such as electricity and water, managing complex transportation networks, delivering advanced health care capabilities, manufacturing our goods, producing and distributing our food and medicines, and regulating our environments.  OT uses specialised hardware and software to monitor and control physical processes.

OT, however, cannot stand up to even basic cyber threats once it is connected to traditional IT networks.  IT cybersecurity responses simply do not work in OT environments, because OT design principles favour availability and safety over the confidentiality and privacy that are often the top concerns in the IT space.

WHAT IS OT SECURITY?

OT security aims to protect the safety, reliability, availability, integrity and confidentiality of industrial processes against cyber-related risks.

Depending on the industry, OT design principles historically catered to environmental, chemical, electrical, mechanical and similar induced failures.  Intentional attacks and collateral damage from cyber incidents can, however, cause major damage when they spill into the OT environment, as these threats were never anticipated until IT and OT networks started connecting and converging.

WHAT ARE THE COMPONENTS IN OT NETWORKS?

Components on OT networks – also referred to as nodes or assets – come in many shapes and sizes, and are referred to under different names depending on the industry and discipline.  These range from Human Machine Interfaces (HMI), Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA), Building Management Systems (BMS), Data Historians, biomedical devices, industrial (and commercial) IoT devices and the like.

In manufacturing, asset owners often refer to this as the “plant network”.  In healthcare it may be called the biomedical device network (although Picture Archiving and Communication Systems (PACS) and operational control systems such as nurse call, transport tubing, HVAC etc. may also be overlooked areas of healthcare OT networks).  Mining and critical infrastructure may simply call this the SCADA network, and so on.

Industrial Automation And Control Systems

Industrial Control Systems (ICS, or Industrial Automation and Control Systems, IACS) are used to manage processes such as food processing, packaging and manufacturing.

SCADA

SCADA Networks are usually distributed over large geographical areas.

PLC / DCS

Programmable Logic Controllers are in widespread use, driving machinery and robotics in Industrial settings. In larger environments, co-ordination is often managed by a Distributed Control System.

Biomedical, IOT And Embedded

Over the last decade, all sorts of non-traditional IT equipment has made its way into industrial networks. With the uptake of edge computing, traditional IT equipment is also gaining additional capabilities to connect to industrial systems over ICS protocols.

WHY ARE OT SECURITY CHALLENGES DIFFERENT FROM IT (CYBER) SECURITY?

In order to understand OT security and its challenges, it helps to contrast it with traditional IT security.  In terms of objectives,  IT security is geared to ensure that confidentiality, integrity, and availability of information (the CIA triad) are maintained, with privacy considerations pushing the confidentiality requirement to the top.  In OT networks, safety, reliability and availability are of primary concern.  This turns the CIA triad upside down, as human life, asset protection and outcome are often tied to the uninterrupted functioning of OT-managed processes.

As a simplified model, the risk tied to cyber-physical exposure can be considered as follows:  threats may exploit vulnerabilities in assets, systems or processes to create an undesirable impact.  This risk may be managed by eliminating the threat, reducing the vulnerability or lowering the potential impact.  In practice (both IT and OT), responses usually revolve around reducing vulnerabilities.  This is also where the main similarities between IT and OT are found, i.e. in the vulnerability part of the equation.  Both IT and OT are based on technology and as such are exposed to code vulnerabilities, configuration vulnerabilities, weak identities and insecure protocols.

Mature IT practices can address these vulnerabilities in IT networks through patching, configuration hardening, identity management tools and replacing insecure protocols with secure encrypted alternatives.  In many OT environments, these practices are not possible.  Patches may not be available where legacy devices are in play, or it may not be desirable to apply such patches due to the potential negative impact on availability.  Configuration hardening may break interoperability between vendor components, identities are fragmented across devices with embedded or even hard-coded authentication that cannot be centrally managed, and insecure industrial control protocols are commonplace.

The table below summarises the challenges in applying IT-type controls in OT environments:

Vulnerability category | IT response | OT challenges
Code vulnerabilities | Automated patching | Patches are mostly not available. Where available, patching requires firmware upgrades with the potential to disrupt availability.
Configuration vulnerabilities | Secure configurations out of the box | Hardening configurations breaks interoperability, with a high potential to disrupt availability.
Weak identities | Single sign-on, multi-factor authentication, privileged access management, etc. | Identities are fragmented, with different capabilities to secure them depending on the vendor, often hard-coded or with inadequate role segregation.
Protocol / design vulnerabilities | Secure, encrypted, authenticated alternatives (e.g. HTTPS vs HTTP, SSH vs Telnet) | Pervasive unauthenticated and unencrypted ICS protocols allow instructions to be sent to end nodes with routable network access as the only requirement.

Lastly, the threat actors in OT networks also have a different profile from IT networks.  Data breach investigations in IT frequently confirm financial gain and espionage as primary motivations for attacks on IT networks, mainly driven by organised crime.  Although organised crime groups are shifting focus to OT networks, with multiple cases of ransomware disrupting production lines and healthcare facilities, OT is also actively targeted by hacktivists and nation states in a much more persistent manner.

Based on these factors, a different way of thinking and approach to OT security is required.  Cybersplice subscribes to the vulnerability shielding methodology.  Vulnerability shielding disrupts the kill chain by removing the ability of the attacker to exploit vulnerabilities.  This has proven to be an effective approach in OT environments where devices are inherently insecure due to the reasons described above.

AM I EXPOSED?

There are two prerequisites to effectively manage cyber-physical exposure: awareness and visibility.

Awareness requires understanding threat capability and intent, vulnerabilities, the potential impact on assets, environment and human well-being, as well as the options available to manage risk (i.e. to reduce the likelihood of these elements connecting or to reduce the potential resulting impact).

Although visibility is required across the elements mentioned above, visibility into vulnerabilities as well as whether these vulnerabilities are actively being targeted is key to detecting and responding to attacks, in order to minimise potential damage from a security compromise. Visibility could mean the difference between an incident with a minor impact and a catastrophe.
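As an added example of the protocol weakness in the last row of the table above (instructions accepted from anyone with routable access) and of the visibility point made in this section, here is a passive monitor of the kind a network probe feeds: it decodes Modbus/TCP requests, learns the (source, destination, unit, function) conversations seen during a quiet learning window, and then alerts on anything outside that baseline, rating write commands from a non-engineering host highest. This is not code from the page or from Cybersplice. Modbus/TCP as the protocol, the 10.0.1.x and 10.0.2.5 addresses, the ENGINEERING_HOSTS allowlist and every captured record are constructed assumptions for the demonstration.

```python
"""Passive monitor for unauthenticated Modbus/TCP requests (constructed example)."""
import struct
from typing import Dict, List, NamedTuple, Set, Tuple

# Public Modbus function codes. Write functions change state on the end node,
# and the protocol itself offers no way to verify who sent them.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

# Assumed: the only host that is supposed to push configuration writes.
ENGINEERING_HOSTS = {"10.0.1.20"}

Conversation = Tuple[str, str, int, int]   # (src, dst, unit id, function code)


class Record(NamedTuple):
    """One captured request, as a probe or span port would hand it over."""
    ts: float
    src: str
    dst: str
    payload: bytes


def parse_modbus_tcp(payload: bytes) -> Dict[str, object]:
    """Decode the 7-byte MBAP header and the function code of one request."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:   # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def modbus_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct the sample capture."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(records: List[Record]) -> Set[Conversation]:
    """Learning window: every conversation tuple observed is treated as normal."""
    baseline = set()
    for r in records:
        req = parse_modbus_tcp(r.payload)
        baseline.add((r.src, r.dst, req["unit"], req["function"]))
    return baseline


def detect(records: List[Record], baseline: Set[Conversation]) -> List[Tuple[str, str, str]]:
    """Return (severity, source, message) for every request outside the baseline."""
    alerts = []
    for r in records:
        try:
            req = parse_modbus_tcp(r.payload)
        except ValueError as err:
            alerts.append(("low", r.src, "malformed frame: %s" % err))
            continue
        key = (r.src, r.dst, req["unit"], req["function"])
        if key in baseline:
            continue
        name = FUNCTION_NAMES.get(req["function"], "function %d" % req["function"])
        where = "unit %d on %s" % (req["unit"], r.dst)
        if req["function"] in WRITE_FUNCTIONS and r.src not in ENGINEERING_HOSTS:
            alerts.append(("high", r.src, "unbaselined %s to %s" % (name, where)))
        else:
            alerts.append(("medium", r.src, "new conversation: %s to %s" % (name, where)))
    return alerts


PLC = "10.0.2.5"
# Constructed learning-window traffic: an HMI polling and adjusting a setpoint,
# and the engineering workstation downloading a parameter block.
LEARNING = [
    Record(0.0, "10.0.1.10", PLC, modbus_request(1, 1, 3, b"\x00\x00\x00\x0a")),
    Record(1.0, "10.0.1.10", PLC, modbus_request(2, 1, 6, b"\x00\x10\x01\xf4")),
    Record(2.0, "10.0.1.20", PLC, modbus_request(3, 1, 16, b"\x00\x20\x00\x01\x02\x00\x64")),
]
# Constructed live traffic: one normal poll, then three deviations.
LIVE = [
    Record(10.0, "10.0.1.10", PLC, modbus_request(4, 1, 3, b"\x00\x00\x00\x0a")),
    Record(11.0, "10.0.1.99", PLC, modbus_request(5, 1, 5, b"\x00\x01\xff\x00")),   # unknown host, coil write
    Record(12.0, "10.0.1.10", PLC, modbus_request(6, 2, 3, b"\x00\x00\x00\x02")),   # HMI polls an unseen unit
    Record(13.0, "10.0.1.10", PLC, b"\x00\x07\x00\x00\x00\x09\x01\x03"),            # length field lies
]


def run_demo() -> List[Tuple[str, str, str]]:
    """Learn from the quiet window, then score the live records."""
    return detect(LIVE, learn_baseline(LEARNING))


if __name__ == "__main__":
    for severity, src, msg in run_demo():
        print("%-6s %-10s %s" % (severity.upper(), src, msg))
```

Because the protocol carries no authentication, the monitor can only key its baseline on network addresses, never on who actually issued a frame; that is why this gives visibility and alerting rather than prevention, and why the write from 10.0.1.99 is rated high rather than blocked.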

Cybersplice provides professional assessment services to help our clients understand their cyber-physical exposure.  We provide risk and threat assessments, control capability maturity assessments, and assessments against industry standards.  We bring visibility to assets and asset behaviours on the OT network using Splice.  These elements are matched to understand exposure and prioritise actions into a tailored roadmap.

Cybersplice’s methodology to measure Cyber-physical Exposure and improve Cyber-physical Resilience is depicted in the diagram below:

CYBER-PHYSICAL EXPOSURE ASSESSMENT

To facilitate the visibility required during Cyber-physical exposure assessments, Splice zero-touch or rapid deployment options are leveraged.

CYBER-PHYSICAL INCIDENT RESPONSE

When dealing with a cyber-physical attack, time is of the essence.  Unless organisations have planned for and tested their response capabilities up front, the situation may be overwhelming.  Cybersplice guides customers through the response process and assists with understanding the depth of compromise, appropriate action to reduce the potential impact, and eradication options to restore operations to a known state.

Get in touch via the contact form for assistance.

In addition to on-demand Incident Response assistance, Cybersplice also facilitates developing and exercising the Incident Response capability through tabletop and hybrid simulations.

HOW CYBERSPLICE OT SECURITY WORKS

Our methodology to protect your OT network is based on our easy-to-follow OT Resilience Roadmap.  Step 1 provides rapid visibility of the OT network environment and its behaviours.  Step 2 is geared to mitigate avoidable risks, and Step 3 shields and protects inherently insecure devices.

Step 1: Same day visibility and monitoring
  • Zero-touch
  • Rapid deploy
  • Virtual, light and deep probes

Step 2: Secure access edge
  • Identity shielding
  • Secure remote access

Step 3: Full vulnerability shielding
  • In-path protection
  • In-core and edge isolation
  • Insecure protocol wrapping

WHY USE CYBERSPLICE FOR OT SECURITY

Cybercriminals are shifting focus to Operational Technology networks, but many businesses are ill-prepared with limited visibility in this area.  IT security responses do not work in OT networks, due to inherent design differences, interoperability requirements and functional limitations of specialised equipment.  Most current responses are expensive, complex, difficult to implement, and at best only tell you where to look whilst you are still being hacked.

Cybersplice provides a cost-effective alternative, switching the lights on to provide security visibility for your OT network with a rapid deployment architecture, based on zero-touch, virtual, and optional deep hardware probes.  This allows our cloud-based analytics engine to become intimately familiar with your OT network behaviours, and to stand guard alerting on outliers and anomalous activity.

Cybersplice can also transition to in-path mode, shielding vulnerable OT equipment inside an encrypted overlay network, and disrupting the kill chain for would-be attackers.  Cybersplice builds mitigations into the communication layer, allowing vulnerable equipment to continue to operate without exposing the entire operation.
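The in-path protection and insecure protocol wrapping described above and in the roadmap, as an added example that is not Cybersplice's code or Splice's design: a client-side wrap() and a gateway-side Shield that together put an identity, a freshness counter and an HMAC-SHA256 tag in front of a raw Modbus/TCP frame, so the PLC only ever receives frames the shield has authenticated and policy-checked. Modbus/TCP as the wrapped protocol, the client ids, the keys, the WRITE_ALLOWED policy and the sample frames are all constructed assumptions; the overlay's transport encryption (e.g. TLS between client and shield) is assumed and not shown, so the example covers only the authentication, anti-replay and policy layer that sits in the path.

```python
"""In-path shield that wraps an unauthenticated ICS protocol (constructed example)."""
import hashlib
import hmac
import struct
from typing import Dict, List

# Modbus write function codes; the shield treats these as privileged.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Assumed: per-client keys and policy held by the shield (constructed values).
CLIENT_KEYS: Dict[str, bytes] = {
    "hmi-01": b"constructed-key-for-hmi-01",
    "eng-ws": b"constructed-key-for-eng-ws",
}
WRITE_ALLOWED = {"eng-ws"}   # only the engineering workstation may write

HDR_LEN, TAG_LEN = 24, 32    # 16-byte client id + 8-byte counter; HMAC-SHA256 tag


class ShieldError(Exception):
    """Raised when a wrapped frame must be dropped instead of forwarded."""


def wrap(client_id: str, counter: int, frame: bytes, key: bytes) -> bytes:
    """Client side: bind the raw frame to an identity and a fresh counter."""
    cid = client_id.encode()
    if len(cid) > 16:
        raise ValueError("client id longer than 16 bytes")
    header = cid.ljust(16, b"\0") + struct.pack(">Q", counter)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + tag + frame


class Shield:
    """Gateway side: verify origin, reject replays, enforce policy, release frame."""

    def __init__(self) -> None:
        self.last_counter: Dict[str, int] = {}   # per-client replay state

    def unwrap(self, wrapped: bytes) -> bytes:
        if len(wrapped) < HDR_LEN + TAG_LEN + 8:
            raise ShieldError("truncated message")
        client_id = wrapped[:16].rstrip(b"\0").decode(errors="replace")
        counter = struct.unpack(">Q", wrapped[16:24])[0]
        tag = wrapped[HDR_LEN:HDR_LEN + TAG_LEN]
        frame = wrapped[HDR_LEN + TAG_LEN:]
        key = CLIENT_KEYS.get(client_id)
        if key is None:
            raise ShieldError("unknown client")
        expected = hmac.new(key, wrapped[:HDR_LEN] + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ShieldError("bad tag")
        if counter <= self.last_counter.get(client_id, -1):
            raise ShieldError("replayed or stale counter")
        self.last_counter[client_id] = counter     # authentic: consume the counter
        if struct.unpack(">H", frame[2:4])[0] != 0:  # MBAP protocol id must be 0
            raise ShieldError("not a Modbus/TCP frame")
        if frame[7] in WRITE_FUNCTIONS and client_id not in WRITE_ALLOWED:
            raise ShieldError("write not permitted for %s" % client_id)
        return frame   # the raw, unmodified frame goes on to the PLC


# Constructed Modbus/TCP requests: read 10 holding registers; write register 16.
READ_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
WRITE_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x01\xf4"


def _try(shield: Shield, wrapped: bytes) -> str:
    try:
        shield.unwrap(wrapped)
        return "forwarded"
    except ShieldError as err:
        return "dropped: %s" % err


def run_demo() -> List[str]:
    """Push a sequence of wrapped frames through one shield instance."""
    shield = Shield()
    attempts = [
        ("hmi-01", 1, READ_FRAME, CLIENT_KEYS["hmi-01"]),      # normal poll
        ("hmi-01", 1, READ_FRAME, CLIENT_KEYS["hmi-01"]),      # same counter again
        ("hmi-01", 2, WRITE_FRAME, CLIENT_KEYS["hmi-01"]),     # HMI is not allowed to write
        ("eng-ws", 1, WRITE_FRAME, CLIENT_KEYS["eng-ws"]),     # permitted write
        ("rogue-01", 1, WRITE_FRAME, b"not-an-enrolled-key"),  # unenrolled identity
    ]
    results = [_try(shield, wrap(c, n, f, k)) for c, n, f, k in attempts]
    tampered = bytearray(wrap("eng-ws", 2, WRITE_FRAME, CLIENT_KEYS["eng-ws"]))
    tampered[-1] ^= 0x01                     # one bit of the frame altered in transit
    results.append(_try(shield, bytes(tampered)))
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the block prints one verdict per attempt. The frame released to the PLC is byte-for-byte what the client sent, which is what lets legacy equipment keep operating unmodified while the identity, replay and policy checks happen in the communication path in front of it.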

Cybersplice is the logical alternative to air gaps, firewalls, data diodes and old-school thinking.