Four cybersecurity technologies, concepts can reduce industrial network risk
Explore the qualities and benefits of zero trust, principle of least privilege and other methods of improving cybersecurity. Four key technologies and security concepts are highlighted.
Learning Objectives
- Operational technology (OT) systems are more vulnerable to cybersecurity attacks.
- A zero-trust approach is very demanding, particularly for brownfield applications, but it is also the most secure.
- Active and passive network monitoring, principle of least privilege and SIEM integration also can help keep OT networks secure.
Cybersecurity Insights
- Companies need to ask how they can adapt to the cybersecurity landscapes and provide support without slowing down the company’s initiatives.
- More operational technology (OT) networks are connected thanks to the Industrial Internet of Things (IIoT), which creates greater vulnerabilities from a cybersecurity standpoint.
- The end goal is to reach a zero trust posture, which is considered the best program because it demands the most attention and awareness from everyone in a company. Getting there requires a lot of time and consistency from everyone involved.
Cybersecurity used to be something in the information technology (IT) realm. Those folks with computer science degrees would batten the hatches, lock down the precious goods and keep intruders out of the IT network. Since the IT network was seen as the only way into the operational technology (OT) network, this was deemed sufficient for a lot of companies.
Lurking threats remained on the fringes of OT networks. Malware from an engineer, physical access with someone plugging in a USB key or plugging a device into the network, or occasionally wireless access may let a bad actor in. While serious, these incidents were rare, and the risk was deemed acceptable for many companies.
New OT network architectures: 4 technologies, concepts
In recent years, OT networks are more connected than ever. Some organizations are running a flat network topology (“Kansas” networks), while others are adding Internet of Things or Industrial Internet of Things (IoT/IIoT) devices and systems that communicate with the cloud. These newer OT setups have caused significant changes by bypassing network layering or Purdue models.
Companies need to ask how they can adapt to these changing landscapes and support these networks without slowing down the company’s digital transformation initiatives. They also need to ask how they can achieve desired business outcomes while remaining vigilant on the cybersecurity front.
Using the right technologies can reduce risk. There are four key technologies and security concepts companies and users should be familiar with today.
- Zero trust
- Principle of least privilege
- Passive and active network monitoring
- Security information and event management (SIEM) integration.
1. Zero trust.
One of the most important security philosophies to have emerged in the last decade, this is seen by many as the new gold standard of the security space. It’s been adopted by industrial companies and military networks around the world. The idea of zero trust is assuming an attacker could already be on the network, undetected. Because of this, companies should have no trust in any communication coming into devices, servers and software.
The philosophy operates as a catch-22: If you don’t trust the communications, how can you communicate at all? In a zero-trust network, all systems must prove their identity as a first step in communication. The proof of identity is often done through a few mechanisms such as encrypted traffic using accepted standards, username and password authentication and sometimes additional credentials in the form of client certificates or secret keys. The key part of this is a system is responsible for proving who it is. Appearing as if it’s on the local network can’t be used in security decisions, as any bad actor could also appear to be on the local network.
Zero trust is hard to implement for brownfield industrial networks. Many programmable logic controllers (PLCs) and remote terminal units (RTUs) have communication written in a way that leaves all their windows and doors open. Talking to a controls engineer, it becomes obvious which PLCs are insecure by design. If users can connect to a PLC or RTU from a supervisory control and data acquisition (SCADA) system with a native protocol, using just its IP address, chances are it’s insecure. It’s reasonable to assume many PLCs and RTUs are insecure by design, including most being produced today.
If companies are securing these networks and want to employ a zero-trust philosophy, there are two options. One is replacing the existing PLCs. The other is eliminating their insecure communication, normally by isolating them behind devices that can be secured. Many folks are using simple industrial PCs running edge software to keep these systems off the main controls network and to provide data and communication from them using secured protocols like MQTT Sparkplug and OPC UA.
The situation is much easier for greenfield networks. Some modern PLCs with a security focus are locked down and support a zero-trust strategy by default. Protocols like MQTT Sparkplug and OPC UA and software like Ignition have strong authentication and security built in. Using modern devices, protocols, and software, while configuring security settings, makes it simple to employ best practices and truly achieve a zero-trust architecture.
2. Principle of least privilege.
This principle is simple in concept. The idea is a user’s account should only have access to the things the user needs to do. Many organizations have engineering teams who have admin access to all the systems. If a company is following this principle, then that won’t be the case. A junior engineer will only have access to a limited number of systems and a limited set of functionality. Managing this takes more work, but it also reduces risk if a user’s account is compromised or a disgruntled employee decides to take actions that might harm the business.
3. Passive and active network monitoring.
Many IT teams have monitoring tools for the IT network. It can be a good idea to employ these on OT networks as well. An intrusion detection system (IDS) provides passive monitoring, which means it watches network traffic without adding anything to the network itself. These systems are often backed by artificial intelligence and machine learning (AI/ML) to identify patterns and attempt to locate anomalies.
Sometimes an IDS also employs active network monitoring, which sends communication on the network and attempts to talk to devices as part of its monitoring. Active monitoring systems are sometimes pointed at PLCs or other devices to monitor when they change or what the contents of those changes look like.
If a zero-trust system is in place and working well, it’s likely a bad actor won’t be able to do anything once they’re on the network. However, these monitoring systems are intended to help IT identify those bad actors and kick them off the network to keep them from trying to find a vulnerable system. Some of the active monitoring can also identify unexpected changes and flag those, as well.
4. SIEM integration.
Most companies’ IT departments use a security information and event management system. It’s easy to overlook these tools on the OT network, but they can be valuable for several reasons. As a log analysis system, they can help identify hot spots and trace back problems that happen. These systems are focused on security, but they also are sometimes useful for general troubleshooting and IT support for live systems. If a company has a SIEM, and the OT systems aren’t sending a secure feed, it would probably be worth exploring adding the SCADA or other OT systems as contributors to the SIEM.
Security is a complex topic and moving toward zero trust and better security in general is needed for manufacturers today. The more familiar companies and users are with the concepts highlighted here, the better decisions we can all make together. Most companies have a long way to go, but better security is a marathon, not a sprint. In the end, better security on the industrial side helps everyone.
Kevin McClusky is co-director of sales engineering at Inductive Automation, a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.
MORE ANSWERS
Keywords: cybersecurity, zero-trust approach
LEARNING OBJECTIVES
CONSIDER THIS
Which of these cybersecurity approaches have you implemented in your facility and what were the results?
Original content can be found at Control Engineering.
For more cybersecurity coverage and information check out our sister site, Industrial Cybersecurity Pulse.