Despite advances, operational technology network cybersecurity still lags information technology cybersecurity.

Securing operational technology (OT) networks and increasing network durability are key to enhancing operational resilience, as OT network protection still lags information technology (IT) cybersecurity. This article explains the reasons behind the lag, describes how this gap manifests across different industries, and outlines four steps OT operators can take to better protect OT networks from cyberattacks and enhance operational resilience.
New opportunities bring new threats
As new IT technologies and Internet connectivity become available to OT networks, many opportunities open up for greater productivity and efficiency. Although connecting OT networks to the Internet enables new possibilities, it also introduces new threats (see Figure 1).
With more people working remotely due to the COVID-19 pandemic, companies need to enable more remote connections to their business and production networks. Although these remote connections do enable employees to work from the safety of their homes, they also unfortunately open the gate to new cyberthreats.
Although IT networks are usually safeguarded with sophisticated cybersecurity countermeasures, OT networks still include many legacy devices and often have less protection. This is because the systems are complex, which makes it difficult to implement cybersecurity measures effectively. In addition, these networks often have long lifecycles, and legacy devices are not regularly updated with cybersecurity features. OT protocols are usually not encrypted and often lack authentication mechanisms. Also, hackers are becoming more familiar with OT protocols, networks and devices, enabling them to target programmable logic controllers (PLCs), human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems more easily.
Cybersecurity gap between IT and OT
The discrepancy between the maturity of IT and OT cybersecurity is closely related to different business priorities that often conflict with each other (see Figure 2).
Why IT networks are better protected. Enterprise IT networks prioritize confidentiality and focus on data integrity. IT assets include computers and servers located in climate-controlled office environments, and are easy to upgrade, patch or replace regularly.
Why OT networks lag behind. Industrial OT networks prioritize availability and focus on controlling processes that cannot tolerate downtime. Unlike IT assets, OT networks are made up of PLCs, HMIs, meters and other pieces of equipment that are difficult to upgrade or patch. These devices can be in harsh and difficult-to-reach environments, and are often subject to extreme temperatures, vibrations and shocks.
Different demands in different domains
Industrial applications have requirements that differ by sector, as well as varying levels of cybersecurity maturity. Although industries in the public sector are generally better protected than private manufacturing businesses, most OT networks still lag behind their IT counterparts in terms of cybersecurity.
In general, IT departments administer the cybersecurity policies for OT networks, but those policies are written at the IT level, which means they do not take into consideration the characteristics and requirements of OT networks. In addition, many organizations also continue to lack segmentation between their IT and OT networks. Regardless of the industry, many OT networks lack sufficient security controls and are not managed by OT operators.
Factory automation
Manufacturers typically have lower levels of cybersecurity maturity; they are primarily revenue driven and focused on maintaining availability and uptime rather than on security. Even though the level of security awareness varies depending on whether the manufacturer is traditional, transforming or modernized, IT and OT roles and responsibilities continue to be vaguely defined in factory automation (see Table 1).
Power utilities
Cybersecurity for power grid applications is mostly driven by government policy. However, dedicated OT networks for power automation have low visibility of network assets, limited protection, and are in the process of transformation from remote terminal unit (RTU) to Ethernet technologies. These applications are primarily concerned with passing government audits and meeting international standards (IEC 61850, IEC 62351, IEC 62443 and ISO 27001), preventing misconfigurations by operators, and preventing disruptions to power distribution.
Water treatment
Similarly, water treatment applications comprise dedicated OT networks with low asset visibility. The abundance of legacy devices, together with a lack of access control and network segmentation, indicates a need to strengthen cybersecurity beyond passing government audits and deploying firewalls and intrusion prevention systems (IPS).
Intelligent transportation systems
Cybersecurity in intelligent transportation systems (ITS) is also primarily government driven. ITS applications are characterized by distributed networks with various devices and systems at each traffic intersection. Although each device often uses a different network, security is centralized at the IT level.
Although ITS applications follow prescribed government guidelines and are fairly good at establishing cybersecurity policies and deploying firewalls, they are still concerned about cyberattacks on traffic signals and sensors, as well as the possibility that someone could break into an equipment cabinet relatively easily and gain direct access to the network that way.
Four steps to resilience
Considering how different IT and OT networks are, how can we bridge the gap between these two domains and secure OT networks from cyberattacks? To enhance operational resilience, OT networks must ensure their cybersecurity measures are as mature as those used in IT networks. The following four steps describe how users can secure OT networks and increase resilience.
1. Manage OT networks. Users cannot protect the assets they do not know they have. That's why the first step to enhancing operational resilience requires OT operators to monitor everything on their networks, in the same way that IT network administrators often have complete visibility. Is everything that should be on the OT network actually there? Is there anything on the network that should not be there?
For example, OT operators can start to determine who can and cannot access the network by leveraging access control lists (ACLs) or other authentication mechanisms. There are also simple mechanisms OT operators can set up to define which PLC can be connected to the network, such as port access control or sticky MAC. In other words, everything on the trusted list is allowed to go through the network, and anything not specified on the trusted list is blocked. Managing the OT network (instead of relying on the IT department) also allows OT operators to respond more quickly to downtime and troubleshoot issues more rapidly.
2. Segment OT networks. Unlike IT networks, which can be segmented by dividing the network into different departments with their own set of permissions, OT networks are essentially one giant intranet where everything is connected. This makes OT networks more difficult to segment, but not impossible. There are two ways users can segment an OT network:
- Vertical segmentation involves adding an industrial demilitarized zone (IDMZ) between the IT network and the OT network. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks.
- Horizontal or lateral segmentation involves creating and separating cells, zones and sites on the OT network. A cell is essentially a small place where a set of equipment is housed, such as a cabinet. Several cells can form a zone, and multiple zones can form a site.
Segmenting OT networks using either method, or both, allows operators to prevent cyberthreats from spreading to other parts of the network.
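The trusted-list idea from step 1 and the zone model from step 2 can be expressed as one check over recorded traffic. The following Python is an added example, not code from the original article: it assumes a constructed asset inventory keyed by MAC address, a constructed zone policy (IT reaches OT only through the IDMZ, OT zones do not talk to each other directly) and constructed flow records, and it reports devices not on the trusted list, inter-zone traffic the policy does not permit, and inventoried assets that never appear on the wire.

```python
"""Allowlist and segmentation check over constructed OT flow records."""
from collections import namedtuple

Asset = namedtuple("Asset", "name zone")

# Constructed trusted inventory: only these devices belong on the OT network.
INVENTORY = {
    "00:11:22:00:00:01": Asset("hmi-1", "zone-a"),
    "00:11:22:00:00:02": Asset("plc-1", "zone-a"),
    "00:11:22:00:00:03": Asset("plc-2", "zone-b"),
    "00:11:22:00:00:04": Asset("rtu-3", "zone-b"),
    "00:11:22:00:00:10": Asset("historian", "idmz"),
    "00:11:22:00:00:20": Asset("erp-server", "it"),
}

# Constructed segmentation policy: zone pairs that may exchange traffic directly.
# Traffic inside a zone is allowed; OT zones reach IT only via the IDMZ.
ALLOWED_ZONE_PAIRS = {
    ("zone-a", "zone-a"), ("zone-b", "zone-b"),
    ("zone-a", "idmz"), ("zone-b", "idmz"),
    ("it", "idmz"),
}

# Constructed flow records: (source MAC, destination MAC, destination TCP port).
SAMPLE_FLOWS = [
    ("00:11:22:00:00:01", "00:11:22:00:00:02", 502),    # HMI -> PLC, same zone: allowed
    ("00:11:22:00:00:02", "00:11:22:00:00:10", 44818),  # PLC -> historian in IDMZ: allowed
    ("00:11:22:00:00:20", "00:11:22:00:00:03", 502),    # ERP (IT) straight to a PLC: violation
    ("00:11:22:00:00:99", "00:11:22:00:00:02", 502),    # unlisted MAC talking to a PLC: violation
]


def check_flows(flows):
    """Return (finding, src_mac, dst_mac) for every flow that violates policy."""
    findings = []
    for src, dst, _port in flows:
        if src not in INVENTORY or dst not in INVENTORY:
            # Step 1: anything not on the trusted list is reported, not tolerated.
            findings.append(("unknown-device", src, dst))
            continue
        a, b = INVENTORY[src].zone, INVENTORY[dst].zone
        if (a, b) not in ALLOWED_ZONE_PAIRS and (b, a) not in ALLOWED_ZONE_PAIRS:
            # Step 2: a flow that crosses a zone boundary the policy does not permit.
            findings.append(("cross-zone", src, dst))
    return findings


def missing_assets(flows):
    """Inventoried assets never seen in the flows (offline, moved, or unplugged)."""
    seen = {mac for src, dst, _port in flows for mac in (src, dst)}
    return sorted(asset.name for mac, asset in INVENTORY.items() if mac not in seen)
```

Running check_flows(SAMPLE_FLOWS) yields one cross-zone finding for the ERP-to-PLC flow and one unknown-device finding for the unlisted MAC, while missing_assets(SAMPLE_FLOWS) reports rtu-3, the inventoried device that never appeared.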
3. Patch vulnerabilities. Since equipment and devices running on OT networks cannot be upgraded or replaced as frequently as endpoints on IT networks, OT networks still have many legacy devices that may even be running on operating systems as old as Windows 95. Many legacy OT devices remain unpatched and are relatively easy for hackers to exploit. If no patch is available from the original equipment vendor, consider a virtual patch: a protective device placed in front of the legacy devices that blocks attempts to exploit the known vulnerability.
4. Secure remote connections. Protecting the data transmitted from the plant or remote site back to the monitoring and control center is crucial. Ensure each remote connection to the OT network is authenticated and encrypted. "Authentication" verifies the identity of the user requesting access, whereas "encryption" ensures the data transmitted is securely encoded and cannot be easily deciphered by prying eyes.
Final thoughts
Besides managing and segmenting OT networks, OT operators also need to ensure their systems are properly patched and their remote connections are secure. These steps not only help reduce the gap between OT and IT departments, but also protect industrial control systems, which are increasingly being connected to the Internet, from cyberattacks.