The fourth industrial revolution, dubbed Industry 4.0, introduces the use of Cyber Physical Systems (CPSs) in production processes, where the industrial internet of things (IIoT), machine learning, and big data and analytics play key roles. Adopters of Industry 4.0 push for a more connected and efficient production that in turn boosts their competitiveness in the market. The interconnected nature of Industry 4.0 drives digital transformation in manufacturing, as information technology (IT), operational technology (OT), and intellectual property (IP) all converge to support the realization of so-called “smart factories.”
Apart from introducing opportunities, however, Industry 4.0 comes with its challenges. Integrating the organization’s IT infrastructure with the OT and IP sides of the business means that the attack surface increases significantly, giving threat actors more weak points from which to compromise production. Attacks designed to target industrial control systems (ICSs), in particular, pose threats to production facilities.
While the traditional IT approach is focused on protecting data integrity, confidentiality, and availability, SEC-OT is focused on cybersecurity for the control of physical operations. To this end, SEC-OT defines control system security as protecting the safe and reliable control of physical operations from attacks embedded in information.
Operational Technology (OT) networks play a critical role in manufacturing, defense, emergency services, food and agriculture, financial systems, and critical infrastructure, just to name a few. OT networks and devices include supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS). They might be deployed anywhere – inside an automated manufacturing floor, outside a chemical processing plant managing valves and switches, on a rig in the middle of the ocean, or out in the Arctic monitoring oil and gas pipelines. OT systems often perform simple yet essential tasks, such as monitoring a valve and shutting it off when a certain value is reached. As a result, they can perform their tasks with little change for years, which also means they sometimes run on aging operating systems and obsolete hardware using home-grown applications. Since the goal for an OT system is to run exactly as designed, even patches are only applied if they do not hinder the process the OT system controls.
These systems can be notoriously delicate. Something as benign as an active system scan can cause these devices to fail, and any failure or compromise can have serious, if not catastrophic, results. These systems have traditionally been kept separate from IT networks, and are often owned, managed, and operated by a different team inside the organization. That’s because OT systems are often tasked with monitoring and managing the highly sensitive processes associated with critical infrastructure or manufacturing.
Enterprise vs Industry
The most fundamental difference between the two technologies is perhaps the most important one: they operate in different environments and serve different purposes. Briefly, IT is the world we all know: computers, keyboards, screens, and mice. IT environments involve common components and solutions (the cloud, servers, firewalls, antivirus, etc.), and they communicate over well-known protocols (HTTP, SSH, RDP).
Conversely, OT includes completely different components that are found primarily in industrial environments. These components are often screenless (machinery, PLCs), they communicate over industrial protocols that are rarely seen on IT networks (e.g., Modbus, EtherNet/IP, PROFINET), they typically lack the security tooling IT takes for granted (host firewalls, antivirus), and they are even programmed differently than “normal” computers.
IT Prioritizes Confidentiality, OT Focuses on Safety
Because IT primarily involves storage, retrieval, manipulation, and transmission of digital information, data and confidentiality are a top concern. IT security is crucial in every organization in order to keep its data secure and under control.
In OT, the safety and availability of equipment and processes dominate. Dealing with physical systems that must maintain stable values, such as temperature and RPM, requires meticulous control. Lack of control can lead to extensive financial losses due to temporary halts in production or even result in direct physical harm. For example, a ransomware attack that blocks access to operations can lead to a few days of inactivity where each day may be worth millions of dollars.
IT Incidents are More Frequent, OT Incidents are More Destructive
While OT incidents may lead to more destructive outcomes, IT has more ways in which it can be manipulated. Simply put, IT has more touch points with the internet. These gateways pose higher security risks because each one can potentially be a hack waiting to happen.
OT has a lower number of gateways, making it comparatively safer. However, the potential magnitude of compromised physical equipment tends to be greater than that of a data breach. Even slight OT cyber-incidents can lead to huge financial losses and have damaging ramifications that can affect the general population, such as water contamination and power outages.
Security Patching - Every Week vs Every Ten Years
IT components advance so fast and have such short life spans that a network can look completely different only a few years apart. In fact, IT security updates are so frequent that many IT vendors have a designated "update day of the week", such as Microsoft's "Patch Tuesday".
Security patching does not work the same way in OT. Since patching OT components often requires a complete shutdown that halts production, organizations running OT networks rarely patch their components, if at all. Because OT components are so rarely updated, they may carry many more publicly known vulnerabilities than IT computers do. This means that the probability of a successful exploit on an OT system is far higher than on an IT system.
No matter what your network architecture, industry or level of security sophistication, there are four steps you can take now to achieve a robust security posture to protect critical industrial control networks.
Step 1: Classify Networks
Classifying cyber assets establishes a starting point to align your site with SEC-OT principles. The goal of classifying networks is to identify the cyber assets that are essential to safe and reliable physical operations. Asset classification follows a framework of the most control-critical assets to the least control-critical assets. France’s ANSSI has written one of the most thorough and robust guidelines for ICS security and describes network classification in their Classification Method for Cybersecurity for Industrial Control Systems.
Step 2: Group Network Assets
The next step to protecting an ICS is deciding how to group control-critical cyber assets into sets. When defining ICS sets, group assets with similar functions, communications, and security needs. A control-critical network is defined as a set of ICS networks whose cyber assets' worst-case compromise results in unacceptable physical consequences. When defining control-critical networks, minimize the volume and complexity of information flows into critical networks from external, less-trusted networks.
SEC-OT requires physical segmentation of control-critical networks from noncritical networks. Software-based segmentation may be used between network assets within the same classified control-critical network, but not between control-critical networks and other networks of lesser control criticality. It is therefore important to identify any pre-existing software-only protections running between such interconnections, since they do not satisfy this requirement on their own.
Step 3: Physically Segment Networks
After identifying, classifying, and grouping ICS network assets, physically separate each control-critical network from all external networks. This physical separation is a prerequisite for physical protection and therefore a SEC-OT best practice.
Additional physical separation also simplifies certain physical protection mechanisms. Such separation reduces opportunities for errors and omissions that might otherwise result in physical cross-connections between control-critical and noncritical network wiring and equipment.
Step 4: Control Information/Attack Flows
With a tentative plan in place for the physical separation of control systems from other systems, start considering all information flows in your network – both offline and online – that bring information (and therefore potential attacks) into your control-critical networks. This comprehensive survey may inspect as-built documentation, physical devices and wiring, firewall rules, control system software configurations, and other sources. Remember the basics: defining critical networks has no value if you are not minimizing the volume and frequency of information flows into control-critical networks.
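The four steps above are easier to apply consistently when the asset inventory and the flow survey are written down as data and checked mechanically. The following script is an added example, not code from the original article or from the SEC-OT or ANSSI material it cites. It models the classification (Step 1), the grouping of assets into network sets (Step 2), and the audit of inbound flows (Steps 3 and 4): any flow that enters a more control-critical network from a less-critical one without physical segmentation is flagged, while software-only segmentation is accepted inside a single network, and the number of inbound flows per control-critical network is reported so it can be minimized. The level names, network names, assets and flows are all constructed sample data for illustration.

```python
"""Audit an ICS asset inventory against the SEC-OT-style steps in the article.

Added example with constructed data. The classification level names are an
assumption for this example, not the official ANSSI or SEC-OT class names.
"""
from collections import defaultdict
from dataclasses import dataclass

# Classification levels, most control-critical first (assumed labels).
LEVELS = {"control-critical": 3, "supervisory": 2, "enterprise": 1, "external": 0}


@dataclass(frozen=True)
class Asset:
    name: str
    network: str
    function: str  # e.g. "plc", "hmi", "historian", "erp"


@dataclass(frozen=True)
class Flow:
    src: str           # source network
    dst: str           # destination network
    protocol: str
    segmentation: str  # "physical", "software" (firewall/VLAN only) or "none"


# Step 1 (constructed): each network and its classification.
NETWORKS = {
    "plc-cell-a": "control-critical",
    "plc-cell-b": "control-critical",
    "scada": "supervisory",
    "corp-lan": "enterprise",
    "internet": "external",
}

# Constructed asset inventory.
ASSETS = [
    Asset("plc-01", "plc-cell-a", "plc"),
    Asset("plc-02", "plc-cell-a", "plc"),
    Asset("plc-03", "plc-cell-b", "plc"),
    Asset("hmi-01", "scada", "hmi"),
    Asset("historian", "scada", "historian"),
    Asset("erp-01", "corp-lan", "erp"),
]

# Constructed result of the Step 4 flow survey.
FLOWS = [
    Flow("plc-cell-a", "plc-cell-a", "Modbus/TCP", "software"),  # inside one network: acceptable
    Flow("scada", "plc-cell-a", "Modbus/TCP", "physical"),       # inbound but physically segmented
    Flow("corp-lan", "plc-cell-b", "RDP", "software"),           # inbound, software-only: finding
    Flow("internet", "scada", "HTTPS", "none"),                  # inbound from external, no segmentation: finding
    Flow("plc-cell-a", "scada", "Modbus/TCP", "physical"),       # outbound from critical: not an inbound flow
]


def group_assets(networks, assets):
    """Steps 1-2: group assets by network, ordered from most to least control-critical."""
    groups = defaultdict(list)
    for asset in assets:
        groups[asset.network].append(asset.name)
    ordered = sorted(groups, key=lambda net: -LEVELS[networks[net]])
    return [(net, networks[net], sorted(groups[net])) for net in ordered]


def audit_flows(networks, flows):
    """Steps 3-4: flag flows crossing into a more control-critical network
    without physical segmentation. Software segmentation is only accepted
    when source and destination are the same classified network."""
    findings = []
    for flow in flows:
        src_level = LEVELS[networks[flow.src]]
        dst_level = LEVELS[networks[flow.dst]]
        if dst_level > src_level and flow.segmentation != "physical":
            findings.append(
                f"{flow.src} -> {flow.dst} ({flow.protocol}): {flow.segmentation} "
                f"segmentation only, crossing from {networks[flow.src]} "
                f"into {networks[flow.dst]}"
            )
    return findings


def inbound_flow_counts(networks, flows, level="control-critical"):
    """Step 4: number of distinct inbound flows per network of the given level,
    the quantity the article says should be minimized."""
    counts = {net: 0 for net, lvl in networks.items() if lvl == level}
    for flow in flows:
        if flow.dst in counts and flow.src != flow.dst:
            counts[flow.dst] += 1
    return counts


if __name__ == "__main__":
    for net, level, names in group_assets(NETWORKS, ASSETS):
        print(f"{level:17} {net:12} {names}")
    for finding in audit_flows(NETWORKS, FLOWS):
        print("FINDING:", finding)
    print("inbound flows into control-critical networks:", inbound_flow_counts(NETWORKS, FLOWS))
```

Running the script lists the asset sets from most to least control-critical, reports the two flows that violate the physical-segmentation rule (the RDP flow from the corporate LAN into a PLC cell and the unsegmented flow from the internet into the SCADA network), and shows one inbound flow per PLC cell. In practice the `FLOWS` list would be populated from the survey sources the text names: as-built documentation, wiring, firewall rules and control system configurations.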
Conclusion
The convergence of IT and OT networks introduces device classes into the IT network that are either outdated or possibly vulnerable. This calls for IT administrators to work with process engineers and equipment operators to accomplish certain tasks: auditing new equipment, identifying the underlying operating systems and platforms, and figuring out the required ports, protocols, routing, and services to adequately secure IIoT systems as they are connected to the IT network.
Lastly, the consequences of a successful security breach in an Industry 4.0 environment go far beyond the immediate cost of outbreak containment and the corresponding cleanup. Destructive attacks such as those involving ransomware can halt the production line and incur significant monetary losses. If you or anyone you know would like to discuss this or other cyber topics, please feel free to contact us here!