Gartner defines Operational Technology (OT) as “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events”.
OT is pervasive in many industries including Water Treatment Systems, Power Generation & Distribution Systems, Oil & Gas Exploration, Refining, Transportation Systems, Intelligent Traffic Systems, Hospital Diagnostic and Treatment Systems, and Manufacturing Systems.
As clichéd as it may sound, Operational Technology security can literally be a matter of life and death, and it is also a crucial part of national security and of the engine that powers our economy.
Several high-profile attacks against OT have made the news in the last few years. Objectively speaking, many of these attacks were preventable. But a number of issues conspire to make securing OT networks and systems a challenge, even for experienced and skilled IT security personnel.
Based on our experience helping to secure OT networks and systems, we’ve identified several topics that we believe will help orient traditional chief information security officers (CISOs) that have had the responsibility for securing OT added to their purview, as well as operational engineering members that are being asked to support new functionality and capabilities in their OT environments.
To work through these issues, this series covers the following topics:
- The OT infrastructure challenges
- The business drivers acting on OT
- How to bridge the OT / IT knowledge gap
- Why "Catching up" to IT security is a bad strategy in OT
- Why existing OT security tools fall short
- How a dynamic, contextual, and preventative solution can deliver OT security
Part 1: The OT Infrastructure Challenges
Originally, before Ethernet and TCP/IP became ubiquitous, OT networks were geared towards the transmission of information either as purely electrical on/off signals or as point-to-point serial links, where information was encoded as voltage levels across a limited number of sending and receiving wire pairs. Standards like RS-232 were formulated by the Electronic Industries Alliance (EIA) to codify and standardize inter-device communications.
But there were many limitations, including the need to designate each end of the link as either Data Terminal Equipment (DTE) or Data Circuit-terminating Equipment (DCE). Because the signals were referenced to ground, differences in ground potential between the two ends could cause communication problems; cable lengths were restricted to about 15 m; and there was no multi-point or multiplexed communication, only one device at each end of the cable.
Many of these limitations were overcome with the development of RS-485 (TIA/EIA-485) by the Telecommunications Industry Association and the Electronic Industries Alliance.
Now industrial control system (ICS) networks could operate in electrically noisy environments, cable runs could be much longer, transmission speeds could be higher, and multi-point, multi-drop networking was possible.
However, RS-232, RS-485, and similar standards only define the physical layer: the electrical signalling and the wiring. They say nothing about the protocols used to carry information over those wires, which is why protocols such as Modbus, Profibus, and DH-485 emerged on top of them. There are roughly 100 different widely recognized protocols for ICS-type devices.
Many of these protocols are proprietary to a specific manufacturer or product family. Interconnecting devices from multiple manufacturers therefore often means that no common language exists, and specialized systems are needed to act as translators or protocol converters.
In comes Ethernet and TCP/IP to save the day! Suddenly there is a multitude of choices for inexpensive, high-performance networking of systems and devices, using well-defined, vendor-neutral methods of communication, not across the roughly 1,200 m (4,000 ft) possible with RS-485, but across the thousands of miles that connect networks between continents and to the cloud.
Ironically, this new form of connectivity and openness has caused problems of its own. Prior to Ethernet and TCP/IP, all the limitations of ICS communications provided the illusion of security, and in some cases actual security, for these networks and devices. Air-gapped networks were sets of devices associated with a plant, a control process, and its remote locations that were not physically capable of communicating with anything outside their little "clique". This complete isolation provided security for those devices and systems.
Prior to Ethernet and TCP/IP, the large number of protocols, some intentionally obscure and others just poorly documented, meant that even an attacker with access to the physical network faced significant challenges in understanding the information being communicated, whether to eavesdrop on it or to inject meaningful changes into it successfully.
Essentially, OT networks were dragged --
From a circumstance where a successful attacker:
- Would need to have physical access to the network
- Would likely need to have specialized equipment to connect to it
- Would need to have significant knowledge of the devices and specific communication protocols being used
To a situation where a successful attacker:
- Could potentially be located anywhere in the world
- Can use an ordinary laptop to connect to it
- Has an abundance of open-source tools available for capturing packets, running protocol analysis (the major ICS protocols now have public dissectors), discovering vulnerabilities, and exploiting critical resources.
That does not mean that air gaps automatically go away when Ethernet and TCP/IP are implemented in OT networks. However, when you combine the new connectivity with the pressures discussed in part 2 of this blog series (forthcoming), The Business Drivers Acting on OT, it is easy to see why the promise of integrating OT networks into the larger IT infrastructure is a strong siren song, one that leaves air gaps behind as wreckage in the name of progress.
And just because Ethernet and TCP/IP have been brought into the OT network space doesn't mean that the older devices, communication networks, and protocols have disappeared. Companies have made significant financial investments in this technology, and it has a proven track record of reliability, safety, and productivity. In short, from the electrical or process engineer's perspective, it's not broken and doesn't require fixing.
So in many cases you now have devices that were designed to run on closed networks, with limited throughput and proprietary protocols, attached to an Ethernet network capable of transmitting 1 Gbit/s. As we will discuss further in part 3 of this blog series, How to Bridge the OT/IT Knowledge Gap, many everyday IT tools can easily "knock over" or overwhelm a legacy OT device, because its network stack was never designed to handle the speed and volume of traffic that an IT environment takes for granted. A routine vulnerability scan or network discovery sweep can be enough to stall or crash a controller.
Also, due to their age, many of these systems and devices have been declared end-of-life by a manufacturer that wants to give customers an incentive to buy updated systems and devices. The manufacturer no longer provides support and maintenance for these devices, including security and resiliency updates and patches. One study published by the HIPAA Journal in January 2022 found that half of the medical devices surveyed had known but unpatched vulnerabilities. Clearly, this is an alarming finding that needs attention.
Therefore, we have comparatively fragile devices that may have unknown or known vulnerabilities which cannot be patched, for a number of potential reasons:
- The process is critical, and the devices are working as desired
- The related costs of shutdown and startup of interconnected processes are very high
- The manufacturer is no longer supporting the device.
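As an added illustration (not code from the original post or from PacketViper), the script below shows both halves of the shift described above: how little effort it takes to decode an ICS protocol once it rides on Ethernet, and what a compensating control for an unpatchable device can look like when you cannot change the device itself. It parses the public Modbus/TCP framing (a 7-byte MBAP header followed by the PDU), classifies each request as a read, a write, or something outside the expected set, and checks it against a per-host allowlist in which only the HMI may write and only the HMI and historian may read. The IP addresses, the policy and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol Specification V1.1b3).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_addr: int      # coil/register address the request targets
    value_or_count: int  # value for FC 5/6, quantity for FC 1-4/15/16


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts unit id + PDU; a mismatch means a truncated,
    # padded or deliberately malformed frame, which a fragile PLC may mishandle.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    body = payload[8:]
    if function in READ_FUNCTIONS or function in WRITE_FUNCTIONS:
        if len(body) < 4:
            raise ValueError("PDU too short for address and quantity/value")
        start, second = struct.unpack(">HH", body[:4])
    else:
        start, second = 0, 0  # other function codes are not decoded further here
    return ModbusRequest(tid, unit, function, start, second)


def evaluate(src_ip: str, payload: bytes, policy: dict) -> tuple:
    """Return (verdict, reason): writes only from write_hosts, reads only from
    read_hosts, and anything malformed or outside the known set is alerted on."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return ("ALERT", f"malformed frame from {src_ip}: {exc}")
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if src_ip in policy["write_hosts"]:
            return ("ALLOW", f"{name} from {src_ip} at address {req.start_addr}")
        return ("ALERT", f"{name} from unauthorised host {src_ip} at address {req.start_addr}")
    if req.function in READ_FUNCTIONS:
        name = READ_FUNCTIONS[req.function]
        if src_ip in policy["read_hosts"]:
            return ("ALLOW", f"{name} from {src_ip}")
        return ("ALERT", f"{name} from unauthorised host {src_ip}")
    return ("ALERT", f"function code {req.function} from {src_ip} is not in policy")


# Constructed sample policy and frames (assumed addresses, not a real plant).
POLICY = {
    "read_hosts": {"10.1.1.10", "10.1.1.20"},   # HMI and historian may read
    "write_hosts": {"10.1.1.10"},               # only the HMI may write
}
SAMPLES = [
    # HMI polls 16 holding registers starting at address 0 (FC 3)
    ("10.1.1.10", bytes.fromhex("000100000006010300000010")),
    # HMI writes 0x00ff to holding register 16 (FC 6)
    ("10.1.1.10", bytes.fromhex("0002000000060106001000ff")),
    # Unknown host writes two registers starting at 16 (FC 16)
    ("10.1.1.99", bytes.fromhex("00030000000b0110001000020400010002")),
    # MBAP length field says 9 bytes follow, but only 6 do
    ("10.1.1.10", bytes.fromhex("000400000009010300000010")),
    # Diagnostics (FC 8) from the historian, which the policy never expects
    ("10.1.1.20", bytes.fromhex("000500000006010800010000")),
]


def run_samples() -> list:
    """Verdict for each constructed sample, in order."""
    return [evaluate(src, frame, POLICY)[0] for src, frame in SAMPLES]


if __name__ == "__main__":
    for src, frame in SAMPLES:
        verdict, reason = evaluate(src, frame, POLICY)
        print(f"{verdict:5} {reason}")
```

The decoding takes a few lines because the Modbus/TCP framing is public and fixed, which is exactly what the move onto Ethernet gave an attacker; the same decoding is what lets a defender restrict a device that cannot be patched to the handful of hosts and function codes its process actually needs. Logic like this belongs on a passive tap or an inline filter in front of the device, not in an active probe: the point of the preceding paragraphs is that the controller itself should see less traffic, not more.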
Finally, exposure in device management and security hygiene isn't limited to a lack of patching and updating. Account management has also been an issue. After finding a third-party security-camera vendor's administrator credentials exposed online, attackers used them to access thousands of security cameras deployed across multiple companies, jails, hospitals, and other organizations.
In some cases the attackers were then able to move laterally and gain access to other areas of those organizations' corporate networks. As connectivity between IT and OT increases, OT systems become an increasingly likely entry point into the larger organization.
Coming soon: Part 2 of this blog series - The Business Drivers Acting on OT.
PacketViper OT360 & PacketViper OTRemote
PacketViper OT360 is a dynamic, contextual, and preventative solution that can deliver OT security. It can work on the OT/ IT boundary of an organization's infrastructure, within plant facilities to provide protection internally, and between the plant and distributed assets, and within remote OT locations to provide prevention and containment.
Please visit the PacketViper website to learn more about OT360™ and OTRemote™.