Why Existing OT Security Tools Fall Short

The pressing need for effective OT security solutions, highlighted by several high-profile incidents over the past few years, has driven a marketplace of potential solutions geared specifically for use in OT environments.

Often endorsed by familiar OT system and device vendors, they can seem like just the answer OT operators and CISOs are looking for: the comfortable, safe choice.

But here are some considerations to take into account.

Firewalls / UTMs

Firewalls and UTMs are not OT specific tools per se, but they are often the only information security tool of any type implemented in OT infrastructures.

Just like in IT environments, firewalls and UTMs deployed in OT should be configured by certified, experienced engineers. A firewall is only as good as the individual or team configuring and supporting it. But those engineers need to be informed by the operating personnel about the purpose and requirements of the networks, OT systems and devices they are protecting, as discussed in Part 3 of this blog series: How To Bridge The OT/IT Knowledge Gap.

Unfortunately, this is rarely the case. And without full visibility into the network, no matter how good your infosec team is, the firewall will be configured in broad strokes that lack the granularity and the context needed to enable the highest level of detection and protection.

Finally, firewalls consist of static policies that cannot adapt or respond to potential attacks. Attackers can try to circumvent a firewall an unlimited number of times, and each time the firewall will politely deny them and allow them to continue.

UTMs share all the concerns of firewalls and add their own: built-in IDS functionality that generates false positives, and paid-for features that cannot be used effectively, such as threat intelligence feeds that need an Internet connection to function properly.

But the biggest way firewalls and UTMs fall short is that they cannot detect, identify, or respond to unknown attacks. If traffic fits one of the statically defined rules, it is allowed.
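Each denied attempt is evaluated on its own by a static rule set, which is why the repeated attempts described above never become an alert. The following is an added example, not code from the original post or from any firewall product, of the correlation a monitoring layer has to add on top of the firewall: it reads DENY events from a hypothetical one-line log format (ISO timestamp, action, source, destination:port) and flags sources that are refused repeatedly within a short window. The log lines, the format and the addresses are all constructed for the example.

```python
"""Correlating repeated DENY events across a firewall log.

Added example, not code from the original post or from any firewall
vendor. It assumes a hypothetical one-line-per-event log format
(ISO timestamp, ALLOW/DENY, source, destination:port); real firewalls
log in their own formats and LINE_RE would need adapting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source is refused on several OT ports across
# three hosts within a few seconds. Each line, taken alone, is just another
# correctly enforced deny.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY 10.9.9.9 -> 192.168.50.10:502
2024-03-01T10:00:02 DENY 10.9.9.9 -> 192.168.50.10:102
2024-03-01T10:00:03 DENY 10.9.9.9 -> 192.168.50.10:20000
2024-03-01T10:00:04 DENY 10.9.9.9 -> 192.168.50.11:502
2024-03-01T10:00:05 ALLOW 192.168.40.5 -> 192.168.50.10:502
2024-03-01T10:00:06 DENY 10.9.9.9 -> 192.168.50.12:502
2024-03-01T10:30:00 DENY 172.16.1.1 -> 192.168.50.10:502
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    return events


def repeated_deny_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` DENY events inside any period of
    length `window`. Returns {src: (denies_in_window, distinct_targets)}.
    The firewall never produces this on its own: it checks each packet against
    its static rules independently, so the correlation has to live elsewhere."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e)

    flagged = {}
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, (0, 0))[0]:
                targets = {(e["dst"], e["port"]) for e in evs[start:end + 1]}
                flagged[src] = (count, len(targets))
    return flagged


if __name__ == "__main__":
    for src, (count, targets) in repeated_deny_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {count} denies against {targets} distinct host:port targets")
```

On the constructed log, the single late deny from 172.16.1.1 stays below the threshold, while 10.9.9.9 is reported with five denies against five distinct host:port pairs. The threshold and window are the two knobs an operator tunes against the site's normal deny rate.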

Micro-Segmentation (Zero Trust)

Micro-segmentation includes both solutions like Tempered Networks and good old-fashioned network segmentation with switches and firewalls.

For a period of time, micro-segmentation was touted as the way forward in OT security. Proper segmentation certainly does have value in mitigating risks and reducing threat profiles, but it comes at a cost.

In addition to the extra devices and network infrastructure needed to support the many segments required, there is a substantial increase in the brittleness of the infrastructure overall. Any change now becomes additively complex, in proportion to the number of segments involved in the necessary communication flows.

Getting overall visibility into the communications taking place between networks, systems and devices can be difficult, requiring the piecing together of disparate flows taken from multiple vantage points on the network.

The IT counterpart of micro-segmentation, zero trust, is something organizations have been pursuing for years. For the most part they have run into the same issues, including increased complexity and more encumbered innovation.

Data Diodes

Data diodes, such as those from Owl Cyberdefense, are used to segment and defend networks and to transfer information in one direction only. They allow data to be sent from a secured network or segment to external systems and users (e.g. the cloud, a remote monitoring facility, regulatory bodies) without creating a threat vector back into the secured network.

Like human waste plumbing all network traffic goes in the same direction: away.

The biggest problem with data diodes, besides the complexity and brittleness that plague other micro-segmentation style solutions, is their impact on business value. Increasingly, extracting more business value from OT infrastructures, which is itself one of the driving forces behind the need for OT security solutions, requires true two-way communication.

Relying on only "Receive" or "Transmit" doesn't allow for the real-time adjustments, feedback-driven inputs, and analysis loops the business needs.

Asset Profilers

Asset profilers, like Tenable, attempt to perfect knowledge of the OT systems and devices contained within the OT infrastructure, on the belief that aggressive vulnerability and patch management are the key to securing it.

To do this, they must scan and analyze the network traffic and packet contents being communicated, either passively (through a mirror (SPAN) port or network tap) or actively. As pointed out in Part 4 of this blog series: Why "Catching Up" to IT Security Is a Bad Strategy in OT, vulnerability management in OT is problematic.

Active scans can be disruptive to legacy OT systems and devices, and passive scanning may require managed switches or network taps that don’t exist and may not be economically viable for hundreds or even thousands of remote locations.

In addition, the analysis of either network responses or traffic dumps is both computationally and storage intensive. As stated previously, in an IT environment these may not be obstacles of note, but in OT they often prevent the deployment of these solutions where they are needed most: remote, often unmanned, locations.

The other issue is that these solutions can be "chatty": not only do they require an upstream connection to the IT infrastructure or even the cloud (a no-go in air-gapped environments), but they may also overwhelm the cellular links used in many remote locations.
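To make the passive side of asset profiling concrete, here is an added example, not code from the original post or from Tenable or any other profiler, that builds a Modbus/TCP asset inventory from frames taken off a mirror port or tap, without ever sending a packet to a device. It parses only the MBAP header and function code, which are fixed by the Modbus/TCP specification, keeps a per-device summary rather than the frames themselves (the storage concern above), and lists every observed write so an operator can confirm the writer is an expected engineering or control host. The capture is a constructed list of (source, destination, port, payload) tuples; the addresses and devices do not exist.

```python
"""Passive Modbus/TCP asset inventory from mirrored traffic.

Added example, not code from the original post or from any profiling
product. It parses only the Modbus/TCP MBAP header and function code;
CAPTURE is a constructed stand-in for frames read from a SPAN port or tap.
"""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Standard Modbus function codes that change device state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def mbap(transaction_id, unit_id, pdu):
    """Build a Modbus/TCP request: 7-byte MBAP header (transaction id,
    protocol id 0, length of unit id + PDU, unit id) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed capture. Each PDU is function code, start address, quantity/value.
CAPTURE = [
    ("192.168.40.5", "192.168.50.10", 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),  # read 10 holding registers
    ("192.168.40.5", "192.168.50.10", 502, mbap(2, 1, bytes([1, 0, 0, 0, 8]))),   # read 8 coils
    ("192.168.40.5", "192.168.50.11", 502, mbap(3, 2, bytes([3, 0, 0, 0, 4]))),   # read 4 holding registers
    ("192.168.40.7", "192.168.50.10", 502, mbap(4, 1, bytes([6, 0, 5, 0, 1]))),   # write register 5 := 1
    ("192.168.40.5", "192.168.50.10", 80, b"GET / HTTP/1.1\r\n"),                 # not Modbus: wrong port
    ("192.168.40.5", "192.168.50.12", 502, b"\x00\x05\x00\x01\x00\x06\x01\x03"),  # protocol id 1: not Modbus
]


def parse_modbus_request(payload):
    """Return {'unit', 'function'} for a well-formed Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must account for unit id + PDU.
    if proto != 0 or len(payload) != 6 + length:
        return None
    return {"unit": unit, "function": payload[7]}


def build_inventory(capture):
    """Summarise which clients send which function codes to each (server, unit id).
    Only this summary is retained, not the frames, which bounds storage at a
    remote site. Returns (inventory, total bytes observed)."""
    inventory = defaultdict(lambda: defaultdict(set))  # (dst, unit) -> fc -> {clients}
    bytes_seen = 0
    for src, dst, port, payload in capture:
        bytes_seen += len(payload)
        if port != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_request(payload)
        if req is None:
            continue
        inventory[(dst, req["unit"])][req["function"]].add(src)
    return {k: dict(v) for k, v in inventory.items()}, bytes_seen


def review_findings(inventory):
    """List (server, unit, client, function name) for every observed write."""
    findings = []
    for (dst, unit), functions in sorted(inventory.items()):
        for fc, clients in sorted(functions.items()):
            if fc in WRITE_FUNCTIONS:
                for client in sorted(clients):
                    findings.append((dst, unit, client, WRITE_FUNCTIONS[fc]))
    return findings


if __name__ == "__main__":
    inv, seen = build_inventory(CAPTURE)
    print(f"{seen} bytes observed, {len(inv)} Modbus devices profiled")
    for finding in review_findings(inv):
        print("write observed:", finding)
```

On the constructed capture, two devices are profiled from 72 bytes of traffic, the HTTP and malformed frames are discarded, and the single write from 192.168.40.7 is the one item surfaced for review. Note that the approach still depends on a SPAN port or tap being available at the site, which is exactly the constraint described above.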

Continue on to Part 6 of this blog series: How a Dynamic, Contextual, Preventative Solution Can Deliver OT Security.

PacketViper OT360 is a dynamic, contextual, preventative solution that can deliver OT security. It can work on the OT/IT boundary of an organization's infrastructure, within plant facilities to provide protection internally and between the plant and distributed assets, and within remote OT locations to provide prevention and containment.