OT Security

OT/ICS Challenges & Solutions

OT Cybersecurity & ICS Security

Operational technology (OT) networks enable and control essential physical processes in the real world, and so require very high reliability and uptime. OT security, meaning the protection of every OT asset at primary facilities and remote locations together with the control infrastructure that manages them, is essential for continuous operations. Every remote OT asset or facility that is connected to a broader network or to the internet becomes a potential vector for cyber threats against the control system. Insufficient cyber defense of any single OT/ICS asset can result in a successful attack on the OT network, with potentially catastrophic results.

Efficiency is key, and businesses are continuously pursuing ways to maximize the value they receive from the processes and systems controlled by OT/ICS assets. 
 
Competitive pressures, market dynamics, and cost control initiatives drive a continuous push to increase the flow of information to and from OT assets, in order to measure operating parameters more often and more accurately and to manage operating configurations. This information flow requires bridging traditionally air-gapped networks and opening new allowed communication paths, potentially exposing OT facilities and assets to additional threats from the corporate IT network and even from the internet itself.
 
This necessitates a purpose-built OT cybersecurity solution that can provide prevention, detection, containment, and response for unknown and emerging threats. 
 

OT assets control mission / life critical processes and systems. Any unplanned downtime or exploitation can have substantial financial, economic, health and social impact. 
 
Any solution to help secure OT assets must first “do no harm”. It can’t negatively affect the availability or reliability of the underlying process or system. And it must be able to match the level of redundancy and ruggedness of the OT assets themselves. 
 
At the same time, for both best-practice cybersecurity and OT security compliance concerns, detection-only solutions are no longer sufficient compensating controls for the new connectivity and interoperability required of OT assets to deliver increased business value. 

Patch management is an important and necessary tool in hardening OT devices in order to prevent known attacks from exploiting known weaknesses. However, the process is insufficient to protect against, and has little impact on unknown threats. And for many production, process, and control devices that are still operating but no longer actively supported by the manufacturer, patching isn’t even a possibility. 
 
Further, under every existing and emerging compliance framework, an unpatched asset that is not protected by an effective and demonstrable compensating control is not compliant, no matter the reason or how difficult the circumstance.
 
With sufficient visibility and context within the OT environment, policies can be developed that maximize the detection surface for attacks while clearly distinguishing attacker activity from the normal, customary operation of the OT assets.
 
By combining active policies that define what each asset is permitted to do with deliberately placed deceptive artifacts (decoy assets and services that no legitimate process ever touches), unknown threats ranging from an unauthorized device plugging into the network to malware attempting to exploit systems or exfiltrate data can be detected and contained.
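As an added example that is not part of the original page, the sketch below shows how the two mechanisms described above combine in detection logic: an allow-list policy derived from the asset inventory (what each known device may talk to) and a decoy asset that no legitimate configuration references. The inventory, the decoy address, the flow records and the response actions are all constructed for illustration and are not taken from any real site or product.

```python
"""Policy plus deception detection over constructed OT flow records.

Added example, not the page's own code. Every address, MAC and
flow below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (e.g. from a span port or flow export)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Finding:
    kind: str      # what policy or decoy rule fired
    flow: Flow     # the offending flow
    action: str    # containment action a responder (or automation) would take


# Constructed asset inventory: (MAC, IP) -> set of (dst_ip, dst_port) the
# device is permitted to initiate. PLCs initiate nothing in this site policy.
INVENTORY = {
    ("00:1a:2b:00:00:01", "10.1.2.10"): {("10.1.2.20", 502), ("10.1.2.21", 502)},  # HMI -> PLCs, Modbus/TCP
    ("00:1a:2b:00:00:02", "10.1.2.20"): set(),  # PLC A
    ("00:1a:2b:00:00:03", "10.1.2.21"): set(),  # PLC B
}
KNOWN_MACS = {mac for mac, _ in INVENTORY}

# Constructed decoy: advertised to look like a PLC but referenced by no HMI
# or historian configuration, so any packet to it is unexpected by definition.
DECOY_IPS = {"10.1.2.250"}


def evaluate(flows):
    """Return a Finding for every flow that violates policy or touches a decoy.

    Rules are checked in order of confidence: an unknown device and a decoy
    hit are both unambiguous; an allow-list miss from a known device needs
    the inventory to be current, which is why visibility comes first.
    """
    findings = []
    for f in flows:
        if f.src_mac not in KNOWN_MACS:
            findings.append(Finding("unauthorized_device", f, f"disable switch port for {f.src_mac}"))
            continue
        if f.dst_ip in DECOY_IPS:
            findings.append(Finding("decoy_touched", f, f"isolate {f.src_ip}"))
            continue
        allowed = INVENTORY.get((f.src_mac, f.src_ip))
        if allowed is None:
            # Known MAC with an IP it was never assigned: spoofing or misconfiguration.
            findings.append(Finding("address_mismatch", f, f"quarantine {f.src_mac}"))
            continue
        if (f.dst_ip, f.dst_port) not in allowed:
            # e.g. a PLC reaching an external host is a beacon or exfiltration attempt.
            findings.append(Finding("policy_violation", f, f"block {f.src_ip} -> {f.dst_ip}:{f.dst_port}"))
    return findings


# Constructed sample traffic covering the cases the text names.
SAMPLE_FLOWS = [
    Flow("00:1a:2b:00:00:01", "10.1.2.10", "10.1.2.20", 502, "tcp"),     # HMI polls PLC A: allowed
    Flow("00:de:ad:be:ef:01", "10.1.2.99", "10.1.2.20", 502, "tcp"),     # unknown laptop plugged in
    Flow("00:1a:2b:00:00:01", "10.1.2.10", "10.1.2.250", 502, "tcp"),    # HMI scanning hits the decoy
    Flow("00:1a:2b:00:00:02", "10.1.2.20", "203.0.113.5", 443, "tcp"),   # PLC A beaconing outbound
    Flow("00:1a:2b:00:00:03", "10.1.2.77", "10.1.2.20", 502, "tcp"),     # PLC B's MAC with a foreign IP
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_FLOWS):
        print(f"{finding.kind:20s} {finding.flow.src_ip} -> {finding.flow.dst_ip}:{finding.flow.dst_port}  action: {finding.action}")
```

The decoy rule is what gives this approach its low false-positive rate: because nothing legitimate is configured to talk to the decoy, a hit needs no baseline and no tuning. The allow-list rules, by contrast, are only as good as the inventory behind them, which is the visibility prerequisite the preceding paragraph calls out.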
 


OT operators are constantly challenged with doing more with the same number or even fewer, less-well trained personnel. 
 
They need solutions that reduce their operational workload while increasing the security of their OT/ICS assets. Every cybersecurity practitioner knows that false positives are the biggest driver of "security fatigue", and alert overload is a real problem. It often results in a solution eventually being ignored, baselined away, or "squelched" to the point of ineffectiveness.
 
Another aspect to scrutinize is the ongoing operation and maintenance of any potential solution. Given that many, if not most, OT/ICS operators are not cybersecurity experts, are the tools operator friendly? How much care and feeding will they require beyond the initial implementation? Solutions that can be self-sustaining and require little ongoing intervention are ideal.
 
Finally, how automated is the solution at actually stopping the threat and preventing it from expanding its reach into other OT assets or the corporate IT network? Chasing a moving and morphing threat through a critical environment that was never designed with the segmentation, instrumentation, and management tools common in most IT environments is challenging to say the least.
 

Remote & Distributed OT/ICS Challenges

In many critical infrastructure industry vertical markets OT/ICS assets and facilities are often geographically spread out, in remote locations, and often unattended. In order to secure these assets from cyberthreats it’s crucial that any proposed solution works with zero false positives, provides an automated incident response capability, and is able to contain the threat to only the affected facility. 
 
Containment ensures that remote assets don’t become a threat vector for a larger scale attack that can spread to other assets, up-stream plant / control facilities, business IT networks and beyond - even to suppliers, partners, and customers.

IT managers in datacenters seldom face the actual threat of a physical break-in. Due to diligent design, multi-layer controlled access, and 24x7 human presence, it is simply not a threat vector that causes much concern. Strong physical security, biometrics, constant surveillance, and round-the-clock staffing all provide substantial barriers to physical intrusion.
 
Remote OT assets and facilities are often in isolated, minimally secured locations that have limited or no real-time surveillance capabilities. 
 
In addition, remote OT assets are often serviced by "rolling a truck" staffed by third-party service providers or vendor personnel who have full physical access to networks and devices, and who may introduce malware either deliberately or inadvertently through human error.
 
For all these reasons, threats from a physical presence, in addition to the usual network or application level cyberthreats, are a realistic concern. To address this adequately, a security solution must be able to contain any breach to the local remote-site OT network and prevent further access to, and exploitation of, other remote OT sites or up-stream plant / control facilities.

Many remote OT assets are exposed to harsh environments and subject to power and space constraints that do not exist in a central office (CO) or datacenter environment.
 
Humidity / temperature fluctuations require hardened devices, often mounted in NEMA 3R or above enclosures, to function reliably no matter the weather or season. Power availability and restrictions may dictate low-power-consumption devices able to operate within a DC only power network. And available cabinet space may constrain solutions to small form-factor, DIN rail mounted operating hardware that can tolerate the cold, and the heat and humidity that builds up in space-constrained unconditioned control cabinets. 

Often tools and capabilities available in traditional IT networks and facilities are impractical and unavailable in harsh and remote OT/ICS environments. 
 
Visibility, segmentation, and port-mirroring capabilities are seldom present in the unmanaged switches common within remote OT/ICS facilities. In addition, environmental constraints may severely limit the computing resources (storage, memory, processor) available to run modern applications. Finally, low up-stream bandwidth restricts the types of solutions that are practical, since a chatty security tool can itself cause a denial of service for often time-critical communications.
 
