This post is also available in: עברית (Hebrew)
By Or Shalom
OT (Operational Technology) networks continue to challenge cybersecurity experts. These networks are critical networks in various sectors, e.g. energy infrastructure, production lines (of weapons, vehicles and robotics, food, pharma, etc.). They operate as operational networks integrated into the command and control systems (such as suitcases conveying in airports), building management systems (BMS) for tenants’ operation and well-being, and more.
The operational complexity, the variety of components and different protocols require creativity in planning cybersecurity controls.
The Stuxnet event proved that even when it comes to air-gap and supervised networks there is still an ability to bypass, infiltrate and even modify software and components and mock operating personnel, such as in a scenario of intervention with adversary command in operational files. This is based on the attacker’s understanding, that in addition to the difficulties in screening operational files, there is also the concern that these files might be damaged.
So is the understanding that the vendors or the companies themselves use DOK and USB devices in order to transfer files to the operational environment. From there, impersonating the manufacturer and soliciting updates through DOK is a short distance.
Moreover, technological advances in general, such as dedicated smart components integrated in classical operational settings that are also connected to the internet (such as IIoT – Industrial Internet of Things), and the consequences of changing work habits since the Covid-19 crisis, have made the task even more complex. For example, the need created during the crisis for remote support or the flight suspension, which affects decisions regarding equipment purchasing and redundancy, as will be elaborated below.
Risk Management in OT Environment
Risk management in operational arenas bears serious significance. The reason is that it is not always possible to conduct a penetration test at operational arenas due to concerns regarding intrusive intervention, damage to the system, security aspects, and above all – the fear of shutting down the system’s operation and activities.
Therefore, the risk management process must be tailored to the mapping and identification of risks in the operational arena and in relation to the sector itself. A risk survey in the operational arena of a production line environment for pharma is different in essence from a survey of a production line for weapons. Each one of these is different from a risk survey for operational networks in the railway world.
The risk management process must be comprehensive in addressing significant issues in operating environments, including risks along the supply chain, vulnerabilities in protocols, software update issues, connectivity between components (software and controllers), risks emanating from supporting systems (such as generators), taking into account outdoor components, Including physical damage that will lead to computing damage as well as operational aspects.
ENISA organization has recently published a comprehensive recommendation document dedicated especially to cyber risk management in the railway sector. As part of a validation process, it is directed at the relevant assets (Railway Assets and Services) and includes also an integrated and influential scenario bank covering the area between the OT and IT arenas.
Possible scenarios include damage to the signaling system and impact causing an accident by capturing and taking over the components and creating false information, sabotage of the control systems, etc. The document associates each scenario with a list of controls (later in the document) which will enable to decrease the attack surface. The import of prior intelligence regarding assets, weaknesses of controllers in use and attack patterns in OT arenas are significant as part of risk validation.
Designing Cyber Protection Controls According to Purdue Layer Model – As Process Ensuring Lateral Protection
The OT environment attracts the attacker both due to the environmental complexity, which creates broad attack opportunities, work processes involving reduced interfaces and involvement of IT personnel in working and manufacturing operating environments and due to the difficulty in monitoring operational networks because of the presence of multiple components from different manufacturers and protocols.
In recent years, some interesting directions and technological capabilities have been proved, enabling monitoring processes in operational environments. These also include the ability to import and read different types of protocols into a single, unified screen for cross-referencing and alerting to unusual events. Improving the monitoring capability of OT networks will help better cyber control and protection in operational networks.
The key to planning controls wisely in the face of risks should be based on the analysis of the network’s typology. The most popular among them is the Purdue model, another model is the Triangular model (based on ISA 95).
The advantage of analyzing the typology is the ability to associate controls to layers according to the network’s hierarchy and also enables a picture of the state of controls in relation to each layer.
One of the trends in recent years is the ability to monitor Level 0, connected with the ability to measure the end physical action. This capacity enables separation and independence in computing and software processes and the ability to manipulate through them. It also enables to base on the final result as a measure and control for the process as a whole.
The adversary’s modes of operation reflect advanced attack competencies, creativity, which is also based on the gathering and utilization of technologies and tools for preliminary intelligence gathering, self-organization abilities, commerce in attack tools on the darknet, and zero-day attack capabilities. All these require from the defender creativity, active protection processes that acknowledge the attacker’s capabilities (in order to know the gathering methods, such as the use of Shodan, Foca and the like for creating adequate controls that would thwart the gathering capabilities), hunting and honeypots even outside the boundaries of the organization’s networks.
Involvement of Management and Board and Preparedness to Cyber Crisis Situations
The cyber crisis resilience ability is measured, among other things, by the period of time and the ability to return to productivity at the work environment after the attack. This is the guideline based on prior preparations with software and backup procedures, Golden Images, as well as redundancy of critical equipment, such as hardware, controllers, machinery, and human resources expertise in fixing the malfunction and re-installing the system.
Cyber preparedness and coping with flaws were also influenced by the Covid-19 crisis. If until now, there was an understanding that the vendor could supply equipment or a replacement for a defective component at short notice of up to 4-5 days (in some cases), then the Covid-19 crisis gave us experience in a world flight suspension and the understanding that there is a need for local supplies and redundancy in the vicinity of the facility, installation or site. An issue like this sharpens the understanding and need for executive involvement to improve and enhance recovery capacity.
The recovery of an Industrial Control Systems (ICS) environment (as a classical OT environment) is much more complex than in the case of IT, and has to be executed in controlled processes and with the involvement of engineers and process monitoring experts. A cyber crisis exercise also aimed at the organization’s management, with hands-on derivatives in actual practice for the operations personnel, will improve the processes, readiness and speed of recovery. For simulation of such a crisis is close to reality and simulates the needs, constraints, malfunctions and possible problems and on the other hand, strengthens the interfaces even vis a vis the IT teams in the organization.
Alongside the cyber aspects, and sometimes as part of the understanding that cyber-attack is complex (network air gap, etc.), there are attempts to perpetrate physical attacks. Therefore, beyond the response to cybercrime and issues of denial of access, synergies and balances must also be made vis-à-vis the entities in charge of physical security in OT-based facilities (with an emphasis on critical infrastructure). This is in order to prevent the possibility of damage to supporting systems (such as outdoor components, generators, etc.), including protection against missile threats, UAVs, drones (Aramco facility event 2019) or responses and environmental detection against technological operations for cyber attacks involving a closer radius (attacks based on RF, Side Channel attacks, etc.)
Or Shalom – Security and cyber expert and consultant to government ministries and defense industries, international business development consultant for companies in the fields of HLS and cyber and leads centers of excellence and advanced training programs in Cyber and HLS for various organizations in the civilian, security, industry, and academic sectors. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in security, innovation, planning and characterization of technological security systems, HLS, and Cyber preparedness.