Written by Or Shalom
OT (Operational Technology) is in charge of physical operational processes serving different needs in various sectors. It runs production lines in critical infrastructure (such as electricity, oil, and energy production), heavy industry, and weapons manufacturing, but also production lines in the automotive, pharmaceutical, and food industries, and so on. Unlike IT networks, where the adversary inflicts significant damage by disrupting information processing or manipulating the information itself (data encryption or leakage), in the operational sectors the consequences can be the loss of human life, safety implications, environmental impacts, and more.
Thus, from the attacker’s perspective, the goal is to penetrate these networks in order to disable or damage systems, equipment, and infrastructure, and even to harm human life and/or the environment. This can be carried out in various ways: progressively moving through the network and establishing a foothold, then gaining the ability to change functionality, for example by altering commands through the HMI systems or changing values in the controllers themselves. Therefore, the traditional concept of separating OT from other environments (including the Internet) is a decisive factor that makes it considerably harder for the adversary to achieve these goals (including a persistent grip on the network).
COVID-19 and the lockdowns dictated requirements and accelerated the need for connectivity from outside the enterprise for ongoing remote control operations[1]. Furthermore, the Industry 4.0 trends, intended to manage factories and industrial processes smartly, offer cost reduction and the rapid deployment of streamlining and optimization processes, which rely among other things on fast processing and computation. These trends also push the market toward out-of-enterprise solutions and connectivity, such as cloud services or solutions based on IIoT (Industrial Internet of Things) components. Although these solutions have significant operational benefits (such as remote control and over-the-air updates), some risks stem from the dependence on networks and environments outside the enterprise.
Therefore, the solution is careful planning of a secure architecture with advanced capabilities to prevent the exploitation of opportunities for unauthorized access to potential attack surfaces. Such planning requires using secure protocols and ensuring that communication within the operational environment, between components, and outside the network is legitimate. These measures will significantly accelerate solutions that preserve the separation.
Solutions for Controlling Direction and Communication Traffic Through FW Systems and One-Way Diodes:
The requirements for implementing firewall (FW) solutions in OT networks have increased significantly in recent years, partly because of the need to merge IT environments and to integrate IIoT components. This implementation is based on logical separation: defining the protocols and file types, and defining the kinds of content that will pass through or be blocked on the network[2]. However, relying on a logical separation solution remains troubling, given the need to maintain firewall rules and the possibility of manipulation, changes, or attacks on the management interface (both as an internal threat or human error, and as an advanced cyber capability of the kind a well-resourced attacking entity can bring)[3]. The use of one-way diodes is also popular, since it converts the communication into an optical link that physically prevents any reverse flow against the direction of the data (unless the attackers gain physical access to the hardware, i.e., the diode itself). The market for diode solutions, which supports hybrid use in both local environments and the cloud, has expanded in recent years and now includes software that adds a further security layer (beyond the physical one) through logical settings for protocols, volumes, content, and time windows. Double diodes give greater flexibility, because raw data must be both exported from and imported into the OT from external environments. For example, a manufacturing plant’s dependence on organizational systems (such as ERP) for order management and for preparing scheduled shipments can be served by an automated, secure data transfer process between the networks. The logical implementation allows control over the types of files, content, format, and the configuration of information characteristics (such as XML encoding).
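As an added illustration (not code from the article or any diode vendor), the following Python sketch shows what the logical layer of a diode or transfer gateway can enforce on an ERP-to-OT file feed: allowed file types, size, transfer window, and the XML encoding and root element. The policy values, the ProductionOrders schema name, and the sample transfers are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, time
# Constructed policy for an IT -> OT feed (e.g. ERP production orders): only the
# formats, sizes, encodings and time windows the process needs are let through.
POLICY = {
    "allowed_suffixes": {".xml", ".csv"},
    "max_bytes": 256 * 1024,
    "xml_encoding": "utf-8",
    "xml_root": "ProductionOrders",       # hypothetical schema root element
    "window": (time(6, 0), time(22, 0)),  # transfers only during operating hours
}
_DECL = re.compile(rb'^<\?xml[^>]*encoding="([^"]+)"', re.I)

def check_transfer(name, data, now, policy=POLICY):
    """Return (allowed, reason) for one file offered to the diode's logical layer."""
    suffix = name[name.rfind("."):].lower() if "." in name else ""
    if suffix not in policy["allowed_suffixes"]:
        return False, f"file type {suffix or '(none)'} not on allowlist"
    if len(data) > policy["max_bytes"]:
        return False, f"size {len(data)} exceeds {policy['max_bytes']} bytes"
    start, end = policy["window"]
    if not start <= now.time() <= end:
        return False, "outside permitted transfer window"
    if suffix == ".xml":
        m = _DECL.match(data)
        declared = m.group(1).decode("ascii", "replace").lower() if m else None
        if declared != policy["xml_encoding"]:
            return False, f"XML encoding {declared!r} not permitted"
        if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
            return False, "DTD/entity declarations are not accepted"
        try:
            root = ET.fromstring(data)   # parsed only after the cheap checks above
        except ET.ParseError as exc:
            return False, f"malformed XML: {exc}"
        if root.tag != policy["xml_root"]:
            return False, f"unexpected root element {root.tag!r}"
    return True, "accepted"

# Constructed sample transfers: label -> (file name, payload, time offered).
GOOD = b'<?xml version="1.0" encoding="UTF-8"?><ProductionOrders><Order id="1"/></ProductionOrders>'
SAMPLES = {
    "orders": ("orders.xml", GOOD, datetime(2024, 1, 1, 9, 0)),
    "binary": ("patch.exe", b"MZ\x90\x00", datetime(2024, 1, 1, 9, 0)),
    "night": ("orders.xml", GOOD, datetime(2024, 1, 1, 2, 30)),
    "utf16": ("orders.xml", GOOD.replace(b"UTF-8", b"UTF-16"), datetime(2024, 1, 1, 9, 0)),
    "entity": ("orders.xml", GOOD.replace(b"?><", b'?><!DOCTYPE x [<!ENTITY e "x">]><'), datetime(2024, 1, 1, 9, 0)),
}

def evaluate_samples():
    return {label: check_transfer(*args) for label, args in SAMPLES.items()}
```

Only the "orders" sample is accepted; the others are blocked by the type, time-window, encoding and entity checks respectively.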
Matching the Solutions to Zero Trust Architecture:
The complexity of IT within OT environments, hybrid environments (including the cloud), and the use of IIoT components alongside many assets, computing infrastructure, and entities all call for a zero-trust network design. The concept of zero-trust architecture means extending no implicit trust to any entity or computing component that comes into contact with the network. At its core, this approach has been directed at IT networks and less at OT networks, which are characterized by a variety of components from different manufacturers, different protocols, safety considerations, and the need for immediate operation. As complementary solutions, some technologies provide visibility within OT environments to establish trust between these components and the network. The difficulty of implementing Zero Trust architecture in operational environments today will accelerate the solution market and the need to implement controls that ensure these capabilities.[4]
The Need for Monitoring in Different Layers:
Connectivity to IT environments, as well as connectivity between layers within the OT network, requires monitoring processes to detect an attack. The large number of components and protocols, and the difficulty of the monitoring processes themselves (setting rules, etc.), steer the market, among other things, toward AI- and ML-based monitoring (monitoring in OT environments also serves operational purposes). AI- and ML-based monitoring therefore also brings operational benefits in predicting possible malfunctions (based on computational models, cross-referencing, and statistical thresholds). Another trend is the critical importance of monitoring Layer 0, which is based on observing the final physical action (electrical fluctuations) as part of a reliable process for confirming or refuting an attack at the last layer. The ability to cross-reference behavior between the different layers (for example, Layer 0 versus Layer 3), together with AI-based capabilities, will enable accurate metrics and efficiency and will reduce noise in the monitoring processes.
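An added example, not from the article, of the Layer 0 versus Layer 3 cross-check described above: constructed setpoint writes seen on the network (Layer 3) are compared with constructed physical measurements (Layer 0), and a sustained discrepancy, or physical activity with no command behind it, is flagged. Tag names, tolerance and sample counts are assumptions.

```python
from collections import defaultdict

# Constructed telemetry. Layer 3: setpoint writes from the HMI as seen by the network
# monitor. Layer 0: an independent physical measurement (e.g. a current clamp on the
# pump motor) that does not depend on the controller's own reporting.
SETPOINTS = [  # (t_seconds, tag, commanded value)
    (0, "pump1_rpm", 1200), (0, "valve2_pct", 50), (60, "pump1_rpm", 1200),
]
MEASURED = [  # (t_seconds, tag, observed value)
    (0, "pump1_rpm", 1195), (10, "pump1_rpm", 1202), (20, "pump1_rpm", 1198),
    (30, "pump1_rpm", 1610), (40, "pump1_rpm", 1620), (50, "pump1_rpm", 1615),
    (0, "valve2_pct", 49), (30, "valve2_pct", 51), (15, "heater3_kw", 12),
]

def cross_check(setpoints, measured, tolerance=0.05, min_consecutive=2):
    """Compare each physical sample with the last setpoint commanded at Layer 3.
    Returns alerts (t, tag, expected, observed) when the process departs from the
    commanded value for min_consecutive samples, or when a tag moves with no command."""
    history = defaultdict(list)
    for t, tag, value in sorted(setpoints):
        history[tag].append((t, value))
    alerts, streak, unexplained = [], defaultdict(int), set()
    for t, tag, observed in sorted(measured):
        expected = next((v for st, v in reversed(history[tag]) if st <= t), None)
        if expected is None:
            if tag not in unexplained:           # report once per tag, not per sample
                unexplained.add(tag)
                alerts.append((t, tag, None, observed))
            continue
        if abs(observed - expected) > tolerance * abs(expected):
            streak[tag] += 1
            if streak[tag] == min_consecutive:   # sustained deviation, not a transient spike
                alerts.append((t, tag, expected, observed))
        else:
            streak[tag] = 0                      # back within tolerance resets the streak
    return alerts
```

In the constructed data the pump runs at about 1600 rpm from t=30 although the HMI never commanded more than 1200, and the heater draws power with no setpoint at all; both are the kind of discrepancy that a Layer 3 view alone would miss.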
Getting the Full Risk Picture:[5]
The variety of components, such as PLCs, IIoT components, computer software, and infrastructure, makes risk management, vulnerability updates, and similar tasks a complex process, since they are all connected to external environments and exposed to the Internet. Therefore, a system that maintains a regular snapshot based on risk calculation for each component and its influence on the network adds value: it lets the operating teams and the CISO prioritize activity according to the critical vulnerabilities and the mitigation recommendations, and adjust the overall network risk value accordingly. However, even if the environment can be connected to the cloud, it is better to manage this in a compartmentalized manner, without a connection to the network itself (in a partition, on another domain, or on-premises).
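An added illustration, not the article’s own method or any product’s scoring, of a risk snapshot of the kind described: each asset’s worst vulnerability is weighted by its exposure and its process criticality, the assets are ranked for the operations team, and the network-wide value is recomputed after a mitigation is applied. The inventory, the weights, and the vulnerability identifiers are constructed placeholders.

```python
# Constructed asset inventory snapshot. Weights and identifiers are illustrative
# placeholders, not a standard scoring scheme.
ASSETS = [
    # name, process criticality 1-5, exposure to IT/Internet 0-1, vulns [(id, cvss)]
    {"name": "PLC-Line1", "criticality": 5, "exposure": 0.2,
     "vulns": [("VULN-PLACEHOLDER-A", 9.8), ("VULN-PLACEHOLDER-B", 5.3)]},
    {"name": "HMI-01", "criticality": 4, "exposure": 0.8,
     "vulns": [("VULN-PLACEHOLDER-C", 7.5)]},
    {"name": "IIoT-Gateway", "criticality": 3, "exposure": 1.0,
     "vulns": [("VULN-PLACEHOLDER-D", 8.1), ("VULN-PLACEHOLDER-E", 4.0)]},
    {"name": "Historian", "criticality": 2, "exposure": 0.5, "vulns": []},
]

def asset_risk(asset):
    """0-100: worst vulnerability, scaled by reachability and by what the asset controls."""
    worst = max((cvss for _, cvss in asset["vulns"]), default=0.0)
    reach = 0.5 + 0.5 * asset["exposure"]          # isolated assets still count half
    return round(worst / 10 * reach * asset["criticality"] / 5 * 100, 1)

def network_risk(assets):
    """One reachable critical foothold is enough, so the network value is the maximum."""
    return max(asset_risk(a) for a in assets)

def prioritize(assets):
    """Work list for the operating teams and the CISO: highest-risk assets first."""
    ranked = sorted(assets, key=asset_risk, reverse=True)
    return [(a["name"], asset_risk(a)) for a in ranked]

def apply_mitigation(assets, name, fixed_vuln=None, new_exposure=None):
    """Return a new snapshot with one recommendation applied (a patch or re-segmentation),
    leaving the original untouched so before/after network values can be compared."""
    snapshot = []
    for a in assets:
        a = dict(a, vulns=list(a["vulns"]))
        if a["name"] == name:
            if fixed_vuln is not None:
                a["vulns"] = [v for v in a["vulns"] if v[0] != fixed_vuln]
            if new_exposure is not None:
                a["exposure"] = new_exposure
        snapshot.append(a)
    return snapshot
```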
Developing Honeypot Capabilities – to Locate the Opponent in Different OT Circles:
The assumption that an attacker could overcome all the security layers, or bypass them through support processes, supply chains, etc., also motivates the design of trap-based detection capabilities in different circles. One possible layout is an area within the network environment (such as a fabricated, designated zone placed in front of the network’s FW). Another possible layout is a separate network that simulates an OT network. This method makes it possible to trace attack patterns in controlled areas (without impact on the production network) and to feed the information back to boost the OT “immunity”.[6] In 2020, Trend Micro published its insights from a honeypot experiment.[7] As part of setting up the trap and virtual environment, the company built a virtual, fabricated industrial production line, including computers, robots, and various controllers and control systems with an Internet connection. The researchers speculated that attackers would invest their efforts in gathering intelligence and OSINT during the collection stages before the attack. Accordingly, they built a fictitious company website (a solution provider for the security industry) containing names and fake images of staff, emails, phone numbers, and telephone lines with an automatic answering machine, etc. This is a classic example of a method for validating or refuting hypotheses or defense concepts. While the researchers expected the attack efforts to target the command and control systems and the controllers themselves, the efforts were actually aimed at exploiting the network’s resources for cryptocurrency mining, along with two ransomware attacks. Maintaining honeypots requires creative thinking, changes, and upkeep (sometimes of several environments). Therefore, here too the integration of AI has implications for the ability to build attractive environments and to discover attackers.
The author is a security, cyber and HLS technology expert and consultant to government ministries and defense industries. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in consultation and business development for security companies and groups in matters of planning and building defense, innovation and security technology, exercises, and training in security and cyber.
[1] https://i-hls.com/archives/105200
[2] https://www.dragos.com/blog/improving-ics-ot-security-perimeters-with-network-segmentation/
[3] https://www.sans.org/webcasts/common-ot-industrial-firewall-mistakes-115745/
[4] https://insights.sei.cmu.edu/blog/it-ot-and-zt-implementing-zero-trust-in-industrial-control-systems/
[5] https://i-hls.com/archives/115416
[6] https://ccdcoe.org/uploads/2020/05/CyCon_2020_15_Dodson_Beresford_Vingaard.pdf
[7] https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/fake-company-real-threats-logs-from-a-smart-factory-honeypot