Basic Principles of OT Security

The Challenge of Securing Windows 95-Based Devices

Industrial environments with their Industrial Control Systems (ICSs) are a special challenge for IT security. They are rigid and not open to changes. Typically, they are also full of misconfigurations and potentially risky communication paths. For example, OT workstations frequently communicates with the internet directly, despite the fact that a compromised workstation is an ignition cord of a disaster. So, how do you approach security design and protect industrial operations against cyber-attacks?

The Purdue Model for OT/ICS Security

Before we dive into security prevention tactics, let’s see how industrial devices (or operational technology (OT) devices) fit in the IT infrastructure.

One way to describe the OT environments is by using the Purdue model., which consists of 6 levels. The 5th level represents an enterprise network. This is where users are connected and where organizations have most of their endpoint devices. At the 4th level, business logic, operations, and planning are located. Here reside servers such as e-mail, intranet, and internal file servers. Between level 4 and level 3, there is the OT DMZ (demilitarized zone). IT DMZ and OT DMZ should not be confused. In IT DMZ, there are servers which are accessible from public IPs from outside the organization. On the other hand, OT DMZ acts as a barrier between the IT and the OT world. In the DMZ zone, there are the remote access, patch management, and application servers used by OT devices. On the level below (on the 3rd level) the OT network can be entered. Here, there are management workstations used for management of the SCADA (Supervisory control and data acquisition) systems. Of course, there is a firewall between OT DMZ and the 3rd level to block all traffic except the one which is needed by the OT network. This firewall should be tuned very well. On the 2nd level, there are SCADA and HMI (human-machine interface) systems that communicate directly with programmable logic controllers (PLCs). The 1st level consists of the basic, low-level controls that are used to operate robots and devices. These robots and devices perform the actual work located on level 0 of the Purdue model.

For a better picture, a schematic overview is given on the figure below.

Level 5 Enterprise network, connection of users, and the majority of endpoint devices,
Level 4 Business logic, operations, and planning,
OT DMZ Zone Servers as a barrier between the IT and OT world; remote access, patch management, and application servers used by OT devices.
Level 3 OT network; management workstations for the SCADA systems, a firewall for the OT DMZ zone (allows only the traffic required by the OT network, it must be tuned very well).
Level 2 SCADA and HMI systems that communicate directly with PCLs.
Level 1 Basic, low-level controls used to operate robots and devices.
Level 0 Robots and devices perform the actual work on this level.

Note: Be careful not to confuse IT DMZ and OT DMZ. In IT DMZ, there are servers accessible from public IPs from the outside of the organization. On the other hand, OT DMZ servers act as a barrier between the IT and the OT world.

The #1 security challenge of OT Networks

From the security perspective, IT and OT networks are very different. This difference is the most significant when it comes to patching security vulnerabilities.

Regular patching is crucial for reducing cyber risks since unpatched systems are among the most common causes of security breaches.

In IT, patching is rather simple (sic!). A patch management server installs patches on servers and endpoints and reboots them during predefined time-frames. On the other hand, patching in the OT world can be a nightmare. OT networks are designed to last. They are expensive, so stability is paramount. The fewer changes, the better. Once up and running, their lifecycle can easily span over decades. That doesn’t fit well with the ever-changing cyber threat landscape and flexibility of IT.

For example, many OT devices that take care of the critical infrastructure are not designed to work in pairs. They cannot be just rebooted. It is not a surprise that there are still plenty of Windows 95- and Windows XP-based OT devices in production. Because the devices might stop working, they never get updated and patched. And vulnerabilities remain.

So, how can you secure Windows 95-based devices?

In reality, management will not shut down a production plant just because a security engineer said you should update an old OS. But this doesn’t mean you can’t have proper security in industrial environments. Here are the fundamental security mechanisms every OT network should have in place. And they can be implemented without significant downtime and business disruptions:

  • Segmentation: One of the most efficient security mechanisms in OT networks is segmentation. It limits the communication options among different procedures and workstations. Of course, you have to also limit the possibilities of entering the lower levels of OT networks from the management workstations. You can achieve a very efficient network segmentation just by correctly configuring firewalls and the network.
  • Network Intrusion Detection Systems (NIDS): Strict firewall rules are a must. But some traffic and protocols have to be allowed to pass. That is why hackers typically try to use allowed protocols to transfer malicious data packets. To detect them, you should implement network intrusion detection systems (NIDS), which are optimized for OT networks. That means that they understand OT protocols and can recognize and label devices found in OT networks. By using NIDS, you can detect misconfigurations, abnormal traffic patterns, potential attacks, and malware. You can also create automatic responses to detected the attacks. Typically, the response includes a modification to the firewall rules.
  • Lock configurations: As mentioned, OT networks are a haven for legacy software because upgrades are so risky. One way to minimize the security threat on these “old” devices is to burn the current configuration of the OT management workstations in a way that cannot be modified. I also recommend deploying read-write rules in every folder wherever possible.  By doing that, you can stop the transmission of malicious files to the OT management workstation.
  • Secure USB: When the OS update is not an option, you also can’t use traditional anti-virus (AV) tools. However, there is a solution to this problem as well. There are AV tools on USB which can automatically scan the computer for threats when the USB is plugged into the computer as they do not need any installation of software. By using this method, you can also improve the security of your OT environment.

IT and OT networks in security harmony

OT and IT worlds differ from each other kind of like Asterix and Obelix. One very simple and flexible, and the other one a bit more rigid and clumsy, but together they can work in perfect coexistence. For securing OT environments, we rely on knowledge and experience gained in network and endpoint security. In OT, detection cannot be focused so much on the endpoints, but this obstacle can be tackled by burning the endpoint configuration into the disk and protecting it from being used for malicious actions. The same goes for best practices. As in IT environments, it is the same for OT; deploying proven security mechanisms will make your environment much more secure and more resistant to cyber threats.

At NIL`s SOC (Security Operations Center), there are experts in OT security which can help you understand the dangers in your environment and reinforce the strengths to be more resistant against any potential cyber-attacks. Do not wait too long, however, since there isn’t a famous magic potion to undo the damage when the attack has already happened. Rather, stick to the saying: “Better safe than sorry!”

How to secure ICS/OT/IoT environments with Cisco Cyber Vision?

Learn more about the key vulnerabilities and cyber-attacks in ICS environments and how to protect your operations with Cisco Cyber Vision.