We have been dealing with industrial IT security for years (now called OT Cyber Security), that is, how to protect factory networks and automation, process control, supervision and remote control systems from IT risks.

Especially recently, we are increasingly asked the question: "What should I do to secure my application from all the risks we read about in newspapers and on the web today?".

Ok, let's start from the assumption that it is not possible to cover "all the risks": there are technical and economic limits beyond which it is not possible to go.

Let's try an example: who would buy a chain with a 100 euro padlock to keep the 80 euro scooter left outside the school of their children or grandchildren from being taken? Yet we would use the same chain and padlock to lock up a new 6,000 euro motor scooter.

Or who would be willing to pay a security guard to watch, every night, the garage where we leave our car (clearly not a Bugatti or a collector's Ferrari...)?

This introduces the risk/value variable we have to deal with, or rather the ROI, the "Return on Investment", of security, or, if we prefer, the BIA, the "Business Impact Analysis".

Perhaps for our reasoning it is better to focus on "what can we do to lower/mitigate IT risk?", that is, to find a good balance in how to raise the level of protection of our factory network, or even just our SCADA-PLC application, in order to protect the plant and the operational continuity of our plants, and not stop production (if we are talking about an industrial company) or the provision of the service (if we are in the utility sector).

Let's try to line up the points to follow for correct protection.

1) So here we are at the first point: identify the perimeter of what we want to protect

Is the purpose of our intervention to protect the entire factory network or just the SCADA-PLC application we are talking about? We need to make this clear and write it down, as effort and budget can vary a lot. Let's put it on paper and move on.

2) Do we have a clear understanding of the network in question and what transits on each branch of the network?

Here too, let's arm ourselves with pen and paper and try to draw up a diagram of the network, or of the network branch, with the knowledge we have, and put everything we know on paper: what is connected (PCs, PLCs, switches, I/O terminals, sensors, etc.), and which communications and protocols we expect to find. Sometimes, to do all this accurately, it will also be necessary to "get your hands dirty": go around the production departments, open the automation electrical cabinets, check what is inside, check the ports (the sockets on the switches) where the connectors are plugged in and where the network cables run, etc. How? Ideally with a tool that does it automatically. In this regard, we at ServiTecno have two tools that we can offer and that we currently use.

3) We check whether what we found in our previous inspection is correct

The first tool is simpler and also "free": it is Scrutiny from Bayshore Networks, whose products are distributed and supported by ServiTecno. Scrutiny is Bayshore's OT asset survey and visualization tool: in practice it allows you to carry out an Asset Inventory passively and automatically, without affecting normal operations. It allows operators to create a schematic of all devices on their industrial network, with information on the ports and protocols in use and on the communication flows to and from the various factory devices.

A second tool, much more capable and complete, is SCADA Guardian by Nozomi Networks, another solution distributed and supported by ServiTecno. This Nozomi Networks solution identifies all network devices, validates their details and provides accurate descriptions. It also monitors and analyzes the metadata of each connected resource in real time, collecting attributes such as:

  • Device name, type, serial number, firmware version and components
  • Asset and subpart properties: site, name, IP address, MAC address, and status
  • Embedded devices such as PLCs and their internal components/boards
  • Subsystems of logical nodes such as switches
  • Measuring points/sensors
  • PC operating system and installed software applications with version numbers
  • All protocols used by communications and their versions/anomalies

The logical views provided by the application make it easy to view, search and drill down on device information. Industrial operators can easily add further details such as location, description and site.

Anomaly Detection for Plants – Nozomi Networks

4) We begin to "design" the protection for our SCADA-PLC application

At this point we should have a clear picture of our factory network and/or of our SCADA-PLC application, and we have the terms on which to start thinking about what to protect against IT risks and how.

Do we have a "flat network" in front of us, or is it adequately segmented as recommended by the IEC 62443 standard?

We must realize that a "flat network", where all network participants are on the same network without distinctions or physical or logical interruptions, is more subject to possible contaminations that can propagate across the network: without barriers, malware has free rein to infect every device on the network. Hence the need to divide the network into "zones" and to identify the connections, or "conduits", necessary to transmit information between one "zone" and another.

5) We must adequately "segment into zones" the network and secure communications in the "conduit" between one zone and another

Segmentation is designed to prevent problems that occur in one part of the network from spreading to other areas, or even to the entire network. Normally this segmentation is done with switches that support subnets and VLANs, and with special firewalls designed for industrial networks and connections, which support the architectures and protocols typical of the OT world.
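The zone/conduit idea in points 4 and 5 can be written down as a small allow-list: hosts belong to zones, and cross-zone traffic is permitted only where a conduit has been declared for that protocol. This is an added example, not code from ServiTecno or Bayshore; the zone addresses, conduits and flows are constructed.

```python
# Added example: a minimal IEC 62443-style zone/conduit policy check.
# Zones, conduits and addresses below are constructed sample values.
import ipaddress
from typing import NamedTuple, Optional

ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/24"),
    "scada": ipaddress.ip_network("10.10.0.0/24"),
    "cell_a": ipaddress.ip_network("192.168.10.0/24"),
}

# Conduits: (source zone, destination zone, protocol/port) explicitly permitted.
# Anything not listed here is denied by default.
CONDUITS = {
    ("scada", "cell_a", "modbus/502"),
    ("cell_a", "scada", "opcua/4840"),
    ("scada", "enterprise", "https/443"),
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple:
    """Return ('allow' | 'deny', reason) for one observed flow."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz is None or dz is None:
        return ("deny", "host outside every defined zone")
    if sz == dz:
        return ("allow", f"intra-zone traffic in {sz}")
    if (sz, dz, flow.proto) in CONDUITS:
        return ("allow", f"conduit {sz}->{dz} {flow.proto}")
    return ("deny", f"no conduit {sz}->{dz} for {flow.proto}")
```

Note that the direction matters: a conduit from the SCADA zone to the cell does not implicitly permit the enterprise zone to reach the cell with the same protocol.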

Precisely for these uses, ServiTecno proposes the OTfuse devices from Bayshore Networks: OTfuse is an intelligent, self-configuring industrial security device and intrusion prevention system (IPS) designed for use on factory floor networks in SCADA-PLC applications. OTfuse sits at cabinet level in front of critical endpoints, can have multiple ports to which network branches connect, learns and enforces the factory communication rules for the plant environment, and proactively eliminates cyber threats to OT assets in real time. It also protects the OT network from unauthorized configuration changes, PLC resets, data extraction and reads from the PLC, and updates of logic, setpoints and message values.

There are versions of OTfuse specifically designed to protect applications built on the GE Digital iFIX and Cimplicity SCADA: an industrial firewall that automatically analyzes industrial network traffic, proposes its own firewall rules, enforces normal operations for each plant environment, and actively mitigates threats to OT assets in real time, with native support for the iFIX 6.x and Cimplicity 11.x protocols. A "light" version of OTfuse is also available for small applications at an entry-level price.

OTfuse – Bayshore Networks

6) Are we using all the security tools already available in the hardware and software we have installed and in use?

For example: have you checked whether your PLCs support encrypted communication? Newer PLCs and many up-to-date factory devices ship with support for SSL-encrypted communications, or better still TLS. Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols for network connections that provide secure end-to-end communication from source to receiver over TCP/IP networks, giving authentication, data integrity and confidentiality above the transport layer. Note that SSL (and TLS 1.0/1.1) is deprecated: where the device offers a choice, enable TLS 1.2 or later.

Even the most recent versions of the GE Digital iFIX and Cimplicity SCADA support encrypted communications: there are specific instructions to follow to enable them and make your application more secure quickly and easily.

Many PLCs and many SCADAs have native functions for password-based access control and even multi-factor authentication: consult the documentation and make it harder for unauthorized persons to gain access.

7) How do we control remote access and operations for the maintenance and management of the SCADA-PLC application?

To allow controlled access to the SCADA-PLC application by remote operators, and for maintenance carried out by suppliers and system integrators, it is necessary to have a private, secure access solution specific to OT, giving controlled access to designated OT assets and services, with easy user management.

OTaccess by Bayshore Networks, distributed and supported by ServiTecno, is a remote network access product with support for encrypted microtunnels, multi-factor authentication, Microsoft Active Directory users and groups, and endpoint-specific access capabilities (SCADA and PLC) oriented to the security requirements of the OT network. OTaccess provides content-based in-session policy enforcement for defined rule sets, and the list of available policies expands automatically without user intervention.

OTaccess is a competitive alternative to both generic enterprise VPN products and software-defined networking tools. It offers native policy controls for OT protocols and supports single-pane-of-glass administration via the customer's private cloud instance of the management portal.

Here are some of the features and benefits of Bayshore Networks OTaccess:

  • Granular and secure remote access, more precise than a VPN
  • Controlled access per protocol, per activity and per unique seat for your environment
  • Ensures that OT assets and the network cannot be remotely manipulated out of line of sight
  • Available as a local hardware appliance or as a Cloud service
  • Minimizes the attack surface and enables the most secure option for remote operators or third-party vendors to access endpoints within the OT network

8) If it is necessary to "extract" data from the OT network, in a critical application we evaluate the adoption of a "Data Diode"

In today's converged OT/IT networks it is essential to create a secure network segment to protect and isolate the most critical areas, sensitive networks and data from cyber attacks and misuse. You must be able to transfer data out of trusted OT (plant) networks without exposing SCADA-PLC machines to an IT network. Unidirectional data-diode functionality provides an air-gap bridge that only allows data to flow out of a network, never into it, thus cutting off an important attack vector. While this may not apply to everyone, a data diode can guarantee that there is no communication from the outside towards a specific network branch or piece of equipment.

ServiTecno proposes the NetWall devices by Bayshore Networks as data diodes, with these features:

  • NetWall transfers data from a secure OT network (the field) without exposing machines and plants to an exposed network (corporate IT, Enterprise network)
  • Unidirectional data-diode functionality that provides an industrial air-gap bridge to limit and enable communications from sensitive and confidential assets
  • Guaranteed delivery from source to destination with provable verification, unlike most one-way gateways that use relay methods
  • Alleviates the cost and complexity of physical-only access or traditional data diodes with a more effective and efficient connectivity solution

9) We evaluate the adoption of an IDS/IPS tool with "Anomaly Detection" functions for the OT network

To prevent unauthorized network access and attacks, the most common firewalls on the market are equipped with IDS (Intrusion Detection) and also IPS (Intrusion Prevention) functions, and we have seen that these firewalls are essential at the perimeter and for further segmenting the network.

Today there are protection devices for the OT network that also provide "Anomaly Detection" functions: a big step forward towards "verifying your infrastructure", with the detection of all devices on the network (even those not tracked, as indicated above in point 3). In practice, when the system is put into operation, it starts by creating an image of the network, mapping PLCs, SCADA servers, SCADA clients, historians, sensors and mobile devices... in short, everything that is connected to the OT network.

After this initial mapping of the OT network, the behavior of the architecture and of the network traffic is analyzed in order to detect, once fully operational, the following anomalies:

  • Process and network anomalies: devices that suddenly change their behavior, overload or reduction of communication load.
  • Unknown devices on the network: external personnel or third-party devices not authorized for use within the operational network perimeter.
  • Devices connected directly to the public network: data modems, IP cameras, IoT devices.
  • Obsolete firmware and operating systems: no longer supported and not updated with the latest security fixes (service packs, SIMs, patches, etc.), and therefore exposed to known CVE vulnerabilities.
  • Lack of authentication: missing or weak passwords (e.g. admin/admin or admin/123456) can lead to unauthorized access and changes to the configuration of a critical system.
  • Lack of encryption: communications in the clear, unencrypted, easily intercepted and manipulated.
  • Backdoors: SCADA, PLC and ICS can be exposed to attacks through standard communication networks but also through industrial protocols, which are often inherently insecure.
  • Buffer overflows: buffers can be subject to specific attacks that can lead to data exfiltration and even system crashes.

Such vulnerabilities can be readily identified by adopting vulnerability detection systems specific to OT environments, such as Guardian together with the Nozomi Networks Vantage solution, proposed and supported by ServiTecno.
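The learn-then-detect cycle described in points 3 and 9 (passively build an image of the network, then flag deviations) can be sketched over flow metadata. This is an added example, not Nozomi's or ServiTecno's code; the device names, protocols and byte rates are constructed, and only the anomaly classes visible from flow metadata are covered (unknown devices, new communications, volume changes, cleartext management protocols).

```python
# Added example: baseline learning and anomaly detection over constructed
# flow records of the form (source, destination, protocol, bytes_per_minute).
from collections import defaultdict

# Learning phase: traffic observed while the plant is known to be in a good state.
LEARNING = [
    ("scada-srv", "plc-01", "modbus", 12000),
    ("scada-srv", "plc-01", "modbus", 13000),
    ("scada-srv", "plc-02", "s7comm", 8000),
    ("historian", "scada-srv", "opcua", 20000),
]
# Detection phase: live traffic, including deliberately planted deviations.
LIVE = [
    ("scada-srv", "plc-01", "modbus", 12500),  # normal
    ("scada-srv", "plc-01", "modbus", 90000),  # sudden overload
    ("scada-srv", "plc-02", "modbus", 500),    # new protocol towards plc-02
    ("laptop-x", "plc-01", "modbus", 400),     # device never seen before
    ("historian", "scada-srv", "telnet", 100), # cleartext management session
]
# Protocols that carry credentials or commands in the clear.
CLEARTEXT_MGMT = {"telnet", "ftp", "http", "vnc"}


def learn_baseline(records):
    """Build the network image: known devices, known flows, peak rate per flow."""
    devices, flows, peak = set(), set(), defaultdict(int)
    for src, dst, proto, rate in records:
        devices.update((src, dst))
        flows.add((src, dst, proto))
        peak[(src, dst, proto)] = max(peak[(src, dst, proto)], rate)
    return {"devices": devices, "flows": flows, "peak": dict(peak)}


def detect(baseline, records, factor=3.0):
    """Return (anomaly_class, flow) alerts for records that deviate from the baseline."""
    alerts = []
    for src, dst, proto, rate in records:
        key = (src, dst, proto)
        if src not in baseline["devices"] or dst not in baseline["devices"]:
            alerts.append(("unknown-device", key))
        elif key not in baseline["flows"]:
            alerts.append(("new-communication", key))
        elif rate > factor * baseline["peak"][key]:
            alerts.append(("volume-anomaly", key))
        if proto in CLEARTEXT_MGMT:
            alerts.append(("cleartext-protocol", key))
    return alerts
```

A real product also correlates these alerts with firmware versions and known vulnerabilities, which cannot be derived from flow metadata alone.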

10) Remember: we must know what we want to protect

Only if we have a clear and complete view of how our OT network is built and of what circulates on it will we be able to notice when "something is wrong". We must always keep our knowledge up to date and constantly reassess the risk, the threats and the vulnerabilities.

A periodic reassessment of the network and its documentation must be scheduled, to check whether there have been additions or changes, whether everything is up to date, and whether maintenance activities are needed to adjust the level of protection. Consider a Threat/Vulnerability Assessment, both as an internal audit and delegated to third parties specialized in OT.

Conclusion

Some CISOs keep asking themselves the same question they get every day from their bosses and colleagues: "How secure are we?"

Despite the simplicity of the question, the answer is not so simple, and sharing an Excel sheet with the vulnerabilities found and addressed during the last week is not enough. Quantifying and communicating an organization's level of cyber risk in a way that other managers can understand remains a challenge for CISOs, and can make it difficult to obtain the cybersecurity investments necessary for an organization that is growing or that wants to stay on the market for a long time.

Cyber InfoSec (which also includes the OT side) must become a company strategy, exactly like the hygiene rules that tell us to keep our distance, wear a mask and wash our hands often to avoid contagion. This can only happen if CISOs understand their "true" attack surface: according to recent analysis, today only half of them have a holistic understanding and assessment of the entire enterprise attack surface, and less than half use contextual threat metrics to measure their company's cyber risk. This highlights the limits of their ability to analyze cyber risks and prioritize remediation based on business criticality and threat context.
