According to Gartner, OT (Operational Technology) is “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.” OT is common in Industrial Control Systems (ICS), such as SCADA (Supervisory Control and Data Acquisition) systems.
Since the early 2000s, the number of OT attacks targeting corporate and governmental systems has been growing. Large-scale OT attacks cause far greater damage to productivity and reputation than cyber attacks on individual targets. One of the most well-known OT attack cases is the Stuxnet incident in 2010. Stuxnet is malware that compromised over 15 nuclear facilities in Iran, reportedly damaged over 1,000 nuclear centrifuges, and heavily affected the efficiency of the Natanz uranium enrichment facility. This was the first reported case of malware affecting hardware and physical facilities. After the Stuxnet incident, OT security became an area that cybersecurity experts need to pay close attention to.
IT security vs OT security
It is important to remember that the nature of OT systems is different from that of IT systems. Generally speaking, IT infrastructure gets updated about every 4 years. By contrast, the average update cycle of OT infrastructure is every 15 years. Even if we take an optimistic figure and count the update cycle as every 10 years, it means that OT systems installed around the time the Stuxnet attacks started would only be getting updated now. Also, updating OT systems is much more expensive than updating IT systems because of OT's large scale. Moreover, the infrequent update cycle means OT systems remain exposed to the latest attack methods for a long time. This is why OT security requires a careful approach that plans at least 10 years ahead.
Current OT security status
It is still common to see a lack of awareness of OT infrastructure threats and of the dynamic changes in OT environments. Moreover, the boundaries between IT security and OT security are disappearing due to the emergence of smart environments, such as smart factories. According to the SANS 2019 OT/ICS Cyber Security Survey, over 50% of the survey respondents rated their organization's risk profile as severe/critical or high. In addition, the many different protocols and outdated facilities found in OT make it harder to add proper security measures.
How to start OT security
OT security becomes a blind spot because OT systems are often assumed not to be reachable from the public network. Moreover, it is difficult to increase security measures gradually because many facilities were installed decades ago. Such facilities often run in an environment that is difficult to control and where security diagnostic tests cannot be performed. Also, new devices and tools are added to the facilities incrementally without any new security measures.
Employees who work on OT facilities tend to be well-versed in physical security, but they are not familiar with cybersecurity. Carrying out OT cybersecurity strategies is difficult even for IT teams, many of which lack OT security expertise. For example, if the OT facilities run 24/7, it is complicated to schedule a time for manual security analysis and remediation.
To start OT security effectively, we recommend using automated security analysis tools to save time and resources. Several security vendors already offer OT security consulting services and solutions. Nozomi Networks and Tenable are among the vendors that provide OT security, and other vendors are also gearing up to offer OT security services. There are also solutions that provide dashboards for managing and controlling the overall OT security status. These dashboards are often provided as a web app for convenience, but it is important to remember that their APIs and management consoles require extra security measures, since they can be reached by third parties. Beyond the current monitoring and detection tools, OT security tools are expected to add more detailed offerings such as sensor security protocols and network controls.
In addition to automated tools, there are standards and guidelines for OT security that organizations can follow. NIST (National Institute of Standards and Technology) of the U.S. Department of Commerce provides guidelines and standards for OT security. ISA also introduced the ISA/IEC 62443 series of standards in 2018. It is a flexible framework for addressing and mitigating current and potential security vulnerabilities in industrial automation and control systems.
To build effective OT security strategies, organizations need to analyze their assets and the related risks, and then prioritize the critical ones. For instance, they can classify factory controls and data bandwidth, system processes, and equipment controls, and apply appropriate security measures to each class. Based on this classification, organizations gain better visibility into potential threats and can simulate attack scenarios to understand their security weaknesses in advance. If this practice becomes an ongoing activity, organizations can run an environment in which they understand the causes of threats even when incidents do happen, and can establish proper threat response and mitigation plans. The whole process ultimately helps organizations achieve a robust framework of security monitoring, protection, risk detection, threat response, remediation, and recovery.
Signature-based solutions for particular ransomware families or known vulnerabilities are not the most effective method for OT security. We suggest developing security framework strategies based on each smart facility's and factory's infrastructure. We also recommend conducting threat analysis and modeling by applying real-world attack scenarios from an attacker's perspective. The resulting OT security framework helps organizations continuously monitor and manage their security status.