Until recently, Operational Technology (OT) networks functioned as isolated, air-gapped environments, so cybersecurity was not a top priority. The growing reliance on externally sourced data has in some cases led industrial environments to converge with IT networks. At the very least, because of this increased dependence on new technological trends such as the industrial internet of things (IIoT), wireless, and 5G, OT leaders can no longer avoid giving cybersecurity a share of their attention.
Outlined below are the implications of IIoT, Wi-Fi, 5G, and other trends for OT cybersecurity, including OT environments that are frequently built on the Purdue Enterprise Reference Architecture (PERA).
IIoT cybersecurity risks often arise from the devices’ direct or indirect internet connections. Examining the primary use cases for IIoT and the associated information flows provides additional insights into these risks. An OT deployment may include a mix of the following three main use cases:
Securing IIoT environments first requires an understanding of organization processes. A production system involves a complex interaction of industrial devices and use cases, as described above, with flows of information moving along conduits between zones and domains.
The Industrial Internet Consortium (IIC), an open membership organization formed to accelerate the development, adoption, and widespread use of the industrial internet, divides IIoT ecosystems into five functional domains: control, operations, information, application, and business. The control domain mainly deals with the industrial or machine aspects, such as control, sense, and actuation technologies. The combined control and operations domains form the business’ OT side, and the remaining domains are on the IT side.
The IIC further suggests a three-tier IIoT system architecture consisting of an edge tier for OT, a platform tier for OT and IT integration, and an enterprise tier for IT. The five functional domains can be mapped to the three-tier technology architecture with an overlay of three networks—the proximity network, the access network, and the service network, enabling communication and connectivity across each domain and technology tier.
The standard that guides security deployments in OT is ISA/IEC 62443. It includes guidance on using the Purdue Enterprise Reference Architecture, also known as PERA, which defines the following hierarchical set of levels for applications and controls:
First conceived in the early 1990s, the original Purdue model did not anticipate IIoT, wireless, or cloud connectivity. But by mapping the IIoT functional domains, technology tiers, and security requirements to the PERA levels, it is possible to visualize how components of this model fit into the necessary security architecture (see below).
Securing IIoT environments involves applying many of the same cybersecurity strategies used in IT to IIoT architectures and use cases. However, there are clear specificities to OT environments and IIoT that must be taken into consideration. Using the ISA/IEC 62443 standard for security in OT as a base, and additional references to the NIST Cybersecurity Framework (CSF), the following list represents objectives for securing the connected IIoT infrastructure.
Applicable to assets in all levels of the PERA model that can be probed and identified over the network, security solutions for this objective include next-generation firewalls (NGFWs), network access control (NAC), and a log management and analysis platform.
This covers device identification and control of protocols and application types, including limiting which devices can use certain protocols or communicate with specific applications. Security tools such as the FortiGuard Application Control feature, which can generate alerts, and FortiAnalyzer, which can generate reports, may be helpful here.
IIoT devices are prime candidates for an attack, mainly because of their ability to “short circuit” multiple layers of the Purdue model. Although the limited functionality of IIoT devices reduces the probability of vulnerabilities, custom development of IIoT functionality can introduce bugs. Preventing intrusion requires the ability to detect and block exploits, reconnaissance, and fuzzing attacks. Virtual patching and breach detection can help here as well.
NAC deployment methods differ depending on the type of network. The simplest form of NAC is achieved by enabling the 802.1X network authentication protocol on supported IIoT assets. Secure wireless access points can keep wireless networks safe, and appropriate network policies can secure third-party remote access. Multi-factor authentication (MFA) can also supplement remote access.
Segmentation and microsegmentation provide the essential methods for breaking industrial networks into physical or virtual secure zones. Typically, segmentation is performed between the local area networks (LANs) or wide-area networks (WANs). Microsegmentation, on the other hand, is performed within the LANs. In industrial networks, network segments may include various industrial LANs or WANs, and network microsegments may include different industrial controllers and hosts, such as RTUs, HMIs, etc.
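The three preceding objectives (assets “short-circuiting” Purdue levels, conduits between zones, and microsegments within a level) can be turned into a mechanical check. The following is an added example, not code from the article or from any vendor product: it tags an inventory of assets with a PERA level and a microsegment, then evaluates observed flows against an allowlist of conduits between adjacent levels and of approved crossings between microsegments. Any flow that spans two or more levels is reported as a short circuit. All asset names, protocols, levels and flows are constructed sample data.

```python
"""Added example (not from the article): a conduit checker for a Purdue-style
zone model. Assets carry a PERA level and a microsegment; each observed flow
is allowed only if it stays inside one microsegment, crosses microsegments
through an approved entry, or crosses adjacent levels through an approved
conduit. Anything spanning two or more levels is a "short circuit" of the
hierarchy. All assets, protocols and flows below are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    level: int      # PERA level, 0 (process) .. 5 (enterprise / external)
    segment: str    # microsegment within that level


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


# Constructed inventory, keyed by asset name.
INVENTORY = {a.name: a for a in (
    Asset("plc-01", 1, "line-a"),
    Asset("iiot-sensor-07", 1, "line-b"),
    Asset("hmi-01", 2, "line-a"),
    Asset("historian-01", 3, "site-ops"),
    Asset("mes-01", 3, "site-ops"),
    Asset("erp-01", 4, "enterprise"),
    Asset("cloud-analytics", 5, "external"),
)}

# Approved conduits between adjacent levels: (lower, upper) -> protocols.
CONDUITS = {
    (1, 2): {"modbus", "opcua"},
    (2, 3): {"opcua", "https"},
    (3, 4): {"https"},
    (4, 5): {"https"},
}

# Approved crossings between two microsegments of the same level.
MICROSEG_ALLOW = {
    (1, frozenset({"line-a", "line-b"})): {"opcua"},
}


def evaluate(flow: Flow) -> str:
    """Return a verdict for one flow."""
    src, dst = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src is None or dst is None:
        return "UNKNOWN_ASSET"          # not in the inventory: discover it first
    lo, hi = sorted((src.level, dst.level))
    if hi == lo:
        if src.segment == dst.segment:
            return "ALLOW"              # traffic inside one microsegment
        allowed = MICROSEG_ALLOW.get((lo, frozenset({src.segment, dst.segment})), set())
        return "ALLOW" if flow.proto in allowed else "DENY_MICROSEG"
    if hi - lo == 1:
        return "ALLOW" if flow.proto in CONDUITS.get((lo, hi), set()) else "DENY_CONDUIT"
    return "SHORT_CIRCUIT"              # skips at least one level of the hierarchy


def audit(flows):
    """Return (flow, verdict) for every flow that is not allowed."""
    findings = []
    for f in flows:
        verdict = evaluate(f)
        if verdict != "ALLOW":
            findings.append((f, verdict))
    return findings


# Constructed sample flows, e.g. exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    Flow("plc-01", "hmi-01", "modbus"),
    Flow("hmi-01", "historian-01", "opcua"),
    Flow("mes-01", "historian-01", "sql"),
    Flow("plc-01", "iiot-sensor-07", "opcua"),
    Flow("iiot-sensor-07", "cloud-analytics", "mqtt"),   # Level 1 straight to the cloud
    Flow("hmi-01", "erp-01", "https"),                   # Level 2 straight to Level 4
    Flow("plc-01", "iiot-sensor-07", "modbus"),          # crosses microsegments, not approved
    Flow("historian-01", "erp-01", "ssh"),               # wrong protocol for the 3-4 conduit
    Flow("rogue-box", "plc-01", "modbus"),               # source not inventoried
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:14} {flow.src} -> {flow.dst} ({flow.proto})")
```

The verdict names are arbitrary; what matters is that a practitioner keeps the conduit and microsegment tables in version control and reruns the audit whenever the inventory or the flow export changes, so that a newly added IIoT device talking past Level 3 shows up as `SHORT_CIRCUIT` rather than disappearing into general traffic.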
As 5G technologies mature, cellular access networks will become more common in industrial networks. If there are large numbers of IIoT endpoints compared with the amount of data transferred, this can pose a risk of signaling storms—either intentional (due to a cyberattack) or unintentional (due to device malfunction). An ecosystem-based network operating system like FortiOS can protect these systems against signaling storms.
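Signaling storms are easiest to reason about as a counting problem: how many attach, detach and session-setup events a window of time contains, per endpoint and in total. The following is an added example, not code from the article or from FortiOS: it builds a constructed stream of cellular signaling records, then counts signaling events per fixed window and raises a finding either for one endpoint that signals far more than its peers (the device-malfunction case) or for an aggregate burst of many endpoints re-attaching at once. The event names, thresholds and all records are constructed assumptions, not any operator's real telemetry.

```python
"""Added example (not from the article): a simple signaling-storm detector
for a cellular/5G IIoT access network. Each record is
(timestamp, device, event, payload_bytes). Attach/detach-type events count
as signaling; 'data' does not. Signaling is counted per fixed time window,
both per device (one malfunctioning or abused endpoint) and in aggregate
(many endpoints re-attaching at once). All events are constructed samples."""

from collections import Counter, defaultdict

# Event names are assumptions for this example, not a 3GPP message list.
SIGNALING_EVENTS = {"attach", "detach", "pdn_connect", "pdn_disconnect", "tau"}


def build_sample_events():
    """Constructed sample: 10 well-behaved sensors across three 60-second
    windows, one misbehaving gateway in window 1, and a mass re-attach of
    50 meters in window 2."""
    ev = []
    for w in range(3):
        for i in range(10):
            t = w * 60 + i
            ev += [(t, f"sensor-{i:02d}", "attach", 0),
                   (t + 1, f"sensor-{i:02d}", "data", 256),
                   (t + 2, f"sensor-{i:02d}", "detach", 0)]
    for k in range(40):                      # window 1 (ts 60..99): attach/detach loop
        ev.append((60 + k, "gateway-99", "attach" if k % 2 == 0 else "detach", 0))
    for k in range(50):                      # window 2 (ts 120..169): everyone reconnects
        ev += [(120 + k, f"meter-{k:02d}", "attach", 0),
               (120 + k, f"meter-{k:02d}", "pdn_connect", 0)]
    return ev


def detect_storms(events, window=60, per_device=20, aggregate=100):
    """Return findings in window order:
    ("AGGREGATE_STORM", window_idx, total_signaling) or
    ("DEVICE_STORM", window_idx, device, signaling_count)."""
    per_window = defaultdict(Counter)
    for ts, dev, kind, _payload in events:
        if kind in SIGNALING_EVENTS:
            per_window[ts // window][dev] += 1
    findings = []
    for idx in sorted(per_window):
        counts = per_window[idx]
        total = sum(counts.values())
        if total >= aggregate:
            findings.append(("AGGREGATE_STORM", idx, total))
        for dev, c in sorted(counts.items()):
            if c >= per_device:
                findings.append(("DEVICE_STORM", idx, dev, c))
    return findings


if __name__ == "__main__":
    for finding in detect_storms(build_sample_events()):
        print(finding)
```

On a real deployment the two thresholds would be derived from the fleet's measured baseline rather than fixed, and the aggregate check is the one that matters for the core network: fifty devices each behaving reasonably still produce a burst the signaling plane has to absorb.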
Since signaling and data usually pass through one or more IoT platform nodes, those nodes need protection. The traditional IoT model positions the platform in the cloud. But for IIoT, the round-trip time between devices and the cloud may be too long, and cloud connection reliability may be insufficient. Moreover, sending data into the cloud may present additional security risks. Solutions proposed by the 3rd Generation Partnership Project (3GPP) include a multi-access edge computing (MEC) architecture or a private 5G network.
Centralized logging and monitoring enable observation of the entire IIoT ecosystem from a single point, usually a security or network operations center (SOC or NOC). This should include the ability to determine or configure baselines and provide access to logs and events resulting from deviations from these baselines or detection of malicious activity. Depending on the IIoT organization’s operating structure, logging and monitoring measures can be incorporated within the conduits between PERA levels 2 and 3, between levels 3 and 4, or in Level 5.
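The baseline-and-deviation idea in the paragraph above (and the device/protocol control objective earlier in the list) can be demonstrated with a small log pipeline. The following is an added example, not code from the article or from FortiAnalyzer: a baseline period teaches the platform which (device, protocol, destination) combinations are normal, and the monitoring period is then checked against that set. Each new combination is reported once, with a count and first-seen time, and classified as either a new peer for a protocol the device already used or a wholly new protocol for that device. The log format and every line in it are constructed for the example.

```python
"""Added example (not from the article): baseline-then-deviate monitoring
for a central SOC/NOC log platform. The log format
"<epoch> <device> <protocol> <destination>" and all lines are constructed."""

BASELINE_LOG = """\
1000 plc-01 modbus hmi-01
1005 plc-01 modbus hmi-01
1010 hmi-01 opcua historian-01
1020 historian-01 https mes-01
"""

MONITOR_LOG = """\
2000 plc-01 modbus hmi-01
2005 plc-01 modbus hmi-02
2010 plc-01 ssh jump-03
2012 plc-01 ssh jump-03
2015 hmi-01 opcua historian-01
"""


def parse(text):
    """Parse the constructed log format into (ts, device, proto, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, proto, dst = line.split()
        records.append((int(ts), dev, proto, dst))
    return records


def learn_baseline(records):
    """Everything seen during the baseline period is treated as normal."""
    return {(dev, proto, dst) for _ts, dev, proto, dst in records}


def detect_deviations(baseline, records):
    """Return one alert dict per (device, proto, dst) triple absent from the
    baseline, with count and first-seen timestamp. NEW_PEER means the device
    used this protocol before but to another destination; NEW_PROTOCOL means
    the protocol itself is new for this device."""
    known_protos = {(dev, proto) for dev, proto, _dst in baseline}
    alerts = {}
    for ts, dev, proto, dst in records:
        key = (dev, proto, dst)
        if key in baseline:
            continue
        if key not in alerts:
            kind = "NEW_PEER" if (dev, proto) in known_protos else "NEW_PROTOCOL"
            alerts[key] = {"device": dev, "proto": proto, "dst": dst,
                           "kind": kind, "first_seen": ts, "count": 0}
        alerts[key]["count"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    baseline = learn_baseline(parse(BASELINE_LOG))
    for alert in detect_deviations(baseline, parse(MONITOR_LOG)):
        print(alert)
```

The distinction between the two alert kinds is what an analyst wants at triage time: a PLC reaching a second HMI over its usual protocol may be a commissioning change, while a PLC that suddenly speaks a protocol it never used before deserves a different priority. In practice the baseline would be learned per PERA conduit and refreshed on a schedule rather than taken from a single static window.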
Changes in production environments due to wireless, 5G, and IIoT technologies are ushering in a new era of flexibility, productivity, and control for OT-based organizations. At the same time, these innovations expand the threat landscape. Protecting OT systems requires flexible security infrastructure with elements that can evolve along with today’s changing wired and wireless OT environments.