Operational technology (OT) networks have become targets for major cybersecurity attacks. The attacks are particularly disturbing because OT (also called industrial control systems or ICS) controls critical processes around the world in manufacturing, energy and utilities, transportation, and other industries. Any disruption of OT networks—in a chemical plant, on a rail line, in an electrical grid—can threaten public safety and economic well-being. OT plant operations and manufacturing leaders have weighed in on the security of their environments in Fortinet’s “State of Operational Technology and Cybersecurity Report.”
Traditionally, OT networks have been separated from information technology (IT) networks by an air gap. Now, however, opportunities to build competitive advantage are driving the convergence of OT and IT networks. Sensors are optimizing production lines. Augmented reality glasses are reducing errors for warehouse workers. Cloud-based services are rapidly reshaping many industries.
When organizations converge their OT and IT networks, they increase the digital attack surface and the risk of cyber threats. Nearly three-quarters of OT organizations in the “State of Operational Technology and Cybersecurity Report” reveal that they have been breached in the past year (see Figure 1 for more details). Unfortunately, these intrusions are detrimentally impacting organizations, with 43% citing operational outages that affected productivity and 36% saying it impacted revenue. (See Figure 2 for a list of the business impact experienced by organizations over the past year.)
As the risk of cyber threats gets ratcheted up, organizations are rethinking OT security. One reflection of these changes is which role OT security reports to. While the CISO shows up only 9% of the time as directly responsible for OT security today, that is going to change very soon: 70% of the CISOs in the “State of Operational Technology and Cybersecurity Report” indicate that OT cybersecurity will roll up underneath them within the next year.
As CISOs develop a roadmap for improving OT network security, they should account for tactics that many OT breaches have in common: bad actors often gain entry by stealing credentials through spear phishing, or they take advantage of unpatched applications. Once inside, they exploit a typical lack of controls on lateral movement as they perform reconnaissance and compromise OT assets.
CISOs should consider five cybersecurity best practices that minimize risks when integrating IT and OT networks.
Few organizations have a current picture of what is attached to their networks: 82% acknowledge they are unable to identify all the devices that are connected, 64% say they struggle to keep up with change, and 78% report having limited visibility across their network (see Figure 3). As a solution, CISOs should look for a cybersecurity provider that offers a complimentary threat assessment. Since OT assets such as programmable logic controllers (PLCs) can be damaged by active threat scanning, a technique used on IT networks, CISOs need to look for an assessment that passively observes network traffic—including encrypted traffic. The result should be a report that inventories devices and notes high-risk applications, exploits, and other compromised assets. It also should analyze network usage.
The idea here is to divide the network into a series of functional segments or “zones” (which may include subzones or microsegments) and make each segment accessible only by authorized devices, applications, and users. A firewall defines and enforces the zones, and it also defines conduits, which are channels that enable essential data and applications to cross from one zone to another.
Segmentation is a fundamental best practice for securing OT, as described in ISA/IEC-62443 (formerly ISA-99) security standards. Segments restrict an attacker’s ability to move in an “east-west” or lateral direction.
Because network configurations and trust levels change, segmentation should be dynamic rather than static. CISOs should look for a segmentation approach that continuously monitors the trust levels of users, devices, and applications. It also needs to dynamically control access based on business intent, behavior, and risk, which can dramatically shrink the attack surface.
Surprisingly, 53% of OT organizations surveyed in the “State of Operational Technology and Cybersecurity Report” do not use segmentation. That exposes them to higher risk: OT organizations that experienced zero intrusions in the past 12 months are 51% more likely to use network segmentation than organizations that experienced six or more intrusions in the past 12 months.
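The zone-and-conduit model described above, worked through as an added example (not code from the report or from Fortinet): a small policy evaluator that assigns passively observed flows to ISA/IEC-62443-style zones, allows traffic only where a defined conduit permits it, and denies east-west traffic between cells and traffic from any address outside the known zones. The addresses, zone names, and conduit table are constructed for the example.

```python
# Added example: ISA/IEC-62443-style zones and conduits evaluated over
# passively observed flows. Zone layout and conduits are constructed, not
# taken from the report: an IT network, a DMZ for the historian, two cells.
from ipaddress import ip_address, ip_network

ZONES = {
    "enterprise_it": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "cell_a": ip_network("192.168.10.0/24"),
    "cell_b": ip_network("192.168.20.0/24"),
}

# Conduits: (source zone, destination zone) -> allowed TCP destination ports.
# IT reaches the DMZ over HTTPS only; only the DMZ historian polls cell PLCs
# over Modbus/TCP (502). No conduit exists between cells, so cell-to-cell
# (east-west) traffic is denied by default.
CONDUITS = {
    ("enterprise_it", "dmz"): {443},
    ("dmz", "cell_a"): {502},
    ("dmz", "cell_b"): {502},
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; 'unknown' means unmanaged or rogue."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def evaluate(src: str, dst: str, dport: int) -> str:
    """Verdict for one flow: 'allow:...' or 'deny:...' with the reason."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return "deny:unzoned-endpoint"
    if s == d:
        return "allow:intra-zone"
    if dport in CONDUITS.get((s, d), set()):
        return "allow:conduit"
    return f"deny:no-conduit {s}->{d}"

if __name__ == "__main__":
    # Constructed flows, as a passive sensor might record them.
    for src, dst, dport in [("10.1.0.5", "192.168.10.20", 502),
                            ("192.168.10.20", "192.168.20.20", 502),
                            ("10.0.3.7", "192.168.10.20", 502),
                            ("172.16.9.9", "192.168.10.20", 44818)]:
        print(f"{src} -> {dst}:{dport}  {evaluate(src, dst, dport)}")
```

Only the historian-to-PLC flow is allowed; the cell-to-cell, IT-to-PLC, and unzoned-source flows are each denied with a reason that a monitoring team can act on.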
OT environments should be protected by next-generation firewalls (NGFWs) capable of inspecting encrypted application traffic. Additionally, the NGFW should be integrated with a live feed service to provide updates on the most common OT protocols and OT application vulnerabilities. A threat-intelligence service of this type enables the NGFW to inspect OT application traffic and spot exploits. Because many OT devices run without patches, having the ability to protect against these exploits and provide “virtual patching” is valuable.
Security teams should look for a firewall that is updated by real-time global intelligence alerts so it can identify even new and sophisticated threats. When integrated with a compatible endpoint security solution, the NGFW can monitor endpoints for indicators of compromise (IOC) gleaned from a variety of sources around the globe.
The firewall can also learn from traffic on a network and establish a baseline of what is normal or abnormal across IT and OT systems. It can quarantine, block, or send alerts when it detects abnormal activity or IOCs. Artificial intelligence (AI)-enabled capabilities integrated into the NGFW, and delivered as part of a self-evolving threat-intelligence system, develop signatures to catch zero-day threats by anticipating their attack methods in advance.
Traffic analysis is critical: OT organizations that experienced zero intrusions in the past 12 months are 68% more likely to manage and monitor security events and perform event analysis than OT organizations that experienced six or more intrusions in the past 12 months.
Many OT breaches begin with attempts to steal credentials by planting malware through phishing attacks. In fact, two-thirds of installed malware in the threat environment is delivered by email. The first line of defense should be a secure email gateway with signature- and reputation-based prevention.
The same survey found that 65% of OT organizations do not use role-based access control for employees, increasing the risk of insider threats, and that 59% do not use multi-factor authentication. Security teams should keep in mind that 81% of breaches begin with lost or stolen credentials. Multi-factor authentication makes the use of stolen credentials to breach a network much more difficult. The survey data bears this out: OT organizations that experienced zero intrusions in the past 12 months are 100% more likely to use multi-factor authentication than OT organizations that experienced six or more intrusions in the past 12 months.
Another characteristic of an effective access control solution is that it should continuously monitor devices connected to the network. It should authenticate them by observing their characteristics and behavior and note the need for software updates to patch vulnerabilities. It should also restrict access to only authenticated devices, locking down all other ports. This practice can ensure that any device added to an OT network must first be approved by authorized staff. It can prevent the attachment of “rogue” devices.
In many OT companies, exposure to potential attacks through wired and wireless access points is expanding. Every company in an independent study had some wireless or Internet-of-Things (IoT) technologies, which may include connections to OT networks. An average of 4.7 IoT technologies were in use, with GPS tracking and security sensors the top two choices.
What OT companies need are network switches and wireless access points (APs) that have security by design, administered from one central interface, instead of being protected by add-on point security solutions managed through multiple interfaces.
Security management that is centralized not only reduces risk but also improves visibility and minimizes administration time for security and operations teams.
As noted above, 74% of OT organizations have been breached in the past 12 months. Therefore, a cybersecurity breach is less a matter of “if” than “when.” While breaches cannot be stopped 100% of the time, they can be limited through the five cybersecurity best practices above. Learn more about them by downloading a copy of “A Security Approach for Protecting Converged IT and OT.”