The one big (but little used) advantage that OT cybersecurity has over IT cybersecurity
John S. Rinaldi | June 29, 2021
The requirement to keep people, possessions and information safe is as old as the human race. In the past, ancestors built the watchtowers, walls, gates and the moats often depicted in the movies. While moat building is a lost art, the need for security mechanisms that protect people, possessions and information has not changed, and now it is even an expectation for plant floor control systems.
Just like the low-tech mechanisms of an earlier age, control systems are expected to protect people (safety systems), possessions (quality products) and information (secure IP systems) from attackers. But that last part, securing production systems from attackers, is not as easy as it once was.
What is crystal clear in 2021 is that no manufacturing organization, big or small, is immune from a devastating cyberattack. With the popularity of the internet of things (IoT), cloud computing and enterprise connectivity, it is no secret that there are now more ways and more opportunities to attack manufacturing control systems than ever before. And it is not going to get any better in the short term.
Attackers are more sophisticated and elusive than ever. With all the additional connectivity, what used to be a hardened network perimeter is now blurred and porous to all sorts of cyberattacks. And even more discouraging is that bad actors are not the only worry. Most facilities have an army of IoT vendors, automation vendors, technicians, system integrators and corporate engineers who come onsite and (knowingly or unknowingly) bring viruses, malware and time bombs into a plant and onto critical I/O networks. Well-meaning but undertrained staff is also a concern. One of the largest cyberattacks ever was the result of a technician misconfiguring a managed switch.
IT and OT cybersecurity are not similar
Information technology/operational technology (IT/OT) convergence is a popular topic with consultants, in the big seminars and in YouTube videos. It is the idea that OT and IT can evolve to use identical technology and operating processes. What is missed in much of that discussion is that IT and OT are not just different; in many ways they are polar opposites.
IT or enterprise networks operate more like a utility, providing resources and services to an ever-changing set of customers with constantly changing service requirements. IT uses a centralized management approach to accomplish its objective of protecting the corporate assets and their customers from each other and the outside world. IT assets are constantly changing but composed of a fairly small set of common infrastructure components: Windows computers, Cisco switches and routers, firewalls and the like.
The OT world is quite the opposite (Figure 2). Factory floor networks across a plant are not only quite different from each other, but are an integral component of a specific manufacturing machine or production process. OT network assets are quite static and composed of a very diverse infrastructure of controllers, actuators and sensors developed by a broad base of vendors. Control devices come with unlimited varieties of capabilities, operating parameters, communications capabilities and functionality. In this more static, yet more diverse world, control engineers build custom networks that must meet specific operating requirements dictated by the product being manufactured.
These differences mean that the philosophies, tools and cybersecurity processes that work for one won’t work for the other. It is a mistake to use the same approach to protect the people, possessions and information of a control network that is being used to protect an information network. Different objectives, processes and devices require different approaches.
The big mistake many make with OT security
There is a reason that castles of old were all built with a single entrance, protected by a moat and a drawbridge, and heavily guarded.
A single, heavily guarded entrance and exit is the best security for castles and manufacturing systems
The single biggest mistake that many of us make with OT security is not taking advantage of the fact that every single message between a manufacturing system and the external world is known and unchanging. Closely monitoring traffic through that gate and limiting the traffic to expected messages from known sources provides maximum protection for the manufacturing system.
Unlike IT security systems, OT can use a “Deny-by-Default” policy. All unauthorized traffic, traffic with suspect origins, traffic with malicious intent, or authorized traffic that has not yet been approved is blocked and discarded.
Deny-by-Default is particular to control system networks. Traffic in IT networks is constantly varying with new traffic to new destinations. Control system traffic is the opposite. Control engineers know exactly what traffic should be allowed through the security appliance, and they have the luxury of knowing that the traffic changes only rarely. The ability to expressly authorize traffic and deny everything else is what makes a Deny-by-Default security appliance so effective.
Deny-by-Default is the opposite of the security provided by firewalls typically used on the manufacturing floor. The out-of-the-box behavior of these firewalls is “Accept-by-Default.” All traffic is passed unless it is specially configured to match a particular source address and port number.
The real disadvantage of using the typical manufacturing firewall is that it lacks the ability to fully inspect traffic content. Most lack the more sophisticated features required to fully protect control networks. Traffic appearing to originate from an authorized user at an authorized address is free to roam the control network at will, write PLC tags and update PLC logic. If the login credentials of an authorized user are compromised, or the non-encrypted tunnel of a split encrypted VPN tunnel is penetrated, a typical firewall gives the attacker full access to the PLCs and control network.
The firewalls and VPNs in use today are fast and inexpensive and designed to protect the IT infrastructure. They do not adequately provide the kind of security needed to protect control networks on the factory floor. It is the equivalent of locking doors and windows at night but not installing an alarm system with cameras and motion detectors.
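The contrast between the two policies can be shown in a short simulation. This is an added example, not code from the author or from any product: the addresses, the operation names (`read_tag`, `write_tag`, `update_logic`) and the sample traffic are constructed, and the operation field assumes an appliance that can decode the payload.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    src: str   # source address
    dst: str   # destination address (the PLC)
    port: int  # destination TCP port
    op: str    # operation decoded from the payload (hypothetical names)

# Constructed addresses from documentation ranges; 44818 is the EtherNet/IP TCP port.
HMI, HISTORIAN, LAPTOP, KNOWN_BAD = "192.0.2.10", "192.0.2.20", "192.0.2.55", "198.51.100.7"
PLC, PORT = "192.0.2.100", 44818

# Accept-by-Default: rules match only source address and port; no match means pass.
BLOCK_RULES = {(KNOWN_BAD, PORT)}

def accept_by_default(m: Msg) -> bool:
    return (m.src, m.port) not in BLOCK_RULES

# Deny-by-Default: each expected message is authorized explicitly, operation included.
ALLOWLIST = {
    (HMI, PLC, PORT, "read_tag"),
    (HMI, PLC, PORT, "write_tag"),
    (HISTORIAN, PLC, PORT, "read_tag"),
}

def deny_by_default(m: Msg) -> bool:
    return (m.src, m.dst, m.port, m.op) in ALLOWLIST

def exposure_gap(traffic):
    """Messages an accept-by-default firewall passes but the allowlist drops."""
    return [m for m in traffic if accept_by_default(m) and not deny_by_default(m)]

# Constructed sample traffic.
SAMPLE = [
    Msg(HMI, PLC, PORT, "read_tag"),         # expected
    Msg(HISTORIAN, PLC, PORT, "read_tag"),   # expected
    Msg(HISTORIAN, PLC, PORT, "write_tag"),  # authorized address, unexpected operation
    Msg(HMI, PLC, PORT, "update_logic"),     # authorized address, logic update
    Msg(LAPTOP, PLC, PORT, "read_tag"),      # unlisted vendor laptop
    Msg(KNOWN_BAD, PLC, PORT, "write_tag"),  # dropped by both policies
]

if __name__ == "__main__":
    for m in SAMPLE:
        a = "pass" if accept_by_default(m) else "drop"
        d = "pass" if deny_by_default(m) else "drop"
        print(f"{m.src:>13} {m.op:<12} accept-by-default={a} deny-by-default={d}")
    print("passed only by accept-by-default:", len(exposure_gap(SAMPLE)))
```

The three messages in the gap are the ones the article warns about: traffic from an authorized address performing an operation nobody approved, and traffic from a source nobody listed.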
The answer is a well-defined plant floor perimeter security appliance
Instead of today’s firewalls, manufacturers should use a factory floor perimeter security appliance that provides the functionality of current VPN and firewalls with significantly more layers of protection including Deny-by-Default operation.
In addition to Deny-by-Default, a superior factory floor perimeter security device should have a broad list of supporting features:
No controls organization facing the threats of malware, worms and other attacks can afford to ignore the protection offered by a robust, full-featured perimeter security appliance. With the growing and persistent talent shortage of qualified security professionals, it is more important than ever to use technology when people are not available. Fortunately, flexible security appliances that address these challenges specifically for industrial control networks are becoming available.
More plain, no-nonsense information on factory floor security is available by subscribing to the biweekly RTA Cybersecurity Education email series. In these short, two-minute reads, readers will learn about the four types of factory floor security architectures, why device security like CIP security is so problematic, and the big risk of having Windows PCs on the factory floor. Subscribe at http://www.rtautomation.com/securityappliance/.
About the author
John S. Rinaldi is chief strategist and director of WOW! for Real Time Automation (RTA) in Pewaukee, Wisconsin. John is not only a recognized expert in industrial networks and an automation strategist but a speaker, blogger, the author of over 100 articles on industrial networking and the author of six books.