91%91% of industrial organisations report having experienced at least one security issue in their OT environment in 2021 (Kaspersky ICS Security Survey 2022).
What is OT cyber security?
Operational Technology (OT) refers to all monitoring and control technologies. Not to be confused with IIoT (Internet of Industrial Things), a parallel field concerning connected devices within an industrial environment.
OT security is intended to ensure the safe and sustainable operation of industrial production tools and protect people and goods.
Industrial cyber security: Advens’ point of view
Industrial cyber security should cover a broad spectrum of markets and not be limited to industry in the strict sense of “factories”, as in the buildings themselves. It encompasses all types of physical flows.
Examples of areas of industrial cyber security
- Logistics patterns and warehouses.
- In smart cities: securing road signs.
- In industrial buildings managed by local authorities: communal heating systems.
The management of a tunnel or an electric dam can have the same cyber security issues as a food-processing factory.
Why invest in cyber security in industrial environments?
OT environments are cyber attackers’ latest target
Attacking the IT sector is becoming more complex because information systems are increasingly well-protected. IT players today have a good level of cyber maturity: raising staff awareness, increasing cyber skills, deploying new generation solutions (EDR, NDR), etc.
And the direct consequence of their increased IT cyber resilience? Hackers are turning to a less secure business: the industrial environment.
Attacks on OT can cause collateral damage beyond the scope of a company, including a direct impact on its production line (an organisation’s main source of revenue) or damage to the environment and public health (e.g. radiation leaks or chemical spills).
The attack on the Oldsmar plant
In 2021, a cyber attacker hacked into the computer network of a water treatment plant in Florida. They increased the sodium hydroxide content of the water by a factor of 100, a dangerous and corrosive concentration. A technician detected an intrusion in the IT system and immediately reduced the concentration. The contaminated water didn’t reach the distribution system.
This is just one example of how vulnerable the industrial sector is, as it affects external factors related to the environment and public health.
Source: The New York Times, 2021
A larger attack surface due to equipment interoperability
The industrial operating model has evolved and changed over the last 5 or 6 years.
In the past, OT environments were very secure with respect to cyber security. They were also easy to monitor because the equipment was isolated and heterogeneous. But these technologies are now outdated and could be vulnerable if we digitised them today.
In the Industry 4.0 era, industrial equipment is data-centric: everything communicates and is connected. There is greater cohesion because everything revolves around IT technologies.
The convergence of OT and IT cyber security
The overall process of cyber security in OT is the same as in IT:
- Identify the environment.
- Find vulnerabilities (access, configuration, software defects, CVE, etc.).
- Try to remediate them.
- Where remediation is not possible, detect and contain the threat with the SOC.
It is essential to adapt the process to the particularities of the OT: the deployment of solutions will vary to fit the realities of the industry.
Three specific OT/IT features to bear in mind
#1 Life span of the equipment
Old OT systems were not connectable, and therefore not particularly vulnerable. Newer equipment is connectable but is not built to be resistant to cyber attacks. As a result, it has vulnerabilities that need to be dealt with and secured.
#2 Vulnerability management is different
The OT process is much more limited than in the IT world because OT systems must be operational 24/7. The windows of opportunity to update equipment are restricted to keep system downtime to a minimum.
The new equipment is connected, but comes with vulnerabilities, most of which remain in the equipment over time.
#3 False positives
False positive security alerts entail serious consequences. Since they require you to take action on operational equipment, they can impact the entire production line. Whereas in IT, the affected computer is disconnected from the network until the alert is confirmed.
To avoid any damage to the production line, the requirements for confirming an incident must be more thorough. Training may be necessary for those carrying out this work.
Two steps to secure industrial operating systems
The triad of “Prevention-Detection-Reaction” should be a reflex in OT as in IT. However, when deploying cyber security solutions, the constraints of the industrial environment must be considered: production stoppage, time limits, etc.
38%38% of companies report at least occasionally having to deal with a cyber security solution that affects their production and automation processes (Kaspersky ICS Security Survey 2022).
Step 1: Prevent attacks
Step 2: Detect attacks and react
A process inspired by IT must be established to detect and analyse abnormal and malicious behaviour. It should manage unaddressed vulnerabilities via:
- A dedicated tool: specialised OT detection probes that run 24/7 are much less intrusive and are familiar with the protocols used in the industrial world (bacnet, profinet, modbus, etc.), such as Nozomi, Claroty, CyberMDX, or Microsoft Defender for OT.
- A SOC organisation and process that detects, analyses and remediates attacks.
The constraints of the industrial environment may not appear to be conducive to the adoption of a cyber security policy. However, protecting yourself from and preventing attacks due to the interoperability of industrial equipment is essential to avoid the serious consequences that a cyber attack can have. There are ways to prevent these threats without stopping a production line (less intrusive detection methods, segmentation, staff awareness).