Secure your OT System, Network and Endpoints from Cyber Attacks
Published on: Wednesday 14-09-2022
Asset owners are facing more challenges in protecting the IACS equipment because of some myths related to IACS, says Syed Munawer.

With the increasing demand for digital transformation, IT/OT convergence and remote access have given organisations tools to operate the IACS (Industrial Automation & Control System) better. However, this has also made OT systems more exposed to cyber-attacks. Attacks on industrial infrastructure such as BlackEnergy, Crash Override and Triton/Trisis have brought greater awareness of OT asset cyber vulnerabilities and risks.
As per standards such as NIST, ISA/IEC 62443 and NERC-CIP cyber security frameworks, obtaining an accurate and detailed OT asset inventory is a foundational step for industrial organisations striving to improve their cybersecurity posture; it is fundamental to the defence-in-depth concept of reducing the attack surface. While many cybersecurity solution and service providers present Level 5 and Level 4 threat protection schemes as a single-window solution for protecting the OT system, protecting Level 0 to Level 3 is equally important. From Level 0 to Level 5, IT assets are 20% of the total, while OT assets are 80%. Asset owners face more challenges in protecting IACS equipment because of the following myths about IACS:
1. IACS is not connected to the Internet or Business network
The IACS may not be connected directly to the internet, but it is connected through the business network (at Level 5). The Shodan ICS Radar [1] can easily detect ICS protocols (Modbus, DNP3, Ethernet/IP, BACnet etc.) currently connected to the internet.
2. Hackers Don’t Understand IACS
Hacking has evolved from a hobbyist pursuit of notoriety into a criminal pursuit of financial gain. Portals like the ICS-CERT Alerts page at CISA [2] are a double-edged sword, providing timely information about current security issues, vulnerabilities and exploits.
3. Our Facility is Not a Target
According to Gartner, the financial impact of such attacks will reach $50 Bn by 2023 [3].
Note: see [4] for a few more common myths and misconceptions about OT cybersecurity.
What do Asset Owners want?
i. Organization’s complete and comprehensive visibility of IT+OT Asset Inventory
ii. Detection and identification of potential vulnerabilities in IT+OT Infrastructure
iii. Operational and cyber risk reduction
iv. Configuration change management
v. Compliance management as per ISA-62443/NIST/NERC-CIP, and
vi. Backup and restore of OT configuration data.
A “good” OT asset inventory [5] is a continuously updated and in-depth inventory of all systems running in the process control environment, including both IT assets and OT assets. Level 1 and Level 0 assets are the most important and expensive. These devices and sensors directly connect to process equipment, move molecules, and ensure safe and reliable production.
Network-based anomaly detection can provide some visibility into Level 2 IT devices, but not into Level 0 and Level 1 devices, because those devices are not designed to communicate over the network the way IT devices do.
Proprietary architectures and the lack of standard protocols in multi-vendor process control environments make passive Level 1 and Level 0 OT asset inventory discovery and management difficult. Level 1 and Level 0 industrial assets, the sensors and valves that control industrial processes, do not usually communicate on the network. If they do, they usually do not pass over the network the detailed asset and configuration information required for a comprehensive OT asset inventory. Many OT assets in industrial environments do not connect to the network at all, further compounding the discovery problem. Here the only way to get a 100% asset inventory is from the OT configuration data, which is a passive way of collecting data that poses few challenges to the network traffic of the plant control network.
To address the limitations of passive DPI, some vendors have started to claim they can provide a “more complete” inventory by using “active” data collection methods. Active methods use native OT protocols to query the IACS for information. However, active strategies have their own risks: improperly targeted queries can disrupt OT services, even shutting down the plant or process. Existing IACS network designs may severely constrain active data collection or prohibit it entirely, and active methods are also not well suited to isolated OT systems. Accurate inventory visibility from Level 0 to Level 2 therefore requires more than passive network detection and/or active queries. “While each method can provide some visibility, and passive DPI can be useful for network-based anomaly detection, neither approach provides visibility into all Level0 and Level1 OT assets required to ensure safe and reliable production.”
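The following Python script is an added example, not the author's or Hexagon's code, illustrating the point made above: a passive network view reaches the Level 2 clients and the Level 1 controllers that talk on the network, while the Level 0 field devices and the controllers' vendor, model and firmware details only appear in the controller configuration export. The flow records, the JSON export format, the port-based protocol classification (real sensors use DPI rather than ports) and every IP address and instrument tag are constructed assumptions. The script merges both views into one inventory keyed by IP or tag and reports, per Purdue level, which collection method saw which asset.

```python
"""Merge a passive network view with an OT configuration export into one asset inventory.

Added example with constructed data; the export format and all names are hypothetical.
"""
import csv
import io
import json
from collections import Counter
from dataclasses import dataclass, field

# Default ports of the ICS protocols the article names. Port-based classification is a
# simplification of what a DPI sensor does and is an assumption of this example.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample: flow records as a passive sensor on the control network might log them.
# Level 2 clients (HMI / engineering stations) poll Level 1 controllers.
PASSIVE_FLOWS = """src_ip,dst_ip,dst_port
10.1.2.10,10.1.1.5,502
10.1.2.10,10.1.1.6,20000
10.1.2.11,10.1.1.5,502
10.1.2.10,10.1.3.20,443
"""

# Constructed sample in a hypothetical export format: a controller configuration backup
# listing each controller's identity and the hard-wired Level 0 field devices on its I/O.
CONFIG_EXPORT = json.dumps({
    "controllers": [
        {"ip": "10.1.1.5", "tag": "PLC-01", "vendor": "ExampleVendor", "model": "X100",
         "firmware": "2.4.1",
         "io": [{"tag": "FT-101", "type": "flow transmitter"},
                {"tag": "FCV-101", "type": "control valve"}]},
        {"ip": "10.1.1.7", "tag": "PLC-02", "vendor": "ExampleVendor", "model": "X100",
         "firmware": "2.3.0",
         "io": [{"tag": "TT-201", "type": "temperature transmitter"}]},
    ]
})


@dataclass
class Asset:
    key: str                 # IP for networked assets, instrument tag for Level 0 devices
    level: int               # Purdue level: 0 field device, 1 controller, 2 supervisory; -1 unknown
    kind: str
    protocols: set = field(default_factory=set)
    sources: set = field(default_factory=set)   # "passive" and/or "config"
    attrs: dict = field(default_factory=dict)


def passive_inventory(flows_csv: str) -> dict:
    """Infer assets from observed flows: a host answering on an ICS port is treated as a
    Level 1 controller and the host polling it as a Level 2 client. Anything else stays
    unclassified, which is all passive observation can say about it."""
    assets = {}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        proto = ICS_PORTS.get(int(row["dst_port"]))
        if proto is None:
            assets.setdefault(row["dst_ip"], Asset(row["dst_ip"], -1, "unclassified", sources={"passive"}))
            continue
        server = assets.setdefault(row["dst_ip"], Asset(row["dst_ip"], 1, "controller", sources={"passive"}))
        server.protocols.add(proto)
        client = assets.setdefault(row["src_ip"], Asset(row["src_ip"], 2, "supervisory client", sources={"passive"}))
        client.protocols.add(proto)
    return assets


def config_inventory(config_json: str) -> dict:
    """Read the configuration export: controllers keyed by IP with vendor/model/firmware,
    and their Level 0 field devices keyed by tag. Nothing here depends on network traffic."""
    assets = {}
    for ctrl in json.loads(config_json)["controllers"]:
        assets[ctrl["ip"]] = Asset(ctrl["ip"], 1, "controller", sources={"config"},
                                   attrs={k: ctrl[k] for k in ("tag", "vendor", "model", "firmware")})
        for point in ctrl["io"]:
            assets[point["tag"]] = Asset(point["tag"], 0, point["type"], sources={"config"},
                                         attrs={"controller": ctrl["tag"]})
    return assets


def merge(passive: dict, config: dict) -> dict:
    """Union of both views keyed by IP or tag, recording which method(s) saw each asset."""
    merged = {}
    for view in (passive, config):
        for key, a in view.items():
            m = merged.setdefault(key, Asset(key, a.level, a.kind))
            m.sources |= a.sources
            m.protocols |= a.protocols
            m.attrs.update(a.attrs)
            if m.level < 0 <= a.level:   # config data can classify what traffic alone could not
                m.level, m.kind = a.level, a.kind
    return merged


def coverage(merged: dict) -> dict:
    """Per Purdue level: total assets and how many each collection method discovered."""
    report = {}
    for a in merged.values():
        if a.level < 0:
            continue
        row = report.setdefault(a.level, Counter())
        row["total"] += 1
        for s in a.sources:
            row[s] += 1
    return {lvl: dict(c) for lvl, c in sorted(report.items())}


if __name__ == "__main__":
    inventory = merge(passive_inventory(PASSIVE_FLOWS), config_inventory(CONFIG_EXPORT))
    for level, counts in coverage(inventory).items():
        print(f"Level {level}: {counts}")
```

On the constructed data the report shows all three Level 0 assets and one of the three controllers coming only from the configuration export, while the two supervisory clients come only from passive observation; the host on port 443 stays unclassified because neither view describes it. In a real deployment the configuration export would be the vendor's backup or project file, and the passive view would come from a DPI sensor rather than a port lookup.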
References
1. https://ics-radar.shodan.io/
2. https://www.cisa.gov/uscert/ics/alerts
3. https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we
4. https://gca.isa.org/blog/common-ics-cybersecurity-myths-lessons-learned
5. https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we

Syed Munawer, ME BITS Pilani, is a Senior Solutions Consultant in the Asset Lifecycle Intelligence (ALI) Division of Hexagon. He has over 18 years of experience in a global matrix organisation and has executed multiple end-to-end power plant Industrial Automation & Control Systems projects across the globe for utilities in power generation. He has ICS technical expertise with very good knowledge of OT/ICS cybersecurity, process rigour and a quality-focused approach.