Three Ways to Bolster OT Security and Visibility

Evolving data transfer needs have created attack vectors and introduced vulnerabilities that will be exploited if left unaddressed.

Computer Security 509230826 2122x1416 (1)

While outages and maintaining productivity are crucial factors driving security, manufacturing CISOs are often responsible for safeguarding industrial facilities, personnel, and information from various threats, including theft, sabotage, and cyber attacks. Yet when it comes to security, manufacturers often lag behind other industries. In 2021, approximately 90 percent of manufacturing organizations surveyed had either their production environments or energy supply environments hit by some form of cyber attack. 

In working with clients across the manufacturing spectrum, here are three areas we identify as ways these organizations can improve their Operational Technology (OT) security posture to achieve visibility and continuity of operations. 

1. Strengthen Network Segmentation

Many organizations fail to recognize the importance of implementing segmentation within their OT firewall infrastructure. Instead, they often rely on the presence of an (OT) firewall, believing that it separates them from their Information Technology (IT) counterparts and the associated vulnerabilities. However, this mindset is outdated, a remnant from decades ago when data generated within specific environments like substations remained confined within those spaces. 

Fast forward to today, and almost every industry desires access to this data for various purposes, such as business analytics or manufacturing efficiency. Consequently, they poke holes in the OT firewalls to enable business data flows. Operations often pushes organizations in this direction and, in some cases, they fully embrace it.

For instance, we’ve encountered plants that have adopted distinct data transformation models, managing it entirely in-house with six developers who've crafted more than 100 small applications. Surprisingly, there's no oversight or application security program in place for these critical apps that play a pivotal role in plant operations and a lack of collaboration with a robust corporate IT vulnerability management program for the organization. This diversity in management highlights the need for segmentation within OT firewalls. 

Another common scenario involves third-party vendors who install specialized hardware or software to support plant operations or manufacturing systems. These vendors typically have remote access to these systems. Unfortunately, organizations often fail to adequately monitor these connections. In some cases, they might enable remote access for a vendor and forget to disable it once their work is complete. This inconsistency in monitoring and access management poses significant security risks. In some cases, a requirement for access of this type is in the vendor procurement contract language, violating the customer’s own information security policies. 

With the newfound necessity to share this data externally, organizations create attack vectors and introduce vulnerabilities by creating openings in their firewalls. While sometimes necessary, this practice can be particularly risky because it's challenging to discern the potential threats in this space. Depending on where the data is being sent, there's a risk that an attacker could exploit this connection to compromise the plant's security. 

The primary purpose of segmentation in this space is to enhance visibility and provide containment enforcement capability. Without visibility, establishing a baseline for what constitutes “normal” becomes impossible, and consequently, detecting abnormal or suspicious activities becomes a major challenge. This is precisely where segmentation becomes indispensable. Visibility drives a desire for network segmentation, ultimately reducing the threat landscape and providing insights into attack vectors. 

2. Assess OT Risk for Resilience and Business Continuity 

Unlike conventional risk assessments in cybersecurity for IT systems, part of the primary emphasis for OT is on resilience rather than strictly quantifying risk. The paramount concern is to ensure uninterrupted operations, guaranteeing the continuous functioning of essential facilities such as power plants. It’s a relentless focus on system uptime. 

As an OT security services provider, our goal is to help organizations identify risks to their resilience that they may have previously overlooked. While they might be accustomed to assessing factors like machine maintenance intervals or oil change schedules, we aim to broaden their perspective. We want them to consider the possibility that a malicious actor armed with the right software could disable a critical controller.

In such cases, recovery might be impossible, especially if no backup of the firmware or configuration exists. This perspective aligns closely with business continuity as much as it does with cybersecurity because the perception of risk in the OT world differs significantly. 

3. Benefits of External Partners 

Many organizations have a limited number of individuals with OT systems expertise. Sometimes, it's just one or two people per plant, or in less fortunate cases, one or two shared across the entire enterprise. However, these individuals often focus on plant-specific operational concerns and overlook the bigger picture, such as centralized account management or remote access security. 

For instance, within manufacturing facilities, there's often a lack of central account management, resulting in scattered accounts across Windows and Linux systems, as well as the SCADA or DCS system devices. The default approach frequently involves shared passwords for user and admin accounts, which presents security challenges. However, as these systems get updated, they gain the ability to support Lightweight Directory Access Protocol (LDAP) integration with Active Directory or other authentication methods, enabling multi-factor authentication and separating logins into role-based access control. This is not only more secure but also provides vital visibility into system activity, including firmware upgrades and setting changes.

Another common problem arises from system expansion or new production facilities. With this, integrators are typically engaged to set up new systems or a group of components. These integrators are experts in the functional design of these systems. However, they frequently don’t have cybersecurity expertise.

During a recent assessment for a municipal government, we encountered a new drinking water SCADA system in an older plant. The integrator installed an unsecured wireless network and turned off the broadcast of the SSID, intending to hide it. For even the least sophisticated attackers, this results in an open back door into the environment. From outside the physical security fence of the plant, the team connected to and logged in to the SCADA system with administrative credentials and obtained functional control over the entire system because the vendor left the default passwords in place. 

When considering partnering with a Managed Security Services Provider (MSSP) to enhance security visibility and resilience, it's crucial to seek out a provider capable of effective communication with your team. Some organizations, including ours, employ experts who possess extensive experience in designing, building, operating, and managing these OT systems. 

Organizations can greatly benefit from continuous environment testing conducted by a security services vendor. These vendors play a pivotal role in helping organizations tackle the ever-evolving threat landscape, address technology gaps, improve environmental visibility, and augment their teams with 24/7 in-house security operations centers.

More in Cybersecurity