Today we welcome guest blog author Gabe Authier, Sr. Product Manager at Tripwire, a part of the Belden family. Originally posted as a Tripwire blog, the article offers expertise we think you’ll find valuable.
Securing industrial operations is a unique challenge. The same approach used to secure information technology (IT) networks unfortunately can’t effectively secure plant floors.
That’s because operational technology (OT) has evolved tremendously over the years, creating very complex environments consisting of a dizzying variety of devices from different makes, models and generations that communicate through different protocols.
To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need to speak all these devices’ different languages. This is easy in a corporate IT environment where devices are all IP-based. The same cannot be said of OT environments, however, as devices generally use numerous protocols and languages.
What language a device speaks oftentimes depends on the device’s type, age and manufacturer, along with other factors. Programmable logic controllers (PLCs), for example, communicate over Ethernet/IP, Modbus and Simple Network Management Protocol (SNMP). This gets even more complex given the different variations of remote terminal units (RTUs) and distributed control systems (DCSs).
Ultimately, if operators can’t talk to all the network devices, it’s difficult to know what needs to be secured. Even if the team can send signals to their devices, incorrect communication could possibly cause a shutdown and disrupt operations.
7 Ways Operators Learn to Converse with OT Devices
- Understand Device Languages: Plant operators should start by understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the critical assets and choosing a solution that can both speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls.
- Prioritization: Identify which of those devices are highly sensitive and, therefore, critical to operations.
- No Touch Approach: For these highly sensitive devices, plant operators should use a “no touch” approach. This method leverages integration with an intermediary device that talks to the PLCs to configure the devices and back up those configurations.
- Obtain Configuration Data: With integration in place, plant operators can obtain configuration data from the intermediary device by querying its database and ingesting the data.
- Harden Environment: Once network visibility is established, operators can harden the environment. OT security solutions should identify what’s on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful digital attacks.
- Assess Configuration: A good security solution assesses configurations and enables users to fix any that are not in a secure and compliant state. Unpatched vulnerabilities are another major reason for successful digital attacks. Security solutions should scan for vulnerabilities in the environment and prioritize which flaws are most critical based on the organization’s needs.
- Continuous Monitoring: Once the attack surface has been minimized through proper configuration and vulnerability management, the plant’s security solution should continuously monitor for changes made in the environment and issue alerts when appropriate. Changes can indicate an intrusion or a configuration alteration that has weakened the security posture or put systems out of compliance.
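The seven steps above, carried through as an added Python example that is not code from the original post or from Tripwire's product: it fingerprints each device's configuration as read from the intermediary's database, flags insecure settings, and raises change alerts ranked by the device's criticality from the inventory. The device names, protocols, configuration keys, insecure-setting rules and both snapshots are constructed for the example.

```python
import hashlib
import json
# Constructed asset inventory (assumption): protocol each device speaks and whether
# it is critical to operations, which drives alert priority.
INVENTORY = {
    "plc-line1": {"protocol": "Modbus", "critical": True},
    "rtu-pump3": {"protocol": "SNMP", "critical": False},
}
def fingerprint(config):
    """Stable hash of one device's configuration as read from the intermediary."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()
def assess(config):
    """Flag settings that leave a device in an insecure state (constructed rules)."""
    findings = []
    if config.get("snmp_community") in ("public", "private"):
        findings.append("default SNMP community string")
    if config.get("write_protect") is False:
        findings.append("controller write protection disabled")
    if config.get("remote_program") is True:
        findings.append("remote programming enabled")
    return findings
def monitor(baseline, current):
    """Diff a fresh snapshot against the baseline; return alerts, most severe first."""
    alerts = []
    for device in sorted(baseline.keys() | current.keys()):
        sev = "HIGH" if INVENTORY.get(device, {}).get("critical") else "MEDIUM"
        old, new = baseline.get(device), current.get(device)
        if old is None:
            alerts.append((sev, device, "new device appeared on network"))
        elif new is None:
            alerts.append((sev, device, "device missing from snapshot"))
        else:
            if fingerprint(new) != fingerprint(old):
                changed = sorted(k for k in set(new) | set(old) if new.get(k) != old.get(k))
                alerts.append((sev, device, "config changed: " + ", ".join(changed)))
            for finding in assess(new):
                alerts.append((sev, device, "insecure setting: " + finding))
    return sorted(alerts, key=lambda a: ({"HIGH": 0, "MEDIUM": 1}[a[0]], a[1]))
# Constructed snapshots standing in for two reads of the intermediary's database.
BASELINE = {
    "plc-line1": {"firmware": "20.1", "write_protect": True, "remote_program": False},
    "rtu-pump3": {"firmware": "3.4", "snmp_community": "public"},
}
CURRENT = {
    "plc-line1": {"firmware": "20.1", "write_protect": False, "remote_program": True},
    "rtu-pump3": {"firmware": "3.4", "snmp_community": "public"},
    "hmi-new": {"firmware": "1.0"},
}
```

Calling `monitor(BASELINE, CURRENT)` yields the critical PLC's change and insecure settings first, then the unknown new device and the RTU's default community string.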
Even if certain devices are air-gapped, isolated and disconnected from any external-facing network, internal staff may introduce system changes without understanding the effect on security or compliance. Worse still, an intruder can bypass the air gap by gaining physical access, for example, through an infected USB drive to carry out a digital attack.
Foundational security boils down to understanding the attack surface, minimizing it and monitoring it. That first step has traditionally been difficult for OT environments because of the language barrier around different devices. With the right technology, however, plant operators can navigate past OT language barriers for enhanced visibility to harden and monitor their environments for more secure and compliant operations.
How’s the conversation between your IT and OT networks? Drop us a line and tell us what you’ve learned.