OT Cybersecurity in Three Steps

Insider Threats

Too often, cybersecurity efforts are focused on external threats. The possibility of malicious actions by an employee—often far easier to implement and more likely to occur—can be completely overlooked. Building a robust perimeter does little if the adversary is already inside.

Reasons for employee-induced cyber-attacks include disgruntlement and desire for revenge due to real or imagined company slights; betrayal driven by bribery or monetary gain; becoming reluctantly compromised due to threats or blackmail; cheap thrills; or boredom.

Another type of insider threat is that performed by a perpetrator who is spoofing a trusted employee using stolen credentials. For example, even if they are checking the logs, operators may turn a blind eye and not be suspicious of changes made to production specs initiated by the boss or a colleague, not realizing that the changes were being made by someone masquerading their identity through the misuse of their credentials.

No matter the source, protection against insider cyber events starts with visibility. If every time a change is made, an alert is sent to the operator, then every change can be verified to authorized work orders. Unexpected, unauthorized changes, whether with malicious intent or not, can be immediately reverted back to the expected operational configuration.

Malware—Ransomware, Viruses, Trojans, Worms & More

Malware describes a number of man-made, code-based phenomena that can infect the OT network and impact production in a number of ways. This can vary from silly and annoying to completely shutting down production indefinitely.

Malware can be introduced to the OT network in a number of different ways. Infecting user PDF manuals and schematics is a common channel. When a contractor opens such a file on the plant floor to attend to a device, the malware is launched and spreads throughout the entire OT network. Malware can enter through an attachment opened in an email—another reason why Internet-connected devices should not be connected to plant floor devices.

Unfortunately, malware is often not an end in itself, but the first step in malicious behavior. Malware can be designed to change configurations, capture passwords, open connections to external devices and so on. With proactive cybersecurity awareness, these changes can be seen and prevented.

Human Error

Not all cyber events are malicious—unintentional mistakes play a role in a high percentage of detrimental network impacts in a discrete manufacturing environment. Think how easy it is for a busy operator to type in 60 psi instead of 6.0 psi to a torque value. Detecting these errors and then remediating them is another important piece of a cybersecurity program.

Failing Equipment

Another common, non-malicious scenario that can impact the integrity of the production network stems from an imminent failure in physical infrastructure, such as a cable, a switch or a device like a PLC or HMI. All these can cause an impact on quality and yields in the discrete manufacturing environment. These devices can generally communicate diagnostic data but most of the time, no one is proactively looking at this data.

Numerous Cybersecurity Threats—One Protective Strategy

Any change to the network—whether purposeful, accidental or malicious, immediately leaves evidence of its inputting. The problem is, by default, such evidence is often incomplete, isolated and hidden somewhere in device logs or not even collected in the first place. That’s why operators consider implementing solutions that are designed to provide continuous real-time visibility into their network operations. Generally speaking, these have a three-part strategy:

• Inventorying what you have & what it does
• Establishing protective controls
• Monitoring for changes or abnormal network behavior

There are foundational cybersecurity controls that you can begin right now to help reduce operational risk and detect and avoid the impacts of all the threats discussed above.

Step 1. Gain Visibility

Immediately take the guessing game out of the equation. You need to know what you have and therefore what you need to secure.

Visibility capabilities include:

• Understand & document all network communication between the industrial control network & the enterprise IT network
• Understand & document all remote access into the industrial control network, i.e. vendor access with dial-up modems, VPN and cellular connectivity
• Create & update asset inventory information for both hardware and software, including vendor, make, model, serial number, firmware version & versions of installed software
• Create & maintain a network topology diagram
• Understand what industrial protocols are communicating & between what assets, such as HMIs to PLCs
• Understand how assets & devices are configured and if those configurations are changing
• Identify what vulnerabilities (weaknesses) are present in the environment
• Implement centralized log management to capture logs from all capable automation devices, including switches, PLCs, routers, firewalls, HMIs, etc.
  
  

Step 2. Implement Protective Controls

Protective controls help prevent or lessen the impact of cyber events. Ensuring network segmentation between the corporate enterprise IT network and the industrial control network is a great first step. This denies all unauthorized network communication through the use of firewalls or access control lists on networking devices.

Another effective protective control is system/device hardening, by which:

• Disable services not explicitly needed to run the industrial process (e.g., disable insecure protocols like telnet which doesn't encrypt traffic)
• Enable cybersecurity features such as logging, SSH, SNMPv3 & other features 
• Check device/system for proper configurations (e.g., change default passwords/enable password management (length, strength, complexity, etc.)
  
  

 Step 3. Continuous Monitoring

The third step is to implement continuous monitoring. Just like you have a SCADA to help optimize and control your industrial process, you need a cybersecurity solution to help optimize and control visibility to industrial cybersecurity events and ensure the protective controls you have implemented are operating correctly. This is not a one-and-done activity—it needs to be performed continuously, as automation systems are evolving and the cyber threat landscape is constantly changing.

Industrial cybersecurity monitoring helps continually answer the “How do I know” questions, such as:

• How do I know if my device/asset configurations have changed? Do those changes put the device in an insecure state or misalign to my technical build spec?
• How do I know if my operational baselines (system/device configuration specific to the environment it is running in) are changing?
• How do I know if one of my devices is at the brink of a failure?
• How do I know if a rogue asset or protocol is now present on my control network?
• How do I know if my vulnerability risk profile has changed?

If you can answer all of these questions, you'll be able to keep your industrial process running without interference from cybersecurity events.

The time to implement visibility, protective controls and continuous monitoring is now—every minute that you don’t is a minute that leaves your network vulnerable to a host of costly threats.