Unit4sec
Building Secure OT Environment
Ahmet Can Karaağaçlı
Table of Contents
01. Introduction
02. Map Your Environment
03. Data Security
04. Network Security
05. Environment & Hardware Sec.
06. All-in-One Security Checklist
unit4sec.com | OT security
01
INTRODUCTION
The global OT security market is poised for substantial growth, with an estimated increase from USD 17.9 billion in 2023 to USD 38.2 billion by 2028, at a robust Compound Annual Growth Rate (CAGR) of 16.3% during this period. This expansion offers a lucrative opportunity for technology vendors and foresees significant development over the next five years.
In a world that has been revolutionized by technology, industries ranging from manufacturing and energy to transportation and healthcare all depend on Operational Technology (OT) systems. These systems are often the silent drivers of critical infrastructure, invisible but absolutely essential in our day-to-day lives. OT has never been more important.
Nevertheless, as OT systems undergo digital transformation, they have also become increasingly susceptible to cyber-attacks. The convergence of IT (Information Technology) and OT has created an intricate and challenging security landscape, where safeguarding our indispensable core infrastructure is no longer optional but an absolute necessity.
Over the last few years, the publicized impact and sophistication of security breaches in operational networks have increased, which raises the demand for a risk-based security approach. Unfortunately, because many companies do not have security controls in place, they are often unaware of security vulnerabilities in their OT environments. There is evidence that intruders exploiting these vulnerabilities gather information and prepare an attack without being detected for many months or years. In several cases, the exploit became visible only when the attack was launched and damage was inflicted. Implementing an OT security program is a fundamental step that companies should take now.
In this article, we venture into the realm of OT security, examining its importance, implementation steps, and a useful guide for penetration testing in the OT environment. The stakes have never been higher, and understanding and defending OT security is the path to guaranteeing the resilience of our fundamental services in a connected world. Let's embark on this paramount voyage of exploration and protection.
MAP Your Environment
A critical step in operational technology (OT) security is mapping your environment and maintaining a thorough asset inventory. These practices are the cornerstone of a robust security program that protects critical infrastructure. In this section, we'll explore why mapping your environment is important, how to do it, and key points to consider.
Why Map Your Environment?
Visibility: You cannot protect what you cannot see. Mapping your environment provides visibility into your OT systems, which is essential for effective security management.
Risk Assessment: It enables you to assess and prioritize potential risks and vulnerabilities, ensuring that resources are allocated where they are most needed.
Compliance: Many industry regulations and standards, such as NIST and IEC 62443, mandate the creation of an asset inventory, making it crucial for compliance.
Incident Response: In case of a security incident, an asset inventory is invaluable for quick and accurate incident response, reducing downtime and minimizing damage.
"It provides the necessary visibility, risk assessment capabilities, and compliance adherence required to protect critical infrastructure from evolving cyber threats."
How to Map Your Environment?
Identify Assets: Begin by identifying all the assets in your OT environment, including devices, systems, and infrastructure. This involves creating a list of every component.
Categorize Assets: Categorize assets based on their criticality, function, and importance to operations. Assign labels such as "critical," "supporting," or "non-critical."
Document Asset Details: For each asset, document critical details like manufacturer, model, version, IP addresses, locations, and operational dependencies.
Continuous Monitoring: Maintain a dynamic inventory by regularly updating and monitoring your assets. This ensures you have real-time information about your environment.
Asset Management Tools: Consider using specialized asset management tools or software to streamline this process. They can automate inventory creation and updates.
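The steps above, worked through as an added example (not code from the Unit4sec paper): a small inventory model that categorizes assets by function and dependencies, checks that every documented detail including an owner is present, and diffs a baseline against a fresh export so that additions, removals and modifications feed change management. Field names, vendors, models and addresses are constructed assumptions.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    ip: str
    location: str
    function: str            # e.g. "PLC", "HMI", "historian", "switch"
    owner: str               # person or department accountable for the asset
    depends_on: tuple = ()   # operational dependencies (other asset_ids)

def categorize(asset, inventory):
    """Step 2: criticality from the asset's function and how many assets rely on it."""
    dependants = sum(asset.asset_id in a.depends_on for a in inventory)
    if asset.function in ("PLC", "safety_controller") or dependants >= 2:
        return "critical"
    if asset.function in ("HMI", "historian", "engineering_ws") or dependants == 1:
        return "supporting"
    return "non-critical"

def missing_details(asset):
    """Step 3 check: documented fields that are still empty (owner included)."""
    return [k for k, v in asdict(asset).items() if k != "depends_on" and not v]

def diff_inventory(baseline, observed):
    """Step 4: compare the recorded baseline with a fresh export for change management."""
    base = {a.asset_id: a for a in baseline}
    seen = {a.asset_id: a for a in observed}
    changed = {}
    for aid in base.keys() & seen.keys():
        old, new = asdict(base[aid]), asdict(seen[aid])
        delta = {k: (old[k], new[k]) for k in old if old[k] != new[k]}
        if delta:
            changed[aid] = delta
    return {"added": sorted(seen.keys() - base.keys()),
            "removed": sorted(base.keys() - seen.keys()),
            "changed": changed}

# Constructed sample inventory (vendors, models and addresses are made up).
BASELINE = [
    Asset("PLC-01", "VendorA", "M340", "2.70", "10.10.1.10", "Line 1 cabinet", "PLC", "I&C"),
    Asset("HMI-01", "VendorB", "TP1200", "15.1", "10.10.1.20", "Line 1 console", "HMI", "I&C", ("PLC-01",)),
    Asset("HIST-01", "VendorC", "Historian", "7.2", "10.10.2.5", "Server room", "historian", "OT Ops", ("PLC-01",)),
]
# A later export: HMI firmware changed, the historian is gone, an unowned switch appeared.
OBSERVED = [
    BASELINE[0],
    Asset("HMI-01", "VendorB", "TP1200", "15.3", "10.10.1.20", "Line 1 console", "HMI", "I&C", ("PLC-01",)),
    Asset("SW-09", "VendorD", "IE200", "4.1", "10.10.1.250", "Line 1 cabinet", "switch", ""),
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(a.asset_id, categorize(a, OBSERVED), "missing:", missing_details(a))
    print(diff_inventory(BASELINE, OBSERVED))
```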
Several key points must be considered to establish a solid foundation for effective OT protection. First, granularity matters: asset information must be recorded in careful detail so that no item is overlooked, regardless of size. Second, assign ownership: identify the person or department responsible for each asset. Third, implement a change management process that keeps the inventory up to date as assets are added or modified. Fourth, integrate security solutions such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools with the inventory to enable real-time threat detection. Finally, protect the inventory itself: restrict access to it to authorized personnel through strict access controls, preserving data integrity and preventing tampering. Together, these practices strengthen the OT security posture, providing the visibility, risk assessment capabilities, and compliance needed to protect critical infrastructure from evolving cyber threats.
In a nutshell, when you map out your surroundings and build a detailed list of your assets, you're laying the essential groundwork for strong OT security. This process gives you the ability to see what's happening, assess potential risks, and make sure you're following the necessary rules and regulations to protect crucial infrastructure from the ever-changing world of online threats. By carefully following the steps and keeping these important details in mind, organizations can strengthen their OT security and be better prepared to defend against possible threats and vulnerabilities with a proactive and resilient approach.
Data Security within OT Security
Explicitly define the key roles responsible for OT security, such as the CISO, OT Security Manager, and Network Administrators, while assigning them well-defined responsibilities. It's essential to establish a clear hierarchy, reporting lines, and emphasize collaboration among these roles. In production environments, three fundamental principles guide data security:
01
Confidentiality
Confidentiality in OT Security emphasizes that all data and information related to operational technology systems must be classified, ensuring that only authorized individuals or entities have access to sensitive data.
Note: Reference your policies and procedures according to the related fields while you are building your own OT Security Policy.
02
Integrity
Data integrity focuses on restricting unauthorized access and ensuring that only qualified personnel, such as I&C and Electrical Engineers, have the authority to program or delete data in ICS systems. This safeguards the reliability and consistency of data, with access and authorization procedures following established guidelines for robust security.
These recommendations promote strong access controls, adherence to established procedures, and the implementation of data backup practices to ensure the security and integrity of ICS operations.
03
Availability
These details provide a comprehensive view of how to address system accessibility and performance, security enhancement through patch management, data sharing practices, and employee responsibilities for data access, all of which are essential for maintaining data security and system availability in OT environments.
Network Security
Network security involves managing and securing the network infrastructure to safeguard against cyber threats and ensure the availability and integrity of OT systems.
01
Responsible Sections
Define teams of experts within the IT department to focus specifically on SCADA network security, including firewall configuration. These experts should have a deep understanding of SCADA systems and industrial control networks.
02
Isolation and Access Control
It is crucial to keep the OT network isolated from external networks, especially the internet. If internet access is required for specific systems, it should be tightly controlled, with security updates and hardening policies applied. Unauthorized access to OT networks from the internet should be blocked. When necessary, use VPN and VDI technologies for internet access, ensuring they comply with company information security policies.
If complete isolation between the OT and corporate IT network is not feasible, implement strict access controls and prevent unauthorized access between the two networks.
03
Firewall Security
OT networks with remote access capabilities should have secure firewalls in place. These firewalls must be selected in accordance with industry standards and configured based on manufacturer recommendations. Use stable, up-to-date versions so that security updates are applied.
Control the flow of traffic between allowed sources and destinations, using only permitted ports and protocols at the OT network boundaries. Ideally, log these accesses and, if possible, the traffic itself.
Implement segmentation using the Purdue model to ensure safe operations and cybersecurity conditions for all OT networks.
Purdue Model Explained
The Purdue Model, also known as the Purdue Enterprise Reference Architecture, is a framework for designing and structuring industrial control systems (ICS) and operational technology (OT) networks.
It comprises seven levels, each with distinct functions and responsibilities. At the lowest Level 0, you find the physical devices and processes that execute industrial operations. Level 1, Basic Control, manages local control functions through devices like programmable logic controllers (PLCs). Level 2, Supervisory Control, oversees multiple processes within a facility and includes human-machine interfaces (HMIs). Level 3, Manufacturing Operations Management, focuses on tasks like production scheduling and quality control, with systems such as manufacturing execution systems (MES). In between Levels 3 and 4, the Purdue Model introduces a Demilitarized Zone (DMZ) that acts as a security sub-layer between OT and IT environments, enhancing security for OT.
Levels 4 and 5 deal with broader business operations and enterprise IT systems, respectively. Securing the Purdue Model involves tailoring security measures to each level's specific requirements. This encompasses physical security, access controls, device hardening, network segmentation, secure remote access, change management, strong authentication, role-based access controls, data exchange security, standard IT security practices, perimeter defenses, patch management, and security monitoring. By applying these security considerations to each level, organizations can adopt a structured approach to enhance the security of their ICS environments within the Purdue Model framework.
04
Device Configuration and Firewall Rules
No device within the OT environment should be left with default settings. Device configurations should align with information security requirements. Default usernames and passwords on firewalls should be changed post-installation.
Periodically (at least every 2 years) review and eliminate unused firewall rules. All connections other than permitted rules should be denied by default. In firewall configurations, restrictions should be applied both inbound and outbound, ensuring that uncontrolled outbound access from the internal network is prevented.
Configure local security firewalls on all servers and clients according to the principle of least privilege.
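The Purdue segmentation described above and the firewall rule hygiene in this section (default deny, restricted outbound, removal of unused rules), combined in one added example that is not part of the paper: a review script over a constructed rule export. Zones are expressed as Purdue levels with 3.5 standing for the IT/OT DMZ; rule ids, ports, dates and the export format are assumptions.

```python
from datetime import date, timedelta

# Rules as exported from a boundary firewall; zones are Purdue levels, 3.5 is the IT/OT DMZ.
# Constructed sample: ids, ports and dates are made up.
RULES = [
    {"id": 1, "src": 3.5, "dst": 3.0, "proto": "tcp", "port": 4840, "action": "allow",
     "last_hit": date(2024, 3, 1)},   # DMZ server to site operations
    {"id": 2, "src": 4.0, "dst": 2.0, "proto": "tcp", "port": 502, "action": "allow",
     "last_hit": date(2024, 3, 2)},   # enterprise host straight to an HMI, skipping the DMZ
    {"id": 3, "src": 2.0, "dst": 5.0, "proto": "any", "port": "any", "action": "allow",
     "last_hit": date(2021, 1, 5)},   # uncontrolled outbound from OT, and unused for years
    {"id": 4, "src": 1.0, "dst": 0.0, "proto": "tcp", "port": 102, "action": "allow",
     "last_hit": date(2024, 3, 3)},   # controller to field devices
]
DEFAULT_DENY = False          # constructed: the final catch-all deny rule is missing
TODAY = date(2024, 3, 10)     # review date used for the staleness check

def bypasses_dmz(rule):
    # Any IT (level 4-5) <-> OT (level 0-3) flow must terminate in the DMZ (3.5).
    if rule["action"] != "allow":
        return False
    lo, hi = sorted((rule["src"], rule["dst"]))
    return lo <= 3.0 and hi >= 4.0 and 3.5 not in (rule["src"], rule["dst"])

def uncontrolled_outbound(rule):
    # OT source allowed towards IT with no port or protocol restriction.
    return (rule["action"] == "allow" and rule["src"] <= 3.0 and rule["dst"] >= 4.0
            and "any" in (rule["port"], rule["proto"]))

def stale(rule, today=TODAY, max_age=timedelta(days=730)):
    # Not matched within the 2-year review window: candidate for removal.
    return today - rule["last_hit"] > max_age

def review(rules, default_deny, today=TODAY):
    findings = []
    if not default_deny:
        findings.append((None, "no default-deny rule: unmatched traffic is allowed"))
    for r in rules:
        if bypasses_dmz(r):
            findings.append((r["id"], "IT/OT flow bypasses the level 3.5 DMZ"))
        if uncontrolled_outbound(r):
            findings.append((r["id"], "uncontrolled outbound access from OT"))
        if stale(r, today):
            findings.append((r["id"], "unused for over 2 years; remove or justify"))
    return findings

if __name__ == "__main__":
    for rule_id, msg in review(RULES, DEFAULT_DENY):
        print(f"rule {rule_id}: {msg}")
```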
05
Secure Remote Connections
For cases requiring remote connections, use encrypted VPN networks. Avoid unmanaged remote-access programs like TeamViewer or AnyDesk.
06
Long-Term Service Agreements
When providing long-term service connections, make sure these connections are managed via firewalls, that firewall rules are reviewed periodically, and that event logs are actively monitored via a Security Information and Event Management (SIEM) system. If a contractor's firewall is used as part of the long-term service agreement, request the firewall rules from the contractor and review them at specific intervals (e.g., annually).
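The monitoring called for in the two items above (no unmanaged remote-access tools on ICS hosts, contractor connections watched via SIEM), as an added example that is not from the paper: detection logic run over constructed boundary-firewall log lines. The log format, the contractor VPN range and service window, and the use of the tools' well-known default ports (TeamViewer 5938, AnyDesk 7070) as the indicator are assumptions.

```python
import ipaddress
from datetime import datetime

# Default ports of the remote-access tools the section says to avoid on ICS hosts.
UNMANAGED_TOOL_PORTS = {5938: "TeamViewer", 7070: "AnyDesk"}
# Constructed long-term service agreement: contractor VPN range, weekday 08:00-18:00 window.
CONTRACTOR = {"net": ipaddress.ip_network("203.0.113.0/24"), "hours": (8, 18)}
OT_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed log lines in a key=value format; 2024-03-04 is a Monday.
LOG = """\
2024-03-04T09:15:02 action=allow src=203.0.113.7 dst=10.10.2.5 proto=tcp dport=3389
2024-03-04T23:40:11 action=allow src=203.0.113.9 dst=10.10.1.10 proto=tcp dport=3389
2024-03-04T10:02:45 action=allow src=10.10.1.20 dst=198.51.100.44 proto=tcp dport=5938
2024-03-04T10:05:00 action=deny src=10.10.1.21 dst=198.51.100.45 proto=tcp dport=7070
"""

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec

def check(rec):
    alerts = []
    # A denied attempt still means the tool is installed on an OT host, so flag both outcomes.
    if rec["src"] in OT_NET and rec["dport"] in UNMANAGED_TOOL_PORTS:
        tool = UNMANAGED_TOOL_PORTS[rec["dport"]]
        alerts.append(f"{tool} session ({rec['action']}) from OT host {rec['src']}")
    if rec["src"] in CONTRACTOR["net"] and rec["dst"] in OT_NET:
        start, end = CONTRACTOR["hours"]
        if rec["ts"].weekday() >= 5 or not (start <= rec["ts"].hour < end):
            alerts.append(f"contractor access from {rec['src']} outside service window")
    return alerts

def review_log(text):
    # Returns (timestamp, message) pairs in log order, ready to forward to the SIEM.
    return [(rec["ts"].isoformat(), a)
            for rec in map(parse, text.splitlines()) for a in check(rec)]

if __name__ == "__main__":
    for ts, msg in review_log(LOG):
        print(ts, msg)
```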
These details provide a comprehensive guideline for network security in OT environments, ensuring that the network infrastructure is protected, and access is tightly controlled to maintain the availability and integrity of OT systems.
Environmental and Hardware Security Management
In the realm of OT security, environmental and hardware security is a critical facet that necessitates attention and careful management. It is primarily concerned with the physical aspects of the operational technology infrastructure, safeguarding against both natural and human-made threats.
Environmental Security
In safeguarding critical infrastructure and ensuring secure operations, it's essential to establish a robust physical perimeter that undergoes diligent monitoring by security personnel, effectively deterring unauthorized access.
Secure ICS Rooms
Hardware Security
Hardware security in OT security focuses on safeguarding the physical components and devices crucial for industrial operations. It involves measures like access control, lightning protection, and port security to prevent unauthorized access and vulnerabilities that could disrupt industrial systems.
Environmental and hardware security management in OT environments involves a multi-faceted approach to physical protection and resilience. These measures are essential to protect critical infrastructure and ensure the continuity of operations while mitigating risks from both natural and man-made threats.
General cyber security checks
Security Awareness Training: Provide employees with information security awareness training to elevate their knowledge and consciousness about security practices.
Integration with All Business Processes: Ensure that information security processes are seamlessly integrated into all critical business operations.
Competency Development: Identify the competencies needed for improving information security, plan the necessary training, and enhance the skills of the workforce.
Access Control: Limit access to ICS systems to System Administrators, Specialists, and System Users according to their respective permissions.
USB Port Management: Disable all USB ports on ICS devices, reserving the installation and uninstallation of software to System Administrators only.
Remote Access Control: Restrict the use of software like TeamViewer or AnyDesk for remote access on ICS devices.
Penetration Testing: Engage accredited firms to conduct penetration tests on ICS systems to discover vulnerabilities. Develop action plans to address identified weaknesses and regularly track their mitigation.
Antivirus and Backup Testing: Periodically scan ICS systems with up-to-date antivirus software and test backup and recovery procedures. Extend this practice to engineering programming computers as well.
User Permissions Review: Regularly review and revise user permissions for ICS systems, ensuring that access is limited to necessary personnel only.
Security Enhancements: When needed, add security products such as firewalls, Security Information and Event Management (SIEM) systems, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS) to critical ICS networks.
Firewall Rule Maintenance: Periodically review and update firewall rules to optimize security.
Physical Access Control: Implement card-based access systems in equipment rooms, granting room entry permission only to authorized personnel. Regularly review access permissions according to defined matrices.
Cybersecurity Risk Management: Conduct assessments to anticipate potential damages arising from cyberattacks and develop response strategies.
Logging and Monitoring: Maintain a comprehensive log of all activities on ICS and ensure historical data can be retrieved.
Patch Management for Penetration Test Findings: Keep penetration test findings up to date and manage patches effectively.
Emergency Action Plan: Enhance the emergency action plan to include procedures to follow during cyberattack incidents.
Communication with Regulatory Authorities: Notify relevant regulatory authorities (SOME, EPDK) in case of a cyberattack and establish communication with them.
Password Management: Ensure that passwords for devices in Industrial Control Systems are not set to default or easily guessable combinations. Operator and Administrator passwords should be complex and challenging to crack.
User Authorization Review: Regularly review user authorizations to prevent over-authorization.
Detailed Procedures: Refer to specific sections in the procedure for comprehensive management system details and responsibilities.
Conclusion
In today's industrial world, safeguarding our technology systems, especially Operational Technology (OT), is a big deal. A strong OT security setup is crucial to protect our vital infrastructure from cyber threats that keep changing and getting smarter.
Throughout this article, we've covered the key elements of OT security. It's not just one thing; it's a mix of controlling who gets access, watching the network closely, keeping everything up to date, and making sure everyone knows how to stay safe.
When we put best practices in place and make sure our security measures cover everything, we make our systems far tougher. Taking a proactive approach, quickly spotting threats, responding fast when something goes wrong, and making sure everyone on the team knows about cybersecurity are a big part of making our OT systems really secure.
It's not a one-time thing; we've got to keep working on making OT security better. That means checking things regularly, learning about new threats, and always trying to do things smarter. When our IT folks and the people who run the systems team up and use the best security practices, we create a strong OT security environment that keeps our important systems safe and sound.