
Unit4sec

Building Secure OT Environment

Ahmet Can Karaağaçlı

Table of Contents


01.

Introduction

02.

Map Your Environment

03.

Data Security

04.

Network Security

05.

Environment & Hardware Sec.

06.

All In One Security Checklist

unit4sec.com | OT security

01

INTRODUCTION

The global OT security market is poised for substantial growth, with an estimated increase from USD 17.9 billion in 2023 to USD 38.2 billion by 2028, a Compound Annual Growth Rate (CAGR) of 16.3% over this period. This expansion offers a lucrative opportunity for technology vendors and points to significant development over the next five years.

In a world that has been revolutionized by technology, industries ranging from manufacturing and energy to transportation and healthcare all depend on Operational Technology (OT) systems. These systems are often the silent drivers of critical infrastructure, invisible but absolutely essential in our day-to-day lives. OT has never been more important.


Nevertheless, as OT systems have undergone digital transformation, they have also become increasingly susceptible to cyber-attacks. The convergence of IT (Information Technology) and OT has created an intricate and demanding security landscape, in which safeguarding our critical infrastructure is no longer optional but a necessity.






Over the last few years, the publicized impact and sophistication of security breaches in operational networks have increased, which raises the demand for a risk-based security approach. Unfortunately, because many companies do not have security controls in place, they are often unaware of security vulnerabilities in their OT environments. There is evidence that intruders exploiting these vulnerabilities gather information and prepare an attack without being detected for many months or years. In several cases, the exploit became visible only when the attack was launched and damage was inflicted. Implementing an OT security program is a fundamental step that companies should take now.


In this article, we venture into the realm of OT security, examining its importance, implementation steps, and a useful guide for penetration testing in the OT environment. The stakes have never been higher, and understanding and defending OT security is the path to guaranteeing the resilience of our fundamental services in a connected world. Let's embark on this paramount voyage of exploration and protection.


Map Your Environment

A critical step in operational technology (OT) security is mapping your environment and maintaining a thorough asset inventory. These practices are the cornerstone of a robust security program to protect critical infrastructure. In this section, we'll explore why mapping your environment is important, how to do it, and key points to consider.

Why Map Your Environment?


Visibility: You cannot protect what you cannot see. Mapping your environment provides visibility into your OT systems, which is essential for effective security management.


Risk Assessment: It enables you to assess and prioritize potential risks and vulnerabilities, ensuring that resources are allocated where they are most needed.


Compliance: Many industry regulations and standards, such as NIST and IEC 62443, mandate the creation of an asset inventory, making it crucial for compliance.


Incident Response: In case of a security incident, an asset inventory is invaluable for quick and accurate incident response, reducing downtime and minimizing damage.




How to Map Your Environment?


Identify Assets: Begin by identifying all the assets in your OT environment, including devices, systems, and infrastructure. This involves creating a list of every component.


Categorize Assets: Categorize assets based on their criticality, function, and importance to operations. Assign labels such as "critical," "supporting," or "non-critical."


Document Asset Details: For each asset, document critical details like manufacturer, model, version, IP addresses, locations, and operational dependencies.


Continuous Monitoring: Maintain a dynamic inventory by regularly updating and monitoring your assets. This ensures you have real-time information about your environment.


Asset Management Tools: Consider using specialized asset management tools or software to streamline this process. They can automate inventory creation and updates.



Several key issues must be considered in order to establish a solid foundation for effective OT protection. First, granularity is important: asset information must be carefully detailed so that no item is overlooked, regardless of its size. Assign ownership, identifying the person or department responsible for each asset. Implement a change management process to keep the inventory up to date, reflecting changes as assets are added or modified. Integrate security solutions such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools to enable advanced security and real-time threat detection. Preserve data integrity and prevent tampering by restricting the use of reserved assets to authorized personnel through strict access controls. In conclusion, these concepts collectively strengthen the OT security posture, providing the visibility, risk assessment capabilities, and compliance needed to protect critical infrastructure from evolving cyber threats.
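The mapping steps and considerations above, worked through as an added example (not code from the original page or from unit4sec): a small Python inventory using the page's criticality labels, owners and operational dependencies, with a granularity check, a change-management diff between two snapshots, and a check that a critical asset does not rest on a lower-rated one. The Asset fields, asset ids and sample plant are assumptions constructed for the example.

```python
"""OT asset inventory with classification, ownership and change tracking.
Added illustration of the mapping steps above; the Asset fields, asset ids and
sample plant are constructed for this example, not from unit4sec or a real site."""
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional

CRITICALITY = ("critical", "supporting", "non-critical")
REQUIRED = ("manufacturer", "model", "version", "ip", "location", "owner")


@dataclass
class Asset:
    asset_id: str
    manufacturer: str
    model: str
    version: str
    ip: str
    location: str
    criticality: str
    owner: Optional[str] = None                          # person or department
    depends_on: List[str] = field(default_factory=list)  # operational dependencies


def validate(asset: Asset) -> List[str]:
    """Granularity check: every required detail present, criticality label known."""
    problems = [f"{asset.asset_id}: missing {n}" for n in REQUIRED if not getattr(asset, n)]
    if asset.criticality not in CRITICALITY:
        problems.append(f"{asset.asset_id}: unknown criticality {asset.criticality!r}")
    return problems


def diff_inventory(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> Dict[str, list]:
    """Change-management view: assets added, removed or modified since the baseline."""
    modified = []
    for aid in sorted(set(baseline) & set(current)):
        before, after = asdict(baseline[aid]), asdict(current[aid])
        changed = sorted(k for k in before if before[k] != after[k])
        if changed:
            modified.append((aid, changed))
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "modified": modified}


def dependency_gaps(inv: Dict[str, Asset]) -> List[str]:
    """Critical asset resting on an unknown or lower-rated one: the dependency's
    outage takes the critical asset down, so the lower rating is wrong."""
    gaps = []
    for a in inv.values():
        if a.criticality != "critical":
            continue
        for dep in a.depends_on:
            d = inv.get(dep)
            if d is None:
                gaps.append(f"{a.asset_id} depends on unknown asset {dep}")
            elif d.criticality != "critical":
                gaps.append(f"{a.asset_id} (critical) depends on {dep} ({d.criticality})")
    return gaps


# Constructed sample: one cell with a PLC, an HMI and the switch they share.
BASELINE = {
    "PLC-01": Asset("PLC-01", "VendorA", "ModelX", "2.1", "10.10.1.10", "Cell 1",
                    "critical", "I&C Engineering", ["SW-01"]),
    "HMI-01": Asset("HMI-01", "VendorB", "Panel", "4.0", "10.10.1.20", "Cell 1",
                    "supporting", "Operations", ["PLC-01"]),
    "SW-01": Asset("SW-01", "VendorC", "IndSwitch", "1.3", "10.10.1.1", "Cabinet 1",
                   "supporting"),                      # nobody owns the switch yet
}
# Later snapshot: PLC firmware updated, a historian added without an owner.
CURRENT = dict(BASELINE)
CURRENT["PLC-01"] = Asset("PLC-01", "VendorA", "ModelX", "2.2", "10.10.1.10", "Cell 1",
                          "critical", "I&C Engineering", ["SW-01"])
CURRENT["HIST-01"] = Asset("HIST-01", "VendorD", "Historian", "7.5", "10.10.2.5",
                           "Server room", "supporting")

def review(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> dict:
    """Everything a review meeting needs: data gaps, changes and rating mismatches."""
    return {"problems": [p for a in current.values() for p in validate(a)],
            "changes": diff_inventory(baseline, current), "gaps": dependency_gaps(current)}
```

Running `review(BASELINE, CURRENT)` reports the two ownerless assets, the PLC version change, the new historian, and that the critical PLC depends on a switch rated only "supporting".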


In a nutshell, when you map out your surroundings and build a detailed list of your assets, you're laying the essential groundwork for strong OT security. This process gives you the ability to see what's happening, assess potential risks, and make sure you're following the necessary rules and regulations to protect crucial infrastructure from the ever-changing world of online threats. By carefully following the steps and keeping these important details in mind, organizations can strengthen their OT security and be better prepared to defend against possible threats and vulnerabilities with a proactive and resilient approach.


Data Security within OT Security

Explicitly define the key roles responsible for OT security, such as the CISO, OT Security Manager, and Network Administrators, while assigning them well-defined responsibilities. It's essential to establish a clear hierarchy, reporting lines, and emphasize collaboration among these roles. In production environments, three fundamental principles guide data security:


01

Confidentiality

Confidentiality in OT Security emphasizes that all data and information related to operational technology systems must be classified, ensuring that only authorized individuals or entities have access to sensitive data.

  • Adopt a clear and structured asset classification system based on specific OT security needs. This should encompass not only data inventories, topological diagrams, and encryption software but also any other digital or physical assets. By classifying assets, companies can better understand and protect their most critical information and systems.


  • The strict prohibition on sharing confidential data without authorization should be a cornerstone of OT security. Companies should ensure that confidential data is shared only after a confidentiality agreement is signed and approval is granted by designated personnel, such as an OT Security Manager.


  • Prior to sending a product, system, or equipment with confidential data to a third party for maintenance, organizations should adopt secure data erasure protocols to safeguard sensitive information. This process should be meticulous, ensuring data is completely wiped clean, and devices should only be dispatched after a confidentiality agreement is signed and approved by relevant authorities.



  • It is essential for organizations to have clear policies for data destruction when products, equipment, or systems with confidential data are decommissioned. Data should be permanently and irreversibly deleted and destroyed to prevent any potential breaches in the future.


  • Digital security measures like access restrictions to relevant folders should be implemented to ensure data security. Striking a balance between both physical and digital security is crucial for comprehensive data protection in an OT environment.


Note: Reference your own policies and procedures for the related fields while you are building your own OT Security Policy.

02

Integrity

Data integrity focuses on restricting unauthorized access and ensuring that only qualified personnel, such as I&C and Electrical Engineers, have the authority to program or delete data in ICS systems. This safeguards the reliability and consistency of data, with access and authorization procedures following established guidelines for robust security.

  • Enforce strict access controls to prevent unauthorized personnel from tampering with existing ICS systems. The authority to program or delete data within ICS should be limited solely to qualified personnel, such as I&C and Electrical Engineers in the plant.


  • Access to ICS systems and the authorization processes should align with the guidelines set out in company policy, such as an identity and access management policy. This ensures that access is properly managed and restricted to authorized individuals, enhancing overall ICS security.


  • Conduct regular data backup processes, adhering to the procedures your company has defined, such as a "Backup and Restore Policy". This proactive approach safeguards critical data and facilitates recovery in the event of data loss or system disruptions.


These recommendations promote strong access controls, adherence to established procedures, and the implementation of data backup practices to ensure the security and integrity of ICS operations.


03

Availability

Availability focuses on keeping OT systems accessible and performing as expected. The measures below cover system monitoring and redundancy, patch management, data sharing practices, and employees' responsibilities for data access.

  • Implement continuous real-time monitoring of OT systems to detect anomalies and performance issues promptly, enabling swift response to disruptions.


  • Employ redundancy in critical system components to ensure system availability, even in cases of component failures.


  • Prioritize patches based on severity and relevance to OT systems, focusing on critical vulnerabilities that could impact availability.


  • Collaborate closely with equipment and software vendors to stay informed about patch releases and updates specific to OT systems.


  • Categorize data based on sensitivity and potential impact on system availability.


  • Establish non-disclosure agreements (NDAs) with external entities when sharing sensitive data, ensuring they commit to maintaining data confidentiality.


  • Limit access to data and systems based on job roles and responsibilities, ensuring that employees can access only what is necessary for their tasks.


  • Establish clear procedures for employees to report security incidents or violations promptly, which may impact data availability, facilitating a swift response.


These details provide a comprehensive view of how to address system accessibility and performance, security enhancement through patch management, data sharing practices, and employee responsibilities for data access, all of which are essential for maintaining data security and system availability in OT environments.



Network Security

Network security involves managing and securing the network infrastructure to safeguard against cyber threats and ensure the availability and integrity of OT systems.

01

Responsible Sections

Define teams of experts within the IT department to focus specifically on the network security and firewall settings in front of SCADA systems. These experts should have a deep understanding of SCADA systems and industrial control networks.

02

Isolation and Access Control:

It is crucial to keep the OT network isolated from external networks, especially the internet. If internet access is required for specific systems, it should be tightly controlled with security updates and hardening policies. Unauthorized access to OT networks from the internet should be blocked. When necessary, use VPN and VDI technologies for internet access, ensuring they comply with company information security policies.


If complete isolation between the OT and corporate IT network is not feasible, implement strict access controls and prevent unauthorized access between the two networks.


03

Firewall Security

OT networks with remote access capabilities should have secure firewalls in place. These firewalls must be selected in accordance with industry standards and configured based on manufacturer recommendations. Use stable and up-to-date versions for security updates.


Control the flow of traffic between allowed sources and destinations, using permitted ports and protocols at the OT network boundaries. Ideally, log this access and, if possible, the traffic itself.


Implement segmentation using the Purdue model to ensure safe operations and cybersecurity conditions for all OT networks.

Purdue Model Explained

The Purdue Model, also known as the Purdue Enterprise Reference Architecture, is a framework for designing and structuring industrial control systems (ICS) and operational technology (OT) networks.


It comprises seven levels, each with distinct functions and responsibilities. At the lowest Level 0, you find the physical devices and processes that execute industrial operations. Level 1, Basic Control, manages local control functions through devices like programmable logic controllers (PLCs). Level 2, Supervisory Control, oversees multiple processes within a facility and includes human-machine interfaces (HMIs). Level 3, Manufacturing Operations Management, focuses on tasks like production scheduling and quality control, with systems such as manufacturing execution systems (MES). In between Levels 3 and 4, the Purdue Model introduces a Demilitarized Zone (DMZ) that acts as a security sub-layer between OT and IT environments, enhancing security for OT.


Levels 4 and 5 deal with broader business operations and enterprise IT systems, respectively. Securing the Purdue Model involves tailoring security measures to each level's specific requirements. This encompasses physical security, access controls, device hardening, network segmentation, secure remote access, change management, strong authentication, role-based access controls, data exchange security, standard IT security practices, perimeter defenses, patch management, and security monitoring. By applying these security considerations to each level, organizations can adopt a structured approach to enhance the security of their ICS environments within the Purdue Model framework.


04

Device Configuration and Firewall Rules:


No device within the OT environment should be left with default settings. Device configurations should align with information security requirements. Default usernames and passwords on firewalls should be changed post-installation.


Periodically (at least every 2 years) review and eliminate unused firewall rules. All connections other than permitted rules should be denied by default. In firewall configurations, restrictions should be applied both inbound and outbound, ensuring that uncontrolled outbound access from the internal network is prevented.


Configure local security firewalls on all servers and clients according to the principle of least privilege.
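As an added example (not from the original page or from unit4sec), the firewall rule guidance above and the Purdue segmentation it builds on, turned into a check a reviewer can run over an exported rule set: default deny at the end, no IT/OT traffic bypassing the DMZ, no uncontrolled outbound internet access, and rules with no hits since the last review flagged for removal. The Rule format, zone names and sample rules are assumptions constructed for the example.

```python
"""Audit an OT boundary firewall rule set against the guidance above: default
deny in both directions, no IT/OT traffic bypassing the DMZ, no uncontrolled
outbound access, unused rules flagged for removal.
Added illustration; the Rule format, zone names and sample rules are constructed
for this example and do not come from unit4sec or any real firewall."""
from dataclasses import dataclass
from typing import List

# Purdue level per zone; lower is closer to the physical process. "any" has no level.
ZONE_LEVEL = {"process": 0, "control": 1, "supervisory": 2, "site-ops": 3,
              "dmz": 3.5, "enterprise": 4, "internet": 5}


@dataclass
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    ports: str    # e.g. "502/tcp" (Modbus), "443/tcp", or "any"
    action: str   # "allow" or "deny"
    hits: int     # matches since the last rule review (from the firewall counters)


def audit(rules: List[Rule]) -> List[str]:
    """Return findings in rule order; an empty list means the set passes."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("POLICY: rule set does not end with an any->any deny (no default deny)")
    for r in rules:
        if r.action != "allow":
            continue
        s, d = ZONE_LEVEL.get(r.src), ZONE_LEVEL.get(r.dst)
        if s is None or d is None or r.ports == "any":
            findings.append(f"{r.name}: overly broad allow ({r.src} -> {r.dst}, ports {r.ports})")
        if s is not None and d is not None:
            # Traffic between OT (<= 3) and IT (>= 4) must terminate in the DMZ (3.5).
            if min(s, d) <= 3 and max(s, d) >= 4:
                findings.append(f"{r.name}: crosses the IT/OT boundary without the DMZ ({r.src} -> {r.dst})")
            # OT and DMZ zones must not reach the internet directly (outbound control).
            if r.dst == "internet" and s <= 3.5:
                findings.append(f"{r.name}: direct internet access from {r.src}")
        if r.hits == 0:
            findings.append(f"{r.name}: no matches since last review, candidate for removal")
    return findings


# Constructed sample rule set for a firewall between the site network and the DMZ.
SAMPLE_RULES = [
    Rule("R1", "enterprise", "dmz", "443/tcp", "allow", 1200),        # portal in DMZ
    Rule("R2", "dmz", "site-ops", "1433/tcp", "allow", 300),          # historian replication
    Rule("R3", "enterprise", "supervisory", "3389/tcp", "allow", 7),  # RDP straight to HMI
    Rule("R4", "control", "internet", "any", "allow", 0),             # legacy vendor update rule
    Rule("R5", "supervisory", "control", "502/tcp", "allow", 50000),  # SCADA polls PLCs
    Rule("R6", "any", "any", "any", "deny", 42),                      # default deny
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Against the sample set the audit passes R1, R2 and R5, flags R3 for reaching the supervisory level without the DMZ, and flags R4 four times (any-port, boundary crossing, direct internet, unused).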


05

Secure Remote Connections

For cases requiring remote connections, use encrypted VPN networks. Avoid the use of third-party remote-access programs like TeamViewer or AnyDesk.

06

Long-Term Service Agreements

When providing long-term service connections, make sure these connections are managed via firewalls. Firewall rules should be reviewed periodically, and event logs should be actively monitored via a Security Information and Event Management (SIEM) system. If a contractor's firewall is used as part of the long-term service agreement, the firewall rules should be requested from the contractor and reviewed at specific intervals (e.g., annually).

These details provide a comprehensive guideline for network security in OT environments, ensuring that the network infrastructure is protected, and access is tightly controlled to maintain the availability and integrity of OT systems.


Environmental and Hardware Security Management

In the realm of OT security, environmental and hardware security is a critical facet that necessitates attention and careful management. It is primarily concerned with the physical aspects of the operational technology infrastructure, safeguarding against both natural and human-made threats.

Environmental Security

In safeguarding critical infrastructure and ensuring secure operations, it's essential to establish a robust physical perimeter that undergoes diligent monitoring by security personnel, effectively deterring unauthorized access.

  • To maintain a vigilant and secure environment, continuous monitoring is upheld at entrances 24/7, manned by dedicated security personnel to prevent any unauthorized entry.


  • Furthermore, remote areas surrounding the facility are consistently monitored through CCTV cameras, with recorded footage securely stored for a minimum of 30 days, preserving an unaltered account of activities and ensuring data integrity.


  • Prioritizing safety and security, visitors to the facility receive specialized training, encompassing information security, occupational safety, and compliance with facility protocols.


  • Access to the premises is meticulously controlled, granting entry exclusively to individuals possessing authorized visitor cards, ensuring they are not unaccompanied within the facility.


  • In alignment with security measures, photography within the facility is generally restricted. However, specific areas may permit photography, subject to approval from the designated Site Manager.


Hardware Security

Hardware security in OT security focuses on safeguarding the physical components and devices crucial for industrial operations. It involves measures like access control, lightning protection, and port security to prevent unauthorized access and vulnerabilities that could disrupt industrial systems.

  • To ensure comprehensive protection against lightning strikes, it is essential to incorporate lightning safeguarding measures in all structures, integrating lightning protection filters within incoming power and communication lines.


  • Access to Ethernet and USB ports on hardware must be restricted exclusively to authorized personnel, reinforcing data security.


  • In situations where software-based locking is not a viable option, the use of physical port locks is recommended to maintain data integrity and privacy.


  • To prevent hardware failures and data loss, the implementation of redundant power sources is advised wherever compatible with the hardware configuration.


  • For portable hardware devices, it's essential to designate responsible individuals for their removal from the premises, with stringent security protocols in place to address potential loss or theft.


  • Keeping meticulous records when portable hardware leaves the premises and is subsequently returned is pivotal to track and secure these devices effectively.


  • Conforming to encryption policies, hardware passwords should meet security standards, and best practices like maintaining clean desks and screens must be consistently observed to enhance information security.

Environmental and hardware security management in OT environments involves a multi-faceted approach to physical protection and resilience. These measures are essential to protect critical infrastructure and ensure the continuity of operations while mitigating risks from both natural and man-made threats.


General cyber security checks


Security Awareness Training: Provide employees with information security awareness training to elevate their knowledge and consciousness about security practices.


Integration with All Business Processes: Ensure that information security processes are seamlessly integrated into all critical business operations.


Competency Development: Identify the competencies needed for improving information security, plan the necessary training, and enhance the skills of the workforce.


Access Control: Limit access to ICS systems to System Administrators, Specialists, and System Users according to their respective permissions.


USB Port Management: Disable all USB ports on ICS devices, reserving the installation and uninstallation of software to System Administrators only.


Remote Access Control: Restrict the use of software like TeamViewer or AnyDesk for remote access on ICS devices.


Penetration Testing: Engage accredited firms to conduct penetration tests on ICS systems to discover vulnerabilities. Develop action plans to address identified weaknesses and regularly track their mitigation.


Antivirus and Backup Testing: Periodically scan ICS systems with up-to-date antivirus software and test backup and recovery procedures. Extend this practice to engineering programming computers as well.


User Permissions Review: Regularly review and revise user permissions for ICS systems, ensuring that access is limited to necessary personnel only.


Security Enhancements: When needed, add security products such as firewalls, Security Information and Event Management (SIEM) systems, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS) to critical ICS networks.


Firewall Rule Maintenance: Periodically review and update firewall rules to optimize security.


Physical Access Control: Implement card-based access systems in equipment rooms, granting room entry permission only to authorized personnel. Regularly review access permissions according to defined matrices.





Cybersecurity Risk Management: Conduct assessments to anticipate potential damages arising from cyberattacks and develop response strategies.


Logging and Monitoring: Maintain a comprehensive log of all activities on ICS and ensure historical data can be retrieved.


Patch Management for Penetration Test Findings: Keep penetration test findings up to date and manage patches effectively.


Emergency Action Plan: Enhance the emergency action plan to include procedures to follow during cyberattack incidents.


Communication with Regulatory Authorities: Notify relevant regulatory authorities (SOME, EPDK) in case of a cyberattack and establish communication with them.


Password Management: Ensure that passwords for devices in Industrial Control Systems are not set to default or easily guessable combinations. Operator and Administrator passwords should be complex and challenging to crack.


User Authorization Review: Regularly review user authorizations to prevent over-authorization.


Detailed Procedures: Refer to specific sections in the procedure for comprehensive management system details and responsibilities.



Conclusion

In today's world of industry, safeguarding our technology systems, especially Operational Technology (OT), is a big deal. Having a strong OT Security setup is crucial to protect our vital infrastructure from cyber threats that keep changing and getting smarter.

Throughout this article, we've been talking about the key elements of OT Security. It's not just one thing; it's a mix of controlling who gets access, watching the network closely, keeping everything up to date, and making sure everyone knows how to stay safe.


When we put the best ways of doing things in place and make sure our security measures cover everything, we make our technology systems far more resilient. Taking a proactive approach by quickly spotting threats, responding fast if something goes wrong, and making sure everyone on the team knows about cybersecurity is a big part of making our OT systems really secure.


It's not a one-time thing; we've got to keep working on making OT Security better. That means checking things regularly, learning about new threats, and always trying to do things smarter. When our IT folks and the people who work on the systems team up and use the best security practices, we create a strong OT Security environment that keeps our important systems safe and sound.

