Between a rock and a hard place
When talking about OT-Security, everyone is quick telling you what you can’t do. We are perfect at explaining why Operational Technology (OT) is different from IT.
When assessing OT-Security, there is no report that is not bloody red. Moreover, many findings and vulnerabilities are just the same, cross company, cross industry, cross country.
We see more incidents that impact OT environments every year. More interest from organized crime that attack for the money. More holes punched into the firewalls for the purpose of digitalization.
Sounds familiar? Then ask for solutions. Usually, it will either be quiet then, or you will learn that “it depends”. In cybersecurity, it’s easy to get buried in vulnerabilities and compliance details. The real game-changers are activities that scale—those that significantly reduce a company’s overall cyber risk posture when applied broadly.
Relief ahead?
We are certainly not stopping innovation and digitalization. But this does not mean water is rising while the same problems hold us down. Security technology improves, too. But let’s go step by step.
First, you need a secure blueprint. Every new machine that is built and integrated should be secure by design. Your blueprint should incorporate that the devices may eventually be out of support and hopelessly vulnerable, as your legacy devices are right now. But they can be separated on an identity and network level, meaning a controlled network zone and separated identity and access management (yes, separate Active Directory!) so the vulnerable equipment will not put other systems at risk. Imagine a big lake with all your existing systems at risk. You don’t want to throw your new ones in there, do you? Your security measures need to be in the blueprints of machine builders and network integrators.
Second, to be efficient, you go top down. Introduce boundaries on the network level and make sure you define them as narrow as possible. The vast majority of incidents moves from the IT to the OT. Fixing a specific security issue on a device, and this includes patching, when possible, will not help you when the device is not designed for security. A device that crashes on a port scan will not pose lower risk even if you fix a certain vulnerability. And a device that has no proper access control will allow an attacker many ways of manipulation, even if it is up to date from a firmware perspective. Separate location from location, hall from hall, segment from segment.
Third, no more baby steps. Jump! Leverage the power of Software-Defined Networking (SDN) for better network management. SDNs flexibility allows for efficient segmentation, isolating vulnerable devices and safeguarding critical systems. Enhanced connectivity speeds and protocols improve device interaction, but also increase the need for tight security. SDN can be deployed using gateway appliances in the OT networks, as well as software agents on standard OS systems. It allows you to operate connectivity centrally and efficiently, without the need to decide which firewall rule needs to be set up on which firewall to route traffic through your networks.
Identity-based remote access changes the game. By implementing identity-based access, you define who has permission to access what, making the organizational framework more secure and structured. This is crucial because, in operational technology (OT), each access point is a potential vulnerability. By controlling access on a network layer, you can ensure that users, once they have access to a machine or a system, cannot pivot to other areas within the network. This isolation restricts the potential paths for unauthorized access and secures different segments of the network against unforeseen vulnerabilities and exploits.
Conclusion
I understand that a technology jump seems expensive and intensive, but there are shifting paradigms within security technologies and connectivity. According to Forrester’s security survey from 2022, over 60% of companies plan to increase their investment in network security. Network management has been evolving for a long time, predominantly following a consistent logic. By restructuring your networks now with software-defined features, you can significantly enhance operational efficiency and potentially reduce costs associated with multiple layers of security products.
Our security efforts have in large parts concentrated on implementing controls for business applications. However, it’s crucial not to overlook the security provided by our infrastructure and networks. The situation with OT underscores that, even when vulnerabilities cannot be resolved, a secure infrastructure can prevent large-scale cyber incidents.
Now, answering the title question: I think control systems become more standardized and replaceable, and vendors have learned to implement better security. However, a more rigorous approach can help to focus your security efforts: If a device is not on the latest patch level, or otherwise vulnerable, your infrastructure has to protect it, no matter if you know all the vulnerabilities in detail or not.