To most people in IT, what happens inside operational technology (OT) networks is a bit of a mystery. They’re hidden networks that keep everything from critical infrastructure to manufacturing humming along. As long as they work, they get very little attention.
What happened at a water treatment plant in Oldsmar, Florida, in February 2021 is often cited as the warning shot not to take this for granted: The authorities claimed someone hacked into the town’s water treatment system and, alarmingly, changed the levels of highly caustic sodium hydroxide entering the water supply from 100 parts per million to 11,100 parts per million.
Panic ensued about what this implied about the safety of public infrastructure in the US — although it later emerged that the incident might have been an internal mistake all along. But the point raised was important: hacking OT systems held life-threatening potential.
Now the national cybersecurity agencies of nine countries — Australia, the US, the UK, Canada, New Zealand, Germany, the Netherlands, Japan, and South Korea — have endorsed new guidelines that urge organizations managing OT networks to address their threat levels.
Authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and backed by the US National Security Agency, the Principles of operational technology cyber security (PDF) lists the six principles and practical steps that organizations should be guided by, whether they’re securing critical infrastructure or a small production line.
The first three — safety is paramount, knowledge of the business is crucial, OT data is extremely valuable and needs to be protected — are broad ideas one might assume could be taken as read.
The remainder — segment and segregate OT from all other networks, the supply chain must be secure, people are essential for OT cybersecurity — are more practical in outlook.
Too open
This advice coming out of national security agencies doesn’t hold the same weight as the detailed best practice guidelines from organizations such as NIST but will doubtless still be noticed across the industry.
When you reduce OT security to first principles it all sounds so easy, and security managers know that tightening OT security should be a priority. It’s just that it’s not easy to do.
The first problem is that OT is a diverse category of networks that in some cases have evolved over decades. There is no typical OT network, and the risk is that this leads managers to see their network as a special case.
A second issue is how OT networks are connected, or not, to the networks that run office IT systems, and that separation extends to the people who run OT. OT is highly specialized, and the teams looking after these networks are often separate from, or even physically remote from, the main IT team.
OT networks themselves are almost always deliberately isolated from other IT systems, but not always completely so. One difference the guidelines note is that the data OT operators should protect differs greatly from that of other networks. For OT, sensitive data is anything that gives attackers special knowledge of its operation, for example voltage or pressure levels, or the location of specialized controllers.
“This information is unlikely to change in five years and may last for 20 or more years. As such, engineering configuration data has enduring value and is highly valuable to an adversary,” the document points out.
Securing this requires that organizations lock down where data can be stored, especially if that’s in an external document management system vulnerable to compromise.
The authors are also worried about the internal openness of OT networks, which they say often allow devices to communicate in a multicast one-to-many mode with no encryption. This offers a target for attackers trying to infiltrate OT via device supply chains.
Tool sprawl
Jeff Hall, an OT expert and principal security consultant at NCC Group, was broadly positive about the document but noted oversights in what is a broad-brush overview.
“One potential gap is the limited emphasis on automation and AI in monitoring and incident response, which could enhance resilience,” he said in comments sent to CSO Online. Prioritization was another challenge.
“OT decision-makers are likely to run into challenges in following these principles, specifically with regard to balancing operational uptime with security, managing supply chains and enforcing security standards, and bridging the cultural gap between OT and IT teams.”
Hall’s advice was for decision makers to focus on applying the principles of zero trust in OT environments, conducting regular audits, and paying close attention to threat intelligence specific to these environments.
The larger question unaddressed by such a brief document is what weaknesses OT networks manifest under real-world conditions. One that featured in a recent report by industrial systems security vendor Claroty is the way once-isolated OT networks are now often peppered with risky remote-access ports.
The company scanned 50,000 devices from 120 customers and found that more than half of them used four or more remote-access tools to connect their OT systems with the outside world.
Many of these had been designed for use in IT environments and were not secure enough for OT environments. Simply managing the security vulnerabilities introduced by these tools could quickly become a burden in OT.
This echoes the point made by Hall about the need to conduct audits. OT managers should start their security assessments by gaining visibility on the hidden weaknesses introduced by the mixing of IT and OT systems.