Infrastructure and operational security should be top of mind for IT/OT professionals when embarking on modernization or greenfield projects today.  “Defense-in-depth” is the phrase used by many in the security space as the holistic approach to IT/OT security.  This term refers to the idea that systems, where practical, provide levels of redundancy in their security model so that any one failure or breach will NOT cause a complete system-wide event.   Some of the key elements to discuss and consider with your IT/OT team or service provider around security are:

IT Governance /IT Management

IT Governance has multiple dimensions to it and a subset of this is IT Management.  If your organization has formal IT Management documents that provide a complete framework and a body of knowledge with respect to security, use them. In many cases, formal documents on specifically “security” do not exist, so as part of your initiative or project, start developing some IT Management policies and procedures around security.  Documenting these policies and procedures is important for both operational purposes and educating your service providers on the “do’s and don’ts” of system design and access.  The document can be a “working” document that will serve as a great artifact of the project and a framework for others to expand on later.  Some of the high-level IT Management topics to define around security are:

• Policies – What are the rules, compliance (e.g. National/international standards) and guidelines around security?
• Procedures – What are the steps to follow for implementing and enforcing security?
• Design Patterns and Architecture – What standard  security designs or architectures should be prescribed for various network layers or use cases?
• Technology standards – What open standards and vendor technologies are permitted?
• Monitoring and control – How is monitoring and control (enforcement) going to be done?

Physical Security

One of the simplest methods of providing IT/OT security is through physical access restrictions or “air gaps.”  Implementing locked server rooms and/or control panel access is a relatively inexpensive method to deter one of the common vectors for unwanted cyber-attacks.  More elaborate methods utilize card access and biometrics to authorize and track access to key cyber assets.  “Air gaps” are another method to protect cyber assets from network attacks. It is not uncommon to have certain OT networks completely disconnected from other layers within the network architecture, creating an “air gap”.  It is simple and effective but not a prescription for everyone.

Another common vector for cyber-attacks is USB drives (sometimes referred to as “sneaker net”) and open access to network ports.  Part of your security governance should include end-point standard computer configurations and whether they include USB ports at all or whether they have controlled access based on user authentication.  Generally this can be controlled through Group Policies that prevent users from installing devices on end point computers. In the case of open network ports, utilizing port blocking based on IP or MAC addressing may be prudent security measures.

Network Security

Network security is a complex subject, but for the purposes of aligning your IT/OT team or service provider, here are some things to consider:

• Architecture – We discussed this on the topic of Networking, but this will define how and where access is made to the network and the more vulnerable attach vectors.
• VLAN – Virtual LANs can provide isolation and cost reductions in network design by providing “virtual” networks on a shared infrastructure.
• Firewalls (typically Ethernet and IP) – Firewalls essentially control traffic between two adjacent layers in your network. They provide finite control over what Ethernet and/or IP based messages can traverse the firewall barrier.  Next Gen Firewalls (NGFW) include anti-virus and content filtering (deep packet inspection DPI) along with Secure Sockets Layer (SSL) decryption to identify undesirable encrypted applications.
• Demilitarized Zone (DMZ) – A common practice of setting up a physical or logical layer between untrusted (e.g. Internet or business networks) and trusted systems. The DMZ typically restricts or prevents data from directly passing through layers within the network architecture.
• Encryption with Virtual Private Networks (VPN) – This is one of the more common methods for encryption over the wire and it is often used as a method for external access over the internet to private IT assets. This method provides protection against people “snooping” or “eavesdropping” on the wire and seeing the information with tools like WireShark.  However, VPN is not a “magic bullet” solution to cyber security and has vulnerabilities with respect to the users who present attack vectors when connected through their computers.
• Proxy – Proxy servers or devices can keep internal networks more secret by using Network Address Translation (NAT) which makes requests from machines and users on local networks anonymous. Proxy devices are often used in conjunction with Firewalls.
• Identity-defined Networking (IDN) – An IDN is an encrypted overlay network (using Host Identity Protocol – HIP) that uses special hardware on top of existing infrastructure to provide separate end-point identifier from standard IP addressing and is fully encrypted.  This type of security architecture is perhaps one of the most robust on the market today.

Computer/Device Security

One of the primary objectives of Computer/Device security is to protect data.  Two of the main vectors for security breaches on computers today are external device connections to the computer and application level viruses.  External device connections range from standard network cards to USB and Blue Tooth devices.  Application level viruses run as an application on the computer through various masquerades (sometimes using end point computers as a pivot points for other network attacks).

Some of the main remedies for these two vectors are certificates, OS updates and anti-virus software. Typically updates and antivirus software are controlled by IT administrators.  Device access can be controlled through Group Policies on most Operating Systems.  However, careful attention and policies need to be defined around the methods and frequency that updates are deployed.  OT systems typically need regression testing by the manufacturers before they are certified to run on updated operating systems, so standard practices at the business layer for IT administrators do not necessarily apply to OT systems.

In addition, anti-virus software (as well intentioned as it is) can adversely affect OT software performance and in some scenarios cause unplanned downtime.  OT engineers typically prefer to disable or remove anti-virus software for this reason.  Another strategy to consider for high value cyber assets is whitelisting the computers which can be fully tested in advance for any potential performance impacts and prevent zero day threats (as only the “whitelist” set of executables are allowed to ever run on the system).

At the computer/device level, certificates are another consideration for authorizing and authenticating hardware within your systems. This method provides a layer of security to ensure hardware placed on the network is “certified” to be there before it is authorized to use (e.g. Certificate Authorization Server).

Another security measure that should be considered for sensitive data is Data Encryption.  Utilizing applications or hardware level disk encryption (eg. Full Disk Encryption – FDE) can provide another “defense in depth” remedy to cyber-attacks on data.  With today’s currency being “data”, securing it is vital.

Application Security

Access to systems in the IT domain is usually through a centralized Authentication (who are you?) and Authorization (What are you allowed to access?) process (e.g. Multifactor Authentication (MFA) – requires more than one method of authentication).  It’s important to include all the major stakeholders in this discussion as IT and OT requirements around authentication and the methods may have competing interests (e.g. uptime of Authentication services may not be acceptable for OT but perfect for IT).

At the application level, security can be generally categorized as follows:

• No security
• Application specific security – customized security system built into the software application.
• Integrated security into IT Administered MFA (eg. Microsoft Active Directory) – Application authenticates and authorizes based on an external MFA system.

OT software applications in the past had limited security as the driver was operational uptime and ease of access for quick trouble shooting. However, this pattern is changing towards providing MFA and Change Management systems for accessing and modifying systems.  Strict industry vertical requirements often drive the necessity to have tighter control over software applications (e.g. Food & Drugs Administration – FDA), so consideration should be made with your team members on how this should be appropriately handled.

When it comes to custom software development, security is defined around the coding practices.  This encompasses measures and practices to prevent gaps in security of an application.   If your IT/OT team or service provider is developing software, ensure that security is defined as part of the requirements and is “baked” into the Software Development Life Cycle (SDLC) of the developers.

Monitoring Security

Finally, depending on the complexity and scale of your IT/OT project, instrumenting your system with the correct monitoring tools to ensure network and system activities comply with IT/OT policies will be very important.  Intrusion Detection Systems (IDS) appliances and software considerations should be made during the design to ensure components and systems can be monitored.  In addition, these monitoring systems should track and record events for subsequent sequence of event analysis and provide configurable business rules to notify administrators when anomalies occur.

In addition to IDS, Intrusion Prevention Systems (IPS) are another consideration to be made to prevent unwanted activity from internal or external threats (e.g. denial of service attacks).

Wrap Up

The above information should serve as a quick list of things to consider and discuss with your IT/OT team or services provider and other stakeholders when embarking on initiatives or projects with respect to security.

» Read more from the IT/OT Executive Series

References

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
Proactive Protection Through Industrial Networks
International Information System Security Certification Consortium, Inc., (ISC)²®
National Institute of Standards and Technology – Computer Security Resource Center (CSRC)
SANS Institute

This post was written by Chris Gray, P.Eng. Chris is the VP of Technology Solutions at Cogent Industrial Technologies, a recognized leader in IT/OT solutions and project management.