OT Security 101
Operational Technology (OT) security protects critical infrastructure and industrial control systems from cyberthreats using best practices and technologies. Before diving into OT, let's first understand the difference between OT and IT.
The main difference between IT and OT is that IT deals with the management and processing of data, focusing on systems such as applications, databases, servers, and networks to support business operations and information exchange. OT, on the other hand, refers to the technology used to monitor, control, and automate physical devices, processes, and systems. In short, IT systems focus on data integrity and security, while OT systems prioritize the reliability, availability, and safety of physical components.
Why OT Security Matters
Securing critical infrastructure is vital to ensuring the American people have access to essential services like drinking water, electricity, and food. Protecting high-value industries such as chemicals, communications, and healthcare from cyberattacks is equally critical. OT security plays a crucial role in achieving these goals.
OT helps improve business process efficiency through automation and real-time data analytics, enabling industries to optimize production and reduce waste. By integrating OT with existing infrastructures, it can reduce downtime through predictive maintenance. For instance, OT can detect and address issues before they escalate into failures, allowing companies to minimize disruptions to daily operations.
Most importantly, OT helps improve safety and security within companies. Advanced monitoring, control, and alarm systems enable businesses to quickly detect and mitigate potential risks or hazards. This not only helps companies mitigate cyberthreats but also reduces the risk to employees, especially those in industries like oil and gas, chemicals, and power generation, where safety is paramount. Securing OT can save lives and protect assets.
OT Security Challenges
Despite OT playing a pivotal role in industrial control systems and critical infrastructure, there are many challenges in the OT security space.
Below are a few of the main challenges in OT security:
1. Legacy Systems and Limited Patching Options
Legacy or constrained systems with old, unpatched vulnerabilities are a major concern in the OT space. Many OT systems are built on outdated legacy protocols, making it difficult to implement security measures without significant upgrades or patches. This leaves them vulnerable to known exploits, as attackers can target these vulnerabilities with confidence.
Because they are built on outdated legacy platforms that many vendors no longer support, many OT devices have limited processing power, memory, and storage. This makes it challenging to run security software or apply frequent updates and patches. Updating or patching OT systems often requires downtime, which can be frustrating for the employees who rely on those systems to do their work.
2. Network Segmentation
OT environments often operate in isolation from IT networks to protect critical systems. However, this isolation can create challenges in monitoring and managing security risks. In his RSAC 2024 presentation, Christopher Walcutt, Chief Security Officer at DirectDefence, stated, "Segmentation is a big challenge in the OT space. The protocols used in the OT space are not your typical IT protocols. It's not just the standard traffic – it's certain protocols used for specific functions that most IT tools don't understand and can't interpret."
In IT, organizations simply roll out an agent that can collect all the information from the endpoints and feed it to other data sources. Walcutt explained that in the OT space, there are no agents in programmable logic controllers (PLCs), so organizations need network traffic analysis to inspect the traffic. He also highlighted that most OT platforms don't communicate with the outside world through their firewalls, so if there's activity behind that firewall, organizations won't be able to see the general day-to-day operational traffic.
Since OT networks are mostly flat, Walcutt said that organizations will need to make changes to the network to create choke points. Without these choke points, there's no control, and to gain visibility into OT activities, organizations need to segment their networks. This can be challenging: 28% of service engagements involved issues with improper network segmentation or improperly configured firewalls, and 70% of OT-related incidents originated from within the IT environment due to improper network segmentation.
3. Limited Security Visibility
Given that traditional security tools may not be suitable for monitoring OT environments due to their unique protocols, devices, and outdated legacy systems, it becomes challenging to monitor traffic in OT systems.
A recent report highlights a significant decline in organizations reporting 100% visibility of OT activities within central cybersecurity operations (from 13% in 2022 to 10% in 2023 and down to only 5% this year), as illustrated in the image below. This lack of visibility can hinder timely detection and response to threats.
4. The Inadequacy of Traditional Penetration Testing for OT
Penetration testing (pen testing) in OT environments presents unique challenges compared to traditional IT systems. Due to limited visibility, it can be difficult to assess and secure all potential vulnerabilities during a pen test. Additionally, as OT systems are often located in physically secure environments (e.g., industrial plants or power stations), access for testing is limited and requires careful coordination with operational teams.
Traditional IT security tools are primarily designed for IT systems, focusing on standard IT protocols and scenarios. Consequently, they often fall short in fully supporting OT-specific protocols and scenarios, leading to incomplete vulnerability assessments.
To learn more about OT penetration testing, watch this RSAC virtual seminar. In the first presentation, Ric Derbyshire, Senior Security Researcher at Orange Cyberdefense, and Charl van der Walt, Head of Security Research at Orange Cyberdefense, delve deeper into the topic.
Time to Act: Safeguard Your OT Systems with Best Practices
OT security and systems are vital in protecting our critical infrastructure and industrial control systems, so organizations must use best practices and collaborate to mitigate risks in the OT space. The best practices and considerations below highlight where to start.
Risk Assessment: Conduct a thorough risk assessment to identify potential threats and prioritize patching efforts. CISA offers guidance for industrial control systems and critical infrastructure on how to conduct a risk assessment, which can be found on their website.
Segmentation: Isolate legacy systems from the broader network to minimize the impact of potential breaches. As Walcutt stated, organizations need to change their network to create choke points in order to gain control of, and visibility into, day-to-day operational activities.
Monitoring and Alerting: Implement robust monitoring and alerting systems to detect anomalies and respond quickly to threats.
Consider Replacement: Develop a long-term plan to replace legacy systems with more modern, secure alternatives. This way, organizations can conduct penetration tests, updates, and patching successfully.
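The segmentation and monitoring practices above both come down to the same idea Walcutt describes: put a choke point between zones and inspect the OT protocol traffic that crosses it, because IT tools don't decode it. The following is an added example written for this post (it is not code from RSAC, DirectDefence, or any vendor) that shows what that inspection looks like in miniature. It assumes Modbus/TCP as the OT protocol, which the post itself never names, and the zone addresses, the per-zone policy, and the sample flow records are all constructed for illustration. It parses the Modbus/TCP header to recover the function code, maps the source address to a zone, and raises an alert when a zone issues a request its role does not permit (for example, a historian that should only read, or a corporate IT host that should not speak Modbus at all).

```python
"""Choke-point inspection of Modbus/TCP requests (added example, not from the post).

Modbus/TCP frame layout (MBAP header + PDU):
  transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1) | function code (1) | data
The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_PORT = 502
READ_CODES = {1, 2, 3, 4}            # read coils/inputs/holding/input registers
WRITE_CODES = {5, 6, 15, 16, 22, 23} # single/multiple writes, mask write, read-write
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    43: "Encapsulated Interface (Device Identification)",
}

# Constructed zones: which subnet sits on which side of the choke point.
ZONES = {
    "ot_cell": ipaddress.ip_network("192.168.50.0/24"),     # PLCs and local HMIs
    "engineering": ipaddress.ip_network("10.10.0.0/24"),    # engineering workstations
    "historian": ipaddress.ip_network("10.20.0.0/24"),      # data collection only
    "it_corporate": ipaddress.ip_network("172.16.0.0/16"),  # should never reach PLCs
}

# Constructed policy: the Modbus function codes each zone is allowed to send.
# A zone absent from this table is allowed nothing.
POLICY = {
    "ot_cell": READ_CODES | WRITE_CODES,
    "engineering": READ_CODES | WRITE_CODES | {43},
    "historian": READ_CODES,
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Decode the MBAP header and function code; return None for malformed frames."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(transaction_id, unit_id, payload[7], payload[8:])


def build_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Assemble a well-formed request frame (used here only to construct sample traffic)."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def zone_of(address: str, zones=ZONES) -> Optional[str]:
    ip = ipaddress.ip_address(address)
    return next((name for name, net in zones.items() if ip in net), None)


Flow = Tuple[str, str, int, bytes]  # (src ip, dst ip, dst port, tcp payload)


def check_flows(flows: List[Flow], zones=ZONES, policy=POLICY) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) alerts for Modbus requests the choke-point policy forbids."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue  # not Modbus/TCP; other protocols need their own decoder
        request = parse_modbus_tcp(payload)
        if request is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        zone = zone_of(src, zones)
        if request.function_code not in policy.get(zone, set()):
            kind = "write" if request.function_code in WRITE_CODES else "read/other"
            name = FUNCTION_NAMES.get(request.function_code, "unknown")
            alerts.append((src, dst, f"{kind} fc={request.function_code} ({name}) "
                                     f"not permitted from zone {zone or 'unknown'}"))
    return alerts


# Constructed sample flows crossing the choke point toward PLCs in the OT cell.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.0.5", "192.168.50.20", 502, build_request(1, 1, 3, struct.pack("!HH", 0, 10))),   # engineering read: ok
    ("10.20.0.15", "192.168.50.20", 502, build_request(2, 1, 16, b"\x00\x00\x00\x01\x02\x00\x2a")),  # historian write: alert
    ("172.16.5.9", "192.168.50.20", 502, build_request(3, 1, 6, struct.pack("!HH", 1, 1))),    # corporate IT write: alert
    ("10.10.0.5", "192.168.50.20", 502, b"\x00\x01\x00\x00\x00\x02\x01"),                    # truncated frame: alert
    ("10.20.0.15", "192.168.50.21", 502, build_request(5, 1, 4, struct.pack("!HH", 0, 4))),   # historian read: ok
    ("10.10.0.5", "192.168.50.20", 443, b"not modbus"),                                      # other port: ignored
]

if __name__ == "__main__":
    for src, dst, reason in check_flows(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

Run stand-alone, it prints three alerts: the historian attempting a write, the corporate IT host attempting a write, and the truncated frame. The point is not the specific table of function codes but the shape of the control: a sensor at the choke point that understands the OT protocol well enough to tell a read from a write, combined with a per-zone allow list, gives the visibility the post describes without installing anything on the PLC.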
By taking these steps, organizations can significantly enhance the security of their OT environments and protect their critical infrastructure and industrial control systems from cyberthreats.