Security of the operational technologies (OT)

Operational technologies, or OT, are the critical network segment used by the enterprises which make goods or are engaged in physical processes. Such industries as production chemical petrogas mining industries, transport and logistic spheres use specialized technologies for object management: assembly and production sites and power supply systems. Control, monitoring and management of these systems were gradually automated for the last several decades, and the specialized systems which carry out these tasks, data SCADA OT are called industrial management systems (ICS), dispatching control and collecting () or just.

Networks in which these OT systems work were traditionally separated of corporate environment information technologies (IT) and also from Internet are often separated by an air layer. They usually are controlled operation personnel, but not IT specialists. Production capacities can bring to the company millions dollars per hour, and communities rely on crucial infrastructure, the providing pure water and energy. When these systems fail even for several minutes, it can cost hundreds of thousands of dollars and even to put at risk of workers and surrounding people.

In other words, the IT is data management, and OT - creation of things. And as these OT systems were completely isolated, the world of OT felt unreceptive to cracking which became a life fact for IT environments. But attacks to OT changed a usual order of things.

2020: The number of cyber attacks to OT - infrastructure continues to grow

According to the experts Fortinet, the number of cyber attacks in 2020 continues to grow in systems and infrastructures of OT, and they cause the actual damage. Possibly, the first such attack to Stuxnet happened ten years ago. It was a system with air gap, i.e. it had no communication with external networks, but, nevertheless, was cracked. In 2017 the racketeer of NotPetya interrupted production and closed offices. The same year, the malware Trisis/Triton damaged security aids in the equipment for oil and gas production. And in 2020 there was Ekans, or Snake Ransomware which is specially intended for the ICS systems.

First, the air gap never provided complete security though isolation really complicated cracking of the OT system. Receiving physical access was always possible using tools of social engineering, such as leaving of the infected USB flash card on the parking or sure pass on the organization territory under the guise of the employee. Secondly, access for maintenance to industrial machines, remote update of the ICS tools or remote updates of the built-in software – all this leaves potential vulnerabilities in the OT environment.

But the most important, IT and OT networks integrate, subjecting OT to the attacks through the world of IT. Consolidation of data with production allows the companies to react quicker to market changes and far off to manage and control systems. But these business benefits are integrated to real risks. The new malware which is specially intended for the equipment of OT uses components of investigation and delivery which use the IT environment and its network connections for gaining access to industrial management systems.

For example, the malware Trisis/Triton contains the components intended directly for the security system and monitoring used by petroleum chemical plants. Such attack is directed to OT. But processes, procedures and methods which she uses to get into this security system are net methods of investigation and delivery of IT cyber attacks, emphasized in Fortinet.

Despite additional risk for OT networks, convergence of IT/OT happens because it makes financial and operational sense. Operational groups implement the complex systems of management using the software and databases which work at IT systems. Such things as thermostats and valves with support of Wi-fi, can be controlled and be controlled far off through IT infrastructure, and chief financial officers do not like costs for the separate networks or separate groups necessary for their work.

Consolidation of the world of IT and OT provides big process performance and business. Thus, convergence happens, and it is necessary to recognize that it increases cyberrisk in several ways, are convinced of Fortinet.

First, it expands what is called "the surface of the digital attacks" that is a fancy method to tell that hackers have much more devices for targeting. The number of Web servers, branches, distant and house employees and IoT devices promptly grows, and each of them is a potential way to IT network and, finally, in the OT environment. The same way, many OT systems which are connected to IT network can be older, sensitive systems which give in to cracking much more simply.

Besides, threats become more and more sophisticated. The same as the companies are exposed to digital conversions and develop the universal software, malefactors use the same methods for creation of very difficult and universal malware. In their attacks different mechanisms for penetration into IT environments are used, and in the increasing degree – in the OT environment, at the same time means of protecting of the company are avoided.

As for security tools, there is a lot of them that management of threats in some respects became more difficult, than ever. Polls showed that most large enterprises have from 30 to 90 different tools of security from almost all suppliers. They have the different management consoles and demand the trained personnel which would understand them. In too many cases security service specialists have no time to penetrate into specifics of operation of each tool. Cyberthreats can get lost literally in this confusion.

And, at last, the regulations regulating cyberviolations and protection of personal information complicated security for managers of IT and OT even more. There are general standards, such as PCI DSS (Specification of data security of the industry of payment cards), GDPR (The general regulation of data protection) and Structure of a NIST (National institute of Standards and Technology) which the organizations should understand and observe. There are also industry standards and standards from the different organizations, such as International Organization for Standardization (ISO) and American national standard institute (ANSI) which define as well as where security should be applied.

In many cases, so far as concerns the ICS or SCADA systems, huge deficit of investments into security is observed. For this purpose there is a lot of reasons, but irrespective of why so occurs, this situation needs correction. No matter, whether the IT and OT organization integrates, it is necessary to protect OT using several key methods for security:

• 1. Recognize that the risk for the organization grows and to take measures.
• 2. Install the tools providing the wide overview of OT network and also IT. It includes detection and inventory of devices, ensuring access control only for the authorized personnel and gaining access to applications and traffic.
• 3. Use segmentation strategy. Integrate gateways with strict politicians between the IT and OT environments and do the same between different levels of OT network. The purpose consists in that each system and a subsystem performed only the work. Segmentation prevents distribution of the attack from one place on all system.
• 4. Replace open model of access on the basis of trust with the strategy of access with zero trust. Set controls access which authenticate users limit only them to those systems which are necessary for them for accomplishment of the work, and then control them at connection to network. It should be applied to all, but it is especially important for contractors and suppliers.
• 5. Use automation to help to analyze actions and to accelerate the answer. Implement tools for registration of activity, to analyst for search in those magazines which look for abnormal behavior, and security systems which can react to the detected threat. Considering the speed to which there can be attacks, automation and the orchestration are necessary for identification of threats and taking measures in read seconds.
• 6. Set processes for audit and testing of systems in case of cracking and create rules for backup, recovery and recovery.

You See Also

• Information security of an APCS QUO
• Protection of critical information infrastructure of Russia
• Critical infrastructure of Russia