As the frequency of cyberattacks increases — often with a higher level of sophistication in order to evade detection — it's easy to see why organizations are investing in security technologies, such as automation, that can respond more efficiently to potential attacks after certain conditions have been met.
The effects of a successful attack can take many forms, including unauthorized disclosure of client data, loss of client trust, litigation, financial loss (including heavy penalties), and damaged brand reputation. While these impacts sound bad — and they are — they often pale in comparison to the potential implications of a breach in operational technology (OT) and critical infrastructure environments, which can also include safety concerns and loss of life.
By improving how they protect their IT networks, organizations can achieve more immediate risk reduction, shorten the time needed by defenders to counter an attack and maximize the use of investments and human resources. So, why do we often see less proactive efforts in OT?
First, on the business (IT) network the implications of inadvertently blocking a connection are unlikely to lead to a catastrophic event, so there is a bit more flexibility in where controls can be automated. Second, a higher rate of cyberattacks is seen at the external perimeter than at the perimeter of the OT networks, which reminds us that controls on the business network are often the first lines of defense for OT. While both are valid reasons, it doesn't mean a higher level of cybersecurity maturity can't be achieved in OT environments.
Proactive controls in OT are nothing new. Thinking back to the days of the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program, the consortium came together to evaluate application whitelisting, a security technology designed to maintain a list of authorized executable files and then automatically block the execution of any files not on that list. This is a great example, from nearly a decade ago, of proactive controls used in the higher levels of OT — and the business case wasn't much different than it is today.
When many people think of OT networks, they think of the sensors and actuators that do tasks, such as opening valves, turning on pumps, raising temperatures, and adding chemicals. These devices reside in Levels 0, 1, and 2 of the Purdue Model and are at the core of what monitors and controls that site. Because many endpoint security technologies, such as application whitelisting, are designed to be installed on IT-type devices, such as workstations and servers, these solutions typically are not applicable to these industrial assets residing in the lower levels.
However, there are many other supporting assets residing in Levels 3 and 3.5 (the OT DMZ) that are less critical and may include devices such as domain controllers, remote access jump boxes, antivirus and patching servers, historians (a historian collects data points over time from many different areas of the plant so decisions can be made on that data at a later point), and much more. This is a great potential area to begin proactive security improvements because these assets more closely resemble traditional IT-type devices supporting the OT environment — but more importantly, they often do not have a direct impact on operations. For these reasons, Levels 3 and 3.5 are a great starting point for automating cyber controls in OT.
Taking proactive steps in these levels provides some significant advantages over the adversary. A simple example might be leveraging a continuous network monitoring solution to detect malicious or anomalous traffic at Level 3.5, which is where business network traffic typically enters the OT environment. Then, once activity is detected, an alert could be generated, followed by the creation of a firewall policy to automatically block that host while simultaneously opening a support ticket assigned to the appropriate group for any follow-up actions.
Another example could be when a new host, undefined in the network baseline, begins communicating with the human-machine interface or engineering workstation. An appropriate action may be to automatically block those unauthorized connections while, of course, also generating an alert and support ticket. These actions are prudent in today's environment and are just a couple of basic examples that leverage the benefits of automation.
While some may hesitate at the idea of automatically blocking any communications on the OT network, there are many options, which depend upon one's comfort level. For example, in either of the previously mentioned scenarios, an alert and ticket could have been generated without implementing a block. Other options would be to automatically add or update any discovered assets in the configuration management database, push critical events to the security information and event management system, disable unauthorized USB devices, change the virtual LAN of an asset if certain criteria have not been met, or validate and remediate antivirus and patch compliance gaps for transient laptops. The options, while not endless, are certainly abundant and allow for a wide range of actions while taking advantage of existing investments the company has made.
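The two automation scenarios above (an unbaselined host reaching the HMI or engineering workstation, and the choice between an alert-only and a blocking response) as a small worked example. This is added illustration code, not from the original article or any vendor product; the addresses, asset roles and rule syntax are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed network baseline for a Level 2 / 3 / 3.5 segment (hypothetical addresses).
BASELINE = {
    "10.1.3.10": "historian",
    "10.1.3.20": "jump-host",
    "10.1.2.5": "hmi",
    "10.1.2.6": "ews",
}
# Assets whose unexpected peers trigger the workflow in the text.
PROTECTED = {"hmi", "ews"}


@dataclass
class Response:
    alerts: list = field(default_factory=list)
    tickets: list = field(default_factory=list)
    firewall_rules: list = field(default_factory=list)


def evaluate(flows, mode="alert_only"):
    """Run one batch of (src, dst) flow records through the workflow.

    mode="alert_only": raise an alert and open a ticket (the lower-risk option).
    mode="block": additionally emit a deny rule for the offending host.
    Baselined hosts are never blocked, and one ticket/rule is raised per host.
    """
    resp = Response()
    seen_hosts = set()
    for src, dst in flows:
        if src in BASELINE or BASELINE.get(dst) not in PROTECTED:
            continue  # known host, or the target is not an HMI/EWS
        msg = f"unbaselined host {src} contacted {BASELINE[dst]} {dst}"
        resp.alerts.append(msg)  # one alert per observed flow
        if src in seen_hosts:
            continue  # ticket and rule already raised for this host
        seen_hosts.add(src)
        resp.tickets.append({"assignee": "ot-security", "summary": msg})
        if mode == "block":
            resp.firewall_rules.append(f"deny ip host {src} any")  # placeholder syntax
    return resp


# Constructed sample flows: 10.1.99.7 is not in the baseline and talks to both the EWS and HMI.
SAMPLE_FLOWS = [
    ("10.1.3.10", "10.1.2.5"),  # historian -> HMI, baselined, ignored
    ("10.1.99.7", "10.1.2.6"),  # unknown -> EWS
    ("10.1.99.7", "10.1.2.5"),  # unknown -> HMI
    ("10.1.99.8", "10.1.3.10"),  # unknown -> historian, not a protected role
]
```

Running `evaluate(SAMPLE_FLOWS)` yields two alerts and one ticket with no firewall change; `evaluate(SAMPLE_FLOWS, mode="block")` adds a single deny rule for 10.1.99.7.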
Each of these is a step in the right direction toward proactive security in OT environments. In the end, it's about risk reduction and balancing the needs of the business while ensuring that the site continues to run — and run safely.
Any good cybersecurity program is not implemented overnight but, rather, can take years to get into place. Even then, it is a constantly evolving journey that requires adaptation to our changing times. But we cannot neglect OT networks as part of this journey, even in just taking manageable baby steps and working toward milestones in Levels 3 and 3.5 to meet the organization's security goals and objectives.