Convergence of industrial Operational Technology (OT) and Information Technology (IT) comes with countless benefits but it also brings many new cyber security concerns. The physical consequences of a security compromise in systems such as water supply, electrical substations, or manufacturing robots could be catastrophic.
Unfortunately, OT infrastructure and Industrial Control Systems (ICS) can’t be fully protected with traditional cyber-security standards and appliances, which is something that puzzles every cyber security professional.
In this article we’ll present a robust ICS Cyber Security Solution that can protect your entire ICS from security threats. Using ICS cybersecurity best practices and deploying the right ICS Security Gateway can guarantee a secured industry!
The End of Air-gapped Industrial Control Systems
Traditionally, field industrial control systems such as PLCs and actuators like conveyor belts, water valves, or robotic arms were air-gapped. In other words, these industrial devices or processes were physically isolated from unsecured networks, such as the Internet or unsafe LANs.
Being an air-gapped network meant that there was no reason for OT cyber-security.
But with the great benefits of ICS remote monitoring and control, these industrial devices gradually gained IP connectivity. Now, most OT and ICS infrastructure is IP-enabled. On the positive side, being IP-enabled means that all of these industrial processes and devices can be interconnected and managed remotely, which is the underlying concept of the Industrial Internet of Things (IIoT). Another great advantage is that these ICS devices are now open to new technologies such as Machine Learning and Big Data.
But there is a drawback.
Connectivity to external networks can be beneficial, as highlighted above, but at the same time it means that these mission-critical industrial applications are now exposed to public networks.
IP-enabled OT devices create potential back-doors that could introduce harmful risks, not only from intentional malicious external attacks but also from human-made internal errors. These threats affect not only corporate and monitoring IT networks, but also the whole industrial infrastructure.
Cybersecurity Challenges of OT and IT Domains
For a long time, OT and IT were two separate domains. But as industries evolve to Industry 4.0, all those IP-enabled OT systems now rely on computing, programming, and data: pretty much all the fundamentals of Information Technology (IT).
The new IIoT devices such as sensors, actuators, cameras, scanners, and embedded systems depend on the OT physical management processes but also on IT information management.
This brings three new challenges:
- OT and IT security priorities are not the same.
- OT and IT cyber-security standards and protocols are still not the same.
- Unsegmented IT and OT domain networks are very risky.
This OT and IT convergence is blurring the lines between how we manage information and how we manage machines. IT personnel are now being handed OT responsibilities and vice versa. When the IT manager and the plant manager meet, there are often communication gaps and conflicts that lead to security risks.
In the plant, the security concerns of an IT cyber-security professional are really different from those of an OT plant operator. While the OT operator might be concerned with highly available devices and human safety, the IT professional is concerned with data integrity and confidentiality.
Below is a table with the key differences between IT and OT.
|Information Technology (IT)|Operational Technology (OT)|
|---|---|
|Data Integrity and Confidentiality|Human and machine safety|
|Network devices, workstations, servers, mobiles, etc.|Industrial devices PLCs,|
The other challenge is that not all industrial OT/ICS processes and devices run on the same IT standards. An IT cybersecurity professional attempting to “cyber-secure” the OT infrastructure with inadequate IT security processes could, in fact, harm the physical operations of these OT and ICS systems.
To solve this…
A comprehensive ICS Cyber Security solution can start bridging the gaps between these two domains. Such a solution puts in place protection for all the endpoints (IT and OT), separates the OT and IT networks, and provides perimeter protection with an intelligent firewall.
A Comprehensive ICS Cyber Security Solution
The following diagram shows a basic ICS network. To provide security to a network such as this one, it is critical to protect the endpoints, from workstations and surveillance cameras to PLC controllers. It is also important to segment the networks, which can be done with VLANs or firewalls. Finally, an ICS Perimeter Firewall provides full visibility and protection from malicious external attempts.
- Protect the Endpoints
Threats coming from the inside network are the most common and easiest. Every employee and contractor that connects their own device to the network locally (LAN) or remotely (WAN) opens a new potential door to the ICS. Therefore, it is critical to:
- Identify the endpoints. Scan the network and discover critical elements.
- Harden through software. Maintain top-security on each of these devices through Anti-Malware and Host Intrusion Prevention Systems (HIPS) policies. Also, it is important to keep track of any unauthorized changes made to these endpoints.
- Harden physical devices. Protect local devices against on-site tampering by hardening physical security.
- Segment the Networks
ICS edge devices like sensors and field industrial controllers such as PLCs and DCSs must be protected from the external networks and from internal corporate networks. Although attacks would almost always be intentional malicious external attacks, there could also be unintentional internal cyber-security errors that could harm ICS availability. This is why it is critical to separate IT and OT domains.
A device such as Lanner’s LEC-6021 is designed to protect the communication between OT and IT domains. It creates network segments and groups devices with similar functions.
- Deploy Tailored ICS Security Appliances
An industrial firewall (or ICS security gateway) is a key element in the ICS Cyber Security. A device such as Lanner’s LEC-6021 offers a robust platform for an industrial firewall that can protect industrial control systems and other devices from unauthorized access. It establishes zone boundaries between critical areas (such as IT and OT) and prevents unwanted traffic.
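One way to check that the IT/OT segmentation described in the steps above actually holds, shown as an added example that is not from the original article or from Lanner: the Python below audits flow records against a default-deny zone policy with explicitly approved conduits. The subnets, conduit list, and flow records are constructed assumptions, since the article gives no addressing.

```python
import ipaddress
from typing import NamedTuple

# Constructed zone plan (assumption, not from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

class Conduit(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int

def _net(cidr):
    return ipaddress.ip_network(cidr)

# Approved cross-zone paths; any other boundary crossing is a finding.
CONDUITS = [
    # OT data collector pushes readings to the IT historian over HTTPS.
    Conduit(_net("10.20.5.10/32"), _net("10.10.8.20/32"), "tcp", 443),
    # Engineering jump host reaches the PLC subnet over Modbus/TCP.
    Conduit(_net("10.10.9.5/32"), _net("10.20.1.0/24"), "tcp", 502),
]

def zone_of(addr):
    """Return the zone name for an address, or EXTERNAL if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, n in ZONES.items() if ip in n), "EXTERNAL")

def audit(flows):
    """Return flows that cross a zone boundary without an approved conduit."""
    findings = []
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic is outside this check
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in c.src and d in c.dst and (proto, port) == (c.proto, c.port)
                   for c in CONDUITS):
            findings.append((src, dst, proto, port, f"{sz}->{dz}"))
    return findings

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.3.44", "10.10.8.20", "tcp", 443),   # IT to IT
    ("10.20.5.10", "10.10.8.20", "tcp", 443),   # approved historian push
    ("10.10.9.5", "10.20.1.17", "tcp", 502),    # approved jump host
    ("10.10.3.44", "10.20.1.17", "tcp", 502),   # office workstation to PLC
    ("203.0.113.9", "10.20.1.17", "tcp", 502),  # outside address to PLC
    ("10.20.1.17", "10.10.3.44", "tcp", 445),   # PLC subnet to office host
]
```

Calling `audit(FLOWS)` returns the last three records, each labelled with the boundary it crossed.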
The Solution: An Industrial Firewall to Protect ICS Perimeters
Traditional firewalls wouldn’t last in the same extreme conditions that OT machinery usually faces. The industry floor is not the same as an air-conditioned data center. Power plants, oil rigs, manufacturing plants, and electrical substations face extreme conditions.
Aside from segmenting networks and filtering traffic, industrial firewalls are built to run under extreme conditions. These devices are designed to operate reliably in harsh industrial environments that are dusty, wet, and subject to extreme temperatures.
The LEC-6021’s Wide-Temperature ICS Security Gateway provides the following:
- Protects and separates OT and IT.
- Low power consumption and high processing performance with Intel Atom x7-E3950 or x5-E3930.
- A suitable device for utility communication, automation, power plants, and substation environments. It comes with IEC 61850-3 and IEEE 1613 certifications.
- 5 kV magnetic isolation protection and 15 kV ESD protection for I/O ports.
- Wide range of temperature tolerance from -40°C to 70°C.
Today we can manage plant maintenance, machine upgrades, production quality/quantity, and inventory, all from a remote management system. But being open to the world also opens the doors to new risks. Whether accidental or intentional, cyber security threats can shake the whole industrial infrastructure.
These IP-enabled OT devices are also bringing IT and OT teams to work together. The two domains that run the entire industry are slowly converging. But unfortunately, they are leaving many security gaps behind. This convergence brings risks such as unsegmented IT and OT networks, lack of communication, and different security requirements and standards.
ICS cyber security solutions such as the aforementioned LEC-6041 based industrial firewall protect the OT infrastructure and endpoints. It is the right type of ICS Security Gateway to help you filter ICS traffic, segment the IT and OT domain networks, and still work under extreme industrial environments.