What has COVID-19 taught us in the context of information technology security?
Today, almost no discussion about any subject goes on for long without the current pandemic being brought up in some way. It dominates all of our lives in many ways. Of course, life must go on, and business does continue, but not in the same ways. Companies have had to review their business models and adapt to the reality that, for the near future, fewer people will work from an office: they have become home workers. This has put pressure on IT departments, including new security concerns. Likewise, the impact on securing Operational Technology (OT) has been enormous.
For example, under lockdowns, many production lines have had to slow or shut down completely as workers are unable to come to the plant. But unlike an IT environment, where changing a software process or powering down a device is relatively straightforward and can be done remotely, the reality of OT means it isn’t so easy to turn off a chemical process or shut down an assembly line. Some systems, like a blast furnace or massive boiler, are designed for continuous operation, making it close to impossible to turn them off completely. In many cases, a skeleton shift of operators has to be on-site to run a plant or process just to keep the machinery from failing. In many more cases, operators are trying to run things remotely, even though the systems were not designed for this.
One of the most important lessons of Covid has been that disruptive changes can happen at any time. Even if we cannot anticipate which disruptions may hit us, we have to assume that there will be some. Or, like one CISO I know, operate as if you’ve already been breached. Which means we need to do a better job of anticipating and preparing for change, and that starts by taking nothing for granted.
OT Is a Target. Really
Historically, OT processes ran on non-routable protocols. This tended to make security more or less a simple matter of physical protection. The separation of the OT network from everything else, the so-called air gap, made it easy for operations teams to ignore the major cybersecurity headaches being faced in data centers and business networks. The result was that, for many organizations, cybersecurity for the production environment was a low-priority item or even ignored.
One Operations Manager recently asked me, “We back up all our production data and configurations every day; why invest in cybersecurity? If we’re attacked, we can just restart with yesterday’s data.” It only took a few minutes for me to change his mind when I mentioned a new breed of ransomware. I asked, “Are you aware of OT-specific malware like EKANS? Or of exploits that spoof the HMI console, tricking the operator into thinking everything is fine when in fact the machines are spinning out of control?” He was shocked by the realization that cyber-attacks can result in not merely production problems, but potential damage to equipment, danger to the safety of staff, and even environmental hazards.
We shouldn’t have needed Covid to tell us to make sure OT is protected. But that’s what it has done.
Good-bye, Air Gap. It Was Nice While It Lasted
Over the last decade or so, more and more OT systems have switched to run on standard Ethernet using IP protocols. But it isn’t just the protocols that are changing. The air gap has disappeared as industrial networks converge with the IT network. For almost three decades, one of the main architectures for production and manufacturing automation has been the Purdue Model, which divides the functional aspects of a process into zones. The Process Control zone is defined by the sensors, actuators, and related instrumentation implementing a process. The Operations & Control zone describes management of this process and of multiple processes across a site. The Purdue Model is strictly hierarchical: each Process Control zone has only one point of communication with the supervising Operations & Control zone. In turn, the Operations & Control zone has only a single point of connection to the corporate IT environment, referred to as the Enterprise zone. That interconnection point is usually a demilitarized zone (DMZ) with a firewall to separate them. For a long time, this level of security seemed to be enough.
However, IT and OT networks are now necessarily converging as an ever greater amount of information passes between them. Sensors and programmable logic controllers (PLCs) proliferate in the production environment, and many of them have wireless connectivity. Wireless LANs and wired LANs are shared by office workers and production machinery. OT and IT networks may still be separated logically, but they are no longer separated physically. In addition, the multitude of OT sensors in place produce a flood of data that needs to be analyzed by applications in the Enterprise zone. And information and instructions flow in the other direction, as well. And where data flows, so too can threats.
This does not mean that the Purdue Model no longer applies. However, it does mean that we have to rethink the protections we put in place within and between OT zones. For example, a segmentation firewall for each Process Control zone is like a locked front door on a house: fine for keeping out passers-by, but it won’t stop a determined thief, especially if the windows and the back door are open.
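As an added example (not code from the article or from Fortinet), the following Python script audits observed network flows against the Purdue hierarchy described above: a flow is acceptable only if it crosses one of the sanctioned conduits (Process Control to its Operations & Control zone, Operations & Control to the DMZ, DMZ to Enterprise). Zone names, subnets and sample flows are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed zone-to-subnet mapping: one Operations & Control zone supervising
# two Process Control zones (boiler and furnace) at a single site.
ZONE_SUBNETS = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "ops_control": ipaddress.ip_network("10.2.0.0/24"),
    "pc_boiler": ipaddress.ip_network("192.168.10.0/24"),
    "pc_furnace": ipaddress.ip_network("192.168.20.0/24"),
}

# Sanctioned conduits following the hierarchy in the text: each Process Control
# zone has a single link to Operations & Control, which reaches Enterprise only
# through the DMZ. Conduits are bidirectional (data flows up, instructions down).
CONDUITS = {
    frozenset({"enterprise", "dmz"}),
    frozenset({"dmz", "ops_control"}),
    frozenset({"ops_control", "pc_boiler"}),
    frozenset({"ops_control", "pc_furnace"}),
}

def zone_of(ip: str) -> Optional[str]:
    """Map a host address to its zone, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_SUBNETS.items():
        if addr in net:
            return name
    return None

def audit_flows(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every flow that bypasses the hierarchy."""
    violations = []
    for src, dst in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            violations.append((src, dst, "unknown zone"))
        elif sz != dz and frozenset({sz, dz}) not in CONDUITS:
            violations.append((src, dst, f"{sz} -> {dz} bypasses hierarchy"))
        # traffic inside a single zone is out of scope for this check
    return violations

# Constructed sample flows, as they might be pulled from flow logs
SAMPLE_FLOWS = [
    ("192.168.10.5", "10.2.0.10"),     # PLC to its supervising zone: allowed
    ("10.0.5.7", "192.168.20.3"),      # enterprise PC straight to a furnace PLC
    ("192.168.10.5", "192.168.20.3"),  # lateral traffic between process zones
    ("10.2.0.10", "10.1.0.4"),         # Operations & Control to DMZ: allowed
    ("172.16.0.9", "192.168.10.5"),    # host that belongs to no defined zone
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print(violation)
```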
The New Tools of the Trade
Many of the necessary tools for protecting our OT environments are already available. Fortinet has developed a wide range of cybersecurity solutions that are a perfect fit for Operational Technology environments. And they are all integrated into the Fortinet Security Fabric, providing broad visibility and control for securing both IT and OT networks. Here are just a few examples of solutions at your disposal:
- Fortinet’s FortiGate Next-Generation Firewalls not only segment operational technology logically, they can include an Intrusion Prevention System that recognizes the signatures of thousands of types of OT malware and blocks them.
- When suspicious traffic not recognized by the IPS arrives, it can be forwarded to a sandbox, like FortiSandbox, where it is placed in a contained environment and analyzed for dangerous behavior.
- Another tool available to you is a “honey pot,” which pretends to be a tempting target. FortiDeceptor is one example. It attracts a hacker who has gained access to the network, allowing you to identify the attacker’s TTPs: Tactics, Techniques, and Procedures.
- The explosive growth of IoT and IIoT devices is a major threat. Ensure that only authorized users and devices connect to the network with FortiNAC, our Network Access Control solution.
- End-point protection (EPP) and Endpoint Detection and Response (EDR) software, such as FortiClient and FortiEDR, can harden many PC-based controllers, critical HMIs, or Historians.
One final point about cybersecurity for OT networks: there isn’t a single solution to make this all go away. Protecting your environment will most likely involve multiple vendors providing various types of equipment: the ICS system itself, tools for visibility into highly specialized OT devices and PLCs, probes and analyzers. No single vendor can do everything, so be sure the suppliers you choose are able to play nicely with each other.
Fortinet solutions include a large number of open APIs and connectors that allow them to interoperate with solutions from many other vendors. These include OT technology alliance vendors, control system vendors, and OT systems integrators. For a complete list, please see the Fortinet Ecosystem Directory.
Covid has warned us: we all must start imagining the unimaginable. When it comes to defending our production environments, the time is now to harden the cybersecurity of our Operational Technology.
Joe Robertson, EMEA CISO, Fortinet