Over the past few years, I have been hearing a lot about the security issues and, therefore, the security requirements for Operational Technology (OT), as well as for the Internet of Things (IoT) technology. Experts often describe these security issues as fundamentally different from Information Technology (IT) security challenges. I felt that these differences should be reflected in a new set of OT/IoT security tools that focused specifically on these issues. A couple of years ago I was disappointed at the RSA conference, as it seemed like only traditional IT security vendors were present, just recasting their wares as OT or IoT security tools. Where were the vendors who grew up with OT or IoT security in mind? This year at Black Hat it seems like my wishes were granted, as there are a plethora of new start-ups focused on the unique requirements of these infrastructure areas. So here are a few questions I have been pondering; maybe you are too:

  • How do OT and IoT systems differ from IT systems and how do these differences affect the security approaches for these systems? Also, how does the on-going convergence of OT and IT systems challenge the security posture [and the security tool market] of these converged systems?
  • How do security measurement, instrumentation, automation and orchestration tools fit into the OT/IT and IoT security pictures?
  • What are some of the emerging business and technology trends that will likely reshape OT and IoT systems and the security tool market?

I plan to examine these issues and others over the next several articles and in interviews with leaders in this space. Below is a quick run through of some of these issues.

OT vs. IT

A wide variety of critical systems that are classified as Operational Technology are now exposed to cyber attacks.

OT consists of physical equipment-oriented technologies and systems that deal with the actual running of plants and equipment, including devices that ensure physical system integrity, are event-driven, and frequently involve real-time software applications or devices with embedded software. These types of specialized systems are pervasive throughout the critical infrastructure and are required to meet numerous and often conflicting safety, performance, security, reliability, and operational requirements. OT systems range from non-critical systems, such as those used for building environmental controls (HVAC, lighting), to critical systems such as the electrical power grid. Other frequently used terms for OT, apart from slight differences in connotation, are Platform IT (PIT), Industrial Control Systems (ICS), Distributed Control Systems (DCS), Industrial Automation Control Systems (IACS), Process Control Systems (PCS), Supervisory Control And Data Acquisition (SCADA) systems, Intelligent Electronic Devices (IED), digital protective relays, smart motor starter/controller, remote terminal unit (RTU), smart sensors and drives, emissions controls, equipment diagnostics, AMI (smart grid), Electronic Control Units (ECU), programmable thermostats, building controls, etc.

These systems have undergone a shift in operations over the last 10 years or so to take advantage of the cost savings provided by the Internet. In so doing, as shown in the figure, they have opened potential paths to the control systems that operate these industrial processes.

OT systems often are resilient, real-time systems that place safety and availability as the highest priorities [over security]

Traditionally, operators of OT systems care about who has physical access to controls so that the physical equipment is operated safely and reliably. OT controls physical processes and thus often operates in a real-time environment. Data can become useless within a fraction of a second to a few seconds, and inaccurate or missing data can result in lost process efficiency, damage, or shutdown. As a result, OT reliability is crucial, and OT systems must continue to operate even during a cyber attack. OT systems must also function in environments that are electrically noisy, dirty, at temperature extremes, etc., thereby raising the already high bar for reliability. Process inefficiencies and shutdowns are often very expensive, with tens of thousands of dollars an hour or much more at risk for large processes. In critical infrastructure, loss of the OT can extend to significant, detrimental impacts on the health and functioning of society. Given this context, OT security has more to do with events that impact safety and reliability, and with controlling access to human-machine interfaces, than with data security.

OT systems are often continuously operated and have much longer life cycles than IT systems

The systems that control OT are often designed and constructed to be in operation continuously. Any interruption in service, such as to scan and patch the system for vulnerabilities, may have catastrophic results for human life and property. This is a key difference between OT systems and IT business systems. Real-time operation presents a unique challenge for securing these systems because security cannot compromise the reliable operation of the control system.

The life cycle for OT system hardware is from 5 to 20 years (or more), with the average being 19 years, as compared to the 2- to 3-year (or shorter) life cycle for IT business systems. This long life cycle of OT systems means that security protections must address evolving threats over a long timeframe. The fact is that the longer a device is on the network, the more vulnerable it becomes. In this way, product longevity can actually become a negative because it can cause vulnerable devices to remain connected to a network long past the date that the manufacturer stops supporting them.

OT systems are often acquired as a consolidated bundle of sensors, control systems, and actuators from a single provider with stringent limitations on how maintenance can be performed, thereby making it difficult to change the system without affecting the warranty. Therefore, security patches, as well as greenfield deployments using the most current and secure technologies are rare and often infeasible across the long life cycle of these systems. These limitations also curtail the range of commercial security offerings since it is difficult to integrate any security capability into such a tight bundle and with such low life cycle turnover. Security technology must often be wrapped around the existing set of legacy OT systems if allowed at all.

OT and IT reflect different mindsets to managing risk in their respective environments

Operators of OT systems are often engineers who generally use a consequence-based approach to managing risk in their environment. Instead of an intense focus on cyber hygiene and chasing every vulnerability in a “scan-and-patch” approach that is typically found in an IT system environment, OT operators evaluate any change to the system in terms of how the mission at large will be impacted. This latter approach to risk management requires a deep and comprehensive knowledge of the mission domain in which the system operates, rather than the siloed technical awareness of the system that often characterizes IT system environments.

For comparison, consider the operator of a typical IT system that gets one of its Windows systems infected by a quick-spreading worm/virus such as Conficker. Conficker is generally used to convert systems to bots, which are then herded for botnet attacks. Conficker disables many security features and automatic backup settings, deletes restore points and opens connections to receive instructions from a remote computer. As the botnet grows, it can have a deleterious effect on the host network as well as the Internet at large. In most cases, the IT operator would quickly shut the system down or quarantine it to prevent the spread of the virus, then would proceed with patching the system, scanning the system to ensure the patch took, and then bringing the system back on-line. The OT operator confronted with a similar Conficker problem may well take a quite different approach. They may consider that patching the system for the Conficker problem poses a greater risk to the mission, due to downtime, than having Conficker on the system. They may take other mitigation measures to confine the spread of the virus. In any case, whether the OT operator is facing a greenfield or brownfield deployment, all affected parties — security vendors, manufacturers, systems integrators and equipment owner/operators — must be engaged to create a more secure and reliable OT system.

OT/IT Convergence Increases Attack Surface

Due to safety and availability traditionally being the primary objectives of OT systems, and that safety largely depends on the stability of the systems, cybersecurity has been a secondary consideration for OT systems, if it has been considered at all. Typically, legacy OT systems do not contain the standard security functionality included in many IT systems such as cryptography or network access controls. This has been changing, however, with the convergence of OT and IT systems as characterized by the integration of IP networking and the adoption of other standardized IT protocols into OT systems. This move to converged systems is driven by the desire to lower costs and increase process efficiencies. Some examples of IT products used in OT systems are Microsoft operating systems, directory systems, IP-based communication technology (Ethernet/IP, TCP/IP etc.), MS-SQL and Oracle database solutions. This shift to IT components is changing the role of security tools in the integration of OT systems as well, with the recasting of firewalls, IDSs, threat analytics, and passive/active sensors into OT/IT converged systems.

Notwithstanding this push to convergence, IT and OT personnel belong to two entirely different “tribes” that do not always speak the same language, which ends up causing some delays or hiccups in convergence activities and security solutioning. IT people will focus primarily on taking an inventory of OT systems and working toward cybersecurity solution testing and implementation. But OT operators often push back, hesitant to introduce solutions that may disrupt systems or require system downtime to deploy.

Converged systems bring with them a heightened concern about trustworthiness due to their potential impact on the physical world and their connectedness. There is a more urgent need for emphasis on security, privacy, safety, reliability, and resilience, and corresponding assurance for pervasive interconnected devices and infrastructures. As an example, converged OT/IT networks may have “brokers” and other infrastructure-based devices and aggregators that are owned and managed by third parties, resulting in potential trust issues – e.g., publish and subscribe messaging, certificate authorities, type and object registries.

Although safety and security focus on different problems, causes and consequences, it is no longer possible to be truly safe without also being secure. The challenge for those facing convergence, however, is to not only address safety and security issues, but to get the most from the ability to connect systems and share information conducive to effective and efficient decision making. There seems to be a fine line between safety, security and productivity.

Air gaps are a myth

The push to OT/IT convergence has brought to light the fact that air gaps are a thing of the past. Data diodes, VLANs, VPNs, and gateways are now connecting IT systems, cloud-based analytics, and remote operators to OT enclaves. Despite the illusory protections these offerings provide, attackers are still finding a way into OT networks – like transferring files on USB drives and infiltrating supply chains – and causing problems. For example, in Iran at a well-guarded facility, the Stuxnet virus infiltrated an air-gapped network through a USB drive. In the same attack, equipment was infected at the manufacturer before it even shipped to the facility. In another comparable scenario, a team at an Israeli university found a way to use malware on a cell phone to extract data from a computer by sensing electromagnetic waves. Now, vendor networks, which oftentimes maintain connectivity to air-gapped networks for support purposes, have become a vector of attack. Convergence has added a new attack surface to OT systems, giving attackers the ability to produce physical-world results and therefore affect the safety of OT systems. Now cybersecurity is becoming essential to safety.

This change in attack surface to OT systems has not gone unnoticed

The Department of Defense relies on an estimated 2.5 million OT systems in more than 300,000 buildings for the real-time, automated monitoring and management of utility and industrial systems which support military readiness and operations. In response to the urgency of securing these systems, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 required the Pentagon to designate one official to oversee the integration of cybersecurity and ICS, including the adoption of department-wide certification standards and the consideration of frameworks from the National Institute of Standards and Technology. That legislation authorized the Department of Defense and the Department of Homeland Security to launch a pilot program to improve the cybersecurity and resiliency of critical infrastructure. Both the House and Senate versions of the fiscal year 2020 NDAA also draw attention to the challenges of securing these systems, directing the GAO to evaluate whether military departments have “implemented a DoD instruction to enhance the cybersecurity of industrial control systems.”

One example of the DoD’s response to the NDAA is MOSAICS [More Situational Awareness for Industrial Control Systems]. MOSAICS is an integration of COTS and GOTS technologies for enhanced situational awareness and defense of industrial control systems associated with critical defense assets. Key objectives of MOSAICS include:

  1. Detect control system threats faster – from months to minutes
  2. Improve situational awareness, driving real-time decision aids to enable cyber defender response
  3. Disrupt adversary kill-chain in mission-relevant time
  4. Limit adversary re-use of attacks through enhanced sharing of indicators and mitigations.

The MOSAICS program is a JCTD being led by the U.S. Navy and Department of Energy labs.

The US spy agencies are also noticing changes in threats to OT systems. Early in 2019, according to SecurityWeek, the U.S. Intelligence community published a Worldwide Threat Assessment revealing that Russia and China are capable of disrupting critical infrastructure in the United States. These revelations by the intelligence community came on the heels of major attacks on critical infrastructure in 2018 as well as attacks on the Ukrainian power grid in 2015 and 2016. Three events stand out in 2018: the shutdown of operations of the city of Atlanta; the shutdown and subsequent reattack of the Colorado Department of Transportation (CDOT); and the takedown of a dedicated Safety Instrumented System (SIS) overseeing an industrial control system, which required sophisticated reverse engineering of proprietary components. The cost and duration of the restoration of service in the former two incidents ran into millions of dollars and months for each. The potential for damage from the latter attack could be catastrophic in certain industrial applications. The 2016 Ukrainian attack was based on malware known as CRASHOVERRIDE, which represents alarming tradecraft and the ability to disrupt operations, with outages lasting hours or days but not weeks or months. Spy agencies have also warned that Iran is “also attempting to deploy cyber attack capabilities that would enable attacks against critical infrastructure in the United States and allied countries.” It is believed that Iranian hackers could disrupt a large company’s networks for days or weeks, as demonstrated by the Shamoon attacks.

To sum it up, there are many differences between OT and IT systems which impact the security approaches that are employed in the respective environments as reflected in the chart.

Ultimately, OT/IT convergence equals the convergence of safety and security requirements and risks. Solving the challenges involved starts with risk assessment and threat analysis by joint security and safety professionals, enabling them to qualify and quantify cyber threats and their potential impact on relevant operational / industrial processes. Special focus is needed to resolve contradictory requirements between safety and security in the system design to avoid “fail open” situations. Composing a system to meet both the security and safety requirements drives a more comprehensive and rigorous development effort. Functional safety requirements must be considered as an engineering practice, implemented at the lowest level all the way up to the system level, from both a hardware and a software perspective. Security development practices must also be implemented as an engineering practice for any new development. OT security tools must also take into consideration the impact their operation will have on the OT environment. Passive sensing and behavior-based approaches, along with gateways that protect the OT/IT perimeter, appear to be the norm in many instances. However, there are recent moves to allow SNMP-based agents to provide a more active sensing approach. Patching is also becoming more accepted in certain cases.

So next we visit the unique challenges involved in securing IoT systems and compare their challenges to those of OT and IT systems. We also examine some of the key trends that are reshaping the security market due to the push to connect everything.


And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.