Securing OT Networks Beyond Guards, Guns & Gates
We are seeing Oil, Gas and Mining clients looking to amalgamate their OT and IT frameworks. More recently, COVID-19 has delivered physical site access restrictions to both corporate and operational environments. This reduced access or reduced workforce is increasing the need for remote monitoring and management of OT environments. The benefits of IT/OT convergence are significant, so long as organisations acknowledge that these environments are vastly different worlds.
In this Insight, Denver Strategic Consulting Services Manager, Keren Jenns, asks two of Denver's OT SMEs to consider IT and OT convergence issues on manufacturing operations and look at how organisations are securing their operations beyond guards, guns and gates.
There are significant benefits of IT/OT Convergence, but there are associated risks too, including remote access. Are these concerns legitimate? Is it just a matter of mitigation through design?
David: OT networks by their nature operate with a high degree and expectation of implicit trust. Security for these OT environments used to be focused on ensuring only authorised personnel had access to the control environment via the 3 G’s (Guards, Guns and Gates). OT environments were built with minimal security countermeasures, and system owners assumed that anyone with access to the control system was authorised to connect and operate it. Unauthorised access can be a grave concern, as are the consequences of malicious activity on the OT environment. For OT systems that process non-finalised components/outputs, the impact to an OT environment is not just to that company; it can also have potentially devastating downstream effects on other organisations that utilise that company’s production output. To understand the potential compromise of an OT system, organisations must consider the business risks of a production system interruption, an interruption to an input in the supply chain or failure of key plant equipment - as it can have the same consequences.
The merging of IT and OT networks along with the provisioning of remote connectivity into the OT environment can negate the physical security perimeter that OT infrastructure has traditionally relied on for its first line of security - opening up the OT system to threats across the world via the Internet. OT administrators must now treat the corporate network as a threat in the same way corporate network administrators see the Internet as a threat.
Remote access can bring cost benefits but can also introduce significant risk from the interconnect perspective. In order to address this risk, organisations need to improve their cyber-security practices. This requires a sustained effort by management and staff to diligently apply sound cyber-security practices during the entire life cycle of the OT environment. This has to occur from design, implementation, and operation, to the retirement of the OT and can’t just be considered as an item during operations. This requires organisations to establish a cyber-security culture and ensure that all levels of management understand that people are crucial in defending and protecting OT environments from a cyber security breach.
It also significantly requires organisations to shift from a reactive mode, in which they deal with cyber-security issues once they occur, to a more proactive approach where budget, resourcing and planning address risk to minimise the chance of a cyber security issue occurring before it happens.
Thomas: To allow remote access-based control capabilities, several elements are critical to minimise any risks introduced by providing such services:
- Multi Factor Authentication based Identity management to prevent unintentional and/or intentional misuse of a person’s credentials
- Access approvals that are workflow based with a separate SPA (Single Point of Authority) for a person’s roles required for logical access to PCN systems and data
- Office environment user accounts and security groups
- Remote access approvals for user accounts and security groups
- PCN Firewall MFA based traversal access for user accounts and security groups
- Individual Device, Application, Service, Data, Network and Environment access for user accounts and security groups defined in those environments (i.e. not Office environment user accounts and groups)
- Role based access control methods providing granular access to systems and data based on a person’s role or roles in the organisation
- Remote access limited to devices approved by the organisation (Organisation provided or vetted BYOD)
Are companies trying to apply corporate security frameworks to OT environments?
What are the issues with doing this?
David: OT Networks have a focus on availability rather than confidentiality. The availability of an OT network is far more important than confidentiality in terms of Cyber-Security in OT. An OT network cannot just be shut down suddenly - especially in manufacturing and process environments - as it can leave batch or continuous manufacturing processes hung, where ‘product’ is in a dangerous state. Due to this, corporate security frameworks - when applied to OT environments - can unintentionally cause more issues than they solve.
OT systems are purpose built with the underlying “IT” systems being comprised of a highly customised architecture. This adds additional complexity to protecting OT systems and traditional IT security countermeasures (normally used to protect corporate IT environments) may negatively impact the operational requirements of plant environments. Additionally, the differences between IT and OT are not necessarily clear cut and the lines between IT/OT cyber-security have blurred with modern systems, where remote access to OT environments and the sharing of data from OT to corporate applications is occurring. Interconnections between IT and OT environments create new cyber security risk vectors for those with malicious intent to access the OT domain. These include remote access capabilities, peer-to-peer networking, direct Internet connectivity, or network modifications that enhance business performance.
Thomas: Often roles in the process controls systems space are not as clearly defined as in the corporate space. Process controls systems resources have the skills and the need to cross traditional corporate based role boundaries. Applying the corporate roles model to process control system resources may hamper - and in extreme cases prevent - them from fulfilling their duties in maintaining process controls systems availability. The implementation of corporate IT cyber security frameworks and countermeasures required to mitigate an OT vulnerability may result in the plant control system operating in an undesirable or unintended manner. Any undesirable or unintended plant events can be a significant risk and a major safety concern – particularly in instances where that plant is processing dangerous or unstable/volatile products.
In the past, traditional OT networks have relied on physical security.
There is now a demand to leverage remote access - what are some of the benefits from this?
David: Historically, OT systems were specialized stand-alone systems protected by a physical security perimeter (fences, gates, doors etc) and controlled by on-premise operators in control rooms. Many existing OT systems are comprised of analog/manual controls that are still in use and operating long past their originally intended life cycle due to cost concerns with replacement. OT system owners and operators function under constrained budgets and are required to reduce the costs associated with managing and maintaining the OT systems while concurrently facing the replacement of ageing plant environments. The ability to provision remote access to OT systems allows more to be done with limited budgets and infrastructures and facilitates reducing the labour costs required to operate plant environments.
OT system technology has moved from using disparate manual/analog systems to interconnected digital systems and remotely controlled environments from centralised control-rooms. OT vendors are designing their solutions based on standard operating platforms and networking technology, allowing for easier integration between control system and corporate networks. The standardisation in operating systems for OT environments allows cost savings via reduced need for specialist proprietary OT skills and the ability to more easily cross skill employees between the corporate IT and OT environments.
Thomas: Logical access controls are easier to oversee and manage (if implemented correctly) than physical access controls:
- Logical access controls can be made more granular with controls being software based
- Implementing granular physical access controls requires additional hardware and the associated control logic, such as swipe access control points, physical room divisions, door and rack locking mechanisms, rack segregation methods and device based anti-tamper hardware/options (i.e. person X should only have physical access to one device or set of devices in a rack. How do you prevent them from having physical access to the other devices in the rack?)
- Allowing matter experts from other affiliated organisations to get hands on access to systems in a secure controlled fashion rather than having to manage the costs involved in transport and accommodation
- Allowing support engineers from Hardware and Software organisations to get hands on access to systems in a secure controlled fashion rather than having to manage the costs involved in transport and accommodation as well as temporary physical access controls
- Providing secure controlled View or Read Only DCS access from office locations and/or offsite locations for analysis and advisory services
- Providing secure controlled DCS access from office locations and/or offsite locations for plant scenarios calling for remote operations due to safety factors preventing all bar critical physical presence