Operational Technology, or OT as I refer to it in this article, arrived on the cyber security scene in a big way back in 2010 when Stuxnet arrived as the first real example of cyberwar between two countries. Before going into the challenges with OT, I would like to define the OT term a little more. When using the OT terminology, I am referring to SCADA and ICS systems as well. I know that there are different opinions on what each of these terms a covering, but for the purposes of this article the use of OT as an umbrella term for all of them will suffice.
Historically there have been no integration between OT and IT. This has changed in a big way in the past 20 years or so. Now there are may integration points between IT and OT, enough that OT is becoming a major headache for many cybersecurity professionals. But first, why are two technologies that have, historically, not been talking with each other now doing so? As I see it, there are two major reasons for this. The first one is convenience, using IT to monitor and control OT, makes the job of running the OT much easier. The second one is that the various OT devices are gaining more features and are getting more programmable and anything that can be programmed can be compromised! These two reasons, along with the distributed nature of OT, creates the headaches for security professionals as well as the compromises we have seen proliferate in recent years.
Making the OT platforms integrate with the ‘normal’ IT systems has opened these OT platforms to attack and the, typically critical, OT platforms makes them an excellent target for a malicious attacker. Just recently an attacker tried to poison a Florida county by gaining access to the controls for the OT systems maintaining the water supply in the county. The attack in that case was not in any way a complex one, but it demonstrates my point, that OT platforms and networks are juicy targets for attack. Another challenge for a cybersecurity professional, is that OT platforms are in many cases using technology different from the ones used in IT, making the securing of the OT systems an unknown challenge for many professionals. Just on the networking side there are:
- Modbus RTU
- MelsecNET, etc.
You can see a more complete list of protocols here. Some of these can carry the known TCP/IP protocols, but for some of them the protocol payload they carry is aimed at the OT device at the end of the communication. In addition to the plethora of communications protocols, there is a vast number of different suppliers of OT equipment. Here are just a few of them:
- Bosch Rexroth
- Schneider Electric
- Rockwell Automation
- Mitsubishi Electric, etc.
Together these creates the headaches that we as cybersecurity professionals needs to address! Add to that, that in many cases the OT platforms are using a combination of devices from different vendors, just to make our lives even more challenging. So, what to do? Are there tools/guidance that we can turn to for help? Yes, there is!
IEC, the International Electrotechnical Commission, has created a standard called IEC 62443, that comes with guidance on cybersecurity for industrial networks and automation systems. This standard is divided into sections, each of which are focused on different areas of cybersecurity for industrial systems, describing both technical and process related aspects of security for OT. To keep this article at a reasonable length, I will not list all the sections, with that sentence I am sure you can guess the length and depth this standard goes into. But some of the sections that are of the utmost interest to professionals new to OT security are:
- Part 2-1: Establishing an industrial automation and control system security program
- Part 2-3: Patch management in the IACS environment
- Part 3-1: Security technologies for industrial automation and control systems
- Part 3-3: System security requirements and security levels
- Part 4-2: Technical security requirements for IACS components
There are many more sections, including the programming of OT devices, but for someone new to OT security, those are the ones I recommend familiarizing yourselves with first. Just as for IT standards, IEC 62443 comes with maturity levels for OT security as well. These are fortunately based on something we already know, CMMi. IEC 62443 is a massive document to be sure but given the complexity of heterogenous nature of OT deployments, that is to be expected. If you would like to know more about IEC 62433, without going to the full document for this standard, then Schneider Electric has created a good introductory document to IEC 62443 which you can find here: files (schneider-electric.com) This document is still 13 pages long, but it provides an excellent introduction to IEC 62443. Make no mistake, as cybersecurity professionals, we will be expected to, at the very least, have some knowledge about OT security and be able to advise on security approaches to OT technology in the coming years.