Pratum Blog

OT Security with ICS, HMI and SCADA

A couple of weeks ago, Pratum’s Digital Forensics Manager, Bryan Burkhardt, and Information Security Analyst, Chad Porter, delivered an Operational Technology (OT) Security presentation to a group of manufacturers and utilities titled “Jurassic Part: Evaluating Security While Systems Age.” The presentation was not only captivating and amusing, it also carried a very important message: Converging IT and OT introduces information security risk, but your security can evolve.

“Evaluating Security While Systems Age”

What does it mean to evaluate security while systems age? As your equipment gets older, you may find yourself modifying industrial control systems (ICS) or shop floor automations. These adjustments can alter the amount of risk you face. It’s generally not the intention of a company to implement a design that poses a high security risk, but companies often don’t consider their potential risk exposure. Even if you haven’t made these changes, the threat landscape itself is constantly changing around you.

The premise of Bryan and Chad’s presentation was to shed light on what the risks are, how they can affect an organization, and how to prevent/mitigate the risks.

Are You at Risk?

When OT and IT merge, the potential to cut costs and increase efficiency flourishes. Rehabbing or expanding functionality of your shop floor might seem like a no-brainer, but don’t forget to consider the new security vulnerabilities they may introduce. These modern technologies require connections to a network, and installing connected devices means that you’ve just introduced an offline system to the internet, or you’ve just networked an independent machine with other (potentially more vulnerable) machines. With that comes risk that didn’t exist before.

Programmable Logic Controllers (PLC) are the workhorses of industrial automation. These simple computers help streamline manufacturing and reduce the demand on human capital. If hacked, a PLC can be manipulated to perform an undesirable task, causing damage to equipment or quality of production.

Human Machine Interfaces (HMI) are used to monitor and control machines. HMIs can be programmed to perform almost any function that a PLC can control, or to present any information that a PLC can monitor. HMIs and PLCs work in tandem to operate machines. These pieces of equipment are integral in industrial control systems used in manufacturing and utilities operations. When connected to the Internet, HMIs are no longer protected by isolated systems, introducing greater exposure to attack.

Who?

In a competitive industry, there’s always a chance that external parties, such as competitors or nation states, might want to infiltrate your organization. Maybe they want to wreak havoc on your company, forcing a shutdown and loss of clientele. They might want to steal inside information and blackmail your organization with their findings. OT used in Public Services or utilities may see actors attempting to provoke terror or fear. There are numerous reasons your organization may be a desirable target.

The addition of new technology can help protect, or audit, an old system, but be mindful that it can also provide an entry point for bad actors. Once a PLC or HMI is connected to an unprotected or inadequately protected network, there is potential for it to be hacked and information lost/stolen. Likewise, if an attacker gains access to the network that’s connected to the HMI on your machine, they may be able to control and monitor that machine.

Risk doesn’t always originate from outside forces; there can be threats within the walls of your organization. Employees often inadvertently create risk through carelessness or misunderstanding. It might be as innocent as an employee needing to charge their phone, seeing an open USB port on a machine, plugging it in, and unknowingly creating an opportunity for the network to be scanned by outside parties. Leaving default configurations or not applying appropriate embedded security controls are other examples of how employees can unconsciously put your organization at risk.

Sometimes employees may be aware of their wrongdoing but continue due to self-interest. Perhaps an employee wants to leave work early on a given day, so they alter (hack) functionality to speed up production.

Then, there’s the bad apple employee who deliberately wants to create chaos. Let’s say you have an employee who wants time off but can’t get approval the conventional way, or they feel underappreciated. They could decide to disrupt production by hacking the network (this hack doesn’t have to be very complicated or technologically advanced), causing a machine to malfunction. Now they get their time off, or possibly fix the machine to become a hero and feel adequately appreciated. Employees continue to baffle management with the lengths they will go to get their way.

Only YOU Can Prevent OT Threats

If your OT technology has been compromised, whether by an external force or someone within your company, the consequences are the same. Your organization could face broken machinery, health and safety concerns, or legal implications (loss of client information or hazardous waste spills).

Every day that goes by without implementing proper OT Security measures is another day of increased security risk. If an incident does happen, it can be detrimental. The time, resources, and cost of rebuilding can not only hinder a company’s production but put an end to it completely.

Having the correct OT Security controls in place can shield your organization and its production immensely. Here are just a few things you can do to increase your organization’s OT Security:

OT Network Monitoring and Asset Discovery (SIEM Reporting)
  • Help identify the source of an attack by proactively implementing thorough event logging within your environment.
Network-based Security
  • Utilize firewalls to help segment and segregate access between and within OT and IT networks.
OT Security Professional Services
  • Defend your OT by proactively performing risk assessments, strategic planning, policy development, and architecture and design.

Conclusion

Keeping up in today’s world requires interconnectivity. Adding a new vector of access to a piece of equipment will likely enhance your entire operation. However, without proper security you also enhance your vulnerability to threats. The key to success when converging OT and IT is to evolve your security practices to keep up with the ever-changing threat landscape.

Cybersecurity Workforce

As the world becomes more interconnected, the need for protecting data grows. The cybersecurity industry is booming, and companies, both large and small alike, are looking to cybersecurity professionals for the protection they need. It’s critical that we have a powerful workforce to keep up.

In Iowa, many colleges and universities have responded to the demand by enhancing existing curriculum and adding new curriculum that’s molded around the need for cybersecurity. They seek guidance from professionals who are leaders in the cybersecurity industry to advise them on their courses. Who better to provide input than experts who know exactly what qualities and education the industry is looking for in an employee?

How One Individual is Getting Involved

Dave Nelson, Pratum’s President & CEO, is one of the experts providing input. Nelson serves as the Co-Chair of the Cybersecurity Subcommittee of the DMACC IT Partnership and has since the subcommittee was formed. This subcommittee has established its goals: identify key technology skills that the industry needs to grow a powerful workforce, provide a pathway for people who want to further their education past a two-year degree, and attract/retain cybersecurity professionals in the state of Iowa. “Students who feel like they have support in Iowa are more likely to stay here,” Nelson says.

The cybersecurity subcommittee’s efforts have led to the creation of the Iowa Cyber Hub™ - a partnership between DMACC and Iowa State University that is geared towards cybersecurity. It is a well-suited name for a group that acts as a central location for cybersecurity resources. On the hub’s website, there are pathways for all levels of education: high school students, high school grads, associate’s degrees, and bachelor’s degrees. The hub fosters alliances with established cybersecurity professionals and partner schools through internships, training programs, and other projects.

Nelson’s contributions aren’t limited to the cybersecurity subcommittee. He’s spoken to the information assurance student group, and he mentors students who seek direction from established professionals. His most recent involvement is partnering with Drake University and other cybersecurity professionals to advise the college’s new post-baccalaureate certificate in cybersecurity.

You Can Make a Difference, Too

If you’re an information or cybersecurity professional looking to make a difference in the education of the future workforce, here are just a few ways to get involved:

  • Contact your local colleges and universities to see if they need members for an advisory board, subcommittee or other type of group that influences curriculum
  • Volunteer to be a guest speaker
  • Mentor students & advise them on their studies and coursework
  • Participate in surveys/polls requesting the needs of an employer and employees

The need for strong cybersecurity professionals won’t subside. As long as data is entering the world of the internet and technology, it will always require protection. It is the wisdom and guidance from established professionals that’s driving the future of cybersecurity and its workforce. With the proper tools and support, future cybersecurity professionals will be able to rise to the challenges of cybersecurity by reducing risks and keeping data safe.

AWS Security Best Practices

Security in the cloud should be viewed as a shared responsibility. With many organizations moving some, or all, of their data to the cloud, it’s important they understand, evaluate, and adopt the security solutions available to minimize and address risk.

Many cloud providers take care of the physical and underlying security and availability of the infrastructure that provides the services, but the consumer is responsible for configuring, deploying, and managing their data and systems within the cloud environment. This is where the shared responsibility model is important to understand. Cloud providers such as Amazon offer a multitude of security solutions to assist with properly configuring and managing these systems. However, these solutions are not enabled by default, so consumers must manually activate them to leverage them.

Security and Network Access

Managed and unmanaged access to AWS resources should be carefully configured. Policies should be defined such that all traffic is blocked by default and only required communication is explicitly permitted. This will help to ensure unnecessary services and ports aren’t exposed. Management of services should be restricted to known and approved sources and used in combination with multi-factor authentication. In addition to a virtual or host-based firewall, it is considered best practice to leverage Amazon’s built-in security groups to help define and restrict permitted access. Most host-based or virtual firewalls will provide capabilities such as deep packet inspection, intrusion prevention, and additional advanced threat protection.
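The default-deny review described above can be automated. The following is an added example, not part of the original article: it audits security group data in the shape returned by `aws ec2 describe-security-groups` for management ports reachable from sources that are not approved. The function name `audit`, the `MGMT_PORTS` list, the group IDs and the approved range are assumptions made for illustration.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # assumed management services to check

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-EXAMPLE2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

def audit(doc, approved=()):
    """Return (group_id, source_cidr, [services]) for every ingress rule that
    exposes a management port to a source outside the approved networks."""
    approved_nets = [ipaddress.ip_network(c, strict=False) for c in approved]
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                      # "all traffic": every port
                lo, hi = 0, 65535
            elif proto in ("tcp", "6"):
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue                           # SSH/RDP are TCP services
            exposed = [n for p, n in MGMT_PORTS.items() if lo <= p <= hi]
            if not exposed:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                ok = any(net.version == a.version and net.subnet_of(a)
                         for a in approved_nets)
                if not ok:
                    findings.append((sg["GroupId"], cidr, exposed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, approved=["203.0.113.0/24"]):
        print(finding)
```

Rules that reference another security group instead of a CIDR are not evaluated here and need a separate review.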

Logging and Security Monitoring

Amazon has multiple ways to begin logging data within EC2 including both CloudWatch and CloudTrail. Many times, organizations simply enable CloudWatch since it can be done with a single click. Unfortunately, these logs are generally focused towards availability and performance monitoring versus security events. To perform security monitoring and properly audit events to aid in a forensic investigation, it is crucial to monitor network, security, application, authentication, and system logs. The only way to pull all of these events in is to properly configure and tune them. It is recommended to point this data to a central aggregation server such as a SIEM, which will store this data for a year, provide threat detection capabilities, and allow for rapid incident response and analysis.
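As an illustration of the authentication monitoring described above, this added example (not from the original article) reviews CloudTrail `ConsoleLogin` records for successful sign-ins without multi-factor authentication and for repeated failures from one source address. The records are constructed and trimmed to the fields used; `review_logins`, `_rec` and the failure threshold are assumptions.

```python
from collections import Counter

def _rec(user, ip, outcome, mfa, name="ConsoleLogin", kind="IAMUser"):
    """Build a constructed CloudTrail record with only the fields used below."""
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "userName": user},
            "responseElements": {"ConsoleLogin": outcome} if outcome else None,
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample events (documentation address ranges).
RECORDS = [
    _rec("alice", "198.51.100.7", "Success", "Yes"),
    _rec("bob", "198.51.100.9", "Success", "No"),
    _rec("carol", "192.0.2.44", "Failure", "No"),
    _rec("carol", "192.0.2.44", "Failure", "No"),
    _rec("carol", "192.0.2.44", "Failure", "No"),
    _rec("alice", "198.51.100.7", "Failure", "No"),
    _rec("alice", "198.51.100.7", None, "No", name="RunInstances"),
]

def review_logins(records, fail_threshold=3):
    """Return (logins_without_mfa, source_ips_with_repeated_failures)."""
    no_mfa, failures = [], Counter()
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
        ident = r.get("userIdentity") or {}
        if outcome == "Failure":
            failures[r.get("sourceIPAddress")] += 1
        # Only IAM users and root are checked; federated sign-ins usually
        # enforce MFA at the identity provider (assumption of this example).
        elif outcome == "Success" and ident.get("type") in ("IAMUser", "Root"):
            if (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                who = ident.get("userName", ident.get("type"))
                no_mfa.append((who, r.get("sourceIPAddress")))
    noisy = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return no_mfa, noisy

if __name__ == "__main__":
    print(review_logins(RECORDS))
```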

Identity and Access Management

In addition to restricting access management through access controls, it’s important to adopt best practices for managing user access to AWS resources and APIs. This access can be managed through Amazon’s built-in Identity and Access Management (IAM). Role based access can be defined by referencing built-in security groups. These groups can be customized to align with roles within your organization. This helps to reduce risk by decreasing the chance of access creep. IAM policies should also be enforced to match corporate standards. Settings such as multi-factor authentication, password complexity requirements, and lockouts and expirations should also be aligned to the business’s requirements.

If this article was helpful, make sure to check out our Office 365 Best Practices blog article.
