A couple of weeks ago, Pratum’s Digital Forensics Manager, Bryan Burkhardt and Information Security Analyst, Chad Porter, delivered an Operational Technology (OT) Security presentation to a group of manufacturers and utilities titled “Jurassic Part: Evaluating Security While Systems Age.” The presentation was not only captivating and amusing, it also encompassed a very important message: Converging IT and OT introduces information security risk, but your security can evolve.
“Evaluating Security While Systems Age”
What does it mean to evaluate security while systems age? As your equipment gets older, you may find yourself modifying industrial control systems (ICS) or shop floor automations. These adjustments can alter the amount of risk you face. It’s generally not the intention of a company to implement a design that poses a high security risk, but companies often don’t consider their potential risk exposure. Even if you haven’t made these changes, the threat landscape itself is constantly changing around you.
The premise of Bryan and Chad’s presentation was to shed light on what the risks are, how they can affect an organization, and how to prevent/mitigate the risks.
Are You at Risk?
When OT and IT merge, the potential to cut costs and increase efficiency flourishes. Rehabbing or expanding the functionality of your shop floor might seem like a no-brainer, but don’t forget to consider the new security vulnerabilities such upgrades may introduce. Modern shop floor technologies require a network connection, and installing connected devices means that you have just exposed a previously offline system to the internet, or networked an independent machine with other (potentially more vulnerable) machines. With that comes risk that didn’t exist before.
Programmable Logic Controllers (PLC) are the workhorses of industrial automation. These simple computers help streamline manufacturing and reduce the demand on human capital. If hacked, a PLC can be manipulated to perform an undesirable task, damaging equipment or degrading the quality of production.
Human Machine Interfaces (HMI) are used to monitor and control machines. An HMI can be programmed to control almost any function, and display almost any information, that the PLC behind it can control or monitor. HMIs and PLCs work in tandem to operate machines. These pieces of equipment are integral to the industrial control systems used in manufacturing and utility operations. When connected to the Internet, HMIs are no longer protected by isolation, and their exposure to attack grows.
In a competitive industry, there’s always a chance that external parties, such as competitors or nation states, might want to infiltrate your organization. Maybe they want to wreak havoc on your company, forcing a shutdown and loss of clientele. They might want to steal inside information and blackmail your organization with their findings. OT used in Public Services or utilities may see actors attempting to provoke terror or fear. There are numerous reasons your organization may be a desirable target.
The addition of new technology can help protect, or audit, an old system, but be mindful that it can also provide an entry point for bad actors. Once a PLC or HMI is connected to an unprotected or inadequately protected network, there is potential for it to be hacked and information lost/stolen. Likewise, if an attacker gains access to the network that’s connected to the HMI on your machine, they may be able to control and monitor that machine.
Risk doesn’t always originate from outside forces; there can be threats within the walls of your organization. Employees often inadvertently create risk through carelessness or misunderstanding. It might be as innocent as an employee needing to charge their phone, seeing an open USB port on a machine, plugging it in, and unknowingly creating an opportunity for the network to be scanned by outside parties. Leaving default configurations or not applying appropriate embedded security controls are other examples of how employees can unconsciously put your organization at risk.
Sometimes employees may be aware of their wrongdoing but continue due to self-interest. Perhaps an employee wants to leave work early on a given day, so they alter (hack) functionality to speed up production.
Then, there’s the bad apple employee who deliberately wants to create chaos. Let’s say you have an employee who wants time off but can’t get approval the conventional way, or they feel underappreciated. They could decide to disrupt production by hacking the network (this hack doesn’t have to be very complicated or technologically advanced), causing a machine to malfunction. Now they get their time off, or possibly fix the machine to become a hero and feel adequately appreciated. Employees continue to baffle management with the lengths they will go to get their way.
Only YOU Can Prevent OT Threats
If your OT technology has been compromised, whether by an external force or someone within your company, the consequences are the same. Your organization could face broken machinery, health and safety concerns, or legal implications (loss of client information or hazardous waste spills).
Every day that goes by without implementing proper OT Security measures is another day of increased security risk. If an incident does happen, it can be detrimental. The time, resources, and cost of rebuilding can not only hinder a company’s production but put an end to it completely.
Having the correct OT Security controls in place can shield your organization and its production immensely. Here are just a few things you can do to increase your organization’s OT Security:
OT Network Monitoring and Asset Discovery (SIEM Reporting)
- Help identify the source of an attack by proactively implementing thorough event logging within your environment.
- Utilize firewalls to help segment and segregate access between and within OT and IT networks.
OT Security Professional Services
- Defend your OT by proactively performing risk assessments, strategic planning, policy development, and architecture and design.
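The two monitoring controls above, thorough event logging and firewall segmentation between IT and OT, are most useful when someone actually reviews the logs the boundary firewall produces. The following Python script is an added example, not code from the presentation or from Pratum: it parses a handful of constructed firewall log lines (a hypothetical key=value format, not any particular vendor's) and applies a simple IT-to-OT segmentation policy and an OT asset inventory. The subnets, the allowlist (a data historian at 10.10.5.20 polling Modbus/TCP on port 502) and the inventory are all assumptions chosen for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines from a hypothetical IT/OT boundary firewall.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z action=allow src=10.10.5.20 dst=192.168.100.10 dport=502 proto=tcp
2024-05-01T08:00:04Z action=allow src=10.10.7.33 dst=192.168.100.11 dport=44818 proto=tcp
2024-05-01T08:00:09Z action=allow src=192.168.100.10 dst=192.168.100.11 dport=502 proto=tcp
2024-05-01T08:00:12Z action=allow src=192.168.100.57 dst=192.168.100.10 dport=502 proto=tcp
2024-05-01T08:00:15Z action=deny src=10.10.9.8 dst=192.168.100.10 dport=22 proto=tcp
2024-05-01T08:00:20Z action=allow src=10.10.5.20 dst=192.168.100.10 dport=3389 proto=tcp
"""

OT_NET = ipaddress.ip_network("192.168.100.0/24")  # assumed OT/ICS segment
IT_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed corporate IT segment

# Segmentation policy (assumed): the only IT->OT traffic the design permits is the
# data historian polling PLCs over Modbus/TCP. Everything else crossing the
# boundary should not be happening, even if the firewall currently allows it.
ALLOWED_IT_TO_OT = {("10.10.5.20", 502)}

# Known OT asset inventory (constructed). Any OT address outside this set is a
# device nobody has documented: a new install, a misconfigured host or a rogue box.
KNOWN_OT_ASSETS = {"192.168.100.10", "192.168.100.11"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Flow:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["action"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def in_net(ip, net):
    return ipaddress.ip_address(ip) in net


def analyze(log_text, ot_net=OT_NET, it_net=IT_NET,
            allowed=ALLOWED_IT_TO_OT, known=KNOWN_OT_ASSETS):
    """Return policy violations, blocked boundary attempts and unknown OT assets."""
    violations, blocked, unknown = [], [], set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        # Asset discovery: every OT address seen in traffic is checked against the inventory.
        for ip in (f.src, f.dst):
            if in_net(ip, ot_net) and ip not in known:
                unknown.add(ip)
        # Segmentation check: flows from the IT segment into the OT segment must match
        # the allowlist. A deny is the firewall doing its job (but worth knowing about);
        # an allow outside the policy is a rule gap that needs fixing.
        if in_net(f.src, it_net) and in_net(f.dst, ot_net):
            if f.action == "deny":
                blocked.append(f)
            elif (f.src, f.dport) not in allowed:
                violations.append(f)
    return {"violations": violations, "blocked": blocked, "unknown_assets": unknown}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["violations"]:
        print(f"POLICY GAP  {f.ts} {f.src} -> {f.dst}:{f.dport} was allowed")
    for f in report["blocked"]:
        print(f"BLOCKED     {f.ts} {f.src} -> {f.dst}:{f.dport}")
    for ip in sorted(report["unknown_assets"]):
        print(f"NEW ASSET   {ip} seen on the OT segment but not in inventory")
```

Run against the sample, the script reports two policy gaps (an unknown IT host reaching an OT device on 44818, and the historian being allowed RDP to a PLC), one blocked SSH attempt whose source the log lets you name, and one OT address that is missing from the inventory. In practice the same logic would run inside a SIEM over the real boundary firewall feed, and the "policy gap" output is the list of firewall rules to tighten.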
Keeping up in today’s world requires interconnectivity. Adding a new vector of access to a piece of equipment will likely enhance your entire operation. However, without proper security you also enhance your vulnerability to threats. The key to success when converging OT and IT is to evolve your security practices to keep up with the ever-changing threat landscape.