SSV Software Systems

Klaus-Dieter Walter | Meinrad Happacher,

Optimize OT/IT cybersecurity holistically

In many organizations, networked IT and OT infrastructures are two completely separate worlds. From a functional point of view, this can remain so in the future. However, the new legal requirements for cyber security demand a common working level.

© Sikov|stock.adobe.com

IT networks in companies are usually first planned and then implemented according to the context. Security aspects are normally taken into account during planning. This includes, for example, segmentation into subnetworks for servers and workstations as well as a central access point to the Internet. In many cases, a separate WLAN is even provided for visitors. Considerable thought is also given to access rights within the entire network infrastructure; after all, legal data protection regulations must be complied with, which is why access to the personnel or customer database from the visitor WLAN must be prevented. Furthermore, there is a basic distribution of roles with at least two groups of people: a very specific one whose members are allowed both to carry out installations and to change the configuration settings of systems and equipment (the administrators), and all others, who are only allowed to use these components as intended. Due to the complexity of corporate IT and its importance for day-to-day operations, practically every IT landscape also includes internal or external experts who ensure the smoothest possible 24/7 availability. In larger companies, there is even a manager responsible for the IT systems. Through this IT manager or Chief Information Officer (CIO), the overall responsibility for cyber-secure IT operations is also anchored in the management team.


Figure 1: Various scenarios are possible for the connection between OT and IT applications. From a cyber security perspective, each individual application should preferably have a suitable connection process that is integrated into the company's internal IT management by the respective operator and for which monitoring, patch and update management as well as event detection also exist.

© SSV

It can be assumed that all experts follow a state-of-the-art IT operating process that regulates other elementary tasks such as data backup, monitoring, patch and incident management in addition to administrative activities. As a result, vulnerabilities and potential risks in relation to cyber security are generally known and monitored by experts.

Create structures

Regardless of the size of the company, networked automation applications, and in many cases also the existing IoT applications, are not regarded, in whole or in part, as a direct component of the company's IT and are therefore not included in the security considerations and management processes of the IT experts. However, in view of the requirements of the EU NIS 2 directive on network and information security, it seems sensible to assign operational technology (OT) to IT, at least in terms of security, and to integrate it into the network segmentation concepts. One technical challenge here is the diversity of OT networking. Here are three examples:

  • Direct network-to-network connection: An OT application runs together with other software functions within a separate OT network. The IT application can access the OT application via a dedicated connection interface between the two networks. In exceptional cases, the OT application can even establish a connection to the Internet via the IT network, for example to carry out remote maintenance on certain OT assemblies, although this would be a security-critical process that is very difficult to control.
  • Direct machine-to-network connection: An individual machine, and therefore the OT application of that machine, is integrated directly into the IT network via the respective connection process and can therefore be used by an IT application like any other service within the IT network. Depending on the settings of the responsible IT administrator, the machine can also be granted Internet access, which is critical in terms of security, so that the desired remote access option is available, for example, for a predictive maintenance or condition monitoring application of an external service partner.
  • Indirect machine-to-network connection: The machine has already been supplied with an integrated mobile radio modem or similar and connects independently to a cloud or cloud service via a wireless wide area network (WWAN). The IT application of the machine or IT network operator also has access to this cloud via the Internet, for example in order to communicate (indirectly) with the machine's OT application. In this case, the operator can only control the connection between the IT application and the cloud. The OT connection interface, i.e. the connection process to the cloud, is usually managed by the OT application provider, typically the machine manufacturer or the IoT service partner.

Objective: Defense in Depth

A suitable approach for cyber-secure OT/IT integration first analyzes and documents the data flow of each individual application connection in Figure 1, if necessary with the help of special tools such as network sniffers that also recognize OT protocols such as Modbus, OPC UA or Profinet, in order to create the prerequisites for the next steps. The aim is to design a connection process for each individual OT/IT connection that takes its specific security risks into account. The table provides an overview of the security risks for OT and IT applications based on the STRIDE model. This makes it possible to carry out effective as-is analyses for OT/IT integrations, determine the individual risks with the help of a metric and develop suitable countermeasures.

| Threat | Description/example |
|---|---|
| Spoofing (identity concealment) | Various types of authenticity problems, e.g. the unauthorized use of another person's authentication information (user name, password) to log on to and use an IT system. |
| Tampering (manipulation) | Integrity aspects of stored or transmitted data, etc. For example, the malicious modification of a dataset (the contents of a database) or of a data transmission (a targeted attack on a transmission channel in order to change the data sent and thus provide the recipient with manipulated information). |
| Repudiation (denial) | Non-repudiation of an action. All user actions in an IT system or IT process should be clearly attributable. If, for example, a certain file is deleted on a server and there is no legally sound logging of user activities, practically any user with the corresponding access rights could have carried out the action and could still deny it. |
| Information disclosure (data breach) | Loss of confidentiality because, for example, a user without the appropriate access rights can read the content of a file, or the data on a transmission channel can be read due to missing or weak encryption. The loss of confidentiality of authentication information in particular can have serious consequences. |
| Denial of service | Availability problems of a certain service due to sabotage. If, for example, a web server is flooded with a large number of "pointless" requests so that "normal" requests for a website can no longer be processed due to overload, this is referred to as a denial of service (DoS) attack. |
| Elevation of privilege (extension of rights) | Authorization challenges, e.g. through the unauthorized expansion of user rights. Each user of an IT system should only have the rights absolutely necessary to perform the respective tasks. If a normal user is granted additional rights, e.g. administrator rights to run certain programs, this can lead to considerable damage. |

With detailed knowledge of the data flow between OT and IT applications and the protocols used for this, plus a threat analysis that is as comprehensive as possible, a context-related connection process can then be developed. It should be noted that there are significant differences between IT and OT applications in terms of threats and risks. In the case of attacks in IT environments, spoofing and privilege escalation are very often possible methods of gaining unauthorized access to certain data sets. This can lead to considerable damage for the affected company. In the OT environment, on the other hand, unauthorized data access is less risky: the confidentiality of a machine's condition monitoring status data has a manageable value for attackers; ensuring data integrity is often the bigger problem. On the other hand, OT systems offer numerous possibilities for denial of service attacks, which can also cause a great deal of damage, for example by manipulating the real-time behavior of a controller or manipulating sensors. In this respect, an effective threat analysis in practice definitely requires cooperation between IT and OT experts.
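The data flow documentation step described above, as an added example that is not part of the original article: a small passive inventory that takes sniffer-style records (source, destination, destination port, payload), recognizes Modbus/TCP by parsing the MBAP header, and separates read from write function codes so that integrity-relevant flows stand out. The addresses, payloads and port-to-protocol mapping are constructed assumptions; Profinet real-time traffic runs directly over Ethernet and is therefore not covered here.

```python
import struct
from collections import Counter

# Modbus function codes that write to coils or registers (integrity-relevant in OT).
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}
# Assumed port-to-protocol mapping for classifying captured TCP flows.
PORT_TO_PROTO = {502: "Modbus/TCP", 4840: "OPC UA"}

def parse_mbap(payload: bytes):
    """Parse the 7-byte Modbus/TCP MBAP header plus the function code.
    Returns None for truncated frames or frames whose protocol id is not 0."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc, "write": fc in MODBUS_WRITE_FC}

def build_flow_inventory(records):
    """Aggregate one-directional flows (src, dst, protocol) and count
    Modbus reads, writes and malformed frames per flow."""
    flows = {}
    for src, dst, dport, payload in records:
        proto = PORT_TO_PROTO.get(dport, f"tcp/{dport}")
        entry = flows.setdefault((src, dst, proto), Counter())
        entry["frames"] += 1
        if proto == "Modbus/TCP":
            mb = parse_mbap(payload)
            if mb is None:
                entry["malformed"] += 1
            elif mb["write"]:
                entry["writes"] += 1
            else:
                entry["reads"] += 1
    return flows

def modbus_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame (used only to construct sample records)."""
    body = bytes([unit, fc]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body

# Constructed sample capture: an IT host reading and writing registers on a PLC,
# a second host sending a truncated frame, and an OPC UA connection to another device.
SAMPLE = [
    ("10.1.0.20", "192.168.50.5", 502, modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    ("10.1.0.20", "192.168.50.5", 502, modbus_frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\xff")),
    ("10.1.0.99", "192.168.50.5", 502, b"\x00\x03\x00\x00"),
    ("10.1.0.20", "192.168.50.6", 4840, b"HELF\x00\x00\x00\x00"),
]
```

Running `build_flow_inventory(SAMPLE)` yields one flow with a write from the IT side, which is exactly the kind of connection whose process must be designed with tampering in mind.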

In the subsequent implementation of a secure connection process, the segmentation concepts commonly used in the IT world can be applied: virtual LANs (VLANs), dedicated firewall systems such as next-generation, layer 4 or layer 7 firewalls, and general-purpose gateway systems. However, special-purpose components such as unidirectional gateways (data diodes) may be required to securely isolate OT and IT networks. It should also be borne in mind that many components within the OT network may never receive a patch that eliminates identified vulnerabilities as part of a software update.

The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.

© SSV

Together with the connection process, system modules for logging OT/IT data traffic and measures for detecting security-relevant events should also be implemented wherever possible; see the IEC 62443 minimum requirements for logging and cyber attack detection as well as the BSI's "SzA" (Systeme zur Angriffserkennung, attack detection systems). Such an OT/IT connection process forms a solid starting point for continuously developing the entire OT/IT cyber security into a multi-layered defense in depth concept. More on this in the next part of this series.
