
Security

Christian Koch | Meinrad Happacher

Vulnerability management in production

Vulnerability and patch management are well established in office IT. Not so in production environments, where cyber attacks have an easy time of it.

© Pixabay

Change, configuration and patch management, together with the operation of an information security management system (ISMS), are the cornerstones of reliable IT infrastructure operation in the office world. Those responsible for security in the OT (Operational Technology) world of industrial and production facilities, on the other hand, rarely practise configuration and patch management; at best, they update the software of the OT components in use at irregular intervals.

There are historical reasons for this. When a machine is developed and built, the focus is on the functional requirements. Once the machine has been manufactured, the manufacturer installs the software, configures the system, tests the solution functionally and delivers it. Security management and incident handling requirements play only a marginal role. There are no standard processes for monitoring and evaluating vulnerabilities, the associated risks and changing security requirements during everyday operation across the entire life cycle.

The fact is that programmable logic controllers, sensors, actuators, server-based SCADA systems and the other components of OT networks are vulnerable. One reason is the heterogeneous communication landscape: legacy protocols continue to be used alongside newer IT protocols, often simply encapsulated in Ethernet frames or TCP/IP (Modbus/TCP, for example). Authentication and encryption are largely absent, and undocumented backdoors are practically an invitation for tailor-made attacks on OT components.


More security through transparency

As one of the first measures for greater security, companies should create transparency about the existing production system. The aim here is to detect anomalies and critical states in the processes as well as threats to individual OT components or even the entire OT infrastructure as quickly as possible and to be able to initiate defensive measures - nowadays mostly manually due to availability requirements and the low level of security maturity of OT systems. In order to identify existing vulnerabilities, companies should carry out a precise inventory of their OT networks and implement continuous monitoring.

Tools such as Continuous Threat Detection from Claroty or SCADAguardian from Nozomi Networks are suitable for this task. Supported by an external IT security specialist, companies can use these passive tools to determine the components in use, including software versions, communication protocols and communication partners. Neither tool affects the regular processes and communication in the OT network. In addition to the inventory and the vulnerabilities and risks derived from it, it is advisable to consult vulnerability databases and vendor advisories (the NVD and the ICS advisories published by CISA, for example). Entries exist for many PLCs, and they give companies a very good overview of the vulnerability situation of the products they use.

The tools from Nozomi Networks enable real-time monitoring of processes and complete ICS networks and provide companies with a precise insight into operational events. Network visualization and monitoring show details of nodes and variables, the communication relationships and contents of data packets. Threat and anomaly detection can be used to identify anomalies in behavior. Companies can also create their own rules, for example to define which external connections and which external accesses are considered legitimate. It also makes sense to have your own rules for individual risk assessment and threat detection. In very extensive environments, behavior-based anomaly detection can also incorporate the results of an AI and analytics engine.

To detect anomalous behaviour, unauthorized access and other risks, the tools define baselines as the 'normal state'. Any deviation from it automatically triggers an alarm, for example when a new end device with an unknown MAC address or a new Modbus connection is detected. Rule-based analysis complements this by detecting cyber attacks, including attacks from within, and malware of all kinds in real time.
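What such a baseline check looks like in practice, as an added example that is not part of the article and not code from Claroty or Nozomi Networks: the flow records, hosts and MAC addresses below are constructed, and the severities and the list of Modbus write function codes are assumptions. The script learns a baseline from a quiet window of captured flows, derives the asset inventory from it (the transparency step), and then flags the deviations the paragraph names: a new device, a new connection and a Modbus function never seen before on that connection, with writes treated as high severity.

```python
"""Passive baseline monitoring of an OT network segment.

Added example, not code from the article, Claroty or Nozomi Networks. The
flow records are constructed by hand to look like what a passive sensor on
a SPAN port would extract; nothing here touches the network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                   # e.g. "modbus", "s7comm", "https"
    func: Optional[int] = None   # Modbus function code, if proto == "modbus"


# Modbus function codes that write to the process (coils / registers).
# A first-seen write from any host is worth a high-severity alert (assumption).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


class Baseline:
    """The 'normal state', learned from a quiet learning window."""

    def __init__(self) -> None:
        self.macs: set[str] = set()
        self.conns: set[tuple[str, str, str]] = set()       # (src_ip, dst_ip, proto)
        self.funcs: dict[tuple[str, str], set[int]] = defaultdict(set)

    def learn(self, flows: Iterable[Flow]) -> "Baseline":
        for f in flows:
            self.macs.add(f.src_mac)
            self.conns.add((f.src_ip, f.dst_ip, f.proto))
            if f.proto == "modbus" and f.func is not None:
                self.funcs[(f.src_ip, f.dst_ip)].add(f.func)
        return self

    def inventory(self) -> dict[str, set[str]]:
        """Asset list derived purely from observed traffic: host -> protocols."""
        inv: dict[str, set[str]] = defaultdict(set)
        for src, dst, proto in self.conns:
            inv[src].add(proto)
            inv[dst].add(proto)
        return dict(inv)

    def detect(self, flows: Iterable[Flow]) -> list[tuple[str, str, str]]:
        """Return (kind, severity, detail) for every deviation from the baseline."""
        alerts: list[tuple[str, str, str]] = []
        for f in flows:
            if f.src_mac not in self.macs:
                alerts.append(("new_device", "medium",
                               f"unknown MAC {f.src_mac} seen as {f.src_ip}"))
            if (f.src_ip, f.dst_ip, f.proto) not in self.conns:
                alerts.append(("new_connection", "medium",
                               f"{f.src_ip} -> {f.dst_ip} via {f.proto}"))
            if f.proto == "modbus" and f.func is not None:
                known = self.funcs.get((f.src_ip, f.dst_ip), set())
                if f.func not in known:
                    sev = "high" if f.func in MODBUS_WRITE_FUNCS else "low"
                    alerts.append(("new_modbus_function", sev,
                                   f"{f.src_ip} -> {f.dst_ip} function {f.func}"))
        return alerts


# Constructed learning-window traffic: an HMI polling a PLC, an engineering
# workstation talking S7comm to the same PLC, a historian pulling from the HMI.
HMI, EWS, PLC, HIST = "10.1.0.10", "10.1.0.11", "10.1.0.20", "10.1.0.30"
LEARNING_FLOWS = [
    Flow("00:11:22:00:00:10", HMI, PLC, "modbus", 3),    # read holding registers
    Flow("00:11:22:00:00:10", HMI, PLC, "modbus", 1),    # read coils
    Flow("00:11:22:00:00:11", EWS, PLC, "s7comm"),
    Flow("00:11:22:00:00:30", HIST, HMI, "https"),
]

# Constructed live traffic: normal polling, then a laptop with an unknown MAC
# writing registers, then the known HMI issuing a write it never issued before.
LIVE_FLOWS = [
    Flow("00:11:22:00:00:10", HMI, PLC, "modbus", 3),
    Flow("de:ad:be:ef:00:01", "10.1.0.99", PLC, "modbus", 16),  # write multiple registers
    Flow("00:11:22:00:00:10", HMI, PLC, "modbus", 6),           # write single register
]


def run_example() -> list[tuple[str, str, str]]:
    baseline = Baseline().learn(LEARNING_FLOWS)
    return baseline.detect(LIVE_FLOWS)


if __name__ == "__main__":
    for kind, sev, detail in run_example():
        print(f"[{sev:6}] {kind}: {detail}")
```

The learning window has to be long enough to cover rare but legitimate traffic (maintenance sessions, recipe changes, shift-change logins), otherwise every one of them later shows up as an alarm; and, as the article notes, in most plants the alarms go to a person rather than to an automatic block, because a false positive that stops a line costs more than a short delay in response.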

Integration into the IT world of a company

At a glance: a typical IT/OT architecture.

© NTT Security

In order to bridge the security gap between the production world and traditional IT, the tools used in OT networks should be integrated into the company's Security Operations Center (SOC), or into the combined IT/OT SOC service of a specialized provider. This ensures that no new silos are created in the OT world. Ultimately, this is about implementing and adhering to a holistic security strategy that covers the traditional IT and OT worlds together; only then can existing risks be identified and mitigated in a structured manner. The basis for this is a central asset inventory as well as coordinated reactive and proactive defensive measures for incidents and attacks.

Intelligent vulnerability management

In office IT, intelligent vulnerability management has been tried and tested for many years, and its methods and principles can be applied to OT networks just as well. It begins with an inventory of the existing PLCs, sensors, actuators, server-based SCADA systems and other components of the OT network. OT asset inventories are modelled on the configuration management databases (CMDB) of office IT. Vulnerability management then evaluates, filters and prioritizes the risks associated with the individual OT components. This risk assessment is the central element, because every production environment and every OT network has an individual risk profile that has to be determined by classifying and evaluating the data and processes worth protecting. All further measures of a comprehensive vulnerability management strategy, such as the structured planning of further steps to raise OT security, build on it.

A possible architecture for secure OT environments.

© NTT Security

Vulnerability management also draws on cross-system information to support prioritization. A vulnerability in a specific OT component does not necessarily have to be patched with high priority. Real-time information from the OT threat detection sensors shows which systems are affected and which of them are actually reachable on a regular basis; the intrusion detection and prevention systems already in use may have signature updates for this vulnerability, which act as a compensating control; and if the company also maintains a CMDB, it knows which systems contain critical data. The prioritization this makes possible can also shorten and simplify patch processes considerably.

A comprehensive, intelligent vulnerability management system includes

  • Visibility: Recording of all components of the OT network including detailed information about the structure, software versions used, modules, protocols used;
  • Identification: real-time vulnerability information in a central database;
  • Prioritization: a requirement-specific vulnerability classification;
  • Management: action tracking, real-time reports, dashboards and charts;
  • Audit: auditable processes from vulnerability identification to remediation;
  • Correlation: linking identified vulnerabilities with the threat activity actually observed in the network.
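The identification and prioritization steps described above (matching the inventory against a vulnerability database, then weighting the CVSS base score by CMDB criticality, exposure observed by the passive sensor, IPS signature coverage and observed threat activity), as an added example that is not code from the article or NTT Security. Assets, advisory IDs, product names, version numbers and the weighting factors are all constructed placeholders, not real products, real advisories or a published scoring scheme.

```python
"""Identification and risk-based prioritization of OT vulnerabilities.

Added example, not code from the article or NTT Security. The asset list,
the vulnerability database and the weighting factors are constructed for
illustration; the advisory IDs and product names are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    product: str
    version: str
    criticality: str        # from the CMDB: "safety" | "production" | "support"
    exposure: str           # from the passive sensor: "it_reachable" | "cell_only" | "unreached"
    ips_coverage: set[str] = field(default_factory=set)  # advisory IDs an IPS on the path has signatures for


@dataclass(frozen=True)
class Vuln:
    vid: str
    product: str
    fixed_in: str               # versions below this are affected
    cvss: float
    exploit_seen: bool = False  # threat sensor observed matching attack traffic


# Assumed weights: a CVSS 9.8 on a cell-only PLC ends up below a CVSS 7.6 on an
# IT-reachable server that is actively being probed. Tune these per plant.
CRITICALITY = {"safety": 1.0, "production": 0.7, "support": 0.4}
EXPOSURE = {"it_reachable": 1.0, "cell_only": 0.6, "unreached": 0.3}


def vtuple(v: str) -> tuple[int, ...]:
    # Dotted numeric versions only; real firmware strings often need vendor-specific parsing.
    return tuple(int(p) for p in v.split("."))


def identify(assets: list[Asset], vulndb: list[Vuln]) -> list[tuple[Asset, Vuln]]:
    """Step 'identification': match inventory entries against the vulnerability database."""
    return [(a, v) for a in assets for v in vulndb
            if v.product == a.product and vtuple(a.version) < vtuple(v.fixed_in)]


def score(asset: Asset, vuln: Vuln) -> float:
    """Step 'prioritization': CVSS weighted by CMDB, exposure, IPS coverage and threat data."""
    s = vuln.cvss * CRITICALITY[asset.criticality] * EXPOSURE[asset.exposure]
    if vuln.vid in asset.ips_coverage:   # compensating control on the path lowers urgency
        s *= 0.5
    if vuln.exploit_seen:                # vulnerability-threat correlation raises it
        s *= 1.5
    return round(min(s, 10.0), 2)


def action(s: float) -> str:
    if s >= 6.0:
        return "mitigate now (virtual patch, segment), patch at next planned stop"
    if s >= 3.0:
        return "patch in next maintenance window"
    return "accept for now, keep monitoring"


def prioritize(assets: list[Asset], vulndb: list[Vuln]) -> list[tuple[float, str, str, str]]:
    rows = []
    for a, v in identify(assets, vulndb):
        s = score(a, v)
        rows.append((s, a.name, v.vid, action(s)))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed inventory (placeholder products) and constructed vulnerability database.
ASSETS = [
    Asset("PLC-Line1-Safety", "ExamplePLC", "2.3.0", "safety", "cell_only"),
    Asset("PLC-Line2", "ExamplePLC", "2.3.0", "production", "it_reachable", {"ADV-EX-1"}),
    Asset("SCADA-Server", "ExampleSCADA", "5.1", "production", "it_reachable"),
    Asset("PLC-Test", "ExamplePLC", "2.4.1", "support", "unreached"),  # already at the fixed version
]
VULNDB = [
    Vuln("ADV-EX-1", "ExamplePLC", "2.4.1", 9.8),
    Vuln("ADV-EX-2", "ExampleSCADA", "5.2", 7.6, exploit_seen=True),
]


def run_example() -> list[tuple[float, str, str, str]]:
    return prioritize(ASSETS, VULNDB)


if __name__ == "__main__":
    for s, name, vid, act in run_example():
        print(f"{s:5.2f}  {name:18} {vid:10} {act}")
```

The point of the weighting is the one the article makes: the highest CVSS score is not automatically the first patch. The safety PLC carrying the CVSS 9.8 finding is only reachable inside its cell, the second PLC with the same finding sits behind an IPS that already has a signature for it, while the SCADA server with a lower-rated finding is reachable from the IT network and is being actively probed, so it comes out on top. Every factor in the formula has to be auditable back to its source (CMDB entry, sensor observation, IPS signature list) or the ranking is not defensible.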

In office IT, the imperative is to close vulnerabilities promptly with patches. In OT networks, the blanket recommendation to always update all components is desirable but cannot be implemented in practice. Transparency and knowledge of the existing risks and vulnerabilities is therefore the decisive factor: it allows measures that do not disrupt operation but significantly raise the level of security, namely risk-based network segmentation, OT attack detection, detection of changes in the infrastructure and controlled remote access to the network.

However, it is not only the manufacturing companies that are called upon here, but even more so the manufacturers of control systems, sensors and actuators. They must follow a security-by-design approach from the very beginning of product development: the technical requirements analysis should already take into account the security risks currently associated with the devices and, as far as possible, those that may arise later in the life cycle. IEC 62443, the international series of standards on security for industrial automation and control systems, provides a good basis for this. Products can be certified against this standard, which is certainly a competitive advantage for any manufacturer.

Author:
Christian Koch is Senior Manager Governance, Risk & Compliance & IoT/OT at NTT Security.
