For anyone new to securing an operational technology (OT) network or industrial control systems (ICS) from cyber threats, gaining full visibility would probably seem like a logical first step. But then what? The fact is that visibility alone will not protect you. Visibility will not block intruders, protect endpoints, stop malware, segment the network, or prevent downtime. A better solution would do all that in real time rather than trying to remediate after the fact. Because once an intruder is inside your network, visibility will not get them out.
Because of the barrage of threats OT networks face, they require a two-pronged solution. Visibility, absolutely. But they also need defense-in-depth protection that detects and blocks these activities as — and even before — they happen.
To be effective, the defenses must be OT-specific, not restyled IT solutions. OT environments can be extremely delicate, often with a mix of brand-new and decades-old technology. Applications may be oil and gas production, power generation, manufacturing, water processing, or building automation. While IT traditionally prioritizes privacy, OT-native solutions are designed to prioritize continuity within these unique environments.
OT Attacks Grow More Clever, Brazen, and Common
From 2010 to 2020, there were fewer than 20 known cyberattacks on critical infrastructure. By 2021, there were more known attacks in one year than in the previous 10, which doubled again in 2022. And the attacks were more brazen, such as state-sponsored actors hijacking a delivery vehicle, infecting its OT cargo, and sending it on its way. These are the kinds of incidents traditional IT solutions are not prepared for.
A Defense-in-Depth Approach
Traditional IT security, and cloud security even more so, tends to see everything as a software problem in search of a software solution. Not so in the very physical world of automated factories or infrastructure operations, where multiple attack vectors demand a multi-pronged defense that goes beyond just visibility and provides tools to both prevent and respond to threats. Here are some practical, effective steps you can take.
Trust Nothing, Scan Everything
One way to go beyond visibility is to scan everything. Storage devices, vendor laptops, refurbished assets, and brand-new assets from the factory should all be physically scanned before connecting them to the network. Make it a policy and provide the necessary appliances in the form of portable scanning devices in vulnerable locations. These devices must make the scanning process easy and practical for facility and operations managers to comply with your security inspection policy. Proper scanning tools should also collect and centrally store asset information during every inspection, supporting both visibility and protection strategies.
Protect the Endpoints
If you’re working with a Windows-based system or you want to use agent-based antivirus technology, deploy a software solution that’s also capable of detecting unexpected system changes, such as malware, unauthorized access, human error, or device reconfigurations, and preventing them before they impact operations.
Effective endpoint protection requires a solution purpose-built for OT environments. A true OT solution will have a deep understanding of thousands of combinations of OT applications and protocols. Moreover, it will do more than just recognize these protocols; it will delve deep into read/write commands for aggressive, proactive protection.
Secure Assets in Production
In OT security, availability is everything, and a proactive OT-native solution is recommended. An OT-native solution will have a deep understanding of the protocols allowed to maintain the availability of known and trusted operations.
But defense-in-depth means going beyond identifying a potential attack or reconfiguration to actually preventing it. Thus, virtual patching, trust lists, and OT segmentation to block intrusions or prevent and isolate malicious traffic from spreading across the network are also recommended. There are OT-native physical appliances available that don’t actually touch the devices they’re protecting but simply sit on the network to detect and block malicious activity from reaching production assets.
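The two preceding sections describe an OT-native control that understands the industrial protocol, distinguishes read from write commands, and enforces a trust list so that only known hosts can issue known operations. The following Python sketch is an added example written for this page; it is not TXOne code and the article names no specific protocol. It assumes Modbus/TCP as a representative OT protocol (the MBAP header and public function codes are standard; the host addresses, unit ids and trust list are constructed for the example). It parses a request frame, classifies the function code as a read or a write, fails closed on malformed frames, and blocks any write that does not come from the engineering workstation.

```python
"""Protocol-aware trust list for Modbus/TCP requests (illustrative example, not vendor code)."""
import struct
from dataclasses import dataclass

# Modbus public function codes, split by their effect on the process.
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts unit id + function code + data.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


# Trust list: source host -> permitted function codes (constructed for the example).
# The HMI may only read; the engineering workstation may also write; anything else is denied.
TRUST_LIST = {
    "10.0.10.5": set(READ_FUNCTIONS),                          # HMI (assumed address)
    "10.0.10.50": set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS),  # engineering workstation (assumed)
}


def evaluate(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one request, failing closed on any error."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "block", f"malformed frame: {exc}"
    allowed = TRUST_LIST.get(src_ip)
    if allowed is None:
        return "block", f"{src_ip} is not on the trust list"
    name = READ_FUNCTIONS.get(req.function_code) or WRITE_FUNCTIONS.get(req.function_code)
    if name is None:
        return "block", f"function code 0x{req.function_code:02X} is not recognised"
    if req.function_code not in allowed:
        return "block", f"{src_ip} may not issue {name}"
    return "allow", f"{src_ip} {name} on unit {req.unit_id}"


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used here to construct sample traffic)."""
    body = bytes([unit, fc]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed sample traffic: (source host, frame).
SAMPLES = [
    ("10.0.10.5", build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),   # HMI reads 10 registers
    ("10.0.10.5", build_request(2, 1, 0x06, struct.pack(">HH", 5, 1))),    # HMI attempts a write
    ("10.0.10.50", build_request(3, 1, 0x06, struct.pack(">HH", 5, 1))),   # workstation writes
    ("10.0.10.99", build_request(4, 1, 0x03, struct.pack(">HH", 0, 1))),   # unknown host reads
    ("10.0.10.5", b"\x00\x05\x00\x00\x00\x02\x01"),                        # truncated frame
]


def run_samples() -> list[str]:
    """Evaluate every sample and return the decisions in order."""
    return [evaluate(src, frame)[0] for src, frame in SAMPLES]


if __name__ == "__main__":
    for src, frame in SAMPLES:
        decision, reason = evaluate(src, frame)
        print(f"{decision:5} {reason}")
```

The point of the example is the placement of the decision: it is made on the wire before the write reaches the controller, which is what the article means by an appliance that does not touch the protected device yet still blocks the command. A real product would also track sessions, handle exception responses and cover many more protocols, but the allow-by-host-and-function shape is the same.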
Don’t Stop; Attackers Won’t
OT environments are the latest front in the cyber wars because they are target-rich and very, very vulnerable. They need specialized protection because no one wants to go in on a Monday morning or after a holiday to find an alert saying, “Welcome back. There’s a breach going on.” If you’d prefer an alert that says, “There was an attempted breach at 3:00 a.m. Saturday, but it was prevented, and you’re good to go,” you’ll need an OT-native defense-in-depth approach that goes beyond visibility to prevent attacks proactively.
About the Author
Austen Byers is technical director at TXOne Networks. He leads the company’s efforts in providing design, architecture, engineering technical direction, and leadership. Byers is a sought-after thought leader in operational technology (OT) digital safety, with more than 10 years in the cybersecurity space. He has spoken at numerous industry events as a subject-matter expert to provide insight into the state of industrial cybersecurity and the intricacies of OT breaches and to provide strategies to help organizations keep their assets and environments safe.