
The OT infrastructure challenges

This blog is part of a series of blog posts about securing critical infrastructure and Operational Technology (OT) networks and systems.

Originally, before Ethernet and TCP/IP became ubiquitous, OT networks were geared towards transmitting information either as purely electrical On/Off signals or as point-to-point serial data, using voltage levels on a limited number of sending and receiving wire pairs. Standards like RS-232 were formulated by the Electronic Industries Association (EIA) to codify and standardize inter-device communications.

But there were many limitations, including the need to designate each end of the link as either Data Terminal Equipment (DTE) or Data Circuit-terminating Equipment (DCE). Voltage differentials could cause grounding and communication problems, cable lengths were restricted to 15m or less, and there was no multi-point or multiplexed communication.

Many of these limitations were overcome with the development of RS-485 by the Telecommunications Industry Association and Electronic Industries Alliance (TIA / EIA). Now industrial control system (ICS) networks could operate in electrically noisy environments, cable runs could be much longer, transmission speeds could be higher, and multi-point, multi-drop networking was possible.

However, RS-232, RS-485, and similar standards define only the physical networking infrastructure. The protocols used to carry information over such links are not defined by these standards, which is how protocols like Modbus, Profibus, and DH 485 came to emerge. Roughly 100 widely recognized protocols for ICS-type devices exist.
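To make the split between wire standard and protocol concrete, here is an added example (not code from the original post or from PacketViper) that decodes the Modbus RTU framing that typically rides on RS-485. The serial standard only moves bytes; the protocol defines the unit address, function code, payload and a CRC-16 trailer. The frames below are constructed samples; the 0x01/0x03 request is the familiar "read ten holding registers from unit 1" example, and the read/write function-code sets are the ones a passive monitor would use to log state-changing traffic separately from plain reads.

```python
"""Modbus RTU frame encoding and decoding with CRC-16 validation.

Added example, not PacketViper code.  Layout of an RTU frame on the wire:
    [unit address][function code][data ...][CRC low byte][CRC high byte]
"""
from __future__ import annotations

# Function codes a passive monitor would treat as reads vs. writes.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}        # coils, inputs, holding/input registers
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}       # single/multiple coil and register writes


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS: polynomial 0x8005 bit-reflected (0xA001), init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble a frame and append its CRC (sent low byte first, per the RTU spec)."""
    body = bytes([unit & 0xFF, function & 0xFF]) + payload
    crc = modbus_crc(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_rtu_frame(frame: bytes) -> dict:
    """Split a captured RTU frame into fields and verify its CRC.

    Raises ValueError for frames too short to carry address, function and CRC.
    An exception response has the high bit of the function code set.
    """
    if len(frame) < 4:
        raise ValueError("frame too short for Modbus RTU (need unit, function, 2 CRC bytes)")
    body, crc_bytes = frame[:-2], frame[-2:]
    received_crc = crc_bytes[0] | (crc_bytes[1] << 8)
    unit, raw_function = body[0], body[1]
    function = raw_function & 0x7F
    if function in READ_FUNCTIONS:
        kind = "read"
    elif function in WRITE_FUNCTIONS:
        kind = "write"
    else:
        kind = "other"
    return {
        "unit": unit,
        "function": function,
        "is_exception": bool(raw_function & 0x80),
        "kind": kind,
        "data": body[2:],
        "crc_ok": received_crc == modbus_crc(body),
    }


if __name__ == "__main__":
    # Constructed sample: read 10 holding registers starting at 0 from unit 1.
    request = bytes.fromhex("01030000000ac5cd")
    print(parse_rtu_frame(request))
    # Constructed sample: write value 3 to holding register 1 on unit 1.
    print(parse_rtu_frame(build_rtu_frame(1, 0x06, bytes.fromhex("00010003"))))
```

Because the CRC is computed only over the frame body, a sensor tapping the RS-485 bus can validate frames and classify them without participating in the conversation, which is the low-impact way to observe legacy segments.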

Many of these protocols are proprietary to a specific manufacturer or product family. Interconnecting devices from multiple manufacturers therefore often requires specialized systems to act as translators or converters before they can find any common communications ground.

In comes Ethernet and TCP/IP to save the day! Suddenly there is a multitude of choices for inexpensive, high-performance networking of systems and devices, using well-defined, vendor-neutral methods of communication that reach not just the 1000m possible with RS-485 but the thousands of miles connecting networks across continents and to the cloud.

However, this new connectivity and openness has caused some problems. Prior to Ethernet and TCP/IP, all the limitations of ICS communications provided the illusion of, and in some cases actual, security for these networks and devices. Air-gapped networks were a set of devices associated with a plant, control process, and remote locations that were not physically capable of communicating with anything outside their little "clique". This complete isolation provided security for those devices and systems.

Prior to Ethernet and TCP/IP, having many protocols, some intentionally obscure or just poorly documented, meant that even if you got access to a physical network, there were significant challenges to understanding the information being communicated, whether to eavesdrop on it or to inject meaningful changes into it successfully.

Essentially, OT networks were dragged from a circumstance where a successful attacker:
  • Would need to have physical access to the network
  • Would likely need specialized equipment to connect to it
  • Would need significant knowledge of the devices and the specific communication protocols in use
to a situation where a successful attacker:
  • Could potentially be located anywhere in the world
  • Can use any laptop to connect to it
  • Has an abundance of open source tools available to capture packets, run protocol analysis, discover vulnerabilities, and exploit critical resources.
That does not mean that implementing Ethernet and TCP/IP in OT networks automatically makes air gaps go away. However, when you combine it with the pressures discussed in part 2 of this blog series, The business drivers acting on OT, it's easy to see why the promise of integrating OT networks into a larger IT infrastructure would be a strong siren song that leaves air gaps behind as wreckage in the name of progress.

And just because Ethernet and TCP/IP have been brought into the OT network space doesn't mean that the older devices, communication networks, and protocols have disappeared. Companies have made significant financial investments in this technology, and it has a proven track record of reliability, safety, and productivity. In short, from an electrical or process engineer's perspective, it's not broken and doesn't require fixing.

So in many cases you now have devices that were designed to run on closed networks with limited throughput and proprietary protocols attached to an Ethernet network capable of transmitting at 1Gb/sec. As we will discuss further in part 3 of this blog series, How to bridge the OT / IT knowledge gap, many IT tools can easily "knock over" or overwhelm legacy OT devices, because those devices weren't designed to handle the speed and volume of data that drives the IT environment.

Also, due to their age, many of these systems and devices have been end-of-lifed by a manufacturer that wants to give customers an incentive to buy the updated systems and devices. The manufacturer no longer provides support and maintenance for these devices, including security and resiliency updates and patches. One study published by the HIPAA Journal in January 2022 found that half of medical devices have known but unpatched vulnerabilities, an alarming finding that deserves attention.

Therefore, we have comparatively fragile devices that may have known or unknown vulnerabilities which cannot be patched for a number of reasons:
  • The process is critical and the devices are working as desired
  • The related costs of shutting down and restarting interconnected processes are very high
  • The manufacturer is no longer supporting the device
Finally, gaps in device management and security hygiene aren't limited to a lack of patching and updating. Account management has also been an issue. After finding, exposed online, the administrator credentials of a third-party company that provided security cameras and their access, attackers breached thousands of security cameras deployed across multiple companies, jails, hospitals, and other organizations.

Afterwards, in some cases, the attackers were able to move laterally and gain access to other areas of the corporate networks within these organizations. As connectivity between IT and OT increases, OT systems become a more likely attack vector into the larger organization.

Continue on to part 2 of this blog series: The business drivers acting on OT.
PacketViper OT360
PacketViper OT360 is a dynamic, contextual, preventative solution that delivers OT security. It can work at the OT/IT boundary of an organization's infrastructure, within plant facilities to provide protection internally, between the plant and distributed assets, and within remote OT locations to provide prevention and containment.

To learn more about OT360, please visit https://www.packetviper.com/OT360