By almost any objective measure, OT networks and devices are “behind” the evolution of similar networks and tools in IT. Mostly born out of necessity in the IT world and obscurity in the OT world as discussed in part 3 of this blog series: How to bridge the OT / IT knowledge gap
“Just do what those guys did” can be a compelling impulse that on its surface may seem like a safe path. Here are some considerations to take into account
Firewalls deployed in OT networks tend to be very simplistic due to the architecture of the networks (flat for the most part) and the almost complete lack of visibility and transparency as to what’s actually happening on the network.
A firewall is only as good as the individual or the team configuring and supporting it. And without full visibility into the network no matter how good your infosec team is, the firewall is going to be configured in broad strokes that does not provide the level of granularity that would enable the highest level of detection and protection.
We’ll discuss detection more in the next section after IDS / IPS but it applies to firewalls as well.
IDS / IPS
Next up in the evolution of infosec in IT networks was Intrusion Detection and Intrusion Prevention Systems. These technologies were primarily signature based, looking for particular patterns in the network traffic to identify malicious activity. They have evolved to include some 3rd party intelligence (which may not be applicable in truly air gapped networks) as well as some behavioral “signatures” as well. But by and large these proven technologies are IT centric for likely IT threats against likely IT systems.
Not to mention that they are very prone to false positives. It’s the nature of the solution; if you want it sensitive enough to identify “low and slow” or “quiet” attacks, you are going to get some alerts indicating potential malicious activity when there is none.
As a result, these systems tend to generate “busy” work for the security personnel monitoring them through the noise they make while running. A solution that generates 100 false positives for every valid match quickly leads to “security fatigue”. This often leads to “squelching” the configuration so only the most egregious examples cause an alert to be generated, but obviously that hinders the ability to identify major instances of malicious activity.
And what about detection? How are these events and alerts from Firewalls and IDS / IPS systems being captured, stored, forwarded, and analyzed? Adding remote storage and retrieval capabilities to hundreds of remote locations can be untenable and would mean back-hauling useful information that would allow seamless analysis.
And there is the not so trivial issue of either retaining a service or building in-house staff that can perform event and alert analysis, extract threat intelligence, and respond in a timely manner which tends to lead to these devices being monitored by a secondary system, checked manually, or not monitored at all.
Managed Switches present a significant hurdle within many OT infrastructures to deploying tools like IDS / IPS which requires all traffic to flow through the security tool either directly or through some sort of mirrored or SPAN port.
Many OT networks do not need managed switches for their networking requirements. Usually, we see non-managed, highly simplified hub type switches which can be easily compromised both physically and logically. Security concepts like switchport security and VLANs are not applicable with unmanaged switches.
Deception technologies and traditional honeypots show promise for identifying unknown attackers and attack types. This remains one of the biggest challenges for any information or operational security professional. However, just like in IT, there is one very huge “barrier to entry” and one significant drawback with traditional deception technologies.
The barrier to entry is the need to have available security analysts that can derive value from the activity uncovered by deception tools and techniques. Identity and attribution of potential nation states or known threat actors and understanding of the tools, tactics, and techniques used by those actors is non-trivial. Many organizations are unable to build and maintain the necessary staff and teams required.
The significant drawback is the disconnect between these deception technologies (inlcuding traditional honeypots) and the ability to prevent or contain the threat actor. Detection without the ability to quickly affect prevention may not meet the level of risk reduction and mitigation desired.
Endpoint security agents, a favorite within IT especially for high value and criticality assets, are a non-starter for many OT devices and systems due to proprietary operating systems, physical inability or lack of access and permissions to add software, or integration issues with vendors.
In general, the operations personnel will be highly resistant to adding any software that is not provided and supported by the OT device vendor.
One of the cornerstones of modern IT security management is the aggressive vulnerability management process. Programs that include a regular assessment of vulnerabilities, risk rating for prioritization, and application of patches significantly reduce the threat vectors for exploitation in an IT infrastructure.
Actively scanning many OT networks and systems with traditional tools like a port or application scanners may prove too strenuous for them either impacting their performance significantly or knocking them offline altogether.
OT requires purpose-built, usually passive scanners that listen to traffic on the network in an effort to identify, classify, and assess the types and state of OT assets. These systems also have their drawbacks which we will discuss in more detail in part 5 of this blog series: Why existing OT security tools fall short.
Even for systems that use COTS operating systems, that have known vulnerabilities, where vendor support may not exist or be declared end-of-life; the potential disruption to operations and processes or the remote and distributed nature of OT devices may make applying patches a daunting prospect.
Taking inventory of all these potential IT security tools and techniques, it starts to become clear that securing OT networks and devices will require purpose built tools.
Continue on to part 5 of this blog series: Why existing OT security tools fall short.
PacketViper OT360 is a dynamic, contextual, preventative solution that can deliver OT security. It can work on the OT/ IT boundary of an organization's infrastructure, within plant facilities to provide protection internally and between the plant and distributed assets, and within remote OT locations to provide prevention and containment.