OT security uses technologies to monitor and detect changes in the operational technology infrastructure , such as in critical infrastructures – what is important here? Palo Alto Networks explains the basics and aspects of OT security.

OT (Operational Technology) stands for operational engineering or technology in the English-dominated engineering language. The term refers to hardware and software systems used to monitor and/or control industrial plants and processes.

These are OT devices (servers, industrial robots, PLCs, conveyor belts), 5G OT devices (such as drones) and IT/IoT devices (endpoints, printers, security cameras, heating and cooling systems). These industrial processes and devices are used in critical infrastructure, utilities, power grids, manufacturing plants and traffic control systems.

The generic term OT includes many specialized systems such as process control domains, programmable logic controllers (PLCs), physical access controls, and distributed control, security, and transportation systems. This also includes SCADA systems (Supervisory Control and Data Acquisition) and building management/Automation systems, often summarized under the term ICS (Industrial Control Systems).

Although OT and IT security share some similarities, there are characteristics that differentiate OT from traditional IT systems. Perhaps the most obvious difference between IT and OT security is the direct connection of OT to the outside world. OT has the potential to impact the physical elements of society through production disruptions, public health and safety risks, environmental damage, and financial damage.

Unique requirements and ongoing convergence of IT and OT

OT environments rely on applications and operating systems that IT professionals may be unfamiliar with. When developing and operating OT systems, security and efficiency are sometimes at odds with security.

Operational technology systems have special requirements for connectivity and security, e.g. B. Uptime with high availability, security and integrity. Vulnerability patching is slow to non-existent and cyber forensics limited, if at all.

Security breaches not only affect business operations as in IT, but can also lead to process fluctuations, equipment and environmental damage or endanger personnel safety.

In the past, IT and OT were managed by separate groups and had no interdependencies. In recent years, however, the paradigm has changed. Today it is common for OT systems to be equipped with network and computer technologies. The worlds of IT and OT are converging, laying the foundation for the Industrial Internet of Things (IIoT).

The IIoT is a matrix of interconnected sensors, instruments and devices that collect and exchange data. Many industries use this data, e.g. For example, in manufacturing, oil and gas, transportation, energy and utilities, and more.

Modern OT environments must facilitate the exchange of data between machines and applications. At the same time, OT environments must be able to scale processes across physical and virtual systems. Because of this, OT systems are beginning to converge with IT systems.

The IIoT will play a key role in Industry 4.0. Converged IT/OT ecosystems will serve as conduits embedding the IIoT into the 4IR ecosystem. The integration promises numerous benefits such as improved information flow, process automation, advances in managing distributed processes, and easier compliance.

Why is OT security so important?

As the boundaries between IT and OT disappear, the attack surface for networked IT/OT systems increases. The most common attack vector for hackers is the internet. ICS sensors, instruments, and OT devices that can be accessed over an OT network are vulnerable to malicious actions. Botnets can be used for targeted attacks on critical infrastructures.

Typically, Human Machine Interfaces (HMI) that connect human operators to industrial control systems are also networked to IT infrastructures. Accessibility of HMIs over the Internet poses a major risk to ICS security. Consequently, HMIs are vulnerable to IP-based vulnerabilities such as B. Bypassing authentication and weak session management.

According to the experience of Palo Alto Networks, attackers usually penetrate ICS systems with malware. This can be generic malware or malware specifically designed to attack critical infrastructure. These infiltrations often lead to denial-of-service (DoS) attacks that paralyze or bring industrial networks and processes to a standstill. ICS and IIoT devices are also a valuable target for hackers. Whether attackers are looking to extort ransom or to sabotage rival nations by gaining access to confidential data, this is a target.

OT security risks and challenges

One of the current challenges in OT security is that it’s not possible to secure what you can’t see. Invisible vulnerabilities create exponential risk. The threats exceed the possibilities of prevention. The promise of digital transformation and connectivity in OT environments also comes with significant risks. A flood of connected devices will further increase the opportunities for attacks.

This is especially true in OT environments as OT devices are vulnerable and unprotected. There are more than 1,000 common vulnerabilities and compromises in industrial control systems, more than 80 vulnerabilities in the devices of the four largest OT vendors, and 29 percent of OT devices are vulnerable due to internet connectivity.

The consequences of security breaches in ICS are very different from typical cyber attacks. A manipulated OT system can cause damage to devices that cannot be easily replaced. Other risks include malicious changes to alert thresholds, commands, or instructions, as well as OT software infected with malware, or improperly changed OT configuration or software settings.

Disrupted or delayed data flow through OT networks could also disrupt OT operations. Erroneous data sent to system operators to disguise unauthorized changes or induce operators to take inappropriate actions is another problem.
OT security best practices

According to NIST, there are nine OT security recommendations for creating, implementing, maintaining, and continually improving an OT security program. By implementing and maintaining these best practices, organizations can create an OT security roadmap for risk management:

1. Establish OT security governance.
2. Established and trained a cross-functional team to implement the OT security program.
3. Defining an OT security strategy.
4. Definition of OT specific policies and procedures.
5. Implemented a security awareness training program in the OT organization.
6. Implementation of a risk management framework for OT.
7. Developing a maintenance tracking capability.
8. Develop Incident Response capability.
9. Development of recovery skills (recovery and restore).

Regardless of whether the environments are partially separated by air gaps or connected via a cloud, Palo Alto Networks has found that this can be achieved with a Zero Trust OT security approach.

This consists of (1) minimally privileged access control with micro-segmentation and granting of minimal access, (2) continuous trust assessment that assesses the security posture and behavior of OT devices, as well as the behavior of applications and users, and (3.) a continuous security review. The latter means that all traffic is inspected, even on allowed connections, and all threats, including zero-day threats, are prevented.

Establishing a complete and effective OT security program is a complex endeavor that differs from typical cybersecurity strategies. Ultimately, the goal is to maximize uptime by enabling operators to take targeted action to reduce and, where possible, minimize security breaches in OT environments.

Technology article by Palo Alto Networks