With the increasing demand for Digital Transformation, IT and OT convergence and remote access have given organizations tools to better operate the IACS (Industrial Automation & Control System). However, this has also made OT systems more exposed to cyberattacks. Attacks on industrial infrastructure, such as BlackEnergy, Crash Override and Triton/Trisis, have brought greater awareness of OT asset cyber vulnerabilities and risks.
Obtaining an accurate and detailed OT asset inventory is a foundational step for industrial organizations striving to improve their cybersecurity posture; this is fundamental to the Defence in Depth concept of reducing the attack surface. While many cybersecurity solutions and service providers talk about the Level 5 and Level 4 threat protection schemes as a single window solution to protect the OT system, protecting Level 0 to Level 3 is equally important. From Level 0 to Level 5, IT assets are 20 percent, while OT assets are 80 percent.
The asset owners are facing more challenges in protecting the IACS equipment because of the following myths related to IACS:
- IACS is not connected to the Internet or Business network
  The IACS may not be connected to the internet directly, but it may be through the business network (at Level 5). The Shodan ICS Radar can easily detect the ICS protocols (Modbus, DNP3, Ethernet/IP, BACnet, etc.) currently connected to the internet.
- Hackers Don’t Understand IACS
  Hacking has evolved from a hobbyist pursuit of notoriety to a criminal pursuit of financial gain. Portals like ICS-CERT Alerts | CISA are a double-edged sword, providing timely information about current security issues, vulnerabilities, and exploits.
- Our Facility is Not a Target
  According to industry research, the financial impact of attacks will reach $50 billion by 2023.
There are a few more common myths and misconceptions about OT cybersecurity beyond these.
What do Asset Owners want?
- Organization’s complete and comprehensive visibility of IT+OT Asset Inventory
- Detection and identification of potential vulnerabilities in IT+OT Infrastructure
- Operational and cyber risk reduction
- Configuration change management
- Compliance management as per ISA-62443/NIST/NERC-CIP
- Backup and restore of OT configuration data
A “good” OT asset inventory is a continuously updated and in-depth inventory of all systems running in the process control environment – both IT assets as well as OT assets.
OT Inventory: DCS, PLC, Communication and IO Modules, SIS, RTU, HMI/SCADA Operator Station, Smart Field Instruments (Profibus/Foundation Fieldbus/HART), Historian, Asset Management System, Network Switches, Routers, Firewalls and Windows Machines/Workstations.
A complete OT asset inventory consists of hardware, software, and firmware, manufacturer, model, version, and serial number for each of those. Level 1 and Level 0 assets are the most important and expensive. These are the devices and sensors that directly connect to process equipment, move molecules, and ensure safe and reliable production.
Network-based anomaly detection can provide some visibility into Level 2 IT devices, but not at L0 and L1, since the devices at L0 and L1 are not designed to communicate on the network the way IT devices do.
Proprietary architectures and lack of standard protocols in multi-vendor process control environments make passive Level 1 and Level 0 OT asset inventory discovery and management difficult. Level 1 and Level 0 industrial assets – the sensors and valves that control industrial processes – do not usually communicate on the network. If they do, they usually do not pass the detailed OT asset inventory and configuration information required for a comprehensive OT asset inventory over the network. Many OT assets in industrial environments do not connect to the network at all, further compounding the discovery problem. In that case, the only way to reach a 100 percent asset inventory is from the OT configuration data itself, which is a passive way of collecting data that places little burden on the traffic of the plant control network.
To address passive DPI limitations, some vendors have started to claim they can provide a “more complete” inventory by using “active” data collection methods. Active methods use native OT protocols to query IACS for information. However, active methods have their own risks. Improper targeting can disrupt OT services like shutting down the plant/processes. Existing IACS network designs may severely constrain active data collection or prohibit it entirely. Active methods are also not well suited to islanded OT systems unconnected to the network. Accurate inventory visibility from Level 2 to Level 0 requires more than passive network detection and/or active queries. While each method can provide some visibility, and passive DPI can be useful for network-based anomaly detection, neither approach provides visibility into all Level 1 and Level 0 OT assets required to ensure safe and reliable production.
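The gap between what passive DPI can see and what a complete inventory needs, as described above, is easiest to appreciate with the two data sources side by side. The following Python script is an added illustration, not Hexagon's tooling or any vendor's product code: it loads a constructed configuration export (the kind of record an engineering tool holds for each device: level, type, manufacturer, model, firmware, serial, IP) and a constructed list of passive network observations, then reconciles them. It reports which configured assets passive monitoring can never see (the IO modules and smart instruments with no IP, and an islanded RTU), which addresses appear on the network without any configuration record, per-level passive coverage, and which records lack the fields a complete inventory requires. All device names, addresses and vendors are made-up sample data.

```python
"""Reconcile an OT asset inventory from a configuration export with passive
network observations. Added example with constructed data; not a real site."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("manufacturer", "model", "firmware", "serial")


@dataclass
class Asset:
    asset_id: str
    level: int            # Purdue level 0-3
    asset_type: str
    manufacturer: str
    model: str
    firmware: str
    serial: str
    ip: Optional[str]     # None for devices that never speak IP (HART, IO modules)


# Constructed configuration export, as an engineering tool might produce it.
# RTU-102 deliberately has no firmware recorded and is islanded (never seen on the wire).
CONFIG_EXPORT = """asset_id,level,asset_type,manufacturer,model,firmware,serial,ip
PLC-101,1,PLC,VendorA,CPU-1500,4.2.1,SN-A001,10.10.1.11
IO-101-1,1,IO Module,VendorA,DI16,1.0.3,SN-A002,
RTU-102,1,RTU,VendorA,RTU-7,,SN-A003,10.10.1.12
HMI-201,2,HMI,VendorB,Panel-15,7.1,SN-B010,10.10.2.21
FT-1001,0,Smart Transmitter,VendorC,Flow-3000,2.4,SN-C100,
FV-1001,0,Valve Positioner,VendorC,Pos-200,1.9,SN-C101,
SW-301,3,Switch,VendorD,Edge-24,12.0,SN-D300,10.10.3.1
"""

# Constructed passive observations: what a DPI sensor on the L2/L3 network could infer.
# 10.10.2.99 is a Modbus talker with no configuration record at all.
PASSIVE_OBSERVED: List[dict] = [
    {"ip": "10.10.1.11", "protocol": "modbus", "vendor_hint": "VendorA"},
    {"ip": "10.10.2.21", "protocol": "opc-ua", "vendor_hint": "VendorB"},
    {"ip": "10.10.3.1", "protocol": "snmp", "vendor_hint": "VendorD"},
    {"ip": "10.10.2.99", "protocol": "modbus", "vendor_hint": None},
]


def load_config_export(text: str) -> Dict[str, Asset]:
    """Parse the CSV export into Asset records keyed by asset_id."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        assets[row["asset_id"]] = Asset(
            asset_id=row["asset_id"],
            level=int(row["level"]),
            asset_type=row["asset_type"],
            manufacturer=row["manufacturer"],
            model=row["model"],
            firmware=row["firmware"],
            serial=row["serial"],
            ip=row["ip"] or None,
        )
    return assets


def reconcile(config: Dict[str, Asset], observed: List[dict]) -> dict:
    """Compare the configuration-derived inventory with passive observations."""
    seen_ips = {o["ip"] for o in observed}
    config_ips = {a.ip for a in config.values() if a.ip}

    # Assets passive DPI cannot account for: no IP at all, or never observed talking.
    unseen_by_dpi = sorted(a.asset_id for a in config.values()
                           if a.ip is None or a.ip not in seen_ips)
    # Talkers on the wire with no configuration record: candidates for investigation.
    unknown_on_network = sorted(seen_ips - config_ips)
    # Records that fall short of the hardware/firmware/manufacturer/model/serial bar.
    incomplete_records = sorted(a.asset_id for a in config.values()
                                if any(not getattr(a, f) for f in REQUIRED_FIELDS))

    coverage: Dict[int, dict] = {}
    for a in config.values():
        entry = coverage.setdefault(a.level, {"total": 0, "passive_visible": 0})
        entry["total"] += 1
        if a.ip in seen_ips:
            entry["passive_visible"] += 1

    return {
        "unseen_by_dpi": unseen_by_dpi,
        "unknown_on_network": unknown_on_network,
        "incomplete_records": incomplete_records,
        "coverage_by_level": coverage,
    }


if __name__ == "__main__":
    report = reconcile(load_config_export(CONFIG_EXPORT), PASSIVE_OBSERVED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this sample the passive view sees every Level 2 and Level 3 device but none of the Level 0 devices and only one of three Level 1 devices, which is the point of the paragraphs above: the configuration export is the only source that lists the field instruments and IO modules at all, while the passive sensor is the only source that notices the unrecorded Modbus talker. Running both and diffing them regularly also gives a cheap first pass at the configuration change management the asset owners ask for.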
Syed Munawer, Senior Solutions Consultant, OT Cybersecurity, ALI Division, Hexagon