Three Ways to Protect Your Data
BY DANIEL COHEN-SASON, CYBERBIT
Throughout the industrial control systems (ICS) security industry, air gapping has long been a goal. For some, the process, which involves using isolation to prevent computers or networks from establishing external connections, represents an idea that IT influences are unable to exploit operational technology (OT) connections. Evidence today, however, reveals that it's wishful thinking to believe air gapping is an effective solution.
Organizations must move beyond the air-gapping myth to better identify vulnerabilities in their networks and improve security for ICS, as well as SCADA. Doing so requires acknowledging that IT and OT are converging, avoiding common mistakes within the industry and addressing security issues head on. Following are three ways to get started with this process, and shatter the illusion of air gapping once and for all.
1. Recognize the Convergence Between IT and OT.
Air gapping's believed effectiveness is a myth because it calls back to an era that dictated isolation between IT and OT. Today, there is no separation between IT and OT systems. For this reason, air gapping is no longer a realistic cybersecurity solution. To confirm this point, look no further than daily operations within your environment. For example, when your facility runs after hours, the tools that enable this activity (and invite managers to monitor it) rely on the connection between IT and OT.
To secure SCADA networks, it's critical to acknowledge the wishful thinking associated with air gapping. It's a common misperception that securing OT networks means you can focus on protecting your SCADA network and disregard the rest, but there's far more to the story. Nearly all ICS within national infrastructures and localized controller-run systems combine IT and SCADA networks. Although SCADA networks manage their own operational systems, they're usually controlled by a human machine interface (HMI) application layer, Windows or Linux, but they are not necessarily in the IT network. These layers are connected, critical to, and sometimes controlled by corporate IT infrastructure: they report to the same operation centers, the same enterprise resource planning (ERP) system and more. For this reason, most cyberattacks are multivectored, attempting to penetrate the sensitive OT networks through the more accessible IT network.
The Stuxnet attack on a nuclear plant in Iran, is a good example. It was the first-known example of weaponized malware and it penetrated an IT network to address critical OT infrastructure. As Internet of Things (IoT) technology becomes more pervasive within enterprise networks, this attack model will have the chance to evolve. In the case of Stuxnet, hackers compromised the fully air-gapped plant on multiple occasions by targeting companies working with the plant, using USB drives to infiltrate the plant, and finally reaching uranium-enriching centrifuges controlled by programmable logical controllers (PLCs). With this level of access, the malware had the autonomy to damage the centrifuges physically and digitally, showing that air gaps can be easily breached when the connectivity between OT and IT is left vulnerable.
2. Avoid Common IT/OT Convergence Mistakes
As they address the relationship between OT and IT, some organizations allow two-way communication-a common mistake with potentially disastrous results. One German steel mill suffered a cyberattack after permitting two-way communication with a monitoring interface. During the attack, the company's bi-directional communications failed to provide alerts.
Regarding industrial networks, some other organizations have a false sense of security, instilled by the antivirus software and firewalls present in the system. While these security measures are necessary, they're not designed to address every kind of attack. By failing to take basic precautions, such as changing PLC passwords and disregarding risks, many SCADA systems remain vulnerable.
3. Address SCADA Security and IT/OT Convergence Head On
Effectively securing converged IT/OT environments hinges on one detail: bringing in the right people. When professionals understand OT details, they can glean information that others can't, identify the constraints posed by critical systems, they help organizations safely live in the new reality of IT/OT harmony. For example, critical systems usually can't afford any offline time or support new security products, because doing so would negatively affect operations. By focusing on protecting systems without affecting performance, organizations can find an approach that works for SCADA, IT and OT alike.
Meeting this goal relies on embracing innovation. Remember that infrastructure systems themselves are not central to networks, as they're often distributed between regions and cities. Deploying solutions that pinpoint critical places within the network and specific traffic is vital to preserving the security of such systems. Organizations should also focus on mapping IT and non-IT communications by deploying OT security solutions, building a clear visual map of the organizational network and outlining sensitive OT/IT touchpoints. With this information, managers can closely monitor bi-directional communications between networks, reconfigure them as needed and remain one step ahead of security threats.
Of course, network security best practices should always be heeded as a guide. Forensic business intelligence (BI) tools can help create charts and graphics to visualize network activity-meaning when a threat or attack occurs, teams have an in-depth view of timelines, affected systems and how to prevent similar situations in the future. Embracing new advances within the industry, such as deep packet inspection for SCADA layers and anomaly alerts, also contributes to maintaining the system's overall health. In addition, working with security technology vendors with experience in IT/OT environments can change the game for organizations. Organizations should seek partners that can help draw maps, create system baselines and analyze unusual network behavior. If your company, like many others, lacks the bandwidth to continually monitor critical systems, the right third-party support can be the difference between a devastating breach and a close cybersecurity call.
Most SCADA systems are vulnerable to cybersecurity attacks because they're clinging to the air gapping myth. By addressing the relationship between OT and IT systems, avoiding false pretenses and common mistakes, and embracing innovation and expertise, your team can make SCADA security a reality-all while remaining on the forefront of today's security landscape.
Daniel Cohen-Sason is head of R&D for ICS security and SOC automation and orchestration products at Cyberbit. With more than 10 years of experience in software development and management of software teams, he's responsible for the overall aspects of the software-starting from marketing and product requirements throughout the product lifecycle, including design, software development, testing, manufacturing support, product documentation, delivery, customer support and POCs.