How to balance the conflict between security and interconnectivity in critical infrastructures?
  • Posted by: Demelsa Gonzalez

Antonio Marco. CISO LANACCESS

Is your operational technology (OT) environment well protected?

Living in a hyper-connected world, where the need to keep everything “online” keeps growing, means that both OT environments and critical infrastructures, which were historically isolated, now need to interconnect.

This fact, which we could regard as the natural result of digitization, implies extending networks, increasing the use of wireless and installing IoT-type devices, all of which can significantly increase the permeability of critical environments and make it easier for security incidents to materialize.

Critical infrastructures “are systems that are considered essential and the services they provide are vital for everyday operations, economics, safety and general welfare of modern societies”.

But what if a cyber attack damaged one of these critical environments? Beyond the digital impact (we all remember the WannaCry incident), there would also be the possibility of environmental damage, damage to public health, or simply putting human lives at risk. The consequences could be extremely serious, since these are undoubtedly facilities that provide essential services to society.

The Specific Protection Plans of the different infrastructures include all the measures considered necessary on the basis of the risk analysis carried out and of the threats that affect their assets, including information systems. Threats to critical infrastructures have a cyber component of enormous importance that can affect both the infrastructures themselves and all the related industrial environments that depend on technology for their control and operation.

The enormous impact of the current pandemic has forced an acceleration towards teleworking solutions, paving the way for cybercriminals, who now have a greater radius of action, especially with regard to the remote access solutions that let us reach our workplace from home and that are not always properly secured.

Differences between OT and IT

But what is OT, the great forgotten one? And what differentiates it from IT? In the industrial environment we speak of Operational Technology (OT), that is, intelligent devices such as sensors, probes, controllers, actuators, etc.; while in the corporate IT environment we refer to databases, document repositories, servers, etc. In addition, Operational Technologies are structurally different, since they are made up of a multitude of small devices spread over a wide area, the diametrical opposite of IT systems, which are usually grouped in data centers (CPDs).

Another big difference is that while in IT environments the confidentiality of information is one of the most important aspects to protect, in OT environments availability is the most critical factor. If we focus on the great technical differences that separate the two worlds, we see that the technological knowledge held by professionals in each sector is clearly different, which widens the distance between them.

From the field of cybersecurity we face great challenges. The adoption of new information technologies, together with the strong demand for connectivity, has caused technologies used in IT environments to become part of OT environments, significantly increasing the surface exposed to threats in cyberspace.

What kinds of security breaches are OT environments exposed to?

The safety of both industrial plants and critical infrastructures has been increasingly threatened in recent years, above all with the rise of different forms of cybercrime and cyberterrorism, the proliferation of web access to SCADA systems, the adoption of the cloud, mobile and BYOD (Bring Your Own Device) paradigms, and the convergence of IT technologies into the OT field.

On many occasions, the criticality and specificity of the industrial environment do not allow the same countermeasures to be implemented as in a traditional IT environment. In fact, there are clear differences between the IT and OT fields that justify the need to develop and implement specific industrial cybersecurity programs aligned with the organization’s IT security policies.

In OT environments, which are potentially more vulnerable, the guidelines and policies affecting every area of cybersecurity must be developed under continuous-improvement methodologies, since risks and threats are constantly changing and evolving. For this reason, either we increase the cybersecurity budget for the OT sector or we directly converge IT with OT, aligning the security measures of both environments. This action increases exposure, by expanding the risk area, and implies a complete redefinition of security measures and policies.

The dual IT-OT nature we have addressed, a result of the digitization of operational technologies, exponentially increases cybersecurity risks. In this sense, protecting the facilities and keeping them available becomes essential, so as not to end up in situations such as that of Hoya Corporation, the largest Japanese manufacturer of optical products, affected by a cyberattack at the end of February 2020 that impacted its OT environment and ended up causing a partial shutdown of its production lines.

Measures to minimize the scope of an attack

Considering the high value of this type of asset, aspects such as the following must be taken into account:

  • Identify the fundamental critical infrastructures and the accessory infrastructures according to their operational nature.
  • Determine the main threats and risks that could interrupt the continuity or correct operation of the plant.
  • Establish priorities, based on the type, relevance, dangerousness and harmful potential of each risk and its consequences.
  • Carry out a benchmarking study to compare the criteria and solutions that peer companies apply in industries belonging to the same sector.
  • Comparison: evaluate the different existing successful solutions for the protection of critical infrastructures.
  • Propose a program of periodic reviews and updates, which helps to maintain adequate security levels.

It is important to start from knowledge of the degree of exposure and vulnerability of the operating network. To do this, the first step is to perform a multidimensional analysis and network security audit. This analysis allows us to ensure that the IT-OT convergence procedure is adequate. Once this step is taken, it is important to go deeper and carry out increasingly granular analyses in order to capture the specific peculiarities of the environment and adapt them to the new security policies.

To achieve these objectives, early detection and the implementation of technologies that raise the level of security through safe controls and procedures are very important. But it is also necessary to follow best practices and to rely on directives such as NIS, a European directive that identifies the sectors in which the protection of networks and information systems must be guaranteed and establishes reporting requirements for cybersecurity incidents.

Specific actions and procedures

  • Performing periodic (non-invasive) IT/OT network audits, which make it possible to know the state of traffic and the existing visibility between the different network segments.
  • Comprehensive identification of all the devices that make up the network, to later analyze and detect the specific vulnerabilities associated with those systems.
  • Analysis of the network architecture, at both the physical and the logical level, to detect possible points of improvement and apply hardening measures through the use of specific security solutions.
  • Analysis of single points of failure, to improve the availability of critical networks, with the objective of increasing resilience to failures through the use of redundant network topologies.
  • Use of surveillance and intrusion detection systems, based on both behaviors and signatures, complemented if possible by deception technologies.
  • If you have a controlled pre-production or laboratory environment, it is advisable to simulate MITM (Man in the Middle) attacks, malicious traffic injection, DoS (Denial of Service) attacks, etc., to observe the results and apply the necessary corrective measures.

The human factor

The demand for connectivity has caused the technology used in IT environments to become part of OT environments, exposing some weaknesses:

  • On many occasions, the users of these technologies are not properly trained and/or are unaware of the technology they are operating.
  • But it also happens that IT personnel are sometimes unaware of which systems are deployed in OT, and therefore it is not in their power to apply the appropriate security measures and controls.
  • As a result of this lack of knowledge, plant management personnel may be unaware of the risks posed by the use of certain IT technologies.

The Internet of Things (IoT) is no longer a trend, it is a booming reality that poses great challenges in many aspects. One of them is the need to create user-level security profiles, specific for this type of hardware.

Security breaches, prevention of threats and vulnerabilities

The standardization of IT technologies in the industrial field, the proliferation of web access to systems and the indiscriminate presence of IoT, where almost any device has its own Ethernet connection, are a handicap, because it is not always possible to deploy the same countermeasures as in IT environments. For this reason, factors long since overcome in IT remain clear security gaps in OT environments, such as:

  • Outdated software: in industrial environments, updates are rarely considered or are in many cases difficult to apply.
  • Remote access control: for ease of maintenance, full access privileges are often granted to technical staff from remote locations.
  • Lack of security tools: in many cases there are no solutions to protect, audit and monitor OT systems and applications.
  • Non-secure code: manufacturers of this type of industrial solution do not always review the code of their applications and systems. This impacts resilience against attacks.
  • Training: it is essential to adopt a permanent information security awareness strategy, which avoids and mitigates dangerous behaviors.
  • Innovation: implement innovative solutions such as Cyber Deception to improve indicators of compromise (IoCs).

Control mechanisms

In order to minimize the impact of these types of threats, more and better procedures and policies specific to each type of environment must be adopted, such as:

  • Threat identification: understand external and internal threats in the field of cybersecurity, including those due to inappropriate use or lack of knowledge.
  • Identify vulnerabilities: identify all assets and understand the risks they face.
  • Assess risk exposure: determine the likelihood that vulnerabilities can be exploited.
  • Develop protection measures: reduce the impact of a threat that could end up materializing.
  • Establish contingency plans: develop an action plan to reduce the impact of threats.
  • Respond to security incidents: establish recovery mechanisms to respond and restore normality after a security incident.

Monitoring

In the Security Operations Center (SOC), in addition to monitoring all plant activity, prevention, defense, detection, response and recovery actions against cyber threats must be addressed in a coherent and structured manner, analyzing events in search of suspicious activity that could indicate a cybersecurity incident in networks, servers, applications, etc.

Key elements in monitoring and control

  • Changes in the firmware of the PLCs.
  • Latency in the responses of the PLCs.
  • Changes in the IMF firmware.
  • Failed logins in the HMI.
  • Creation of user accounts in the operating system.
  • Increase in the “payload” of data packets.
  • Changes of HW devices in PLC/RTU.
  • Surveillance of Internet exposure.
  • Failed VPN accesses, or accesses from “exotic” locations (Eastern countries, Russia, China, etc.).
  • Changes in the firewall (FW) rules.
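As an added example (not part of the original article or of Lanaccess's products), a small Python triage routine that flags several of the signals listed above when run over constructed event records; the event schema, device names, thresholds and the set of expected VPN countries are all assumptions.

```python
"""Toy OT SOC triage over constructed event records (added example, not Lanaccess code).
It flags the signals listed under 'Key elements in monitoring and control'."""
from collections import Counter

# Constructed plant baseline: expected VPN source countries, normal PLC latency, normal payload size.
EXPECTED_COUNTRIES = {"ES", "PT"}
LATENCY_MS_LIMIT = 50
BASELINE_PAYLOAD_BYTES = 64
HMI_FAIL_THRESHOLD = 3

def triage(events):
    """Return (severity, message) alerts for a list of event dicts keyed by 'etype'."""
    alerts = []
    hmi_failures = Counter()  # failed HMI logins per user; alert once, when the threshold is hit
    for ev in events:
        t = ev["etype"]
        if t == "plc_firmware_change":
            alerts.append(("high", f"firmware changed on {ev['device']}: {ev['old']} -> {ev['new']}"))
        elif t == "plc_poll" and ev["latency_ms"] > LATENCY_MS_LIMIT:
            alerts.append(("medium", f"{ev['device']} latency {ev['latency_ms']} ms exceeds {LATENCY_MS_LIMIT} ms"))
        elif t == "hmi_login_failed":
            hmi_failures[ev["user"]] += 1
            if hmi_failures[ev["user"]] == HMI_FAIL_THRESHOLD:
                alerts.append(("medium", f"{HMI_FAIL_THRESHOLD} failed HMI logins for {ev['user']}"))
        elif t == "os_user_created":
            alerts.append(("high", f"new OS account {ev['user']} on {ev['host']}"))
        elif t == "packet" and ev["payload_bytes"] > 2 * BASELINE_PAYLOAD_BYTES:
            alerts.append(("low", f"payload {ev['payload_bytes']} B from {ev['src']} is over 2x baseline"))
        elif t == "vpn_login" and (ev.get("failed") or ev["country"] not in EXPECTED_COUNTRIES):
            alerts.append(("high", f"VPN login by {ev['user']} from {ev['country']}, failed={ev.get('failed', False)}"))
        elif t == "fw_rule_change":
            alerts.append(("high", f"firewall rule changed on {ev['device']}: {ev['rule']}"))
    return alerts

SAMPLE_EVENTS = [  # constructed records, not real plant telemetry
    {"etype": "plc_poll", "device": "PLC-01", "latency_ms": 180},
    {"etype": "plc_firmware_change", "device": "PLC-01", "old": "2.4.1", "new": "2.9.0"},
    {"etype": "hmi_login_failed", "user": "operator"},
    {"etype": "hmi_login_failed", "user": "operator"},
    {"etype": "hmi_login_failed", "user": "operator"},
    {"etype": "os_user_created", "host": "SCADA-SRV", "user": "svc_maint2"},
    {"etype": "packet", "src": "10.0.5.7", "payload_bytes": 900},
    {"etype": "vpn_login", "user": "maint", "country": "ES"},
    {"etype": "vpn_login", "user": "maint", "country": "ZZ", "failed": True},
    {"etype": "fw_rule_change", "device": "FW-OT-EDGE", "rule": "permit any -> 10.0.5.0/24 tcp/502"},
]
if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The normal VPN login from "ES" and the first two HMI failures produce no alert, which is the point of baselining and thresholds rather than alerting on every event.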

Regulations and compliance

As with cybersecurity in IT, working committees have also been defined for the operational environment, which aim to develop specific standards for application in industrial cybersecurity. This committee is responsible for the development of the IEC 62443 series of standards, which is the evolution of the standards developed by the ISA99 committee of the International Society of Automation (ISA).

At the state level, to improve cybersecurity in critical infrastructures, the CNPIC and the National Cybersecurity Institute (INCIBE) jointly operate the Center for Response to Security Incidents and Industry (CERTSI), which plays an important role as a link between CNPIC and INCIBE and the Office of Cybernetic Coordination (OCC). This body acts as coordinator for the exchange of information with the European Union.

Limiting cybersecurity to purely technical controls leads to neglecting aspects as important as the organizational ones. Managing incidents, defining responsibilities and addressing requirements are vital to avoiding threats.

Strong cybersecurity protection measures applied to highly critical environments can lead to a false sense of security that makes us forget that there are many other threats requiring specific measures, because most security problems almost always come from within the organizations themselves.

In this sense, industrial organizations need to close the distance between IT and OT in order to avoid security breaches. It is essential to prevent the exploitation of any vulnerability from ending up causing permeability between environments. The main objective is to achieve true convergence: commit to a joint response, improve the indicators of compromise and create a single command that coordinates our defenses against cyber threats, with the aim of improving the organization’s degree of maturity while offering a higher level of protection to the facilities, where the fundamental factors of availability, integrity and confidentiality prevail, and placing the focus above all on creating new security policies that improve the deployment of protection measures.
