Myths Within The Chronicles of Cybersecurity

IT to OT And IIoT Chronicles

Get ready for a major shift in the world of state-sponsored cyberattacks.

As we witness the shifting underpinnings of power throughout the East, and soon the Middle East, these future cyberattacks will be focused on cyber-physical attacks. Taking Colonial and JBS Foods as probative exercises, we now see that China, North Korea, Iran and Russia have been testing the resilience of our critical infrastructure in order to find a destructive gateway through which they may attack in earnest, confident that we will scream Uncle.

Just in case diplomacy doesn’t work.

ICS Vulnerable And Under Attack

As most of you know, ICS stands for industrial control systems (the term is frequently used interchangeably with operational technology, OT, and even IIoT). It is a generic term for a broad variety of control systems.

ICS are the means of controlling and monitoring the industrial processes used in manufacturing, energy, utilities, chemicals and many other industrial sectors, many of which are critical.

ICS acts like an integrator, bringing hardware, software and networks together to operate our day-to-day critical infrastructure (electricity, gas, water, etc.), also known as life support systems.

ICS operations are simple, and so are their sensors, which collect remote data and send commands to the operational machinery (valves, pipelines, storage facilities, etc.) for specific actions: shutting off a valve, increasing the allowable pressure on a pipeline, raising the mix of poisonous chemicals found in water treatment plants.

Back in the Stone Age, ICS were built with a primary focus on safety, reliability, and availability. Physical gates and locks were used as primary protection mechanisms.

As a result, some folks developed mythical beliefs about ICS cybersecurity (the air gap, proprietary ICS protocols, security through obscurity) which, at the time, were sufficient to justify zero-intervention policies.

Myths Busted

Support for these beliefs was further strengthened because there was no evidence of any reported cyberattack against ICS until around 2010 or so.

The first myth is that an ICS network can be air-gapped and isolated from the internet and corporate networks.

With increasing digitalization (Industry 4.0 and smart grid networks), the air gap has eroded or disappeared altogether. OT and IT networks are, unfortunately, converging, and the result is a new threat landscape.

In addition, existing air-gapped ICS networks are being asked to share configuration files, software patches and files from system integrators or contractors.

The Stone Age left a lot of stone, but the Stone Age is over.

We See a Lot

Our marketing team is increasingly working with ICS/SCADA companies, either on the end-user side or on the factory automation side, and one of the things that has challenged us is a lack of basic understanding on the customer side of the Purdue model and the nuts and bolts of Level 0 and Level 1 devices, those controlling sensors that make things go.

And makes them stop.

We thought everyone understood that the Purdue Model serves as a sort of NIST framework for the OT network. Its levels run from 5 down to 0: level 5 is the Internet DMZ, flowing down through the enterprise DMZ at level 4 to level 3, the control layer, where communication with local points connects to human machine interfaces at level 2, and then ultimately to the level 1 controllers and level 0 field devices.

To be clear,

Level 0 defines the physical process: the physical equipment that actually does the work, known as the equipment under control. This consists of valves, pumps, sensors, actuators, compressors, etc.

Level 1 defines basic control: the control devices, such as programmable logic controllers (PLCs), that monitor and control Level 0 equipment, and the safety instrumented systems.

Both levels are about steel and stone.

But the world is now changing and in IIoT deployments, data is no longer constrained by traditional Purdue hierarchies, and in fact, data no longer lives entirely within the enterprise.

A flood of new technologies driven by digitalization initiatives, especially cloud services and 5G wireless networks, is challenging the foundational, hierarchical approach to designing and operating OT systems. In addition, the many IT solutions designed to enhance traditional OT have created an entire class of solutions typically called the Industrial Internet of Things (IIoT), which are generally composed of 3 parts:

The Big Three

  1. The Edge: Includes traditional OT equipment and an IIoT Gateway that performs a host of tasks such as data filtering, aggregation and storage and analytics, as well as device management, access control and shared communication to networks and applications;
  2. The Cloud: Aggregates data storage and analytics, event processing, process orchestration, network communication and other functions;
  3. The Enterprise: Supports backend applications such as databases and data warehouses, applications services, etc.

This combined and coalesced architecture seriously changes the Purdue Model by ignoring hierarchical levels and allowing communication directly from physical devices to cloud services or through an IIoT Gateway, where data lives unconstrained.

This new IIoT Gateway is a critical security concern because a successful attack will open up the entire OT infrastructure to attack.
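To make the conduit rule concrete, here is an added example (not the article's or any vendor's code) in Python that audits constructed flow records against an asset inventory mapped to Purdue levels; the inventory, addresses, ports and the policy itself are assumptions for this example. Flows that skip levels, or that connect an internal host below the Internet DMZ directly to an external address, are reported as violations, and flows through the IIoT Gateway are reported separately so that the one sanctioned bridge stays under watch.

```python
"""Purdue-level conduit audit over constructed flow records.

Added example, not code from the article. It assumes a hypothetical asset
inventory mapping IP addresses to Purdue levels (0-5) and flow records
summarised as (src, dst, dst_port), e.g. from a passive network sensor.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

EXTERNAL = "external"          # any address not in the inventory
Level = Union[int, str]

# Constructed inventory: Purdue level per address.
# 5 = Internet DMZ, 4 = enterprise, 3 = site control, 2 = HMI,
# 1 = PLC, 0 = field device.
INVENTORY = {
    "10.0.0.5": 0,    # pressure sensor
    "10.0.1.10": 1,   # PLC controlling the sensor's loop
    "10.0.2.20": 2,   # HMI
    "10.0.3.30": 3,   # historian
    "10.0.3.99": 3,   # IIoT gateway (sanctioned bridge to the cloud)
    "10.0.4.40": 4,   # enterprise application server
    "10.0.5.50": 5,   # Internet DMZ proxy
}
GATEWAYS = {"10.0.3.99"}   # hosts allowed to bridge levels


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    src_level: Level
    dst_level: Level
    severity: str   # "high" for a policy violation, "info" for a sanctioned conduit
    reason: str


def level_of(ip: str) -> Level:
    return INVENTORY.get(ip, EXTERNAL)


def check_flow(flow: Flow) -> Optional[Finding]:
    """Return a Finding when a flow breaks the conduit policy, else None.

    Policy (an assumption for this example): traffic may only cross between
    adjacent levels; external addresses may only touch level 5; the IIoT
    gateway is the one host allowed to break that rule, and every flow
    through it is reported as "info" so the conduit stays under watch.
    """
    src, dst = level_of(flow.src), level_of(flow.dst)
    if flow.src in GATEWAYS or flow.dst in GATEWAYS:
        return Finding(flow, src, dst, "info", "sanctioned gateway conduit")
    if src == EXTERNAL and dst == EXTERNAL:
        return None                       # not our network, nothing to judge
    if src == EXTERNAL or dst == EXTERNAL:
        inside = dst if src == EXTERNAL else src
        if inside != 5:
            return Finding(flow, src, dst, "high",
                           "external endpoint reaches below the Internet DMZ")
        return None
    if abs(src - dst) > 1:
        return Finding(flow, src, dst, "high", "flow skips Purdue levels")
    return None


def audit(flows: List[Flow]) -> List[Finding]:
    return [f for f in map(check_flow, flows) if f is not None]


# Constructed flow records for the demo.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 502),       # PLC polls its sensor: 1 -> 0, fine
    Flow("10.0.2.20", "10.0.1.10", 502),      # HMI to PLC: 2 -> 1, fine
    Flow("10.0.5.50", "203.0.113.7", 443),    # DMZ proxy to the Internet, fine
    Flow("10.0.1.10", "203.0.113.7", 443),    # PLC straight to the Internet
    Flow("10.0.4.40", "10.0.1.10", 502),      # enterprise host talks to a PLC
    Flow("10.0.3.99", "203.0.113.7", 8883),   # gateway to a cloud broker
    Flow("10.0.0.5", "10.0.3.99", 8883),      # field device to the gateway
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.severity:4} {f.flow.src} (L{f.src_level}) -> "
              f"{f.flow.dst} (L{f.dst_level}) :{f.flow.dst_port}  {f.reason}")
```

Run it as-is and the two "high" findings are exactly the two flows the article warns about: a field-level controller reaching the Internet directly, and an enterprise host reaching a PLC without passing through the control layer. The "info" findings are the gateway conduit; in a real deployment that is the stream to feed into the Level 2 to 5 monitoring.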

Companies that are stuck with the traditional Purdue Model and/or have yet to move to the coalesced architecture approach, and there are many, must continue to treat Level 0 and Level 1 security differently from Level 2 to Level 5. For example, although some valve actuators may have password protection to operate, they are nowhere near the complexity of IT encryption. Simple programming is stored on printed circuit boards (PCBs) with no password policy or hashing.

In fact, operators often disable password login or use the same default passwords so that they can configure the actuators easily for fear of getting locked out during an emergency.

Physical security remains highly important in lieu of cybersecurity and may take the form of physical locks or closed-circuit television (CCTV) monitoring.

What is Needed And Now

Companies like this ought to have implemented security devices that monitor and manage the flow of electromechanical telemetry between these Level 0 and Level 1 devices and send alerts into the stream consumed by the network monitoring software operating at Levels 2 to 5, just as a network monitoring system should.

Modifying or moving away from the Purdue Model does not mean moving away from ICS security, but it does mean that cybersecurity needs to be reconsidered at every level and that even levels themselves need to be reconsidered in today’s era of ICS protection.

Network anomaly detection and process anomaly detection are complementary but entirely different in nature.

Network detection is easily achieved by implementing Security Information and Event Management (SIEM) solutions. Systems such as Claroty, Dragos, Crowdstrike, ON2IT and Nozomi are able to detect a comprehensive list of ICS protocols for asset discovery and anomaly detection at Level 2 and above, and for those ICS implementations that have adopted the combined and coalesced network architecture, they work great.

However, network anomaly detection can only travel as far as monitored packets will allow – no packets, no monitor.

The Targets

Availability is the top priority in ICS, and the aim of a cyberattack on ICS is to cause maximum damage, with catastrophic failure and maximum downtime, by targeting the component with the longest lead time for recovery. Hence security by design and graceful degradation of the system are required. Operators must correlate malicious cyber activities with physical impact through network anomaly detection and process anomaly detection, while not forgetting physical security and verification of Level 0 and Level 1 devices.
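The division of labour between the two kinds of detection, as an added example rather than the article's or any vendor's code: a Python script with constructed telemetry for one hypothetical pressure tag, constructed engineering limits, and a constructed list of network events as a passive Level 2+ monitor might report them. The excursion is caught from the process values alone, which is what survives when there are no packets to inspect, and the network events within a look-back window are attached to each alert to give operators the correlation the text calls for.

```python
"""Process anomaly detection correlated with network events.

Added example, not code from the article. The tag, its engineering limits,
the PLC address and every event below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    ts: datetime
    tag: str
    value: float


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    src: str
    dst: str
    description: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    tag: str
    kind: str                      # "limit" or "rate"
    detail: str
    related: Tuple[NetEvent, ...]  # network events near the anomaly


# Constructed engineering limits: (low, high, max change per second).
LIMITS: Dict[str, Tuple[float, float, float]] = {
    "PIPE01.PRESSURE": (40.0, 60.0, 1.5),
}
# Constructed mapping from process tag to the Level 1 controller that owns it.
CONTROLLER_OF = {"PIPE01.PRESSURE": "10.0.1.10"}


def process_anomalies(samples: List[Sample]) -> List[Alert]:
    """Flag values outside engineering limits or changing faster than allowed."""
    alerts: List[Alert] = []
    prev: Dict[str, Sample] = {}
    for s in samples:
        lo, hi, max_rate = LIMITS[s.tag]
        if not lo <= s.value <= hi:
            alerts.append(Alert(s.ts, s.tag, "limit",
                                f"{s.value} outside [{lo}, {hi}]", ()))
        if s.tag in prev:
            p = prev[s.tag]
            dt = (s.ts - p.ts).total_seconds()
            if dt > 0:
                rate = abs(s.value - p.value) / dt
                if rate > max_rate:
                    alerts.append(Alert(s.ts, s.tag, "rate",
                                        f"changed {rate:.2f}/s, limit {max_rate}/s", ()))
        prev[s.tag] = s
    return alerts


def correlate(alerts: List[Alert], events: List[NetEvent],
              window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Attach network events that touched the owning PLC shortly before each alert."""
    out = []
    for a in alerts:
        plc = CONTROLLER_OF[a.tag]
        related = tuple(e for e in events
                        if e.dst == plc and a.ts - window <= e.ts <= a.ts)
        out.append(Alert(a.ts, a.tag, a.kind, a.detail, related))
    return out


def format_alert(a: Alert) -> str:
    """One line per alert, in a shape a SIEM can ingest."""
    return (f"{a.ts.isoformat()} PROCESS_ANOMALY tag={a.tag} kind={a.kind} "
            f"detail=\"{a.detail}\" related_net_events={len(a.related)}")


T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed telemetry: steady at ~50, then a fast rise past the high limit.
SAMPLES = [Sample(T0 + timedelta(seconds=t), "PIPE01.PRESSURE", v)
           for t, v in [(0, 50.0), (5, 50.2), (10, 49.9), (15, 50.1),
                        (20, 50.0), (25, 58.5), (30, 61.0), (35, 63.0)]]

# Constructed network events from a passive monitor.
EVENTS = [
    NetEvent(T0 - timedelta(seconds=400), "10.0.2.20", "10.0.1.10",
             "Modbus read, routine HMI poll"),
    NetEvent(T0 + timedelta(seconds=22), "10.0.4.40", "10.0.1.10",
             "Modbus write single register from a Level 4 host"),
    NetEvent(T0 + timedelta(seconds=28), "10.0.3.30", "10.0.2.20",
             "historian query to HMI"),
]


def run_demo() -> List[Alert]:
    return correlate(process_anomalies(SAMPLES), EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(format_alert(alert))
        for e in alert.related:
            print(f"    {e.ts.isoformat()} {e.src} -> {e.dst}: {e.description}")
```

The rate check fires first (a jump of 8.5 in 5 seconds, still inside the limits), then the two limit checks, and each alert carries the one network event that reached the PLC inside the look-back window; the routine HMI poll from earlier and the historian query to the HMI are correctly left out. Swap the constructed `EVENTS` list for an empty one and the three process alerts still appear with `related_net_events=0`, which is the "no packets, no monitor" point in miniature: the process layer sees the excursion even when the network layer has nothing to say.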

At the end of the day, OT and IIoT security teams need to operate in a world where business imperatives drive technology investments. A best-case scenario for security teams is to be brought in early enough in the acquisition cycle to raise security concerns, through thorough vetting of security performance and audit of operational functionality.

Modifying or moving away from the Purdue Model does not necessarily mean moving away from ICS security, but it does mean that cybersecurity needs to be reconsidered at every level and that even the lowest levels need to be examined in any comprehensive solution.

Russia and China aren’t waiting on us.
