OT stands for operational technology, which is understood to comprise both the hardware and the software that control and monitor physical devices. OT is used not only in production plants, but also in many other sectors such as energy and water utilities, and in medical technology. Industrial control systems, known as ICS for short, are among the most important components of OT. ICS include, for example, supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLC), and programmable automation controllers (PAC). In OT, the focus is always on processes, not on the individual product.
What is OT security?
The purpose of OT security is to protect devices and networks in OT environments. It comprises technologies, organizational measures, and processes aimed at monitoring and protecting the availability and integrity of the systems. Its key objective is to ensure fault-free operation. Considered in depth, OT security means something different to everyone – depending on what their role is. Plant operators, as asset owners, have a different perspective and different priorities than integrators or component manufacturers, i.e. product suppliers. This is why OT security concepts always have to be individually coordinated and agreed.
IT and OT – what's the difference?
OT networks are more complex than information technology (IT) networks, comprising many assets that may originate from manufacturers who are unknown in the IT world – assets such as ICS, sensors, and actuators. This broad range also increases the attack surface, giving cybercriminals more attack vectors. Operational technology also features specific OT protocols and OT transmission paths. At the lowest level, for example, there are often no Ethernet connections; instead, bus technology with electrical signal transmission is used.
What is changing with the convergence of IT and OT?
IT and OT used to be two separate worlds. More and more, however, the advancing digital transformation is causing them to merge and coalesce. Internet-of-things (IoT) and industrial-Internet-of-things (IIoT) projects require IT and OT systems to be interconnected. The most advanced concept is called the smart factory: here, online shopping and enterprise resource planning (ERP) systems are directly linked to production so that data from the order processes flow into the industrial controls. This enables efficient manufacture right from the first production batch. The trend towards customized individualization is an important competitive factor for the German economy. Yet networking with IT means that OT systems are also far more exposed to cyber risks than ever before. Attacks that we know from IT security – such as ransomware – can now also impact OT systems. Overall, the attack surface increases.
What are the challenges that collaborating IT and OT security teams face?
As IT and OT converge, two worlds that were previously separate are now colliding. In the past, IT security teams and OT security teams worked in parallel, separate silos. They often don't speak the same language and find it difficult to understand each other's point of view. Responsibilities are distributed quite differently. While in OT the plant operator is responsible for the entire production plant including its security, IT security is often divided into sub-areas. Their priorities, too, can diverge. The core goals of IT security are to ensure the confidentiality, integrity, and availability of data. In OT security, on the other hand, the focus is on ensuring availability. What's more, conflicts often arise between the teams because requirements dictated by regulations governing OT security and IT security contradict one another.
In OT, safety also plays an important role in addition to security factors. While security is understood to mean information security, safety addresses operational health and safety, i.e. protecting people and the environment from physical harm.
Increasing threat to OT systems
What cyber threats is OT exposed to?
In the past, impacts to OT systems were often "just" collateral damage. Attacks that were actually aimed at IT systems – such as WannaCry or NotPetya – ended up in the OT environment more or less by chance. Cybercriminals have meanwhile developed malware specifically dedicated to targeting ICS and SCADA systems – LockerGoga, Snake/Ekans or DoppelPaymer, for instance. With an IoT search engine like Shodan, networked devices that are directly connected to the Internet can be easily tracked down. It even reveals the current operating system version so that hackers can pick out particularly vulnerable targets.
Cyber attacks on OT systems can have seriously adverse effects on the security of people and systems, cause enormous costs and, in a worst case scenario, endanger human lives. Doing so doesn't require any particularly sophisticated malware attack. Even the slightest manipulation of a sensor is enough to significantly impair production. Attacks on OT may be driven purely by desire to wreak destruction, or be monetarily or even politically motivated.
Here's one example: Hackers attacked the control system of a steelworks' blast furnace and brought it under their control. As a result of the attack, individual components initially failed, and ultimately the blast furnace could no longer be shut down and was in an "undefined" state. In this way, the hackers caused entire systems to fail with little effort. The entire system was massively damaged as a result.
What particular challenges do OT security efforts face?
In addition to outdated, non-patchable operating systems and a lack of integrated security, there are a number of other challenges for OT security. One problem, for example, is shadow IT. In large production environments there is often a lack of transparency as to what IT is actually installed in the various machines, and what operating system versions are running there. This means that vulnerabilities remain undetected. In addition, it is often not clear which devices are communicating with what or whom. Many manufacturers are now equipping their machinery with an Internet connection to enable services such as remote maintenance, usage-based billing models, or predictive maintenance.
Operational technology also places its own special demands on security systems, which must master the OT-specific protocols and be able to cope with the ambient conditions on the shop floor, such as dust or extreme temperatures. What's more, production machinery often requires extremely low latency.
Why are OT systems particularly vulnerable?
Production machinery is usually designed for long service lives. As a result, many such machines may run on an outdated Windows operating system for which updates or security patches are no longer available. Such unpatched legacy systems have numerous vulnerabilities that can easily be exploited. Even if patches still exist for a system, companies are often prohibited from installing them, as any change to the system of a production machine is only permissible with the consent of the manufacturer. Otherwise, the manufacturer's warranty becomes null and void. To make matters worse, many OT systems were not originally equipped with integrated security, yet retrofitting such security capabilities is prevented by the same warranty issues.
Why do even isolated OT networks need cybersecurity?
Even OT systems that have no connection to the Internet are never 100% protected against cyber attacks: because threats can also come from within. The so-called air gap is a myth. For example, any employee who carelessly plugs a USB flash drive into machinery could implant malware. In addition, external maintenance technicians are regularly on site, connecting their devices to the machinery. If a laptop of theirs is infected with malware, the supposedly isolated OT system is also at risk. This is why cybersecurity is also an important issue for isolated networks.
From risk analysis to suitable OT security solutions
How good is my company's IT security and OT security?
To answer this question, companies need to establish a risk management system. The aim of the first step is to gain an overview of all assets within the given environment:
Which assets are linked to which business processes and production processes?
What vulnerabilities do they have, and what attack vectors can be used to exploit them?
How high is the probability of a successful attack?
What impacts would it have in a worst case scenario?
What processes are threatened as a result?
This information yields a risk assessment. Based on the outcome of this assessment, the company sees what organizational and/or technical measures are needed to minimize the risks. How good a company's IT and OT security is depends on how many of such measures have already been implemented. A comparison with requirements stipulated by common IT and OT security standards can help identify what measures are needed and assess your own security status.
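The asset overview and the five questions above can be carried into a small risk register. The following Python example is added here and is not from the original page; the assets, processes, vulnerability labels and 1–5 scales are constructed, and a failing asset is assumed to stop every process downstream of the ones it directly supports.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    vulnerabilities: list   # constructed labels, not real vulnerability ids
    likelihood: int         # 1 (low) .. 5 (high): probability of a successful attack
    supports: list          # processes that depend directly on this asset

@dataclass
class Process:
    name: str
    impact: int             # 1 (low) .. 5 (high): worst-case impact if this process fails
    feeds: list = field(default_factory=list)   # downstream processes that stop with it

def threatened_processes(asset, processes):
    """Every process that stops, directly or downstream, when this asset fails."""
    seen, todo = set(), list(asset.supports)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        todo.extend(processes[name].feeds)
    return seen

def risk_register(assets, processes):
    """Rank assets by likelihood x worst-case impact over all threatened processes."""
    rows = []
    for asset in assets:
        hit = threatened_processes(asset, processes)
        worst = max((processes[p].impact for p in hit), default=0)
        rows.append((asset.name, asset.likelihood * worst, sorted(hit)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample environment: an ERP gateway feeding a production line.
PROCESSES = {
    "order_intake":  Process("order_intake", impact=2, feeds=["batch_control"]),
    "batch_control": Process("batch_control", impact=5, feeds=["packaging"]),
    "packaging":     Process("packaging", impact=3),
}
ASSETS = [
    Asset("erp_gateway",   ["unpatched web service"], likelihood=4, supports=["order_intake"]),
    Asset("plc_line1",     ["unauthenticated engineering port"], likelihood=2, supports=["batch_control"]),
    Asset("label_printer", ["legacy OS, no patches"], likelihood=5, supports=["packaging"]),
]

if __name__ == "__main__":
    for name, score, hit in risk_register(ASSETS, PROCESSES):
        print(f"{name:14} risk={score:2}  threatens={hit}")
```

In this sample the IT-side ERP gateway ranks highest, because a compromise there propagates through order intake into batch control, which is exactly the IT/OT convergence risk the text describes.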
OT security: where to start.
The first step to achieving OT security is always the risk assessment outlined above. It makes clear which assets and processes must not fail under any circumstances and therefore need to be particularly well protected. Starting with the most important assets and the biggest threats, measures are then implemented to reduce risks. Once implemented, the measures are assessed to determine how well they work and whether further action is needed. This process should be repeated no a
What are the most important factors in protecting OT environments against ransomware?
As IT and OT systems converge, OT systems, too, are exposed to a higher risk of ransomware attacks. To protect themselves, companies need a defense-in-depth model that combines various measures at multiple levels. The most common entry vector for ransomware is email. Therefore, companies should definitely have a reliable email protection solution. Firewalls and network intrusion prevention systems are also important for detecting and blocking suspicious traffic immediately. Network segmentation should be implemented to cleanly separate the IT and OT environments from each other so that threats cannot spread unrestrictedly. In addition, the OT environment should be segmented even further through micro-segmentation. It is also advisable to additionally protect critical assets with a whitelisting solution. This ensures that only applications and services defined on the whitelist can be executed on the system. It is crucial that companies establish and practice a uniform system of risk management.
What security solutions are suitable for use in OT?
OT security requires custom-tailored technology that goes beyond conventional IT security tools and is specifically geared to the particular requirements of production environments. These security solutions have to cope with the ambient conditions on the shop floor, master the OT-specific protocols, and need extremely low latency. Both endpoint and network protection are required for a defense-in-depth model. Centralized monitoring is also recommended so that those responsible for security gain comprehensive insight into the threats in the OT environment.
Protection for endpoints
Endpoint security solutions for OT must also be able to protect systems on which only software with a small footprint or no software at all can be installed. For the former, application lockdown solutions (Stellar One) that do not exceed a size of 10 MB are suitable. If no software can be installed on the system, virus prevention can be carried out using specialized, portable tools with an interface.
Protection for networks
At the network level, it is recommendable to use intrusion prevention systems (IPS) supplemented with protocol filters or firewall systems that make it possible to implement segmentation without modifying the existing network infrastructure. These solutions should also use virtual patching to protect unpatched endpoints. Virtual patching closes a vulnerability by preventing it from being exploited. Doing so does not require changing the endpoint system.
Trend Micro is one of the few cybersecurity software producers that offers both endpoint and network security solutions with proven technology. Under the TXOne brand, a joint venture with the OT experts at Moxa, Trend Micro develops products that are specially tailored to the requirements of the shop floor.
Trend Micro network security solutions use virtual patching. This technology protects not only against individual exploits, but also covers the vulnerability as a whole, so that cybercriminals can no longer attack it at the network level.
Virtual patching is based on the data of Trend Micro's Zero Day Initiative (ZDI), a coalition of independent security researchers around the world. The ZDI is a leader in first detection of vulnerabilities: it has uncovered more than half of the vulnerabilities known worldwide. Customers who use Trend Micro OT security with virtual patching can therefore also protect their systems against zero-day attacks.
Protect your IoT devices in OT systems with the security solutions from Trend Micro