OT Assessment

One of the most worrying aspects of the enormous increase in cyber attacks is represented by their propagation towards targets which, until a few years ago, were considered immune from such problems.

Industrial environments were considered safe from these kinds of threats, thanks to their highly specific nature. One of the keystones was the isolation of industrial environments from traditional IT environments, as there was a virtually complete division between the latter and the world of industrial automation (“Operation Technology”, OT). The systems were, indeed, physically isolated (“air-gapped”, in technical terminology), without any connectivity with the traditional IT environment.

However, advances in processing technology has progressively introduced “intelligence” into all automation systems. Initiatives such as “Industry 4.0” will actually make the total digitization of manufacturing environments a salient characteristic. What’s more, the integration of the IT and OT networks, driven by the need to optimize corporate processes, has eliminated any real division between these two areas. Indeed, the most commonly used term in specialist documentation to describe these complex IT+OT+IoT is CPS (Cyber-Physical Systems).

Unfortunately, the mixture of IT, OT and networking has also led to the concrete possibility in the industrial world of the myriad attacks taking place on the Internet being launched against these environments as well. We must also remember how digital automation underlies the control systems not only of factories, but also of some of the core infrastructure of our technological society: power stations, distribution networks for fuel and water etc. etc. As a consequence, the cyber threat also looms over the technological foundations of our civilization.

The threat of cyber attacks on OT environments has, indeed, materialized in numerous episodes, some serious enough to attract media attention (for example the colossal black-out of 2017 in Ukraine, caused by the NotPetya malware).

How can you defend yourself from these threats? IT security teams, who have tried to transfer decades of experience in the fight against IT threats, soon learned that the OT environment is much more complicated than the world of IT.

For example, industrial environments are a world populated by hundreds of different and proprietary communication protocols, computing systems whose main priority is not the confidentiality of data but rather uninterrupted operation, so much so that they may often not be turned off or restarted for months or even years at a time. As a consequence, the firmware or software is often not able to be updated with patches for even longer periods. All this in a context where the concept of security is often considered to be a low priority compared to safety. Despite these difficulties, attempts have been made to adapt the security methodologies already successfully applied in the world of IT. And underlying any activities to improve security there must be the fundamental phase of understanding, as deeply as possible, the environment to protect: we are talking about the assessment stage.

Assessments are one of the best-known activities performed by cybersecurity professionals, particularly in the vulnerability research field. In the world of industrial security too, assessments often focus on identifying vulnerabilities, but there are other peculiar aspects.

The first relates to the fact that the numerous and complex nature of OT devices makes it always necessary to supplement the technological assessment with a round-table “discovery” process. This is to highlight technological islands strongly segmented from the rest of the systems, or else connected with protocols so unusual as to make their correct identification difficult, even to the most sophisticated OT traffic analysis systems.

The second peculiarity consists of the strong preference for completely passive analysis technologies. The reasons are numerous: there is a desire to eliminate any possibility of interference with the OT systems (remember that we are always working in production environments, test systems are rare in the industrial world); the timing of certain systems can feature very long periods (for example actuators which operate with very long time intervals), which therefore require long “observation” times. For these reasons, technologies which record the various traffic flows passively, without interference with the systems and which can therefore be left in operation for long periods, are undoubtedly the most suitable choice.

It is also useful to highlight how these peculiarities of the passive analysis systems combine perfectly with the concept of “continuous monitoring”, advocated both by IT and OT best practices. This means that these solutions can also be used for permanent monitoring activities, outside of the assessment period, which can typically last from a few weeks to a few months, depending on the complexity and specific nature of the infrastructure to be analyzed.

The assessment must then continue with investigation of all aspects related to external connectivity (Internet, cloud etc.). In this phase, the assessment of the OT systems blends into that of the IT sphere, in particular as regards remote access (VPN and similar).

Another very important side which has to be dealt with is that relating to the supply chain. The technology supply chain of OT systems must be analyzed and verified in order to limit the risks of attacks/infiltration which compromise security by passing through privileged connections that these suppliers usually have with customers.

Finally, the technical assessment cannot leave out examination of the operational context, meaning the set of policies, procedures, standards and methods of governance. While these are not strictly technological assessments, they are essential for correctly assessing and understanding the management of the OT (and IT) systems from an operational and security perspective.

OT cybersecurity is quickly becoming an element of the highest priority in the diaries of security officers at both industrial companies and firms operating in the field of critical infrastructure. It has nevertheless been highlighted how just the analysis of these environments puts up numerous challenges for companies undertaking them. Significant know-how, both technical and methodological, is required, ranging from IT and OT to IoT systems, with expertise and experience taking in both security and knowledge of industrial and IT environments.