Creating a defendable OT network

This article is about posture management and continuous improvement. By focusing on actionable posture improvements, organizations can improve their robustness to cyber attacks. That means better return on security investments, reduced risk from cyber attacks, and faster recovery when attacks succeed.

Envision yourself as a factory manager at a facility that produces polymer coatings. Eighty percent of your output goes into insulating wires, fifteen percent decorates Christmas ornaments, and the remaining five percent coats billboards. While not deemed critical infrastructure, your products are nonetheless vital to many. Consider the possibility that a drone manufacturer supplying surveillance drones to NATO might use your insulation in a crucial component, potentially making you a target for nation-state cyber attacks. Recognizing this risk, you've resolved to prepare for such threats. What measures should you take?

Conversing with your local OT cybersecurity expert, you realize the importance of managing your security posture. Subsequently, the neighborhood OT security sage shares a link to IEC 62443—a comprehensive 900-page document! While it contains numerous best practices within its standards, diving in can be overwhelming if you're looking to get started promptly. Here's a shortcut to some of the key practices: CASIC!

Security posture

Posture management is really about managing the key factors that make up your cybersecurity condition. How robust is your process? We can divide security posture into 5 key areas - which we can abbreviate CASIC.

• COMPETENCE: Do you have the right training and competence in your organization at the individual and organizational level?
• ASSETS: How well do you know your current assets? Think about vulnerabilities, exposure, and risks.
• SECURITY ARCHITECTURE: How have you put your system together so that attacks are difficult, discoverable and containable?
• INCIDENT RESPONSE: Do you have actionable plans and capable responders in place?
• COMPLIANCE: Do you know that you satisfy all regulatory and other important requirements

Security posture management is a continuous process, but these components are laid out in a logical manner. Start with getting basic competence in place and assigning some roles and responsibilities, and then make sure you undertand what systems you have, and how important they are. For more details on the role of asset inventory for security, see Impact of OT attacks: death, environmental disasters and collapsing supply-chains – safecontrols.

Security architecture is the technical foundation for safeguarding your factory. There are some key practices that can significantly reduce the risk of factory crashing cyber attacks:

1. Segregate the OT system from your IT system, preferably with a DMZ. The Purdue model is still a helpful model, even if cloud computing may be part of your control system.
2. Separate the various systems into defendable zones, based on functionality, network connectivity needs, and security requirements. Only allow traffic that is strictly necessary between segments.
3. Make sure you can isolate away non-essential systems if there is a suspected compromise. Say our factory has a conveyor belt. This belt has a critical control system controlling its speed, and some safety functionality such as emergency stop. Without this, the system cannot run. In addition we have a condition monitoring system collecting data about temperature, vibrations and sending this to a cloud service for analysis and maintenance optimization. If there is a sign of a compromise of the condition monitoring system, it should be possible to isolate this system without affecting the main conveyor belt operation.
4. Plan detection capabilities into your architecture. Monitor endpoints and networks to detect cyber attacks early and make them possible to respond to in a timely fashion.
5. Consider proactively reducing connectivity if you think there is an increased threat level. If you would normally allow remote access into your control system for vendors, you may want to deny this for a while if the threat level is higher.

In some ways it can be useful to think that the more automated your process is, the better it has to be at defending itself. For a discussion about self-defense for autonomous systems, see Teaching smart things cyber self defense: ships and cars that fight back – safecontrols.

Incident response is a critical part of your security posture. Organizations that plan their response, and build the right capabilities to respond, stand a much better chance of a speedy recovery than those that don't Fast response is closely linked to security architecture; when you have planned redundancies, fail-overs, containment methods and detection in a good way, response can happen with less adverse impact, and a faster path to full recovery.

In IT and cloud environments the "fast path to response" has in many situations been automated with pre-determined incident response actions in SOAR systems. This is less common in OT, and perhaps it would be a bad idea to try to automate a full response action in most OT networks, but an ounce of preparation is still worth a pound of cure. Going back to our conveyor belt, let's say that we have an endpoint detection on a Windows computer used in the condition monitoring system. Say a reasonable response for us here is to block all network traffic for the condition monitoring system on the firewall, and to reassign the affected server to a dead VLAN until it can be further investigated. These decisions can be prepared with response scripts, or even manual checklists of actions to take, to make it easier and faster to perform the necessary actions.

It is hard to make detailed plans for any event that may happen, but preparing to contain, and then investigate, is helpful. In addition we need to train to be able of executing. During an incident it is always a challenge to understand what is going on, and to make good decisions. Maintaining good shared situational awareness is perhaps the most difficult aspect of response, and no plan can solve that for the team without practice.

Continuous improvement of posture

Not every part of your security posture needs to be measured and tracked. However, defining key issues to work on improvement for, and creating metrics or reports for these can be very helpful in achieving and documenting progress. The desired result is improved ability to withstand and recovery quickly from cyber attacks, but the day-to-day focus typically is more basic. For our factory manager, the following may be interesting metrics to track (just an example):

• Number of vulnerabilities with high CVSS in network segments
• Number of people who have completed the planned trainings the last 12 months
• Average time-to-patch for known vulnerabilities
• Evaluation metrics from cyber incident exercises
• Detection coverage for identified TTP's in critical system threat models

By focusing on metrics for key initiatives it will be easier to assess whether things are moving in the right direction or not, and make course corrections. It will also make it easier to report on security initiatives to the rest of the management team and other stakeholders.