How modern cyber security maps to the OT Purdue Model
How the Latest Security Technology Maps to the Purdue Model
There are numerous technologies and ways to interpret the Purdue Model.? Like everything in technology, there is no “right” answer.? This list and mapping are to pare down the complex task of taking cyber-security products and incorporating them into a modern OT network with SCADA, OPC’s, and historians.
Data is essential for monitoring, optimizing, reporting, and conducting normalized operations in a modern OT infrastructure.? With the additions of sensors, safety equipment, and advanced monitoring, all wanting to “communicate,” it exposes the once isolated, manual OT network to cybercrime.? Adding to this is a false sense of security since these networks didn’t often need internet access, had a very manual process for control and updates (if they could even be applied), and relied heavily on specialists.
This mentality has not kept up with a modern environment where we are heavily connected, and if not…it’s coming.
The Federal government of the United States seems to have similar concerns.? In March of 2024, in coordination with the EPA, the White House asked each governor to produce a plan in roughly 90 days to secure one of the most vulnerable OT environments, the municipal water supply.? The same can be said for just about any national asset, whether that’s a U.S.-based manufacturing plant, the water supply, our power grid or various other critical infrastructure.?
Sadly, the US has often taken a lackadaisical approach to our critical infrastructure technology developments and has suffered for it.? Stolen technology, interruptions to business continuity, and sabotage have happened far too often in our nation, with these headlines becoming more common.? Hopefully, this document will help secure our critical infrastructure from O.T.-based cybercrime more effectively.
With thousands of cyber-security products and eminent concerns, many OT professionals have turned back to the Perdue Model, which was developed to map technology to production—no matter the production environment, the Perdue Model maps to any combined OT and IT environment.?
CIA Triad and the SAIC Square
In security, there is something called the CIA Triad.? This is the basis of everything related to cybersecurity as it defines a resource and its cyber-security needs.? The primary triad includes these elements, which can be quantified to address the cyber-security needs of said resource.
·?????? Confidentiality – is the resource accessing, storing, or processing data that an organization doesn’t wish to share without proper qualifications?? What level of protection is needed to keep that information confidential?? How do security professionals ensure that the information or process is kept confidential?? If the resource contains data that shouldn’t be shared, viewed, or exposed…confidentiality might be the essential factor.
·?????? Integrity – does the resource get impacted by unauthorized changes, additions, deletions, or alterations?? If that resource relies on set data and process parameters, then we need to consider integrity.? If the resource relies on tight parameters to ensure proper functioning, where modifications impede the proper output, then integrity becomes critical.
·?????? Availability – is this resource essential to the proper functioning of output?? At what level can the organization accept an outage?? If, for example, it’s essential services such as technical equipment in the operating room, I would suggest this may be the most important factor.
Let’s look at some examples of how we would quantify the CIA triad:
A database containing social security numbers, driver's licenses, and contact information used by customer services to verify the identity of the population served.? Accessed from 8-5 M-F.? Used to verify voting eligibility.? How might we rate this in terms of 100% of the resource spent, time, and effort for cyber security:
·?????? Confidentiality: 60% of the data is highly confidential, containing beneficial and damaging information if leaked to a criminal element
·?????? Integrity: 30% as modification of the data could be problematic but not as critical as exfiltration as large-scale data manipulation takes time and effort that is uncommon for criminal activities
·?????? Availability: 10% as citizens are not alarmed by system outages and short-term interruptions in service.? While annoying to them, they largely have come to expect outages.
In the OT space, there is a slightly different paradigm, adding in a key aspect of volatile and dangerous environments…safety.? Thus, we have the SIAC square instead of the CIA Triad (I didn’t create this; I took it from a very intelligent gentleman, Kevin Kumpf from Cyolo).? This additional element adds complexity to the equation where the Square is Safety, Integrity, Availability, and Confidentiality.
·?????? Safety – OT environments have hazards, and the most important function of the OT department, before anything else is considered, is the safety of the workers, operations, and the greater community.? Allowing a boiler to overheat, for example, could have catastrophic results and could even lead to death for the staff.? Thus, overarching the CIA Triad is the need for safety.
·?????? Availability – OT environments often provide essential services to their populations. Thus often, Availability takes a center stage as outages in power, water, sewer and even sanitation can have a major impact.? We are used to turning on the faucet and water comes out.? If it’s out for an hour, we get over it…extend that to days and in places like Arizona, for example lives can be at stake.?
·?????? Integrity – we expect bills to be accurate, meters to be precise and power to be delivered without spikes.? We enjoy a constant pressure from our hose and it often works so smoothly that it’s taken for granted.? Turn on the hose, water comes out at a consistent rate without variations in pressure and flow.? Mail comes to the correct home, generally and if there is an issue it’s easily corrected.
·?????? Confidentiality – it’s assumed that the water or electric bill is not mailed to our neighbors but if there is a mistake it’s not usually an issue.? A simple call to our municipality can make simple alterations to errors and it’s unlikely that my neighbor will call in, pretending to be me, request my meter values and change my contact information, thus there is less to consider often times.? At times, more complexity is introduced into the equation, if for example the township decides to process credit cards, but the transaction volume is typically low in these environments.? Amazon warehouse fulfillment might be another circumstance…
Technology is ubiquitous these days and we see massive gains to productivity, continuity, and performance, using the IoT “Internet of Things” coined by Cisco.? The IoT is simply the proliferation of devices, connected that provide data or serve a function.? A camera at the home, a sensor in the basement to check for sump pump failures (for those that have basements) and even our home thermostat used to be isolated, non-connected devices.?
Why would we put these devices on the network?? Simple, that connected data gives access to previously restricted monitoring, adjustments, and access.? Instead of walking downstairs to see a flooded basement, the sensor texts me of a failure.? Instead of coming home to a broken window, I can be alerted immediately to a non-standard condition.? Instead of leaving my air conditioning on all day, the thermostat optimizes the cooling time to reduce usage.
Similarly, OT environments are increasingly utilizing connected devices to provide access, information and continuity and alerting to key personnel for cost savings, improved outcomes, and long-term continuity.
Sadly, with this increased access comes increased risk which is often not considered in the equation.? OT environments utilize the Perdue Model to understand the physical, logical and informational layout of their environment.? This tested model can help bridge the gap between corporate functions and OT/production functions.? The Purdue Model allows the typically non-technical production folks to categorize their devices, processes and equipment.
The Purdue Model accurately maps various aspects of an organization that delivers physical outcomes and the technology involved in that process.? Here is a basic diagram of the Perdue Model, courtesy of MITRE.
he diagram shows the basic components of a modern organization with OT based delivery however there are now missing components that have been added in a modern environment.? Sensors, cameras, flow meters, thermostats, testing equipment, monitoring stations and various other equipment is part of a modern environment.
For example, in a manufacturing plant located in Michigan, the output of a line is 1000 units per hour, while a plant in Mexico produces 1200 units per hour with the same basic equipment, staffing and inventory control.? Management wants to understand the “why” behind this deviation between plants.? In prior, non-technical environments often executive management either didn’t know about the output variations or would physically travel between locations to optimize processes.? In a modern environment a variety of sensors and reporting instruments can help to decipher differences in output in real time so adjustments can be facilitated to improve an outcome.?
The ability to monitor production from a beach in Costa Rica requires these resources to be “networked” and with connectivity comes risk.? Risk to the CIA triad in IT environments or risk to the SIAC square in OT environments need to be considered and then technology can be employed to reduce that risk.
Key Technologies to Consider
With the literal thousands of products to assist in that effort it might be overwhelming for the average “shop rat” who has now taken, through hard work, responsibility for these connected devices to understand where SOME of them might fit into a modern OT environment.? This whitepaper isn’t to be considered an all-encompassing security discussion more accurately, this will outline some key technologies for you to consider in designing an OT/IoT environment with increase cyber-security using the Perdue Model as our mapping model.
The technology:
SASE/ZTNA – Secure Access Service Edge with Zero Trust Network Access is the technology for securing remote access to both cloud delivered and on-premises applications utilizing modernized monitoring and risk reduction algorithms.? Often replacing a corporate VPN for remote access, this technology allows for increased security for distributed resources, focusing the connectivity to a cloud provider instead of the corporate IT network for analysis and monitoring.? Via direct access from large providers, the SASE solution allows for semi-privatized access on cloud hosted applications to first pass through various security checks and functions.
VPN – legacy connectivity for applications and network access.? A Virtual Private Network allows for a “tunnel” to be built from an asset to a network, allowing typically open communication between resources.
MFA – Multi Factor Authentication is another set of criteria in addition to the common username/password combination to ensure access is restricted to only authorized users while limiting impersonations and unauthorized access.? OT environments are notorious for equipment utilizing default accounts, default passwords, and shared access.? These “habits” introduce both risk and reduce auditing and reporting on asset utilization.? Similar to providing two pieces of identification at a bank, this secondary verification is used to reduce unauthorized access.
Corporate Next Generation Firewall – the technology used to privatize a network from the Internet or other untrusted networks.? NGFWs provide intelligence and threat detection for IoT and IT devices but often lack specific OT protocol detection.
Advanced Email Security – everyone uses email, and there is often a loosening of OT/IT demarcation in exchange for business needs.? Email is one of those applications.? We all need it; it’s the #1 way bad actors gain entry and the most ubiquitous.? Email threats with fishing, malware, and most recently, deep fakes are easier than ever to create, leaving this very commonly used “security hole” in place as email is often our preferred form of communication.
Active Directory Security – if you print with anything but a direct connection, you are going to utilize Microsoft’s Active Directory.? Similarly, if you have a corporate email address, access applications, or pretty much perform any function, you will likely have an active directory account.? It’s the literal focal point for most applications in both the IT and OT networks, and when compromised and “locked up,” you are dead in the water almost all functions cease to work or have partial functionality.? Often, when a phishing attack is successful, the next target is Active Directory.
OT Firewall – In an effort to better secure the OT network, these specific devices understand and can monitor threats based on the various OT protocols such as SCADA, Modbus, PROFINET, EtherCAT, BACNet, DNP3, OPC-UA, etc. Whether the protocol is polling or non-polling, specific metrics are utilized to look for and filter out potentially damaging commands functions or may simply be used to alert on such behaviors.
领英推荐
Air Gap – like a firewall, the “airgap” is the most secure way to transfer information without allowing for direct connectivity between networks.? I often explain it in this way:
Consider a truck carrying goods entering a military base (information packet on the network).? The truck is often stopped at a “checkpoint” where the guard checks the paperwork, might inspect the contents of the truck, and verifies the arrival (Next Generation Firewall functions look at the header, check the packet contents, and look at previous communication patterns).? Once verified, the guard waives the truck through onto the base.? Contrast this with an AIRGAP…in this case, the truck is stopped.? The cargo is then unloaded, and a truck from the base picks up that cargo and delivers it to the destination.? The vendor truck never enters the facility, and thus, the utmost security is provided.? No outside access is allowed, deliveries are only done with base assets and drivers.
HMI Endpoint Protection – often utilizing very old software and hardware, OT workstations and Human Machine Interfaces are vulnerable to threats and exploits.? Certain vendors provide anti-virus and endpoint protection covering even the most oddball and ancient operating systems (anyone recall Windows Embedded?).? Protecting these assets from modern threats is very specialized as they cannot crash during normal OT operations.
Inline Patching IPS – utilizing OT specific protocol awareness for those assets that cannot be updated, patched, or protected an inline patch/IPS (Intrusion Prevention System) can reduce exposure to attacks directed at an asset or be put into monitoring mode for passive operation.
OT Specific IAM – Identity and Access Management for assets that require remote access, modern technologies like SASE and MFA are not available on legacy operating systems.? Most operating systems can export their screen functions, but allowing access would be a major security violation.? OT specific IAM functions allow modern security controls to be employed when accessing legacy assets utilizing MFA and SASE functions, thus allowing secure remote access to Level 2 assets.
Asset Discovery and Vulnerability Management – most OT operations have been built over 20+ years, and for large organizations and even smaller ones, new devices, and IoT assets are often added without proper documentation, Standard Operating Procedures, and inventory.? Over time, this “asset creep” can yield an environment where the Level 1 and possibly Level 2 operations are aware of the assets, but almost never level 3 or level 4 oversight is possible.? These security controls can classify assets for both discovery and GINGERLY probe for vulnerabilities so as not to “panic” a PLC or connected hardware.
Physical USB Scanning Engines – still a common way to deliver software and programming changes is the familiar USB.? Modern USB’s have been found to contain factory installed malware, back doors, and embedded threats.? A dedicated USB Scanner ensures that uploaded code or firmware is relatively free from exploits.? The most famous worm Stuxnet was believed to be delivered by an exploited USB device.
Physical Security – automated locks, camera’s, motion sensors…not really part of the discussion, but to work optimally, these require connectivity.? I once read an article on what a handgun would do to the power grid if a bad actor decided to shoot up a transformer…I try not to think about it.
?
Hopefully this brief demonstration will offer a baseline of some of the security controls that can be deployed in a modern OT network and how they fit within the Perdue Model.
The Threats are Exponentially Multiplying
With the accessibility of AI, unfortunately, it does more than write my child’s book reports, create weird pictures and videos, and get me quick answers from the web and other sources.? AI is also being used by the “bad actors” to attack nearly every aspect of our society.? Luckily, most of the attack are from individuals or groups wanting a quick payout. Still, with the ever-increasing threat from foreign and domestic adversaries, it is more critical than ever to consider these very vulnerable and valuable resources when we look at our cyber security posture.
AI Tools are multiplying and creating a hazardous environment that was once only reserved for the most skilled threats.? Couple that with the business of hacking, where there are entire organizations devoted to the business of hacking along with our traditional nation-state adversaries, and we have a bit of an issue.
The Most Critical Step for being a Good Cyber Citizen
BE AWARE! This is a community and organizational effort.? If something doesn’t look right or seems off, SAY SOMETHING, as it’s often these little signs that are ignored that could tip off an organization it is under attack.? Off-behavior from pumps, transformers, or even office computers is one sure way to prevent threats.? This is free, easy, and incredibly effective!
?
Aligning to Risks
WHAT WOULD I SUGGEST ARE THE MOST CRITICAL PRODUCTS AND SERVICES FOR AN OT (OPERATIONAL TECHNOLOGY) NETWORK?
OT networks are often very insecure as the job of these data pipes is to keep machinery up and running and provide essential services for the manufacture, distribution, and service of critical goods and services.? In the municipal space, this could take the form of essential services like police and fire, EMS, and other emergency services or critical services like water and power.
OT networks often have old equipment that can’t be easily upgraded to keep up with the latest patches, security updates, and technology.? As one customer put it, “We can’t replace a 30-million-dollar machine just to get it on a modern computer with encryption”.? This is pretty much the same in every OT environment, including water and power, which makes proper security even more important for these environments.
Sadly, because these networks and computers have traditionally not held private information, they have been largely ignored, but that’s all changing.? With the increased attacks in the OT space, securing these environments has taken center stage for much of the world.?
There have been “incidents” such as Honda’s plant takedown in 2020 that likely cost millions of dollars, and of course more recently, Clorox had an attack that took down production of their cleaning products.?
These two incidents accrued major financial losses to their companies, but they luckily didn’t have a cost in terms of human life.? That would be a major tragedy and headline.? To that point, it’s more important than ever to secure our nation’s water, power, and other critical services.
OT hacking might not be something we can control or even know until it’s too late, so it’s important that we better secure our national water supply served by over 9000 communities across the country.? The best place to start in my opinion, is to do the basics of security.? While this might be a little different for the OT space, there are some universal truths that are good suggestions for everyone.
·?????? Follow proper cyber processes – make sure all employees and contractors follow proper cyber security processes.? We are all aware of the Unitronics “default password” issue from 2023, where thousands of PLC’s had the default password of “1111” still in service.
·?????? Use endpoint software that covers OT specific operating systems and hardware – many of the PLC/HMI combinations in an OT environment are running rarely patched or even unpatched for many years.? These HMI’s or workstations often run very outdated software, even some running windows NT 4.0 or Windows XP.? There are companies that support these legacy operating systems and it’s a good idea to at least run anti-virus or EDR software on these systems.
·?????? Have an OT next generation firewall – IT networks usually have their own firewall to protect them from the Internet, but it’s a very good idea to have a specific OT firewall to segment off the network and also be SCADA aware so commands and threats can be prevented.? They often call these systems as “on the fly patching” as the network traffic is analyzed.? These modern systems have OT features like ruggedized enclosures, fail-open capabilities if there is an outage, and PLC specific protocol analysis to prevent infection and stop/alert on entry onto the OT network.
·?????? Use clean scanned USB drives for patches and contractors – “sneaker” infection can be a real problem if contractors or even employees pull down firmware and patches from the Internet and introduce them onto the OT network.? Make sure there is at least a scanning station, or even better, use only USB devices that are enabled with scanning onboard to reduce the chance of infection.
·?????? Make sure only peripherals from known vendors are used – keyboards, mice, USB sticks, and other devices can contain malware.? It was a compromised PC keyboard that was first thought to deliver the most infamous OT malware Stuxnet, to Iran’s nuclear enrichment program.? It’s often cheap for a reason.
·?????? Know Your Assets – you can’t protect what isn’t known, keep a detailed accounting of all assets, connectivity, and ensure proper policy and security controls are in place for each asset.
·?????? Ensure adequate physical security – make sure cameras and door locks are up to date, sufficient, and if these are smart devices…patched and updated on a regular basis.? Take keys out of PLC’s and DCS’s, and please don’t leave them in the “open” position.
·?????? Consider 24/7 monitoring and containment – just like home security firms that are always on the lookout for the property, there are Cyber XDR (extended detection and response) firms that will monitor your critical infrastructure 24/7.? Often, these can be paired with the IT network for complete monitoring where there is a “Response” for IT assets and “Alerting” for OT assets.
·?????? Utilize MFA and IAM – proper password and access are critical. ?Shared passwords, default logins, and unmonitored access are major security issues in OT networks.
·?????? Consider Privatized Networks – whether it’s using microwave, cellular, or another more privatized form of connectivity, consider increased privatization of Level 1 and Level 2 Facilities with direct connectivity to Level 3 Operations.
How about Services?
Simple services like Standard Operating Procedures, Policies, and verification like off hours (if possible) Penetration Tests are good but should also be coupled with a good incident response plan and employee training.? These basics should be part of any modern municipality cyber-hygiene program or OT operational security program.?
These are really just the basics for securing the OT network from cyber-attacks, but they will vastly reduce the chance of infection, ransomware, and corruption.? In a world where “getting the job done” is usually the most important, we also now need to consider connected devices as containing a real risk to our nation’s critical infrastructure and will go a long way at protecting this critical aspect of our nation’s continuity.
About the Author:
Eric Marchewitz is a security solutions architect who is a recovering former CISSP.? His career in information security has spanned 25 years, working for companies such as PGP Security, Cisco Systems, and Check Point.?Most recently, he is a field solutions architect for CDW Corporation.? This article doesn’t reflect the views of CDW is for information purposes only, and should not be considered professional advice or legal advice.? No warranty of the information contained within is given.? Copyright 2024. ?Free to distribute with proper consideration.
#OTsecurity #cyber-security
Acquiring talents to create a world that runs entirely on green energy
4 个月Thanks Eric for such wonderful article about OT Purdue Model, my company is hiring Infrastructure Architect with experience in either Purdue / ISA-95, wondering if you know any talent in Malaysia or willing to relocate to Malaysia for such opportunity? https://orsted.my/careers/vacancies/2024/04/28542-infrastructure-architect
Open source zero trust networking
5 个月I am working with several vendors who are embedding a zero trust network overlay into their OT products so that it can be connected but cannot be attacked from an external network, with Purdue-compliant, private, outbound-only network connections. This includes connectivity in lv2 and 3 of Purdue, incl. M2M and M2 compute in the factory environment (e.g., HMI). The key is ensuring no single point of failure, ability to run airgapped, support for L2 & deterministic networking. While other tech may exist that supports this, the other vendors are doing it with technology built on top of open source OpenZiti - https://openziti.io/.