OT Cyber Security

In today's world, companies are adopting the digital space at a more rapid pace than ever before. As we continue to adopt and grow in the digital space, this also creates a huge opportunity for attackers to take down systems. With Industry 4.0, organisations integrate IT systems with manufacturing and industrial systems to make processes easier. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyberattacks can have far more extensive effects than ever before, and manufacturers and their supply networks may not be prepared for the risks. In this article, let us explore Industry 4.0 cyber risks and how to mitigate them. Earlier, OT and IT were not interconnected, meaning OT networks were not exposed to the internet; as convergence took place, OT networks became exposed to the internet, leaving them vulnerable to cyber attacks.

Layers of OT:

Let's discuss how network segregation is done in OT networks.

  • Layer 0: This layer consists of physical devices like sensors, motors, etc. that act on the input given to them.
  • Layer 1: This layer consists of devices that are responsible for giving input.
  • Layer 2: Has application/database layers that can support/manage the processes within the OT environment.
  • Layer 3: Acts as a barrier between OT and IT where jump servers/patch deployment servers reside.
  • Layer 4: Consists of database and email servers that would help in organisation logistics.
  • Layer 5: Enterprise-wide network that faces the internet.

While certain layers of security come under IT security, let's discuss layers that are specific to OT security.

Security Use Cases to be Monitored:

While there are IT-related security use cases that SIEM/EDR solutions monitor, there are similarly use cases specific to OT security that can be implemented to detect anomalies within the OT environment.

User Account-Based Monitoring:

  • Unauthorised access to OT systems that reside inside the environment. Look out for users who try to access OT systems at unusual hours or access systems they do not have permission for. This can be achieved with the domain controller: look for event ID 4625 (failed logon) at unusual hours in AD where the destination host is an OT system.
  • Look out for user account changes or modifications to AD groups specific to OT systems (event IDs 4720, 4722, etc.).
  • Look out for logon attempts from usernames that recently had special admin privileges assigned (event ID 4672).

The reason for using Windows event IDs is that OT systems, though different from IT, still rely on IT (the domain controller) for authentication.
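As an added example (not part of the original article), the three account-based checks above expressed as detection logic over constructed Windows Security events forwarded from a domain controller. The "OT-" naming convention for hosts and AD groups, the shift hours and the 24-hour window after a 4672 event are assumptions to adapt to the site.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events from a domain controller feed
# (made-up records for illustration, not captured data).
EVENTS = [
    {"time": "2024-03-04T02:17:00", "id": 4625, "user": "jdoe", "host": "OT-HMI-01"},
    {"time": "2024-03-04T10:05:00", "id": 4625, "user": "jdoe", "host": "OT-HMI-01"},
    {"time": "2024-03-04T03:40:00", "id": 4625, "user": "svc_bak", "host": "IT-FILE-02"},
    {"time": "2024-03-04T11:12:00", "id": 4722, "user": "admin", "host": "DC-01",
     "target": "OT-Maint-Accounts"},
    {"time": "2024-03-04T11:13:00", "id": 4672, "user": "contractor1", "host": "DC-01"},
    {"time": "2024-03-04T11:20:00", "id": 4624, "user": "contractor1", "host": "OT-ENG-01"},
    {"time": "2024-03-05T11:20:00", "id": 4624, "user": "contractor1", "host": "OT-ENG-01"},
]

OT_PREFIX = "OT-"                  # assumption: OT hosts and AD groups are named "OT-..."
SHIFT_HOURS = range(6, 19)         # assumption: 06:00-18:59 are normal operating hours
PRIV_WINDOW = timedelta(hours=24)  # logons this soon after a 4672 event are flagged

def detect_account_events(events):
    """Return (rule, user, host_or_group) tuples for the three account-based use cases."""
    alerts = []
    recent_priv = {}  # user -> time of the last 4672 (special privileges assigned)
    for e in sorted(events, key=lambda ev: ev["time"]):
        t, host, user = datetime.fromisoformat(e["time"]), e["host"], e["user"]
        # 1. failed logon (4625) to an OT host outside normal hours
        if e["id"] == 4625 and host.startswith(OT_PREFIX) and t.hour not in SHIFT_HOURS:
            alerts.append(("failed_logon_ot_off_hours", user, host))
        # 2. account created/enabled (4720/4722) touching an OT-specific account or group
        elif e["id"] in (4720, 4722) and e.get("target", "").startswith(OT_PREFIX):
            alerts.append(("ot_account_or_group_change", user, e["target"]))
        # 3a. remember who just received special privileges
        elif e["id"] == 4672:
            recent_priv[user] = t
        # 3b. any logon attempt to an OT host by such a user within the window
        elif e["id"] in (4624, 4625) and host.startswith(OT_PREFIX):
            last = recent_priv.get(user)
            if last is not None and t - last <= PRIV_WINDOW:
                alerts.append(("logon_after_priv_change", user, host))
    return alerts

if __name__ == "__main__":
    for alert in detect_account_events(EVENTS):
        print(alert)
```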

USB drive monitoring:

  • Look out for any USB device connections to OT devices where a large data transfer, either from or towards the OT device, is taking place.

Network-level monitoring:

  • Look out for inbound remote connections to vulnerable ports like 3389. If you use a third-party service provider for maintenance, make sure to provide JIT (just-in-time) access and, once the work is done, block the port immediately, as the service provider or third party may itself be compromised and give attackers a foothold within the network.
  • Detect uncommon ports of industrial control systems. To have a baseline, we provide a list of ports utilised by ICS in tabular format below. Exclude the baselined ports and detect allowed traffic to any port apart from them.

Table: ports that are being utilised by ICS
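An added example, not from the original article, showing both network-level checks: remote-access ports allowed only inside a JIT approval window, and any allowed inbound flow to a port outside the ICS baseline. The control-network range, the JIT windows and the baseline set (standard port assignments for Modbus/TCP, S7, DNP3, EtherNet/IP, OPC UA and BACnet) are assumptions standing in for the site's own table.

```python
from datetime import datetime

# Constructed firewall flow records crossing from Layer 3 into the control network
# (made-up values for illustration, not captured traffic).
FLOWS = [
    {"time": "2024-03-04T14:30:00", "src": "10.10.3.9", "dst": "10.10.1.20", "dport": 3389, "action": "allow"},
    {"time": "2024-03-04T18:30:00", "src": "10.10.3.9", "dst": "10.10.1.20", "dport": 3389, "action": "allow"},
    {"time": "2024-03-04T14:31:00", "src": "10.10.3.5", "dst": "10.10.1.21", "dport": 502, "action": "allow"},
    {"time": "2024-03-04T14:32:00", "src": "10.10.3.5", "dst": "10.10.1.22", "dport": 8080, "action": "allow"},
    {"time": "2024-03-04T14:33:00", "src": "10.10.3.5", "dst": "10.10.1.22", "dport": 8080, "action": "deny"},
]

OT_NET = "10.10.1."  # assumption: the control network is 10.10.1.0/24
# Assumed baseline: standard ICS protocol ports (Modbus/TCP 502, Siemens S7 102,
# DNP3 20000, EtherNet/IP 44818, OPC UA 4840, BACnet 47808). Replace with the
# site's own table of baselined ports.
ICS_BASELINE = {502, 102, 20000, 44818, 4840, 47808}
REMOTE_ACCESS = {3389, 22, 5900}  # remote-access ports allowed only under JIT approval
# Assumed JIT approvals: (src, dst) -> (window start, window end) granted to a vendor.
JIT_WINDOWS = {("10.10.3.9", "10.10.1.20"): ("2024-03-04T14:00:00", "2024-03-04T16:00:00")}

def in_jit_window(flow):
    """True if the flow falls inside an approved just-in-time access window."""
    win = JIT_WINDOWS.get((flow["src"], flow["dst"]))
    if win is None:
        return False
    t = datetime.fromisoformat(flow["time"])
    return datetime.fromisoformat(win[0]) <= t <= datetime.fromisoformat(win[1])

def detect_flows(flows):
    """Return (rule, src, dst, dport) for allowed inbound flows that break the baseline."""
    alerts = []
    for f in flows:
        # denied flows were already blocked; only allowed traffic into OT is of interest
        if f["action"] != "allow" or not f["dst"].startswith(OT_NET):
            continue
        if f["dport"] in REMOTE_ACCESS:
            if not in_jit_window(f):
                alerts.append(("remote_access_outside_jit", f["src"], f["dst"], f["dport"]))
        elif f["dport"] not in ICS_BASELINE:
            alerts.append(("non_baseline_port", f["src"], f["dst"], f["dport"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_flows(FLOWS):
        print(alert)
```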


Vulnerability Management:

Organisations need to have a proper asset inventory to make life easier for the vulnerability management team. Vulnerability management needs to ensure all devices report to its tool so that vulnerabilities can be identified and remediated as soon as possible. As ICS systems live for decades, it becomes increasingly challenging for OT teams to patch vulnerabilities, as a patch might not be available if the OT systems are outdated. Vendors of OT systems must ensure they provide updates for at least a decade or two to keep the systems secure.

Best Practices:

  • Always have an efficient incident response team to ensure that cyber attacks are identified and remediated as soon as possible.
  • Adhere to security best practices like the principle of least privilege and regular review/auditing of access controls to OT systems.
  • Keeping OT systems updated can minimise the attack surface by reducing the scope of attack.
  • Always have network segmentation and make sure OT systems sit within a private network.

Conclusion:

As organisations continue to battle cyber threat actors, we must find simple yet innovative methods to keep ourselves safe. Sometimes simple, not-so-complex methods are enough to keep ourselves safe. Organisations can outsource these services to a third party that takes care of the entire process, like incident response and vulnerability management, so that they can focus on their business.

Mohammad Suleman

Innovative Data Scientist | Expert in Generative AI, Machine Learning, Data Analysis, and Deep Learning | Solving Complex Problems with Data Insights

7 months

Well said!
