For IT Professionals: Industrial Controls Systems (ICS) and Operational Technology (OT) - Cybersecurity and Risks Implications
Andre Antunes
M.Sc., MBA, PMP, CISM, ISO 27001, CompTIA Security+, Cybersecurity and Networks Expert, ITIL 4, 3x Azure, 3x OCI, 1x AWS, M.Sc. in Global Security, Conflict and Cybercrime from New York University - NYU.
This article introduces Industrial Control Systems (ICS) and Operational Technology (OT) components to IT people interested in cyber security risks, drawing some parallels, exploring some differences, and discussing the security implications of each component category. In addition to my practical experience as a consultant for a multinational that has already worked on ICS/OT projects in the Mining & Metals and Oil & Gas industries, I am also applying the teachings and class discussions of the doctors and experienced professors of the Master in Global Security, Conflict, and Cybercrime that I am doing at New York University – NYU, in Manhattan, mainly the debates from the classes Cyber Technical, Operational & Strategic Perspectives and Cyber Power & Global Security. Thanks to the NYU doctors and professors who supported me during classes with their constructive comments. This article does not represent NYU or the views of NYU, only my personal views. #OT #IT #ICS #cybersecurity #risk #operationaltechnology #industrialcontrolsystems #informationtechnology #cyber #nyu #msgscc #gscc
1. Operational Technology (OT)
Introduction. Information Technology is a broad, generic term that encompasses a range of equipment, technologies, and systems, including communications and networking equipment, traffic security and inspection equipment, operating systems, applications, electronically stored databases, and much more. Those who work in networks and IT security, and who think in terms of topologies, realize that the environment they administer usually starts and ends at some router within their organization. The same happens with OT personnel, whose administrative domain will normally be bounded by some element acting as a firewall or router. So, to allow physical communication between OT and IT, the design topology may contain, in addition to firewalls and routers, proprietary elements for data translation and conversion as well as for filtering the flow of information.
Objectives and Initial Questions. The purpose of this article is to discuss the term Operational Technology (OT), which is often linked to another general term, Industrial Control Systems (ICS). The focus of OT/ICS is on industrial systems that, in theory, are not commanded or controlled by the same teams as IT, because of the industrial business focus, sector-specific managerial specializations, certain risks, and concerns about the limitation, on both sides (IT and OT), of not seeing the other's work in depth.
Background. This article aims to help IT people who need to have contact with OT and ICS, with a linear and simplified view, by explaining the new concepts. For better understanding, it is assumed that the reader has reasonable experience with IT. I needed to understand OT/ICS 15 years ago, starting with the first projects I participated in, both in the consultancy where I have been working for the last 12 years and in the Mining & Metals and Oil & Gas markets of previous projects, including Logistics and Search. As I already had to do, you will probably need to meet with industry suppliers, discuss convergence and security concepts for both the IT and OT sides, and evaluate integrations and other more detailed issues for specific industries and projects. There are so many different industrial suppliers, with completely different solutions, that it is impossible to know the details of everything. Precisely because OT/ICS focuses on specific needs and specific industrial solutions (even when they come from the open market), each industry has its own advanced and differentiated production method, and requires different suppliers for each moment it has reached in its timeline. The basic concepts I will explain below allow for some interoperability. So, this article is the starting point, but the details will depend on your project type and the current moment of that industry. I would also like to point out that this article was written from my corporate experience and from master's class discussions, and no AI-based content generator software was used anywhere.
Fundamentals of the term OT. Operational Technology, henceforth abbreviated to just OT, is a way of distinguishing the technological environment from the IT environment, although they follow many similar principles. So, when talking about OT hardware and software, reference is being made to a set of solution implementations that range from the physical equipment layer to the highest layer of software, operating systems, and firmware, with specialized functionalities that meet the OT team's needs. The literature considers that OT is associated not only with industrial environments inside factories but also with other operations specialized in sensing and acting on varied physical environments at the service of corporations, agencies, and concessionaires, such as railways or the automated opening of doors in commercial buildings, for example. The concept of OT, due to convergence with other more recent terms (i.e., IIoT, IoT, "smart", PIT), is already beginning to raise doubts about the scope and limits of the term, as the new terms are entering a common gray zone. In many cases, the word OT leaves no doubt that it refers to something related to an industrial control system, but in some cases it may raise doubts as to whether it has crossed the boundaries of OT to refer to the Industrial Internet of Things (IIoT), for example.
Fundamentals of the term ICS. The term Industrial Control Systems, now abbreviated as ICS, tries to make clear the purpose of its equipment park, software, and specific applications. And the Operational Technology (OT) team – not IT – provides support. Note that the word "Systems" is part of the term ICS, indicating a broad term that encompasses a set of hardware and software solutions with a common purpose.
“OT and ICS are not IT”. It is common to find texts that mention OT associated with the word ICS immediately beside it. Both are broad terms and are not associated with IT. There are different teams to manage IT and OT, different cultures, and different boards and, normally, one team does not understand in depth the environment and problems of the other. Those who have experienced this in practice, in the real world, would certainly quickly write a list of bullets about the advantages and problems arising from these segregations.
OT layers. For those who have only lived in the IT world, there are many new terms to learn in order to understand OT/ICS. So, the best starting point is to understand the layers of industrial-technological operation, in the same way that IT discusses the 7 layers of the OSI model, standardized by ISO since 1983. If these layers of industrial control system development did not exist at all, there would be no reasonable interoperability between technologies from different global vendors. And yet, speaking of the real world, some projects combining technologies from different manufacturers sometimes do not work correctly, requiring interventions and manual controls in some part of the process for some time, until a definitive solution can be adopted. It is common for an industry to have solutions from an industrial supplier A in one part, from a supplier B in another, and from a supplier C in yet another, with systems developed in different languages and with different communication protocols between pieces of industrial equipment that need to communicate their state to one another. As a certain industry expands its activities and needs to automate some processes by adopting OT, some suppliers prove to be better than others in some fields, so the industrial park becomes a hodgepodge of different suppliers.
There are two important generic acronyms, SCADA and DCS, and the first pretty much defines the concept that will be discussed below. SCADA is an acronym for "Supervisory Control and Data Acquisition" and DCS for "Distributed Control System". In this article, importance will be given to SCADA.
The main objective of industries has always been to automate their processes, the so-called industrial automation. So, manufacturers follow a certain pattern in producing solutions, differentiating themselves in the technologies that one dominates more advanced than the other. Standardizing technology adoption, using layers and levels, favors interoperability between different OT/ICS vendors, meaning the customer can buy one part from one supplier and another part from another supplier, and both will try to make everything work together. The answer to this was initiated by the SCADA standard, created in the 70s, to control these processes of different technological integrations at the different manufacturing levels.
The fundamental layers below are the most recently released by the general SCADA concept and can be associated with virtually any equipment from any supplier in the world, being represented by a pyramid (which conveys a notion of hierarchy and of volumes at each level). A version of this pyramid can also be found under the name Industrial Automation Pyramid. When it comes to OT/ICS, there is also no shortage of layer standardization, because without it each developer of industrial technology (ICS) would do things completely in their own way, forcing industries to rely on that exclusive supplier.
2. SCADA Pyramid and Industrial Automation
Summary View of SCADA Pyramid and Industrial Automation
Detailed View of SCADA Pyramid and Industrial Automation
Level 0 represents the possibly hundreds or thousands of pieces of hardware that an industrial production or commercial operation can have in the field network of its industrial park to do the most fundamental work of all levels. The equipment in this Level 0 can be in an internal or external environment of the production, to sense (sensor) the environment where it was installed or to act (actuator) to physically modify that environment. It could be a temperature sensor or an electromagnetic mechanism to close a door, for example, and they can be in environments that are extreme for a human being. The fundamental hierarchical concept of the automation pyramid is that the sensor "feels" and communicates its state to the level above (Level 1), which contains specific reaction programming to return a command to the actuator that "acts" (i.e., closing a door somewhere). In principle, it is not fundamental in the SCADA representation that the sensor communicates independently with the actuator; that is a more conceptual approach for IIoT, whose devices would have autonomy for reading and reaction. If we imagine that the devices of this Level 0 of industrial automation do the most menial work, then it would be equivalent to the work of the field technician who regularly goes to each remote location to read the levels on some display for pressure, temperature, or humidity, writes them down on their clipboard, and communicates them to management, who decides what to do and orders another technician to close a door or gate, reduce pressure, or increase ventilation to compensate or balance the internal or external environment of that production line. If the field technicians have autonomy (conceptually like an IIoT), they will probably sense the environment themselves (sensors) and act (actuators).
The idea of automation, when inserting equipment to do this fundamental industrial work in the field, can be to improve performance, obtain quick response action, reduce the risk of accidents or risk of human exposure, produce more, etc. We must remember that many concepts are dynamic fundamentals, being able to add more technologies in common areas.
Level 0 Security and Risks. Sensors and actuators can be located inside the plant, in visible or difficult-to-inspect locations, and they can also be located thousands of miles away. And what cannot be watched and monitored is vulnerable. If this equipment does not communicate its presence to its supervisory level (i.e., the PLCs) with some kind of network keepalive signal, then it runs the risk of being lost, damaged, intentionally exchanged, or intentionally altered in its functionality. This is a relatively common problem in many industries with an extensive industrial park, and an almost unsolvable one in industrial plants with remote and inhospitable fields, such as underground mines in the Mining & Metals industry. In some cases a CCTV camera can monitor, but in others one must rely on periodic human inspections when possible, and in some cases industrial field equipment (i.e., switches, sensors) can go years without inspection.
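One defensive control that follows from the keepalive point above is a heartbeat audit: compare the devices an asset inventory says should be reporting against what the PLC or historian actually received, and flag devices that have gone silent, gone stale, or appeared without being inventoried (the "intentionally exchanged" case). The script below is an added example, not code from the article or from any vendor; the log format, device tags, PLC name and timestamps are all constructed for illustration.

```python
"""Heartbeat audit for Level 0 field devices (added example, not from the article).

Assumes the PLC or historian forwards one line per sensor report in the
constructed key=value format below. Device tags, inventory and times are invented.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log: what a PLC might forward per sensor report.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z plc=PLC-7 device=TT-101 value=21.4
2024-03-01T08:00:00Z plc=PLC-7 device=PT-202 value=3.1
2024-03-01T08:00:30Z plc=PLC-7 device=TT-101 value=21.5
2024-03-01T08:00:30Z plc=PLC-7 device=XV-909 value=1
2024-03-01T08:01:00Z plc=PLC-7 device=TT-101 value=21.5
"""

# Constructed asset inventory: the devices that *should* be reporting to PLC-7.
INVENTORY = {"TT-101", "PT-202", "LT-303"}


def parse_log(text):
    """Yield (timestamp, device_id) pairs from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        yield ts, fields["device"]


def heartbeat_audit(text, inventory, now, max_gap):
    """Classify inventoried devices as silent (never reported), stale (last report
    older than max_gap), and report any device that is not in the inventory."""
    last_seen = {}
    for ts, dev in parse_log(text):
        if dev not in last_seen or ts > last_seen[dev]:
            last_seen[dev] = ts
    silent = sorted(d for d in inventory if d not in last_seen)
    stale = sorted(d for d, ts in last_seen.items()
                   if d in inventory and now - ts > max_gap)
    unknown = sorted(d for d in last_seen if d not in inventory)
    return {"silent": silent, "stale": stale, "unknown": unknown}


def run_sample():
    """Run the audit over the constructed data as of 08:02:00 with a 60 s tolerance."""
    now = datetime(2024, 3, 1, 8, 2, tzinfo=timezone.utc)
    return heartbeat_audit(SAMPLE_LOG, INVENTORY, now, timedelta(seconds=60))


if __name__ == "__main__":
    for category, devices in run_sample().items():
        print(f"{category}: {', '.join(devices) or '-'}")
```

In the constructed data, LT-303 never reports (silent), PT-202 last reported two minutes ago (stale), and XV-909 reports although it is not in the inventory (unknown). TT-101 reported exactly 60 seconds before the check, so it sits on the tolerance boundary and is not flagged. The tolerance should be set per device class from the expected reporting interval, not as a single plant-wide value.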
Level 1, following the SCADA hierarchy, represents the OT industrial equipment with which Level 0 sensors and actuators communicate: actuators receive commands to act, and sensors report their ambient readings. This Level 1 historically represents programmable logic controllers (PLCs), among others, which are physical devices that communicate with sensors and actuators over cables or radio using the network protocols best suited to them. These PLCs are minicomputers with memory, firmware, and the ability to be programmed in a specific language (the best known is Ladder Diagram, but there are many others depending on the manufacturer), and they are typically built to resist the environment in which they are installed. Being a PLC programmer is a profession in demand in industry, because it is the PLC (and its equivalents) that contains the intelligence for the direct control of the actuators, and this programming is proprietary to the manufacturer and needs to be changed and updated as the requirements for sensor and actuator functions evolve. PLC hardware boxes are not usually large, and usually have some kind of display for visual consultation or to give feedback to the operator during use, with some buttons for local commands on the box itself. Industrial PCs, which operate at the same level, are the equivalent of IT PCs and are similar to PLCs, as they also have microprocessors, memory, and storage, and are programmable. They may also have operating systems, accept popular programming languages from the market, be more flexible and easier to update (while being more expensive than PLCs), and be oriented to more complex tasks, with more external interfaces than a PLC. In short, the basic architecture of both PLCs and industrial PCs is identical to that of IT PCs: a CPU (processor), volatile memory (RAM), non-volatile memory (ROM), and various interfaces for external communication (communication ports).
Please remember that I am describing fundamental concepts that certainly apply to older models; the convergence being worked on by ICS vendors is packing many of these concepts into a small number of modern devices.
Level 1 Security and Risks. The most common OT security risks are in equipment that no longer accepts updates and has been discontinued by its manufacturer. Industrial equipment is designed to run for 10 years or more, and you will find many devices running for 20 years or more without intervention, even in harsh environments. So, they may contain vulnerabilities in programming that can no longer be fixed, they may not accept firmware updates, and they may be exposed to vulnerabilities triggered from the upper levels of the SCADA pyramid or injected directly into their communication ports. Field network switches without port blocking and wireless networks may also be vulnerable. So, in some cases, blocking physical access is necessary, together with remote monitoring to mitigate security issues.
At Level 2 sits the supervisory system. SCADA stands for "Supervisory Control and Data Acquisition", and at this level is the system chosen by the industry to control industrial automation from a single, centralized location, with data collection to feed the so-called "historians" (which are other servers with access to the same network as these supervisory servers). Each supplier of industrial control system equipment has its own SCADA system to offer and will typically oversee, successfully, equipment from many other OT/ICS manufacturers at the levels below (Levels 1 and 0). As the equipment below can communicate using different industrial network protocols on the "Fieldbus", SCADA suppliers strive to produce supervisory systems that speak as many protocols as possible in order to interpret and communicate with them. The biggest risk at this level is integrations not working out as designed, with unreliable status readings in some cases.
Level 2 Security and Risks. Supervisory Control and Data Acquisition (SCADA) systems run on traditional servers, of the types known to IT people, but they are managed by OT people who call their vendors when they need help, since these systems are PIT. That is, they are part of an integration solution from that supplier and are usually sold as customized hardware and software for this exclusive purpose. The Department of Defense (DoD) and the National Institute of Standards and Technology (NIST) treat Platform Information Technology (PIT) as dedicated, mission-critical hardware and software solutions for special purposes. When doing inventory surveys in different industries, you will probably find that many still have OT servers running out-of-support solutions (EOS, EOL), such as obsolete hardware with no possibility of exchanging parts because they use components no longer in production (i.e., serial comm cards, IDE cards, VGA video cards, obsolete motherboard slots), as well as out-of-support operating systems (i.e., Windows Server 2000 on servers, Windows XP on workstations). It is a good idea to research whether the industry vendor platform you are advising on has old and new vulnerabilities identified in the Common Vulnerabilities and Exposures (CVE) database, maintained by the non-profit organization The MITRE Corporation.
At Level 3, the Manufacturing Execution System (MES) is another generic term, designating a system that can control the entire manufacturing of the industrial plant for production managers, with the intended ability to visualize everything from the planning of raw material input to the output of the finished product. When the MES implementation project in an industry achieves a high level of integration of the various industrial processes and business rules, it starts to work as a planning and decision tool. The fact is that in many industrial environments several old systems still coexist and work in isolation, there is a lot of segregation of management between different plants of the same company, and there are still many "slow" manual processes (i.e., spreadsheets that need to be filled out and calculated so that the chain of planning and decisions is fed). But practically every industry has its MES tool and tries to extract the best from it, implementing it in waves, on a timeline planned over years, because it also needs to readjust several internal processes to adapt.
The SCADA pyramid indicates that, at the highest level, Enterprise Resource Planning (ERP) is the state of the art in integrated management, as the company is able to take relevant information from the MES (OT domain) into its existing ERP (typically the IT domain). The ERP is the tool that the administrators of that industry use to visualize and control the operations of the business within the suite of applications generically called ERP. In theory, once an ERP is implemented and working, industrial administration, top-level management, and IT and industrial management come together to work on the global goals and ensure their fulfillment, in addition to other matters to be reported, because the ERP, besides manufacturing, should also integrate other management functions such as sales, purchasing, finance, etc.
Level 3 and 4 Security and Risks. At these two levels of typical OT and IT responsibilities, we are talking about the kinds of application servers known to IT, database servers, and other servers that require separate application installations for performance or security reasons, with all the inherent risks that the IT team already knows and usually mitigates. To name the most common ones in the current phase, after having visited some critical infrastructure sectors: DoS/DDoS, ransomware, zero-day attacks, SQL and XML injection, etc. At these levels, the fact that the business is industrial does not change the risks known to IT personnel.
3. Typical hierarchy of major components of the industrial automation network
In addition to the view of the industrial automation pyramid together with the SCADA pyramid, it is also useful to know some components whose operation and in-depth knowledge are typical only of the OT team and not of IT, as they belong to the industrial automation levels (Level 0 to Level 3 in the general topology below).
For industries that have made more recent acquisitions, supervisory systems, PLCs, and sensors/actuators (i.e., Levels 0, 1, and 2) will also be able to communicate over the TCP/IP protocol. The typical industrial protocols Modbus/TCP (Schneider) and Ethernet/TCP (Rockwell), despite dominating almost 50% of the global market, can present performance issues when the reaction time is critical to within a few milliseconds. The various industrial components on the factory floor can talk to each other using more than ten different protocols, selected for each project according to their performance and particular characteristics.
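Because Modbus/TCP carries no authentication of its own, a common defensive measure at this level is passive monitoring: decode each request seen on the span port and alert when a write function reaches a PLC from a host that is not an authorized engineering or supervisory station. The decoder below is an added example written for this article, not vendor code; it implements the public Modbus/TCP header layout (transaction id, protocol id, length, unit id, then the function code), and the frames, hosts and authorized-writer list are constructed for illustration.

```python
"""Modbus/TCP request decoder and write-monitor (added example, not from the article).

Implements the public MBAP header (2-byte transaction id, 2-byte protocol id
which is always 0, 2-byte length counting unit id + PDU, 1-byte unit id) and
classifies the function code that follows. Frames and hosts below are constructed.
"""
import struct

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# For these function codes the PDU starts with a 16-bit address and a 16-bit
# quantity (reads, multi-writes) or value (single writes).
ADDRESSED_FUNCTIONS = (1, 2, 3, 4, 5, 6, 15, 16)


def decode_mbap(frame: bytes) -> dict:
    """Decode one Modbus/TCP request; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length covers everything after its own field
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    function, pdu = frame[7], frame[8:]
    if function in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[function]
    elif function in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[function]
    elif function >= 0x80:
        kind, name = "exception", f"Exception response to function {function - 0x80}"
    else:
        kind, name = "other", f"Function {function}"
    info = {"transaction_id": txn_id, "unit_id": unit_id,
            "function_code": function, "kind": kind, "name": name}
    if function in ADDRESSED_FUNCTIONS and len(pdu) >= 4:
        info["address"], info["value_or_count"] = struct.unpack(">HH", pdu[:4])
    return info


def audit_requests(records, authorized_writers):
    """records: iterable of (source_ip, frame). Return alert strings for write
    requests from hosts outside authorized_writers and for malformed frames."""
    alerts = []
    for src, frame in records:
        try:
            req = decode_mbap(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus frame ({exc})")
            continue
        if req["kind"] == "write" and src not in authorized_writers:
            alerts.append(f"{src}: {req['name']} to unit {req['unit_id']} "
                          f"address {req.get('address')} from unauthorized host")
    return alerts


# Constructed frames (hex): read 10 holding regs from 0; write 1 to reg 100;
# write 2 regs starting at 16; and a truncated frame.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")
WRITE_SINGLE = bytes.fromhex("000200000006010600640001")
WRITE_MULTI = bytes.fromhex("00030000000b0110001000020400010002")
MALFORMED = bytes.fromhex("00040000")

# Constructed capture: 10.0.0.5 is the authorized SCADA server, 10.0.0.99 is not.
SAMPLE_RECORDS = [("10.0.0.5", READ_HOLDING), ("10.0.0.5", WRITE_SINGLE),
                  ("10.0.0.99", WRITE_MULTI), ("10.0.0.99", MALFORMED)]
AUTHORIZED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_RECORDS, AUTHORIZED_WRITERS):
        print(alert)
```

Run on the constructed capture, the monitor stays quiet for both requests from the authorized SCADA server and raises two alerts for the unauthorized host: one multi-register write and one truncated frame. The same decoder can be fed from a packet capture by stripping the TCP payload on port 502; the length check matters there because a single TCP segment may carry several Modbus frames back to back.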
This view states that equipment on the Fieldbus (factory floor) interacts directly with the production medium, doing front-line manufacturing work. This general category includes equipment and sensors/readers such as gauges (pressure, temperature, flow, level) and a few others. Also in this category is the equipment that acts on the environment, such as valves, actuators, and many others. In the industrial environment, this actuation equipment (actuators) normally does not act standalone because, in the fundamental industrial vision of process, safety, and control, it must receive commands from the upper level (Level 1). Likewise, the equipment that senses and perceives (sensors) must only notify its status to the equipment to which it is subordinated, also in Level 1. The network segment where the field equipment is located is known as the Fieldbus. In more modern industrial parks there is a tendency for edge equipment to have more autonomy, integrating sensing and action, as in the IIoT (Industrial Internet of Things) concept. However, thousands of industries around the world still use millions of pieces of equipment in the traditional way in their industrial plants.
Fundamentally, equipment at the Fieldbus Level 0 described above must report its readings to the PLC/PC types of equipment at this Level 1. At Level 1 is the process manager's equipment, programmed by humans, which then returns the actuation command to another piece of equipment back at Fieldbus Level 0. At Level 1 we have programmable logic controllers (PLCs), industrial personal computers (PCs), and any hardware that allows this type of process-management function. All of these communicate over the industrial switches that make up the Fieldbus segment, which can carry more than 10 different communication types under industrial protocols.
Human-Machine Interfaces (HMIs) are also equipment for monitoring and managing industrial processes, in their most basic and direct form: monitor panels (typically LCD, like a tablet) fixed next to the equipment, on which operators in the field can monitor states visually and issue commands for some changes by touching the screen directly or by pressing the buttons on the box frame itself.
Vulnerabilities in the HMI. A good overview of vulnerabilities in the Human-Machine Interface (HMI) of industrial control systems (ICS) can be found in the 2017 Trend Micro Vulnerabilities and Exploits Report, which lists the four biggest vulnerability classes for SCADA solutions:
Memory Corruption. These were stack-based buffer overflow vulnerabilities and out-of-bounds reads/writes. These vulnerabilities are known to IT personnel and can also happen in applications running on IT servers and workstations, due to flaws in the vendor's secure software development process.
Credential Management. These were hard-coded passwords embedded within the source code itself, passwords stored in a recoverable plain text format, and insufficient credential protection. These are usually attributed to programmers/developers who worked without a code security review process.
Lack of authentication, authorization, and presence of insecure patterns. These included some insecure defaults, clear text transmission of sensitive information, lack of encryption, and insecure ActiveX controls.
Code injection. Lack of protection against SQL injection, command injection, operating system command injection, and code injection, as well as some more specific injection types, were also identified as risks for SCADA solutions.
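The Credential Management class above is the one most directly fixable in application code. The added example below (written for this article, not taken from the report or any vendor product) places the weak pattern the report describes, a recoverable password table, next to the hardened pattern a reviewer would ask for: a per-user random salt, a slow key-derivation function, and a constant-time comparison. The usernames and passwords are constructed.

```python
"""Credential storage: the weak pattern beside the hardened one (added example).

Not from the article or any HMI vendor. Usernames and passwords are constructed.
"""
import hashlib
import hmac
import os

# --- Weak pattern named in the report: passwords kept in recoverable form -------
# Anyone who can read this table (config file, firmware image, source repo)
# has every password, and the same password always looks the same.
PLAINTEXT_STORE = {"operator": "operator", "engineer": "Plant2017!"}


def check_plaintext(store, user, password):
    """Authenticates, but only by keeping the secret itself on disk."""
    return store.get(user) == password


# --- Hardened pattern: salted, slow, one-way hash with constant-time compare -----
ITERATIONS = 600_000  # high work factor so offline guessing is slow


def make_record(password, salt=None):
    """Derive a verifier from the password; a fresh 16-byte salt per user means
    two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def check_hashed(store, user, password):
    """Recompute the verifier and compare in constant time.
    Unknown users still cost one derivation so timing does not reveal valid names."""
    rec = store.get(user)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])


# Constructed hardened store built from the same two accounts.
HASHED_STORE = {user: make_record(pw) for user, pw in PLAINTEXT_STORE.items()}

if __name__ == "__main__":
    print("plaintext login:", check_plaintext(PLAINTEXT_STORE, "operator", "operator"))
    print("hashed login:   ", check_hashed(HASHED_STORE, "operator", "operator"))
    print("wrong password: ", check_hashed(HASHED_STORE, "operator", "Operator"))
```

The hardened store can be copied out of the device without yielding a single password, which is the property the report's finding is about; it does nothing for the "hard-coded" sub-case, where the fix is to remove the credential from the code and provision it per installation. Migrating an existing plaintext table is a one-time pass through `make_record`, after which the plaintext copy must be destroyed.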
Above the process-management level, at the supervisory level, are any servers on the OT network running the traditional operating systems known to IT (i.e., Windows Server) with their applications and specialized functions. The two typical functions are to host the application suites that centralize the management of the industrial network equipment, and to run the database servers that act as historians. As in IT, these servers are isolated in the racks of the industrial plant's server room, and access to them is via terminals containing the client software for that SCADA application or, more recently, via an HTML browser. Historians are servers whose specialized function is to collect and store each state and event time of the industrial components, as continuously fed logs, to be queried by the management servers for the display of historical or snapshot data. When IT personnel work with OT personnel, historians will always be mentioned as points of concern and security due to their strategic importance to industrial production.
Vulnerabilities of industrial supervision. These are the same vulnerabilities as in IT: viruses, ransomware, SQL or XML injection, stack overflow, and hardware component failures, as well as the known risks of unsupported applications, obsolete operating systems, and obsolete, unserviceable hardware. For safety reasons, industrial control system equipment must have a strong layer of protection from the outside world and certain layers of isolation. There are cyber and physical risks, created by malicious actors, who could directly access this segregated network. There are risks in IT accessing OT networks because, due to the intrinsic assumption of physical isolation in OT, there is little or almost no protection in various pieces of ICS/OT equipment. Common cases are unsecured ports (Ethernet, USB, serial, management) on servers, workstations, and unsecured industrial field switches (which could be tens of miles from the operations center), where a malicious actor could insert malware into the network through any remote switch. Industrial switches (or even regular ones) may be unmanaged, without port blocking or network access control. In industries with an active IT function, their switches and servers tend to be protected against these risks, as this equipment is more exposed to corporate users. If there is a vulnerability in the IT of this industrial plant, then the risk can propagate to industrial production (i.e., through MES connections with the ERP) when remote control or queries of industrial production are allowed from the IT premises.
Please check what was discussed above in Level 4 (ERP) as it applies in the same way.
Conclusion. While manufacturers of industrial solutions strive to create solutions for remote industrial control as well as remote visualization of industrial parameters without compromising security, on the other end there are thousands of malicious actors (and also "good hackers") testing flaws in everything, at all levels, as the CVE list already mentioned shows.
This article provides a foundation for IT professionals to understand more about the differences and similarities between IT and OT. In it, I applied some of the most well-known real situations of security risk from my participation in industrial cybersecurity projects (and other matters) in the real world. This article was written entirely by me, without the use of any automatic "AI" text generation tools. Any constructive comments are welcome.
I lead teams that extract strategic information from legacy systems into modern visualization tools
1 yr Great article Andre Antunes! You brought some interesting points of view to the cyber security discussion.
Senior Consultant - Professor/Course Coordinator - ICS/Cyber OT - IIoT - Industry 4.0 - ITIL 4 - IT/OT Interface - IT/OT Governance
1 yr Master, excellent article, and just one addendum: explore the Level 3 systems more, not only the MES. PIMS, LIMS, mine dispatch, fuel control systems, etc. I really liked the part where you explored the vulnerabilities of each level; I had never thought of that for writing my own articles. Eagerly awaiting the next ones, and congratulations. I'm your fan.
Global Security
1 yr Andre, thank you for explaining a technical subject in plain terms as much as possible. A non-tech person can get a generic view of IT & OT systems and also of to what extent there can be a convergence between them. It is valid for all articles that addressing all issues is not possible with only one write-up. However, it is good to open an avenue. Once more, thanks for your invaluable contributions to cyber readings.
Security Analyst/ Red Team /Ransomware/ Network Security
1 yr This insightful article provides an excellent overview of the intersection between Information Technology (IT) and Operational Technology (OT), the evolution of SCADA systems, and the significant components of the industrial automation network. The comparison between IT and OT was particularly beneficial, as it delineates the operational nuances. However, the SCADA realm still has some problems in the fundamental security reflection.