As operational technology (OT) networks become increasingly connected to the rest of an organization’s network infrastructure, they become a growing target for increasingly sophisticated cyber criminals. In fact, Fortinet’s 2021 State of Operational Technology Cybersecurity Report indicates that nine out of 10 OT leaders had at least one intrusion in the past year, with 63% having experienced three or more.
Understanding the critical nature of OT system cybersecurity
OT systems typically integrate physical, network-connected devices serving domains such as manufacturing, energy and utilities, transportation, and oil and gas. These systems were historically isolated by air gaps, meaning they had no direct connection to the outside world and so were not reachable by remote attackers. With growing dependence on Industrial Internet of Things (IIoT) devices, OT systems are now digitally connected in order to exchange high volumes of data. This IT/OT digital transformation has expanded the attack surface and amplified the need for cybersecurity best practices that deliver timely situational awareness.
The importance of protecting critical infrastructure was underlined when DarkSide criminals gained access to Colonial Pipeline's network and attempted to steal nearly 100 gigabytes of critical data. The incident led Colonial Pipeline to halt all 5,500 miles of its pipeline operations, as well as some of its IT infrastructure, while it worked to clean and restore compromised systems. Colonial Pipeline is the largest supplier of gasoline, diesel and jet fuel on the East Coast of the United States, transporting 2.5 million barrels of fuel per day, nearly half of the East Coast's total fuel supply, through a network of pipelines linking refiners on the Gulf Coast with distribution centres across the eastern and southern United States. Alert IT team members identified the attack and proactively took specific systems offline to contain the threat, limiting the attackers' opportunity to steal further data and protecting the energy distribution infrastructure from deeper compromise.
Many organizations address security challenges with an array of point solutions, but this strategy isn't sustainable in the long run. Dependence on multiple loosely integrated point solutions often falls well short of delivering true visibility and control across the entire network, and can lead to security gaps and response latency. OT networks must be able to rapidly recognize and neutralize security threats to avoid critical service outages, especially since a breach could lead to industrial sabotage and even loss of life.
OT infrastructures can no longer rely on an air gap as a primary defence mechanism. Instead, OT security strategies should centre on Zero Trust Access (ZTA), which grants no access to any user, device or application until its identity has been verified and its permissions checked. This helps neutralize threats from both inside and outside the network and reduces the likelihood of data breaches.
The OT Zero Trust Access Process
Zero Trust Access begins with applying a consistent policy of “never trust, always verify” for every wired and wireless network node. This is not always straightforward to accomplish across a complex landscape, but implementing known best practices can enable significant progress. For example, practicing the principle of least privilege across internal and external network communications limits threats by providing users and devices with only the minimum access they require and no more.
Integrating an internal segmentation firewall at multiple points within the network protects against an array of attack vectors while providing both network visibility and least privilege enforcement. Containment strategies also limit vertical (north-south) and horizontal (east-west) movement within the OT environment, so that a single compromised device cannot reach its neighbours or the IT network.
Next-generation Firewall (NGFW) technology that employs an internal segmentation configuration and intelligent switching can also provide a ZTA foundation across IT/OT networks. Configuring the NGFW with secure and scalable Ethernet switches allows micro-segmentation and policy enforcement that prohibits any unapproved east-west or north-south network movement, making network security more granular while improving attack resistance.
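The segmentation policy described above, as an added example that is not code from the original article, from Fortinet or from any firewall product: a default-deny, zone-based policy evaluator run over constructed IT/OT flows. The zone ranges, ports, rules and sample flows are hypothetical; the point it shows is that without an explicit allow rule a flow is dropped whether it crosses zones (north-south) or stays inside one (east-west), which is what micro-segmentation adds over plain zone firewalling.

```python
# Added example, not Fortinet's or any vendor's code: a default-deny
# segmentation policy evaluated against constructed IT/OT flows. The zones,
# addresses, ports and rules are hypothetical and chosen for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical zone layout, loosely following Purdue levels.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),       # office workstations
    "dmz_historian": ipaddress.ip_network("10.20.0.0/24"),      # IT/OT DMZ
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),  # HMIs, engineering stations
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),      # PLCs and RTUs
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Explicit allow list; every flow not matched here is dropped (default deny).
ALLOW = (
    Rule("ot_supervisory", "ot_control", "tcp", 502),      # HMI polls PLCs over Modbus/TCP
    Rule("ot_supervisory", "dmz_historian", "tcp", 5432),  # supervisory tier feeds the historian
    Rule("corporate_it", "dmz_historian", "tcp", 443),     # IT reads reports from the DMZ only
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Intra-zone flows need a rule too
    (micro-segmentation), so a compromised PLC cannot reach its neighbours."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in ALLOW:
        if (src, dst, proto.lower(), dst_port) == (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port):
            return "allow", f"{src}->{dst} {proto}/{dst_port} matches allow rule"
    direction = "east-west" if src == dst else "north-south"
    return "deny", f"{src}->{dst} {proto}/{dst_port}: no rule, default deny ({direction})"


def evaluate_flows(flows) -> List[str]:
    """Evaluate (src, dst, proto, port) tuples; returns the list of decisions."""
    return [evaluate(*flow)[0] for flow in flows]


# Constructed sample flows, as a segmentation firewall would see them.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.7", "tcp", 502),    # HMI -> PLC Modbus: allowed
    ("10.10.4.2", "192.168.20.7", "tcp", 502),       # office PC -> PLC: denied (north-south)
    ("192.168.20.7", "192.168.20.8", "tcp", 502),    # PLC -> PLC: denied (east-west)
    ("192.168.20.7", "203.0.113.9", "tcp", 443),     # PLC -> internet: denied (egress)
    ("10.10.4.2", "10.20.0.10", "tcp", 443),         # office PC -> historian HTTPS: allowed
    ("192.168.10.5", "192.168.20.7", "tcp", 44818),  # HMI -> PLC EtherNet/IP: not enrolled, denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, reason = evaluate(*flow)
        print(f"{decision:5s} {reason}")
```

Note that the third flow (PLC to PLC on the same subnet) is denied even though both ends sit in the trusted control zone; that is the least privilege property the text refers to, and it is exactly the traffic a zone-only firewall with a permissive intra-zone default would let through.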
How multi-factor authentication can help
Heightened protection is achieved with multi-factor authentication (MFA), which only grants access after the user has successfully presented two or more factors to an authentication mechanism.
Those factors are something the user has, such as a badge or a smartphone; something the user is, such as a fingerprint or voice pattern (biometrics); and something the user knows, such as a password or a PIN.
Requiring two or more of these independent pieces of evidence is how MFA makes account compromise and network breaches much harder for bad actors: a stolen or guessed password alone is no longer enough.
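How the "something you know" and "something you have" factors above combine in practice, as an added example that is not code from the original article or from Fortinet: a password check plus a time-based one-time code (RFC 6238 TOTP, the scheme used by common authenticator apps), with a one-step tolerance window and replay protection. The user record, salt and timestamps are constructed; the TOTP secret is the published RFC 6238 test secret and must never be enrolled for a real account.

```python
# Added example, not Fortinet's code: password-plus-TOTP verification with
# a time-step window and replay protection. The user record, salt and
# timestamps are constructed; the TOTP secret is the RFC 6238 test secret
# and must never be used for a real account.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(timestamp) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for one operator account with an enrolled authenticator.
SALT = b"constructed-salt-not-for-production"
USERS = {
    "operator": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 Appendix B test secret
        "last_counter": -1,                       # highest time step already accepted
    }
}
_DUMMY_HASH = hash_password("dummy", SALT)  # burned for unknown users to keep timing uniform


def authenticate(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1, step: int = 30) -> bool:
    """Both factors must pass; a valid password with a stale or reused code is rejected."""
    now = int(time.time()) if now is None else int(now)
    user = USERS.get(username)
    if user is None:
        hmac.compare_digest(hash_password(password, SALT), _DUMMY_HASH)  # same cost as a real check
        return False

    # Something you know: constant-time comparison of the PBKDF2 output.
    password_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])

    # Something you have: accept the code for the current step +/- window, but only
    # for a step newer than the last one used, so a sniffed code cannot be replayed.
    current = now // step
    matched_counter = None
    for counter in range(current - window, current + window + 1):
        expected = hotp(user["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()) and counter > user["last_counter"]:
            matched_counter = counter

    # Evaluate both factors before deciding, so a failure does not reveal which one failed.
    if not (password_ok and matched_counter is not None):
        return False
    user["last_counter"] = matched_counter
    return True


if __name__ == "__main__":
    secret = USERS["operator"]["totp_secret"]
    print("code at t=59:", totp(secret, 59))  # 287082, the RFC 6238 SHA-1 vector truncated to 6 digits
    print("wrong password:", authenticate("operator", "guess", totp(secret, 59), now=59))
    print("both factors:", authenticate("operator", "correct horse battery staple", totp(secret, 59), now=59))
    print("replayed code:", authenticate("operator", "correct horse battery staple", totp(secret, 59), now=70))
```

The replay check matters in an OT context: a code captured from an operator's session is valid for up to 90 seconds under the window above, which is plenty for an attacker who already holds the password. Recording the highest accepted time step per user closes that gap without tightening the clock-skew tolerance.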
Balancing secure OT with sustained operations
Digital transformation and the convergence of IT/OT present many inherent risks, requiring proportional cybersecurity investment. However, security perfection is not the goal. Instead, the focus should be on protecting the most important assets as much as possible while still enabling safe and continuous operations that prioritize speed, scale, and solution longevity of the OT system.
We can expect cyber adversaries to remain committed to developing sophisticated tradecraft and delivering cyber campaign toolkits with newer attack methods. While implementing a ZTA strategy significantly raises the cybersecurity bar for highly valued cyber-physical assets, comprehensive protection still requires a broad spectrum of defensive measures. For example, ZTA does not protect against distributed denial of service (DDoS) attacks, and it is not practical for inspecting encrypted payloads, such as traffic inside virtual private network (VPN) tunnels, because of the overhead and delays involved.
As cybersecurity best practices are adopted to proactively defend OT systems, it is equally important to commit to execution so that latency in event or anomaly detection is avoided or minimized. Elements of an OT security strategy should always be considered in relation to the larger ecosystem. Internal behavioural analysis and ZTA enable greater situational awareness and create a more proactive security posture for OT systems. The return on OT security investment should be valued in proportion to safe, trusted and sustained operations.
Rajesh Maurya is the Regional Vice-President, India & SAARC, Fortinet.