OT and Cybersecurity — Part II, Recommendations and Best Practices

SOCFortress
5 min read · Oct 23, 2024


Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

See previous blog entry, OT and Cybersecurity — Part I, Introduction

Operational Technology (OT) environments, which manage industrial systems like manufacturing, energy, and critical infrastructure, face unique cybersecurity challenges. These systems are increasingly connected to IT networks, exposing them to potential cyber threats.

Industrial control systems (ICS) have historically been isolated and less interconnected. Isolation was one of the things that kept these systems more secure behind air gaps, at the cost of lost coordination and collaboration. This is rapidly changing with the rise of Industry 4.0 with increased interconnectivity and integration of smart technologies like Industrial IoT (IIoT) and cloud computing in modern industrial processes.

OT intrusions have spiked since last year.

OT and Cybersecurity — Recommendations

Many OT systems were designed without cybersecurity in mind, lacking basic protections like encryption, authentication, or patching mechanisms. Upgrading or replacing these systems can be expensive and disruptive to operations. Moreover, OT environments prioritise uptime and availability, which makes regular patching or applying security updates challenging. Organisations often delay patching due to the potential for downtime, increasing vulnerability windows.

As OT and IT systems converge through industrial Internet of Things (IIoT) and digital transformation, the attack surface increases. The differences in priorities between IT (data confidentiality) and OT (system availability and safety) complicate security efforts.

Many traditional IT security tools do not understand OT-specific protocols or environments, leading to gaps in detection and protection. It’s also very common that OT systems rely on external vendors for maintenance and support, which can introduce vulnerabilities through remote access tools or unpatched systems. Managing third-party risks in OT environments can be difficult without strict oversight.

Securing OT environments requires a layered, holistic approach that combines network segmentation, strong access control, monitoring, patch management, and staff training. The primary challenge is balancing security with operational continuity, given the mission-critical nature of OT systems.

Physical Security

Ensure that OT systems, control rooms, and network components are secured physically to prevent tampering.
Use surveillance and monitoring systems to detect unauthorised physical access.

Network Segmentation

Reducing intrusions requires a hardened OT environment with strong network policy controls at all access points. This kind of defensible OT architecture starts with creating network zones or segments.
Standards such as ISA/IEC 62443 specifically call for segmentation to enforce controls between OT and IT networks.
Teams should also evaluate the overall complexity of managing a solution and consider the benefits of an integrated or platform-based approach with centralised management capabilities.

Use firewalls and demilitarised zones (DMZs) to limit traffic between OT and IT environments. This limits the spread of malware and unauthorised access.
Apply more granular segmentation within OT environments to restrict access between critical components, reducing the attack surface.
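To make the zone-and-conduit idea concrete, here is an added example (not code from the original post or from SOCFortress) that models four hypothetical zones, an explicit allow-list of conduits between them, and evaluates constructed sample flows against that policy. The zone names, address ranges, ports and flows are all assumptions chosen for the illustration; the point it demonstrates is that anything without a matching conduit is denied, and that traffic crossing the IT/OT boundary without passing through the DMZ is reported separately as an architecture violation rather than as a routine deny.

```python
"""Zone/conduit policy check for an IT/OT network (added illustration).

Assumptions (not from the post): four hypothetical zones modelled loosely on the
ISA/IEC 62443 zone-and-conduit idea, a small explicit allow-list of conduits, and
constructed sample flows. A flow with no matching conduit is denied; a flow that
crosses between enterprise IT (or an unknown address) and an OT zone without the
DMZ in between is reported as a violation so it can be tracked as an architecture gap.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map (constructed addresses).
ZONES = {
    "enterprise_it": ip_network("10.0.0.0/16"),
    "ot_dmz": ip_network("172.16.0.0/24"),
    "ot_supervisory": ip_network("192.168.10.0/24"),  # HMIs, historian, engineering
    "ot_control": ip_network("192.168.20.0/24"),      # PLCs, RTUs
}

# Explicit conduits: (source zone, destination zone, protocol, port). Anything not listed is denied.
CONDUITS = {
    ("enterprise_it", "ot_dmz", "tcp", 443),         # IT users reach the DMZ jump host / historian mirror
    ("ot_dmz", "ot_supervisory", "tcp", 3389),       # jump host to HMI/engineering over RDP
    ("ot_supervisory", "ot_dmz", "tcp", 5432),       # historian replication up to the DMZ
    ("ot_supervisory", "ot_control", "tcp", 502),    # HMI/SCADA polling PLCs over Modbus/TCP
    ("ot_supervisory", "ot_control", "tcp", 20000),  # DNP3 master to outstations
}

IT_SIDE = {"enterprise_it", "unknown"}
OT_SIDE = {"ot_supervisory", "ot_control"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the address plan."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'violation'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.port) in CONDUITS:
        return "allow", f"matches conduit {src_zone}->{dst_zone} {flow.proto}/{flow.port}"
    crosses_boundary = (src_zone in IT_SIDE and dst_zone in OT_SIDE) or (
        src_zone in OT_SIDE and dst_zone in IT_SIDE
    )
    if crosses_boundary:
        return "violation", f"{src_zone}->{dst_zone} crosses the IT/OT boundary without the OT DMZ"
    return "deny", f"no conduit for {src_zone}->{dst_zone} {flow.proto}/{flow.port}"


# Constructed sample flows for the demonstration.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "172.16.0.10", "tcp", 443),      # IT user -> DMZ jump host
    Flow("192.168.10.5", "192.168.20.7", "tcp", 502),  # HMI polls a PLC
    Flow("10.0.5.23", "192.168.20.7", "tcp", 502),     # IT host speaks Modbus straight to a PLC
    Flow("172.16.0.10", "192.168.20.7", "tcp", 22),    # jump host SSH to a PLC, no conduit defined
    Flow("192.168.20.7", "203.0.113.9", "tcp", 443),   # PLC reaching an address outside the plan
]


def audit(flows=SAMPLE_FLOWS) -> dict[str, list[Flow]]:
    """Group flows by verdict so violations can be reported first."""
    out: dict[str, list[Flow]] = {"allow": [], "deny": [], "violation": []}
    for f in flows:
        verdict, _ = evaluate(f)
        out[verdict].append(f)
    return out


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:9} {f.src} -> {f.dst}:{f.port} ({reason})")
```

The same allow-list structure is what you would encode in the firewall between zones; keeping it as data makes it possible to review the policy with operations staff and to test proposed conduits before they are deployed.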

Strict Access Control

With IT-OT network convergence, organisations need to prevent common threats from reaching sensitive OT systems that were previously air-gapped. As stated previously, this requires not only the ability to segment networks and protect network boundaries, but also the monitoring and control of access to OT systems based on each user’s defined role.

Enforce MFA for users accessing OT systems, especially for remote access.
Limit access to OT systems based on job roles, ensuring only authorised personnel can interact with critical systems.

OT Asset Management

Organisations need the ability to see and understand everything that’s on their OT networks.
Once visibility is established, organisations then need to protect any devices that appear to be vulnerable. This requires protective compensating controls that are purpose-built for sensitive OT devices.
Capabilities such as protocol-aware network policies, system-to-system interaction analysis, and endpoint monitoring can detect and prevent compromise of vulnerable assets.

See previous blog entry on how SOCFortress can help your organisation build and maintain an accurate network inventory: SOCFortress Integrations — Network Discovery and Inventory Using NetDisco

Apply patches to OT systems and devices, despite the operational challenges. Where patching is not feasible, apply compensating controls like network monitoring.
Harden systems by disabling unnecessary services and using the principle of least privilege.

Network Monitoring and Intrusion Detection

Organisations should understand different events, anomalies, and their potential impacts to systems and the environment to establish an effective detection capability. Within any environment, numerous non-malicious and potentially malicious events and anomalies occur almost continuously.

Some examples of common events include:

  • Multiple failed logon attempts
  • Locked-out accounts
  • Unauthorised creation of new accounts
  • Unexpected remote logons (e.g., logons of individuals who are on vacation, remote logon when the individual is expected to be local, remote logon for maintenance support when no support was requested)
  • Cleared event logs
  • Unexpectedly full event logs
  • Antivirus or IDS alerts
  • Unauthorised configuration changes
  • Unauthorised patching of systems
  • Unplanned shutdowns
  • Unexpected communication, including new ports or protocols being used without appropriate change management
  • Unusually heavy network traffic
  • Unauthorised devices connecting to the network
  • Unauthorised communication to external IPs

Use Intrusion Detection and Prevention Systems tailored for OT protocols (e.g., Modbus, DNP3) to detect anomalies and potential threats.
Implement Security Information and Event Management (SIEM) systems to log and monitor traffic and activity across the OT network, identifying suspicious patterns early.
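The list of common events above, together with the asset-visibility point from the OT Asset Management section, translates directly into detection rules. The following is an added example (not from the original post or from SOCFortress) that runs a handful of such rules over constructed log lines: repeated failed logons within a window, account creation by someone outside change control, a cleared event log, an OT host talking to an address outside the organisation’s address plan, a port/protocol not in the approved baseline, and a device whose hardware address is not in the inventory. The log format, host names, baseline, inventory and thresholds are all assumptions made for the illustration; a SIEM would hold the same logic as correlation rules.

```python
"""Rule-based triage of constructed OT event logs (added illustration).

Assumptions (not from the post): a simple 'key=value' log format, a constructed
list of OT hosts, a constructed (host, proto, port) baseline approved through
change management, a constructed device inventory, and an organisation address
plan used to decide what counts as "external". Each rule mirrors one of the
common events listed in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OT_HOSTS = {"hmi-01", "hist-01", "eng-01"}
BASELINE_PORTS = {                # approved via change management (constructed)
    ("hmi-01", "tcp", 502),       # Modbus/TCP to PLCs
    ("hmi-01", "tcp", 20000),     # DNP3
    ("hist-01", "tcp", 5432),     # historian replication to the DMZ
}
CHANGE_APPROVED_ACCOUNT_CREATORS = {"svc-provisioning"}
INVENTORY_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}   # constructed inventory
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)


def parse(line: str) -> dict:
    """Parse 'ts=... key=value ...' into a dict; 'ts' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_external(addr: str) -> bool:
    """External means outside the organisation's own address plan."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(lines) -> list[str]:
    """Apply the detection rules and return one alert string per finding."""
    alerts: list[str] = []
    failures: dict[str, list[datetime]] = defaultdict(list)  # user -> recent failed-logon times
    for ev in map(parse, lines):
        kind, host = ev["event"], ev["host"]
        if kind == "logon_failed":
            recent = failures[ev["user"]]
            recent.append(ev["ts"])
            # Keep only failures inside the sliding window, then alert once the threshold is hit.
            recent[:] = [t for t in recent if ev["ts"] - t <= FAILED_LOGON_WINDOW]
            if len(recent) == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{host}: {len(recent)} failed logons for {ev['user']} within {FAILED_LOGON_WINDOW}")
        elif kind == "account_created" and ev["by"] not in CHANGE_APPROVED_ACCOUNT_CREATORS:
            alerts.append(f"{host}: account {ev['account']} created by {ev['by']} outside change control")
        elif kind == "log_cleared":
            alerts.append(f"{host}: event log cleared by {ev['by']}")
        elif kind == "device_seen" and ev["mac"] not in INVENTORY_MACS:
            alerts.append(f"{host}: device {ev['mac']} ({ev['ip']}) not in inventory")
        elif kind == "netflow" and host in OT_HOSTS:
            proto, port, dst = ev["proto"], int(ev["dport"]), ev["dst"]
            if is_external(dst):
                alerts.append(f"{host}: communication to external address {dst} {proto}/{port}")
            elif (host, proto, port) not in BASELINE_PORTS:
                alerts.append(f"{host}: {proto}/{port} to {dst} not in approved baseline")
    return alerts


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
ts=2024-10-21T08:00:01 host=eng-01 event=logon_failed user=engineer2 src=192.168.10.40
ts=2024-10-21T08:00:05 host=eng-01 event=logon_failed user=engineer2 src=192.168.10.40
ts=2024-10-21T08:00:09 host=eng-01 event=logon_failed user=engineer2 src=192.168.10.40
ts=2024-10-21T08:00:13 host=eng-01 event=logon_failed user=engineer2 src=192.168.10.40
ts=2024-10-21T08:00:17 host=eng-01 event=logon_failed user=engineer2 src=192.168.10.40
ts=2024-10-21T08:01:00 host=eng-01 event=logon_ok user=engineer2 src=192.168.10.40
ts=2024-10-21T08:02:00 host=hmi-01 event=netflow proto=tcp dport=502 dst=192.168.20.7
ts=2024-10-21T08:02:30 host=hmi-01 event=netflow proto=tcp dport=22 dst=192.168.20.7
ts=2024-10-21T08:03:00 host=hist-01 event=netflow proto=tcp dport=443 dst=203.0.113.9
ts=2024-10-21T08:03:30 host=switch-ot-01 event=device_seen mac=00:1a:2b:3c:4d:01 ip=192.168.10.5
ts=2024-10-21T08:03:45 host=switch-ot-01 event=device_seen mac=aa:bb:cc:dd:ee:ff ip=192.168.10.99
ts=2024-10-21T08:04:00 host=eng-01 event=account_created account=tmp-admin by=engineer2
ts=2024-10-21T08:04:10 host=hist-01 event=account_created account=svc-backup by=svc-provisioning
ts=2024-10-21T08:05:00 host=eng-01 event=log_cleared by=engineer2
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each rule depends on a baseline that operations owns (approved ports, inventory, who may create accounts), which is why the asset management work has to come before the detection work: without the baseline, the "new port" and "unknown device" rules have nothing to compare against.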

(Part III in this series will be about using network detection in OT environments).

Incident Response Plan

The IR function requires the establishment of several cybersecurity capabilities, including incident management, forensic analysis, vulnerability management, and response communication.
The purpose of the incident response capability is to:

  • determine the scope and risk of cybersecurity incidents,
  • respond appropriately to the incident,
  • communicate the incident to all stakeholders, and
  • reduce the future impact.

The plan includes the roles and responsibilities of personnel, the incident response workflow, incident type and severity classification, contacts of critical personnel who should be involved, contacts of external entities that may be useful in assisting with IR, information sharing policy, and internal and external communication.

Develop and test an incident response plan specifically for OT environments, considering operational continuity as a priority.
Regularly back up critical OT systems and maintain robust recovery processes to ensure quick restoration in case of cyber incidents.

Vendor and Third-Party Risk Management

With few exceptions, organisations that are responsible for OT rely upon suppliers, other third-party providers, and their extended supply chains for a range of needs.
These supply-side organisations perform critical roles and functions, including manufacturing and provisioning technology products, providing software upgrades and patches, performing integration services, or otherwise supporting the day-to-day operations and maintenance of OT systems, components, and operational environments.
For this reason, OT organisations should seek to understand and mitigate the supply chain-related risks that can be inherited from these supply-side organisations and the products and services that they provide.

Assess the cybersecurity posture of third-party vendors who access OT systems. Ensure they comply with security policies.
Limit third-party access to critical OT systems, and monitor and log their activities closely.

What’s next

In the next blog entry we’ll cover Network Monitoring and Intrusion Detection in OT environments.


Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).