Operational technology (OT) networks, which control equipment in critical infrastructure such as utilities and manufacturing assembly lines, have traditionally been air gapped, that is, kept separate from the information technology (IT) networks that handle data in every organization. In recent years, compelling innovations in IT such as artificial intelligence (AI) and big data analytics have promised to bring improved outcomes to OT networks.
As a result, the integration of OT and IT networks is accelerating, and this expands the digital attack surface, exposing OT networks to attacks coming from IT networks.
The 2020 State of Operational Technology and Cybersecurity Report found that OT breaches are now commonplace.
To thwart attacks and minimize OT risk, implement five best practices:
- Increase network visibility
- Segment networks
- Analyze traffic for threats
- Enforce identity and access management
- Secure both wired and wireless access
These practices are presented as a foundation for enhancing OT security posture.
Recommended OT Cybersecurity Best Practices
The following are five areas OT leaders need to check in order to protect against malicious cyberattacks.
Identify Assets, Classify, and Prioritize Value
Improving security posture starts with visibility: you cannot protect what you cannot see. Lack of visibility is a critical security gap at many organizations, with 82 percent acknowledging they are unable to identify all the devices connected to their networks.
Security teams need an up-to-date inventory of devices and applications running on the network.
Segment the Network
Network segmentation is one of the most effective architectural concepts for protecting OT environments.
The idea is to divide the network into a series of functional segments or “zones” (which may include subzones, or microsegments), and make each zone accessible only by authorized devices, applications, and users.
ISA/IEC-62443 (formerly ISA-99) standards provide practical guidance on how to segment OT networks. Strict access controls limit access to each zone and conduit based on the authenticated identity of the user or device.
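The zone-and-conduit model described above, as an added example that is not part of the original article or any Fortinet product: a default-deny policy check in which traffic may only cross zone boundaries through a defined conduit, and only for an authenticated identity authorized on that conduit. The zone names, host addresses, protocols and identities are constructed for illustration.

```python
# Added example (not from the original article): minimal ISA/IEC-62443-style
# zone-and-conduit policy check with default deny. Inventory, conduits and
# identities below are constructed placeholders.
from dataclasses import dataclass

# Asset inventory mapped to zones (constructed); an asset missing from the
# inventory cannot be placed in a zone and is therefore denied.
ZONE_OF = {
    "10.10.1.20": "IT_ENTERPRISE",
    "10.20.1.5": "OT_DMZ",            # e.g. data historian / jump host
    "10.30.1.10": "OT_SUPERVISORY",   # e.g. engineering workstation / HMI
    "10.40.1.50": "OT_CONTROL",       # e.g. PLC
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str            # application protocol carried by the conduit
    allowed_ids: frozenset   # authenticated identities permitted on it

# Conduits are the only permitted paths between zones; anything else is denied.
CONDUITS = [
    Conduit("IT_ENTERPRISE", "OT_DMZ", "https", frozenset({"analyst"})),
    Conduit("OT_DMZ", "OT_SUPERVISORY", "https", frozenset({"historian-svc"})),
    Conduit("OT_SUPERVISORY", "OT_CONTROL", "modbus", frozenset({"ot-engineer"})),
]

def zone_of(ip):
    return ZONE_OF.get(ip, "UNKNOWN")

def is_allowed(src_ip, dst_ip, protocol, identity):
    """Return (allowed, reason). Intra-zone traffic is permitted; cross-zone
    traffic must match a conduit AND the identity must be authorized on it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "UNKNOWN" in (src, dst):
        return False, "unidentified asset; not in inventory"
    if src == dst:
        return True, f"intra-zone {src}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.protocol) == (src, dst, protocol):
            if identity in c.allowed_ids:
                return True, f"conduit {src}->{dst} ({protocol})"
            return False, f"identity {identity!r} not authorized on conduit {src}->{dst}"
    return False, f"no conduit {src}->{dst} for {protocol}; default deny"
```

Note that an IT host reaching directly for the PLC is refused because no conduit exists, while an authorized engineer on the supervisory zone is allowed through the Modbus conduit.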
Analyze Traffic for Threats and Vulnerabilities
Once the OT network is divided into segments and conduits, it is valuable to analyze network traffic for known and unknown threats.
Security teams should seek to integrate a Next Generation Firewall (NGFW) capable of inspecting encrypted application traffic, with a live-feed service to provide updates on the most common OT protocols and OT application vulnerabilities. A service of this type enables the NGFW to inspect OT application traffic and spot exploits. Real-time global intelligence alerts update the firewall so it can identify even new and sophisticated threats. When integrated with a compatible endpoint security solution, the NGFW can monitor endpoints for indicators of compromise (IOCs) gleaned from a variety of sources around the globe.
The firewall can also learn from traffic on a network and establish a baseline of what is normal or abnormal across IT and OT systems. It can quarantine, block, or send alerts when it detects abnormal activity or IOCs. AI capabilities integrated into the NGFW, delivered as part of a self-evolving threat intelligence system, develop signatures to catch zero-day threats before they are even written.
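The baseline-and-IOC analysis described in this section, as an added example that is not part of the original article or any vendor product: it learns which OT flows are normal from a training window and then flags new flows, large volume deviations, and traffic touching a known indicator. All flow records and the IOC list are constructed for illustration.

```python
# Added example (not from the original article): learn a baseline of normal
# OT flows, then flag flows that deviate from it or touch a known IOC.
# Log lines and the IOC set are constructed placeholders.
from collections import Counter

# Constructed flow records: "src,dst,dst_port,proto,bytes"
BASELINE_LOG = """\
10.30.1.10,10.40.1.50,502,tcp,1200
10.30.1.10,10.40.1.50,502,tcp,1180
10.20.1.5,10.30.1.10,443,tcp,5400
10.30.1.11,10.40.1.51,44818,tcp,900
10.30.1.10,10.40.1.50,502,tcp,1210
"""
LIVE_LOG = """\
10.30.1.10,10.40.1.50,502,tcp,1190
10.10.1.20,10.40.1.50,502,tcp,300
10.30.1.10,10.40.1.50,502,tcp,480000
10.40.1.50,198.51.100.7,443,tcp,2000
"""
# Constructed placeholder; a real IOC list comes from the threat-feed service.
IOC_IPS = {"198.51.100.7"}

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        src, dst, port, proto, nbytes = line.split(",")
        rows.append((src, dst, int(port), proto, int(nbytes)))
    return rows

def learn_baseline(rows):
    """Record every (src, dst, port, proto) seen and the largest byte count per key."""
    seen, max_bytes = set(), Counter()
    for src, dst, port, proto, nbytes in rows:
        key = (src, dst, port, proto)
        seen.add(key)
        max_bytes[key] = max(max_bytes[key], nbytes)
    return seen, max_bytes

def detect(rows, baseline, ratio=10):
    """Return (kind, key) alerts: IOC hit, flow never seen in baseline, or
    byte count more than `ratio` times the largest baseline value."""
    seen, max_bytes = baseline
    alerts = []
    for src, dst, port, proto, nbytes in rows:
        key = (src, dst, port, proto)
        if src in IOC_IPS or dst in IOC_IPS:
            alerts.append(("ioc", key))
        elif key not in seen:
            alerts.append(("new-flow", key))
        elif nbytes > ratio * max_bytes[key]:
            alerts.append(("volume", key))
    return alerts
```

Running `detect(parse(LIVE_LOG), learn_baseline(parse(BASELINE_LOG)))` yields one new-flow alert (an IT host speaking Modbus to the PLC), one volume alert, and one IOC alert (the PLC contacting a listed address).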
Control Identity and Access Management
Stolen credentials are an element of many OT cyberattacks, including three of the four profiled earlier. Spear phishing used to steal credentials was a key part of those attacks. In fact, two-thirds of installed malware in the threat environment is delivered by email. A first layer of defence against identity and access management (IAM) exploits should therefore be a secure email gateway with signature- and reputation-based prevention.
Secure Both Wired and Wireless Access
In an OT environment, two attractive targets for cyberattacks are network switches and wireless access points (APs). Both should have security by design and be administered from one central interface. Centralized security management not only reduces risk but also improves visibility and minimizes administration time for security and operations teams.
In many OT companies, exposure to potential attacks through wired and wireless APs is growing. Every company in one survey had some wireless or IoT technologies, which may include connections to OT networks. An average of 4.7 IoT technologies were connected, with GPS tracking and security sensors the top two choices.
Convergence of IT and OT
To stay competitive, organizations are connecting OT environments to their IT networks. In most instances, IT and OT convergence is planned and strategic for the organization.
While IT and OT integration is becoming a strategic initiative, it is also increasing the likelihood of OT breaches. While breaches cannot be stopped 100% of the time, they can be limited through network segmentation, detected faster through traffic analysis, and minimized in frequency through identity and access management, and wired and wireless access control. Following these best practices can greatly reduce the cost and potential downtime if an attacker is able to get a foothold in an OT network.
Since 2005, Fortinet has protected OT environments in critical infrastructure sectors such as energy, defense, manufacturing, food, and transportation. By designing cybersecurity into complex infrastructure via the Fortinet Security Fabric, organizations can integrate cybersecurity protection across OT and IT environments, from the manufacturing floor to the data centre to multiple clouds.
Need help securing your environment? Contact Spectrum Edge, a Fortinet Authorised Distributor in Malaysia.