I have a long-term perspective on Information Technology. My history of working with IT predates the LAN, goes through the introduction of the Internet to the DoD/ IC, cyber, and the migration of Computer Operators to System Administrators. It is from an IT perspective that I continue this look into how Operational Technology (OT) is emerging as a national vulnerability. In my last article, I pointed out that OT systems, Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) are vulnerable to being hacked.
Function over Security
Our Industrial Control Systems (ICS) were designed to monitor, sense and actuate based on readings. They are real-time systems that are primarily used in industry to interface with or “operate” machinery. Hence the term Operational Technology. These systems perform important roles. Where in the 1940’s or 50’s, we may have had a person doing the monitoring and actuating, today a machine can do it for less, work for longer hours, require no pay, and does not need to sleep. These machines simply do what they need to do, without fail, and with minimal or no latency. The systems are often deployed up a pole, down a mineshaft, or out in the field – away from support personnel. It must have been an excellent feature when they began deploying these units with IP addresses. Support personnel no longer needed to get in the truck, put on safety gear, or step out of the office to be able to reach out and touch them.
Two Big Problems with OT security
The two biggest problems are that ICS machines have Internet connectivity and that they are often connected directly to IT networks. Anything that is connected to the Internet becomes a target, minimized only with security-minded steps taken by competent engineers and support personnel. With the vulnerabilities in mind, it is easy to see why these systems should not be connected to corporate IT systems. It is like locking the front door of the house, throwing the deadbolt, but leaving the garage door unlocked. These are important systems performing critical functions. Real damage, injury and death can result from unsecured systems.
Steps to Take to secure OT networks
I’d like to highlight some minimal steps that can be taken to secure your OT networks. You could bring in a security firm to access and make recommendations, for a price. But here are some no-cost or low-cost solutions that will help and begin moving you towards better security.
- Determine exactly what you have and where, noting all details (model numbers, serial numbers, operating system and any application versions) and connectivity. If you don’t know what you have, then you will have a difficult time performing and maintaining an adequate defense. There are actually free tools that will help you do this. GRASSMARLIN is a open-source tool developed by the NSA. It performs passive mapping of your OT network, determining the devices on your network, communications between those devices, and metadata obtained from device to device comms. Unlike other mapping tools such as nmap or plcscan, GRASSMARLIN does not send packets out onto your OT network. GRASSMARLIN comes with pre-loaded signatures and filters. The signatures are “fingerprints” that help to identify the protocols (mostly industrial) being used. NSA also recently released UNFETTER, a Cyber Threat Intelligence Collaboration Platform, a suite of tools meant to provide wider access to insights on systems security research to help facilitate network-protection approaches, and to develop, share and use intelligence on digital activities to enhance security. There is even a Threat Dashboard app where cybersecurity analysts can create and track reports on attacker behavior, techniques and tools for customers.
- Isolate your OT network from your IT network. Unauthorized access to one should not result in access to both. If your ICS systems have an IP address, move them behind a firewall.
- Monitor your OT systems. Know exactly who is logging into them, when, and what they are doing. There should be no unauthorized access to your systems. If you see something suspicious, track it down and know for sure. Log any changes to controller logic, configuration and state.
- Monitor US-CERT, the US Computer Emergency Response Team website for new vulnerabilities. Using your list of systems and versions, have alerts set up in Google for VU# and your ICS model numbers. For example, if you have a Siemens S7-300 PLC, and you want to know if a new vulnerability is discovered, set up a Google Alert for S7-300 +VU#. Do this for all of your ICS/SCADA devices.
- Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes ELK (Elasticsearch, Logstash and Kibana), Snort, Suricata, Bro, OSSEC, Squil, Squert, NetworkMiner and other security tools. It comes with a set-up wizard to help you to build an army of distributed sensors for your enterprise. (Note: Security Onion may be useful in some applications that are primarily IT, not OT. However, it is included here in case, after analysis, it may be of benefit for your organization.)
Keep in mind that OT systems are typically real-time. Be very cautious about putting anything on a real-time system that could interfere with its ability to operate effectively. OT engineers need to work with system administrators and security personnel to assess their company’s situation and develop a plan of action to increase their security posture and reduce the threat. Install first on test systems. For an overall approach, determine the current state of your vulnerabilities, identify some potential courses of action and the time and cost to implement. Brief your management on your current state, what you want to do, the time and money it will take to do it, and the end result you expect to achieve. Learn about these issues and tackle these problems head-on. Your company and your career with be the better for it.