Physical security meets OT

In operational technology (OT) cyber security, the purpose is to protect the process and keep it running in high-value applications such as factories, pipelines and jets, rather than to protect data.

04/22/2016


Several years ago, the key word used by security pundits was "convergence." And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.

An example was when physical security systems, such as access control devices, intersected with information technology (IT) systems, such as the company computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.

Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations' revenues.

Used in industries as diverse as oil and gas, power generation and distribution, healthcare (e.g., MRIs), transportation systems, manufacturing and many others, ICS, by connecting sensors, machines and instruments, were creating automated solutions that increased productivity. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces, and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. This is still very much the case.

This very fact emphasizes the difference between IT security and operational technology (OT) security. IT security lives in the context of an IT stack with tools from many vendors—networks, servers, storage, apps, and data. It's in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles—in weeks or, sometimes, days—in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, what needs protection is not data but high-value, well-defined industrial processes, such as those in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers.

Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often, and were not devised to withstand modern attacks. Surprisingly, many operators don't know what's actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether the threat comes from outside, like hackers or state-sponsored actors, or from inside, like human error, unplanned downtime is simply not acceptable in an environment where companies are operating drills, electric grids, MRIs or locomotives. This is especially true for industries such as oil and gas, energy producers, health facilities, and transportation systems, in which even a couple of minutes of downtime can yield tens of thousands of dollars lost.

To gain access to critical infrastructure OT systems, hackers will leverage different physical assets, including those within the enterprise security system itself, to potentially infiltrate an OT system.

Physical security and OT intersection

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; organizations don't have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes quite a bit of time.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. Courtesy: ISSSource, Wurldtech Security Technologies

Secondly, many of the security controls that are effective in IT are not effective in OT; they must be adapted to the technical requirements of OT systems.

Lastly, applying a patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To avoid turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. Since that solution is hardware, we've now found the intersection of physical security and OT cyber security.

This is why physical security professionals should be concerned about critical infrastructure cyber security.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.
