Create a secure network for shop floor devices
In an increasingly connected world, it is critical for manufacturers to strengthen their defenses against cyber threats. However, securing industrial operations is a unique challenge because plant floors can’t be secured with the same approach used to secure information technology (IT) networks. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. There is a dizzying variety of devices from different makes, models, and generations communicating through different protocols. Plant operators need to learn to speak these devices’ different languages in order to begin securing them.
To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need a way of communicating with their devices. This is easy in a corporate IT environment because these devices are all IP-based and speak the same language. This is more difficult in OT environments because of the variety of devices and protocols and languages involved.
What language a device speaks can depend on the type of device, the age of device, the manufacturer, and more. Programmable logic controllers (PLCs), for example, communicate in a range of different protocols including Ethernet/IP, Modbus, and Simple Network Management Protocol (SNMP). This gets even more complex when considering the different variations of remote terminal units (RTUs) and distributed control systems (DCSs). If operators can’t talk to all the devices on the network, it’s difficult to know what needs to be secured.
So how can operators approach that tough conversation with OT devices?
In IT environments, automated processes can be used to discover devices on the network. In OT environments, security teams need to overcome the language barrier. However, even if the team is able to send signals to their devices, it is possible incorrect communication with these devices can cause a shutdown and disrupt operations.
Plant operators should start with understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls. They should also identify which of those devices are critical to operations and therefore highly sensitive.
In this case, a "no touch" approach is the approach for these devices. The "no-touch" approach uses integration with an intermediary device that talks to the PLCs in order to configure the devices and backup these configurations. Once integration is in place, configuration data can be obtained from the intermediary device by querying the intermediary’s database and ingesting the configuration data.
Once network visibility is established, operators can start hardening the environment. OT security solutions should identify what’s on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyber attacks.
A good security solution should be able to assess configurations and enable users to easily fix any that are not in a secure and compliant state. Unpatched vulnerabilities are another major reason for successful cyber attacks. Security solutions should scan for vulnerabilities in the environment and prioritize which vulnerabilities are most critical.
Once the attack surface has been minimized through proper configuration and vulnerability management, the plant’s security solution should continuously monitor and alert to any changes made in the environment. Changes made to the environment can indicate an intrusion, and/or point out configuration changes that have weakened the security posture or put systems in a non-compliant state.
Even if certain devices are air-gapped, isolated, and disconnected from any external-facing network, internal staff may introduce system changes without understanding the effect on security or compliance. Or worse, an intruder can bypass the air gap by gaining physical access, for example, through an infected USB drive, to carry out a cyber attack.
Foundational security boils down to understanding the attack surface, minimizing it, and monitoring it. Again, that first step traditionally has been particularly difficult for OT environments because of the language barrier around the different devices. With the right technology, plant operators can navigate past OT language barriers for enhanced visibility and the ability to harden and monitor their environments for more secure and compliant operations.
Gabe Authier, senior product manager at Tripwire. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, firstname.lastname@example.org.
Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in product management and information technology, with certifications in Agile practices and Pragmatic Marketing methodology. He is passionate about software development that brings solutions to the marketplace to solve customer problems. Gabe holds a BS in Systems Engineering from the University of Arizona and an Executive MBA from the University of Oregon.