Physical security meets OT

In operational technology (OT) cyber security situations, the purpose is to protect the process and keep it running in high-value applications such as factories, pipelines and jets rather than protecting data.

By Nate Kube April 22, 2016

Several years ago, the key word used by security pundits was "convergence." And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.

An example was when physical security systems such as access control devices intersected with information technology (IT) systems such as using the computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.

Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations’ revenues.

Used in industries as diverse as oil and gas, power generation and distribution, healthcare (i.e. MRI’s), transportation systems, manufacturing and many others, ICS, by connecting sensors, machines and instruments were creating automated solutions that increased productivity. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. And this is still very much the case.

This very fact emphasizes the difference between IT security and operational technology (OT) security. IT security lives in the context of an IT stack with tools from many vendors—networks, servers, storage, apps, and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles—in weeks or, sometimes, days—in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, high-value, well-defined industrial processes—such as in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers—need protection, not data.

Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often, and were not devised to withstand modern attacks. Surprisingly, many operators don’t know what’s actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether from outside threats, like hackers or state sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRIs or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities, and transportation systems in which even a couple minutes of downtime can yield tens of thousands of dollars lost.

To gain access into critical infrastructure OT systems, hackers will leverage different physical assets, including those within the enterprise security system itself to potentially infiltrate an OT system.

Physical security and OT intersection

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; organizations don’t have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes quite a bit of time.

Secondly, many of the security controls that are effective in IT are not effective in OT; they must be adapted to the technical requirements of OT systems.

Lastly, to apply the patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. Since that solution is hardware, we’ve now found the intersection of physical security and OT cyber security. 

This verifies why physical security professionals should be concerned about critical infrastructure cyber security.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

ONLINE extra

– See additional stories from Kube and from ISSSource linked below.

Original content can be found at www.isssource.com.