Physical security meets OT

In operational technology (OT) cyber security situations, the purpose is to protect the process and keep it running in high-value applications such as factories, pipelines and jets rather than protecting data.

04/22/2016


Several years ago, the key word used by security pundits was "convergence." And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.

An example was when physical security systems such as access control devices intersected with information technology (IT) systems such as using the computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.

Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations' revenues.

Used in industries as diverse as oil and gas, power generation and distribution, healthcare (i.e. MRI's), transportation systems, manufacturing and many others, ICS, by connecting sensors, machines and instruments were creating automated solutions that increased productivity. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. And this is still very much the case.

This very fact emphasizes the difference between IT security and operational technology (OT) security. IT security lives in the context of an IT stack with tools from many vendors—networks, servers, storage, apps, and data. It's in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles—in weeks or, sometimes, days—in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, high-value, well-defined industrial processes—such as in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers—need protection, not data.

Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often, and were not devised to withstand modern attacks. Surprisingly, many operators don't know what's actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether from outside threats, like hackers or state sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRIs or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities, and transportation systems in which even a couple minutes of downtime can yield tens of thousands of dollars lost.

To gain access into critical infrastructure OT systems, hackers will leverage different physical assets, including those within the enterprise security system itself to potentially infiltrate an OT system.

Physical security and OT intersection

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; organizations don't have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes quite a bit of time.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. Courtesy: ISSSource, Wurldtech Security Technologies

Secondly, many of the security controls that are effective in IT are not effective in OT; they must be adapted to the technical requirements of OT systems.

Lastly, to apply the patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. Since that solution is hardware, we've now found the intersection of physical security and OT cyber security. 

This verifies why physical security professionals should be concerned about critical infrastructure cyber security.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

ONLINE extra

- See additional stories from Kube and from ISSSource linked below.



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
April 2018
Cybersecurity best practices, artificial intelligence, robotic additive manufacturing, embedded systems, IIoT integration, energy efficiency
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
April 2018
Cybersecurity best practices, artificial intelligence, robotic additive manufacturing, embedded systems, IIoT integration, energy efficiency
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
May 2018
Salary and Career Survey, IT and OT convergence, robotic standards and safety, secure circuit protection
April 2018
Cybersecurity best practices, artificial intelligence, robotic additive manufacturing, embedded systems, IIoT integration, energy efficiency
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me