An overview of OT cybersecurity options

OT cybersecurity

As attacks increase, OT cybersecurity has never been more important. In February 2020, IBM Security released its IBM X-Force Threat Intelligence Index 2020. The annual report examines the biggest cyber risks facing organizations, based on data collected over the past year.

According to the report, there has been a dramatic increase in targeted attacks on industrial control systems: attacks targeting Industrial Control Systems (ICS) and operational technology (OT) have increased by more than 2,000 percent since 2018. The number of attacks targeting these assets in 2019 was greater than the activity volume observed in the past three years combined.

As this recent report demonstrates, protecting your ICS/OT has never been more important. However, navigating the plethora of OT cybersecurity offerings can be daunting. Here’s a rundown of different technology options and how they can enhance cybersecurity efforts at your operation.

Network Asset Discovery

Asset discovery involves the process of detecting and collecting data on the technology assets connected to an OT network for management, tracking and cybersecurity purposes. This process typically maps and documents the interaction between devices and is often used to establish a baseline for anomaly and threat detection. Asset discovery helps users create a complete and up-to-date picture of their operation’s technology landscape, which enables organizations to identify devices that need attention to prevent or minimize disruption.

Endpoint Cybersecurity

A key component of OT/ICS cybersecurity is endpoint protection. Endpoints include application servers, database servers, manufacturing systems, data historians, Human Machine Interface systems, engineering workstations, and more.

Endpoint security is designed to protect these endpoints, thereby securing the network by blocking unauthorized access attempts and other risky activities. This typically involves centrally managed security software, hosted on a management server or gateway within the network, and client software installed on each endpoint device. Anti-virus protection, personal firewalls and USB/removable media sanitization agents all fall into this category.

Patch Management

Patch management involves the process of installing and managing the latest patches on various systems within a network. This includes tasks like deciding what patches are appropriate for particular systems, ensuring these patches are installed correctly, and testing systems after installation. The objective of patch management is to keep various systems in a network up-to-date and properly guarded against different types of hacking and malware.

Most automated enterprise patch management tools carry out the patching process by deploying or installing agents on target computers. These agents provide a connection between the centralized patch server and the computers to be patched. They also execute patching related tasks like sending alerts to the server, storing patches locally on the target computer before installation, and automatically retrying failed patch installations.

Identity and Access Management

IAM enables security managers to control both physical and cyber user access to critical information, assets or infrastructure within an organization. These products offer role-based access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise. These products generally include single sign-on, multi-factor authentication, and privileged access management. These technologies also allow users to securely store identity and profile data and include data governance functions to ensure that only data that is necessary and relevant is shared.

Privileged access management (PAM) is an element of OT cybersecurity that enables organizations to control access and permissions for users, accounts, processes, and systems across an IT environment. PAM helps organizations shrink their attack surface and prevent or mitigate damage arising from external attacks as well as from insider wrongdoing or negligence. A central focus of these products is restricting access rights and permissions for users, accounts, applications, systems, devices, and computing processes to the absolute minimum necessary to perform routine, authorized activities.

Anomaly Detection

Anomaly detection is a technique used to identify unusual patterns that do not conform to expected behavior. Products in this category are designed to establish a baseline for behavior on a network. Thresholds can then be set to flag traffic patterns or behavior classified as abnormal. Once normal traffic patterns are established, these solutions continuously monitor and alert on any outliers in the short term. They also provide long-term historical reporting, which can be helpful for planning and auditing purposes. These products allow for swift attack identification. Anomaly detection also helps users identify non-malicious complications, such as a system failure, disruption or misconfiguration.

Products in this category are also designed to rapidly identify zero-day attacks and other unknown security threats, since they rely on learned knowledge of a specific network instead of signatures. Additionally, some vendors pair their anomaly detection with external threat analysis feeds, which lets the vendor anonymously share behavior and threat patterns with other clients.
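The baseline-then-threshold approach described above, as an added example that is not part of the original article: a learning window of per-minute flow summaries defines which conversations are normal and how large each may get; live flows are then flagged either as a never-seen conversation or as a volume outlier. The hosts, addresses, port and volumes are all constructed, and the tolerance factor is a placeholder for the tuning a real product would do.

```python
from collections import defaultdict

# Constructed per-minute flow summaries: (src_ip, dst_ip, dst_port, bytes).
# Hosts and addresses are hypothetical; 502/tcp stands in for a typical OT protocol port.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.1.50", 502, 1200),  # HMI polling PLC A
    ("10.1.1.10", "10.1.1.51", 502, 1100),  # HMI polling PLC B
    ("10.1.1.20", "10.1.1.50", 502, 900),   # historian polling PLC A
    ("10.1.1.10", "10.1.1.50", 502, 1300),
    ("10.1.1.20", "10.1.1.51", 502, 950),   # historian polling PLC B
]

# Constructed live traffic: one normal flow, one never-seen talker, one volume spike.
LIVE_FLOWS = [
    ("10.1.1.20", "10.1.1.50", 502, 880),
    ("10.1.1.99", "10.1.1.50", 502, 400),
    ("10.1.1.10", "10.1.1.50", 502, 5000),
]

def learn_baseline(flows, tolerance=2.0):
    """Learn which conversations are normal and a per-conversation volume ceiling.

    The ceiling is `tolerance` times the largest volume seen during the learning
    window, a simple stand-in for the thresholds a commercial product would tune."""
    seen = defaultdict(list)
    for src, dst, port, nbytes in flows:
        seen[(src, dst, port)].append(nbytes)
    return {conv: tolerance * max(vols) for conv, vols in seen.items()}

def detect(baseline, flows):
    """Return (reason, conversation, bytes) for each flow that deviates from the baseline."""
    alerts = []
    for src, dst, port, nbytes in flows:
        conv = (src, dst, port)
        if conv not in baseline:
            alerts.append(("new-conversation", conv, nbytes))
        elif nbytes > baseline[conv]:
            alerts.append(("volume-outlier", conv, nbytes))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

A misconfigured historian that starts polling the wrong controller surfaces as a new conversation just as an intruder would, which is the non-malicious case the text mentions.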

Deep Packet Inspection

DPI is a method for examining the content or payload of network protocol traffic. It inspects data packets sent from one device to another over a network, which enables users to track down, identify, categorize, reroute, or stop packets carrying undesirable code or data. DPI can also identify protocol anomalies, to determine whether protocol commands are being misused, abused, or are likely to cause damage.

Perimeter Security and Network Segmentation

OT/ICS cybersecurity products in this category are designed to prevent unauthorized communication between or into networks and lateral movement between network segments. While there is an emphasis on protecting the perimeter between OT and IT networks, products in this segment also restrict the flow of traffic between zones or segments within the OT network and from external memory devices such as USBs carried into production environments.

This category includes unidirectional gateways, which combine hardware data diodes with accompanying software and are used to control the flow of information, ensuring that information can only travel in one direction. This eliminates two-way transfer, preventing leakage and manipulation. Unidirectional gateways facilitate the safe replication of data into the IT/cloud environment without putting the production environment in danger.

Other products include industrial firewalls, which execute a set of rules that allow or deny the flow of traffic based on a number of criteria, including the identification of various OT-specific protocols and the use of deep packet inspection techniques.
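The combination of deep packet inspection and zone-aware firewall rules from the two passages above, as an added example that is not from the article or any vendor product: Modbus/TCP is assumed as the OT protocol (the article names none), and the parser reads its MBAP header to pull out the function code, which the rule set then combines with the source host's zone so that reads are allowed from OT zones, writes only from the engineering zone, and nothing from IT or unknown hosts. The zone map and frames are constructed.

```python
import struct

# Modbus/TCP function codes, grouped by what they do to the controller.
READ_FUNCS = {1, 2, 3, 4}          # read coils / discrete inputs / registers
WRITE_FUNCS = {5, 6, 15, 16}       # write coils / registers

# Constructed zone map: which source hosts belong to which segment (addresses are hypothetical).
ZONES = {"10.1.2.5": "engineering", "10.1.1.10": "hmi", "10.1.0.40": "it"}

def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header and return (unit_id, function_code, data).

    Returns None when the frame is not well-formed Modbus/TCP (wrong protocol id,
    or a length field that disagrees with the bytes actually on the wire)."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]

def decide(src_ip, frame):
    """Industrial-firewall style verdict: reads allowed from OT zones,
    writes only from the engineering zone, nothing from IT or unknown hosts."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "deny", "malformed-or-unknown-protocol"
    _unit, fc, _data = parsed
    zone = ZONES.get(src_ip, "unknown")
    if zone in ("it", "unknown"):
        return "deny", f"zone={zone}"
    if fc in READ_FUNCS:
        return "allow", f"read fc={fc}"
    if fc in WRITE_FUNCS and zone == "engineering":
        return "allow", f"write fc={fc}"
    return "deny", f"fc={fc} from zone={zone}"

# Constructed frames: read holding registers (fc 3) and write single register (fc 6).
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 0001")
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0000 0001")

if __name__ == "__main__":
    for ip, frame in [("10.1.1.10", READ_FRAME), ("10.1.1.10", WRITE_FRAME),
                      ("10.1.2.5", WRITE_FRAME), ("10.1.0.40", READ_FRAME)]:
        print(ip, decide(ip, frame))
```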

Additionally, USB sanitization or data sanitization helps protect operations from external memory devices. Product offerings in this category often take the form of service kiosks placed outside production environments, at which the USB device can be inserted and scanned. The kiosk runs multiple virus engines and possibly content disarm and reconstruction technology to certify the contents of the device. Endpoints can also be configured to only allow access to clean, certified devices, preventing any access by unauthorized devices.

Risk Management and Compliance

While many of the OT cybersecurity categories here help to identify risks and vulnerabilities, this category focuses on products that specifically help quantify that risk and compare it to an organization’s risk posture. Products in this category enable industrial companies to determine their risk appetite and facilitate alignment and compliance with key industry standards (NERC CIP, NIST CSF, IEC 62443 or AWIA). These products also often include dashboards, analytics and reporting tools that highlight compliance and/or identify gaps.

Secure Remote Access

This product category focuses on securing and managing authorized remote access. It includes products that enable the deployment of secure, vendor-agnostic remote-access solutions that integrate with IAM for authentication and authorization, and provide auditing and accounting that meets compliance and standards requirements. These products enable granular role-based access and should provide a single, secure remote gateway into the OT environment, opened only when it is essential.