Whitepaper: Flow Analytics Platform for Operational Technology (OT)

3 Territory Solutions Whitepaper

Insight into the workings of an enterprise is essential to effectively and efficiently manage and defend its assets. However, in the operational technology (OT) space, which includes medical devices and equipment (MDE) and facility-related control systems (FRCS), stakeholders have a restricted understanding of what is actually happening within their organizations. This is painfully obvious when examining average dwell time (nearly one year), how slowly new devices are discovered (some "new" devices have been on the network for years), and the difficulty engineers and managers have in stating their positions and needs quantitatively.

The following approach is intended to create a flow analytics platform for OT using security techniques that scale with available compute, run automatically, and are agnostic to the network environment. The approach is not intended to establish an illicit network discovery process. The proposed techniques and tools will passively collect information; they will at no time inject packets, nor will they parse or rely upon packet payloads. All techniques will be rooted in command-line inspection using common, open, and simple tools so that they can be scripted. The approach will not use tools or techniques that cannot be scripted or executed in batch. Further, to maximize applicability, the tools will be restricted to default / standard libraries and configurations. The approach is intended to be modular: new scripts can be developed and added to the overall batch as they are built out, so the platform scales as far as compute allows. To minimize initial implementation costs, the tools and techniques should initially be applied to traffic that carries a standard Ethernet header, since existing sensors on the enclave have likely been, or can be, configured to capture it. Traffic over serial twisted-pair links and other less common bus protocols should be added to cover the remaining 25% to 40% of traffic only after a stable baseline of Ethernet-framed traffic has been established.
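The following is an added example, not code from the whitepaper or from 3 Territory Solutions, of what "header-only, passive, standard-library" flow analytics looks like in practice. It reads a pcap, decodes only the Ethernet, IPv4 and TCP/UDP header fields, aggregates per-flow packet counts, and records the packet index at which each MAC address was first seen (the "new device that has been here for years" problem). The pcap, the device names and the addresses are constructed inline so the script runs offline; transport payload bytes are deliberately junk and are never decoded.

```python
"""Passive flow summary from a pcap using only the Python standard library.

Added example (not from the whitepaper). Only fixed-size Ethernet, IPv4 and
TCP/UDP header fields are decoded; payload bytes are never read.
"""
import struct
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # little-endian pcap global header (24 bytes)
PCAP_REC = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC_LE = 0xA1B2C3D4

FlowKey = Tuple[str, str, str, str, int, Optional[int], Optional[int]]


def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a little-endian, microsecond pcap."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(pcap):
        _, _, incl_len, _ = PCAP_REC.unpack_from(pcap, off)
        off += PCAP_REC.size
        yield pcap[off:off + incl_len]
        off += incl_len


def flow_key(frame: bytes) -> Optional[FlowKey]:
    """Return (src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport), or None
    for non-IPv4 or truncated frames. Nothing past the L4 port fields is touched."""
    if len(frame) < ETH_HDR.size:
        return None
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return (src_mac.hex(":"), dst_mac.hex(":"), src_ip, dst_ip, proto, sport, dport)


def summarize(pcap: bytes) -> Tuple[Counter, Dict[str, int]]:
    """Aggregate packet counts per 7-tuple and record first-seen index per MAC."""
    flows: Counter = Counter()
    first_seen: Dict[str, int] = {}
    for idx, frame in enumerate(iter_packets(pcap)):
        key = flow_key(frame)
        if key is None:
            continue
        flows[key] += 1
        for mac in key[:2]:
            first_seen.setdefault(mac, idx)
    return flows, first_seen


def make_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/(TCP|UDP) frame for the constructed sample.
    The IPv4 checksum is left at zero; the passive parser above never validates it."""
    l4 = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                        bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4) + ip + l4


def make_pcap(frames: List[bytes]) -> bytes:
    out = PCAP_GLOBAL.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += PCAP_REC.pack(1700000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample (hypothetical addresses): an HMI polling a PLC on TCP/502,
# plus a previously unseen device sending UDP to the PLC. Payloads are junk.
HMI, PLC, UNKNOWN = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
SAMPLE_PCAP = make_pcap([
    make_frame(HMI, PLC, "10.0.0.10", "10.0.0.20", 6, 40000, 502, b"\xde\xad"),
    make_frame(PLC, HMI, "10.0.0.20", "10.0.0.10", 6, 502, 40000, b"\xbe\xef"),
    make_frame(HMI, PLC, "10.0.0.10", "10.0.0.20", 6, 40000, 502, b"\xde\xad"),
    make_frame(UNKNOWN, PLC, "10.0.0.77", "10.0.0.20", 17, 5000, 161, b"\x00"),
])

if __name__ == "__main__":
    flows, first_seen = summarize(SAMPLE_PCAP)
    for key, count in flows.most_common():
        print(count, key)
    print("first seen:", first_seen)
```

On a real sensor the same script reads `tcpdump -w` output; because it ignores everything past the port fields, a capture taken with a short snaplen (for example `tcpdump -s 64`) is enough, which keeps both storage and the chance of touching sensitive payload to a minimum.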


Proud to Support the Washington DC Cyber Security for Control Systems

3 Territory Solutions is proud to support the Washington DC Cyber Security for Control Systems Group

“The Washington DC Cyber Security for Control Systems is dedicated to all professionals involved in Cyber Security for Automated Processes and Control Systems including security for Operating Technology (OT), Industrial Control Systems (ICS), SCADA Systems, Transportation Systems, Building Control Systems (BCS), and even emerging Industrial Internet of Things (IIoT) systems.” — Washington DC Cyber Security for Control Systems

Why Air-Gapping Is Not a Long-Term Cybersecurity Solution


The air gap may still work as a short-term solution under certain scenarios.

Only a few short years ago, air-gapping, also known as "security by isolation," was the norm in operational technology environments. Older ICS and SCADA systems, many of which are still in use today, were built without cybersecurity in mind. The internet as we know it today did not exist, OT and internal IT systems were completely isolated from each other, and no one foresaw any reason for them to ever connect.
However, as organizations embrace digital transformation, OT and IT are converging. For these reasons, many security experts have declared the air gap dead. While reports on the death of the air gap have been greatly exaggerated, security by isolation is not a long-term solution.

The Air Gap Lives – For Now

Many highly sensitive OT systems, such as those used by government agencies, utility companies, and manufacturing plants, continue to employ at least some degree of air-gapping. In some tightly regulated industries, such as electric utilities, organizations are required to strictly segregate OT systems from other networks.
Air-gapping is still very much alive and playing a relevant role in OT cybersecurity, at least as a short-term solution under certain circumstances, such as:
• The benefits of sharing real-time process data between the OT system and IT systems are outweighed by the risks of cyber attacks.
• The air-gapped system is truly isolated, with no connections to remote users, the internet, Bluetooth, or any internal networks, and is audited for unauthorized connections on a regular basis.
• Physical access to the system is tightly controlled to protect against "sneakernet" attacks, such as the infected USB drive through which Stuxnet is widely believed to have been introduced.
• All software and hardware are thoroughly tested before being installed on the air-gapped system.
Additionally, air-gapping is a good temporary defense for highly sensitive OT systems in cases where organizations need to buy time to implement a comprehensive cyber security solution.
When properly implemented, air-gapping minimizes the risk of a cyber attack. However, like any other security precaution, it is not infallible. It is also not a long-term solution under any circumstances.

Why the Air Gap’s Days Are Numbered

The air gap may not be dead, but digital transformation, the changing threat landscape, and modern business realities have put it on life support, at least as a sole cybersecurity measure. There are three primary reasons why air-gapping is not a sound security solution in the long run:

1. It causes organizations to miss out on valuable process data

Organizations that air-gap their OT systems are minimizing their risk, but they’re also not benefitting from the highly valuable process data these systems generate. When analyzed in real time, this data provides actionable business intelligence that can be used to cut costs, reduce downtime, and improve efficiency, quality, and worker safety. Eventually, the risks avoided by air-gapping will be far outweighed by the opportunity costs of eschewing modern predictive analytics, continuous process optimization, and the cutting-edge innovations of the Industrial Internet of Things (IIoT).

2. It makes maintenance and repairs more costly and difficult

An air-gapped system cannot be remotely accessed by hackers – or by employees or vendors for troubleshooting, repairs, or routine maintenance, such as software patches. Not only do maintenance and repairs end up costing more, but they also take longer, and the organization incurs higher indirect costs from increased downtime.

3. It may result in a false sense of security

The cold, hard reality is that there is no such thing as a system that cannot be breached, even a properly air-gapped system; the Stuxnet worm proved this. Some security experts argue that air-gapping can lull organizations into a false sense of security. They assume that an air gap is all they need and do not engage in active monitoring or other security measures; for example, some SCADA system administrators don't change the default passwords on PLCs before connecting them. Meanwhile, cyber criminals are increasingly targeting ICS, SCADA, and other OT systems that power critical infrastructure, and today's attacks tend to be sophisticated, intricately planned operations carried out by well-funded, organized groups.

A Layered Approach Is Better Long-Term

OT systems will likely always be air-gapped to some degree. There’s no reason for certain systems to be continuously connected to the internet, for example. However, air-gapping will be only one component of a layered OT security approach and combined with such measures as segmentation, identity-defined networking, special-purpose security appliances, and unidirectional security gateways. This allows organizations to enhance their OT security while allowing them to reap all the benefits of digital transformation and the IIoT.

7.5 Things You Must Know About OT Cybersecurity

In cybersecurity, there are two worlds. There’s IT or information technology, with its databases and business systems. And there’s OT or operational technology, with its consumer, medical, industrial, and other equipment. OT can be light years away in looks, functionality, and behavior from IT’s office servers, PCs and mobile computing devices. So, if you’re starting to work on OT cybersecurity, you may be in for a few surprises. Here are seven (and-a-half) things to know to help you get it right.

1. Glorious isolation.
In the past, there was not much need for OT installations or machines to be connected to the external world. Internal industrial or hospital networks existed, but often with no link to the outside. And therefore, no protection when connectivity started to become important.

2. A culture of reliability, more than confidentiality.
Staff working with OT installations may be obsessed with the equipment working properly, while paying little or no attention to security (see ‘Glorious isolation’, above). People are critically important in any security setup. Be prepared to educate as needed.

3. Hard-coded security data.
Devices connecting to the Internet of Things (IoT) often have a poor reputation when it comes to access protection. Many of them ship with only a fixed ID and password, often printed for all to see in the device manual. Manufacturers are slowly improving, but watch out.

4. Delicate timing mechanisms.
OT is all about the real world, where moving parts and operations must synchronize precisely. Trying to bolt on cybersecurity software or hardware may introduce delays that wreck these timing mechanisms. In some contexts, such as critical patient care, the consequences could even be fatal.

5. Unprotected protocols.
On the web, many consumers know how important secure connections are, for instance when making online payments. In the OT world, however, secure network protocols are few and far between. In fact, some widely used industrial protocols have little or no security: no authentication of the sender, no integrity check on the message, and no encryption.
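As an added illustration (not from the original page), the block below frames Modbus/TCP requests, a protocol that is assumed here as the example of an unprotected industrial protocol; the page itself names none. The MBAP header carries a transaction ID, protocol ID, length and unit ID, followed by a function code and data, and nothing else: there is no field that identifies or authenticates the master, so whoever can reach TCP/502 can write a register. The second half shows the compensating control a monitor can apply without changing the PLC: flag write function codes from any source not on an allow-list of known masters. The frames, the IP addresses and the allow-list are constructed for the example.

```python
"""Modbus/TCP framing and a passive write-from-unknown-master detector.

Added example, not code from the original page. Unlike a header-only flow
collector, this deliberately decodes the Modbus PDU, because the point is what
the PDU lacks: any authentication or integrity field.
"""
import struct
from typing import Dict, Iterable, List, Set, Tuple

MBAP = struct.Struct("!HHHB")   # transaction id, protocol id (always 0), length, unit id
# Function codes that change process state (write coil(s) / register(s)).
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request. 'length' counts unit id + PDU bytes."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Decode to (transaction id, unit id, function code, data)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, frame[7], frame[8:]


def flag_unauthorized_writes(observed: Iterable[Tuple[str, bytes]],
                             allowed_masters: Set[str]) -> List[Dict]:
    """Return one alert per write request whose source IP is not a known master.
    The source IP comes from the network layer, not from Modbus itself, so this
    is a detection aid, not authentication: a spoofed IP would pass."""
    alerts: List[Dict] = []
    for src_ip, frame in observed:
        tid, unit, fc, data = parse_request(frame)
        if fc in WRITE_FUNCTIONS and src_ip not in allowed_masters:
            alerts.append({"src": src_ip, "tid": tid, "unit": unit,
                           "function": fc, "data": data.hex()})
    return alerts


# Constructed traffic (hypothetical addresses): the HMI reads ten holding
# registers and writes one; a host nobody provisioned writes the same register.
HMI_IP, ROGUE_IP = "10.0.0.10", "10.0.0.77"
OBSERVED = [
    (HMI_IP, build_request(1, 1, 3, struct.pack("!HH", 0x0000, 10))),       # read holding regs
    (HMI_IP, build_request(2, 1, 6, struct.pack("!HH", 0x0010, 1))),        # write single reg
    (ROGUE_IP, build_request(9, 1, 6, struct.pack("!HH", 0x0010, 0xFFFF))), # same write, unknown source
]
KNOWN_MASTERS = {HMI_IP}

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(OBSERVED, KNOWN_MASTERS):
        print("ALERT write from unknown master:", alert)
```

Note what the detector cannot do: it cannot tell a legitimate HMI from a compromised one, and it cannot block anything. The durable fix for this class of protocol is to place it behind segmentation or a unidirectional gateway and to use the secure variants where the vendor offers them; the allow-list is what you run in the meantime.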

6. ‘If it ain’t broke, don’t fix it’.
There’s a reason why there is often so much older equipment in OT installations: it works. Trying to upgrade the software of an OT system, even to improve security, can be painful. This is especially true when it is connected to other systems from other vendors (which is frequently the case).

7. Cyber-physical attacks.
It’s bad enough having confidential data stolen or damaged. However, in an OT installation, attackers might also shut down life support systems, stop heating and lighting from functioning, wreck production lines, open dam gates, and much, much more. Remember to factor this into your OT cybersecurity plan.

The good news is that with the right approach, you can eliminate or sufficiently mitigate the issues above. Now, here's our remaining half-a-thing-to-know. While your OT machines and IoT devices may appear to be functioning properly and doing their job for you, they may have been infected by malware that makes them attack other systems. There have been high-profile cases, such as the 2016 Dyn cyberattack, in which hijacked IoT devices were used en masse to bring the target down. So, don't delay: use the information above to start putting your OT cybersecurity in order today.