Just like Batman’s utility belt, there are many useful accessories and strategies in the cybersecurity quiver that can multiply the impact of core cybersecurity tools. However, just like basic protections, they must also be applied diligently and consistently.
“We’re starting to see the tide turn on cybersecurity. Clients are beginning to move to resilient cybersecurity approaches, and incorporate IT-style cybersecurity into their OT networks,” says Craig Duckworth, cofounder and president of Velta Technology LLC, a system integrator in St. Charles, Mo., near St. Louis, and a member of the Control System Integrators Association (CSIA).
Dino Busalachi, cofounder and CTO at Velta, adds that cybersecurity must be approached holistically because multiple participants and groups are involved, especially IT and OT, who must learn to cooperate to develop a unified front on cybersecurity.
“Even executives are on the hot seat now because they need to secure their entire organizations or risk losing coverage or can’t acquire it,” says Busalachi. “Unfortunately, IT needs to recognize they have a blind spot in the OT space when it comes to industrial control systems, leaving many OT teams defenseless. A few organizations are designating an OT person to handle cybersecurity at that level, even though they may have little to no cybersecurity experience, resources or budget. They need IT on the field and in the huddle, but not as quarterback. This is because IT’s priority is confidentiality and installing patches immediately, while OT’s priority is safety, availability and uptime, and testing patches before applying them to make sure they won’t shut down any processes or adversely affect production or operations.”
Busalachi reports that Velta recommends using the five cybersecurity principles developed by SANS Institute, namely effective response, vulnerability management, continuous monitoring, defensible architecture, and remote access. Once these priorities are in place and understood, he advises performing a visibility study of a process or facility’s operations and devices, and assessing their cybersecurity risks and existing capabilities.
“This can include penetration testing, though not in the plant, where scanning controls could slow or stop machines, and be very costly,” says Busalachi. “In these cases, users can employ passive listening tools, collect data on network traffic, and build performance baselines.”
Roles and remote access
Beyond assessing industrial control system (ICS) architectures and infrastructure, and inventorying OT assets and processes, Busalachi adds it’s also crucial to decide who is ultimately responsible for what. “We often show clients their control system panels that house ICS and OT assets, and IT will say ‘not us,’ so OT will have to take on cybersecurity tasks that didn’t used to be in their jurisdiction, and develop new skills, and acquire new resources and OT-specific cybersecurity technology to do it,” he explains. “Fortunately, that gap is easier to fill now because there are more active-OT solutions available, such as passive monitoring tools from Claroty, Nozomi, Armis, Dragos and others. They’re used to interpret OT device types, relevant details such as vulnerabilities, malware signatures, and activity both warranted and unwarranted by using deep-packet inspections.”
To achieve secure, remote access, Busalachi reports a virtual private network (VPN) isn’t enough, and users need OT-specific, remote-access technologies that provide multi-factor authentication (MFA), auditing functions like recording interaction sessions between remote devices and PLCs, and make sure they only permit read-only access and don’t allow file transfers. Remote access also needs to be done using reverse tunneling, so it allows only one-way communications to limit open ports in the firewall.
“We can’t allow communications from remote users to wander anywhere in the network once access is gained. However, there are still a lot of logical ports and threads running that need to be open for remote access,” explains Busalachi. “This is because big organizations always have lots of patchworks of equipment, controls, power utilities and other packages—all using different languages and protocols. All these ports can punch a lot of holes in a regular firewall, so it’s better to have just one opening in a network. Cisco’s Secure Equipment Access or Claroty’s Secure Remote Access software can enable these efforts, which are crucial, because we’ve seen guys leave open laptops with cellular modems connected to elevator controls during maintenance.
Likewise, before OT clients give Velta remote access, Busalachi adds they need to do a visualization study like IT does according to NIST’s well-known cybersecurity framework. “However, many still don’t evaluate my laptop, check that it has antivirus software, scrub it, or look at what it might be able to do,” he says. “Even so, OT still doesn’t want IT in its critical infrastructure.”
Closing security gaps
“For example, we worked with one mid-tier manufacturer with 40-50 plants that were all set up differently with different lifecycles, and our client was the one guy assigned to cybersecurity, even though dozens were needed to gather all the tribal knowledge from those individual plants about what they were presently doing for cybersecurity,” says Busalachi. “Our client also had third-party infrastructure support based in India, but the question was, could it provide the same cybersecurity for OT as it was providing for the enterprise, and there’s often no good answer for that yet.”
To fill in cybersecurity gaps in its organization, Busalachi adds it would help if users like its mid-tier manufacturer prioritized and staffed cybersecurity in the same way they handle safety alerts, such as the notifications about ammonia, which it routinely ships in and out. “We need the same role for OT cybersecurity, so when we start to work with a client, we go straight to OT, talk their language, and look in their panels. It’s like having an interlock, such as requiring that your foot’s on the brake before you can start a car. In this case, cybersecurity is similar to having an interlock for machine-to-machine communications, and monitoring for any changes in behavior. Users need to have these sensor-ready tools built-in.”
