Cybersecurity best practices for facilitating IT/OT integration
The German government released an incident report in December detailing a targeted cyberattack on a steel mill that prevented a blast furnace from being shut down in a controlled manner, resulting in "massive" damage. The translated report reveals that the attackers first compromised the steel mill's corporate network, using spear phishing and social engineering against office staff, and from there reached into the production network.
Fortunately, no lives were lost, but the event serves as a rallying cry for the safe integration of IT networks with operations technology (OT) networks. Simply applying IT-style defenses to OT networks is not enough to ensure the safe and reliable operation of industrial control systems (ICS), which is why OT cybersecurity best practices continue to evolve to address modern targeted, persistent attacks (TPAs).
Firewalls alone are not enough
Common wisdom has it that "if I have a firewall and encryption, then I must be secure." The problem is that firewalls are software, and all software has bugs. Some of those bugs are exploitable vulnerabilities, so in practice all software, including network firewalls, can be hacked. Even a bug-free firewall still forwards whatever traffic its rules permit, and a targeted attacker works through exactly those permitted connections, for example by stealing the credentials of an engineer whose remote-access session the firewall is configured to allow. These limitations of software-based firewalls are well known to anyone with a moderate level of cybersecurity education.
Worse, OT network security generally lags behind IT security. Any security update must be tested thoroughly to ensure that the changed software does not impair control system operations, such testing takes time, and many ICS components can only be patched during scheduled outages. This means OT networks will always be softer targets than IT networks, and so compensating measures such as physical perimeter and cyberperimeter protections will always matter more for OT networks than for IT.
Protecting soft interiors with a hard shell
While advanced data exfiltration prevention technologies are being deployed against targeted attacks on corporate networks, that technology does little to prevent cybersabotage of industrial networks: the attacker's goal there is to send commands in, not to carry data out. Best practices for OT security are therefore evolving in a different direction, toward hardware-based network perimeter protections that shield soft OT network interiors. These protections come in the form of unidirectional security gateways, which are embraced and endorsed by regulations and guidelines such as NERC CIP, IEC 62443-3-3, the ANSSI guidelines and others. A unidirectional gateway combines hardware that is physically capable of transmitting in only one direction with software that replicates OT servers, such as process historians, to the IT network; IT users and applications query the replica rather than the live OT system. Because information can travel only out of the protected network, the two-way channels that firewalls permit and that targeted attacks depend on are shut down, and a remote-control attack reaching the Internet-exposed IT network has no path over which to send commands into the OT network. Two caveats apply. The gateway closes the network path from IT to OT; other entry points such as removable media, vendor laptops and dial-in modems must still be controlled separately. And because no acknowledgements can flow back, the replication software must tolerate loss on the one-way link by other means, such as sequence numbers, integrity checks and redundant transmission. Within those limits, unidirectional gateways greatly reduce the security risks associated with IT/OT integration.
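The engineering consequence of "no return path" is easy to underestimate, so here is an added example, written for this article and not code from the original page or from any gateway vendor: a small Python model of one-way replication in which the OT-side sender can only emit frames and the IT-side receiver holds no reference to the sender at all. The `Frame` layout, the redundancy-by-repetition scheme, the `lossy_channel` simulator and the historian records are all constructed for the demonstration; a real gateway uses its own framing and forward error correction.

```python
"""Model of unidirectional (send-only) replication across a data diode.

Illustrative only: the frame format, the simulated lossy link and the
sample historian records are constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional


@dataclass(frozen=True)
class Frame:
    seq: int        # monotonically increasing sequence number
    payload: bytes  # serialized historian record
    digest: str     # SHA-256 of payload, lets the receiver drop corrupt frames


def make_frames(records: Iterable[dict], redundancy: int = 2) -> Iterator[Frame]:
    """OT-side sender. Serializes each record, tags it with a sequence
    number and a digest, and emits it `redundancy` times. Nothing ever
    comes back across the link, so repetition is the only loss protection."""
    for seq, rec in enumerate(records):
        payload = json.dumps(rec, sort_keys=True).encode()
        frame = Frame(seq, payload, hashlib.sha256(payload).hexdigest())
        for _ in range(redundancy):
            yield frame


def lossy_channel(frames: Iterable[Frame], drop_every: int) -> Iterator[Frame]:
    """Simulated one-way link that silently drops every `drop_every`-th frame
    (0 means lossless). The receiver cannot ask for a retransmission."""
    for i, frame in enumerate(frames):
        if drop_every and i % drop_every == drop_every - 1:
            continue
        yield frame


class Receiver:
    """IT-side receiver. Rebuilds the record set, ignores duplicates and
    corrupt frames, and reports sequence gaps it can detect. It has no
    handle on the sender, which is the whole point of the design."""

    def __init__(self) -> None:
        self.records: Dict[int, dict] = {}
        self.corrupt = 0

    def consume(self, frames: Iterable[Frame]) -> None:
        for frame in frames:
            if hashlib.sha256(frame.payload).hexdigest() != frame.digest:
                self.corrupt += 1          # corrupted in transit: discard
                continue
            # first valid copy wins; repeated copies are harmless duplicates
            self.records.setdefault(frame.seq, json.loads(frame.payload))

    def gaps(self, expected: Optional[int] = None) -> List[int]:
        """Sequence numbers never received. Without `expected` (for example
        from a periodic count-so-far frame) loss at the tail is invisible."""
        if not self.records and expected is None:
            return []
        high = expected - 1 if expected is not None else max(self.records)
        return [s for s in range(high + 1) if s not in self.records]


def replicate(records: List[dict], redundancy: int, drop_every: int) -> Receiver:
    """Run sender -> lossy link -> receiver end to end and return the receiver."""
    rx = Receiver()
    rx.consume(lossy_channel(make_frames(records, redundancy), drop_every))
    return rx


# Constructed sample: five historian readings for a blast-furnace tag.
SAMPLE_RECORDS = [
    {"tag": "BF1.HEARTH_TEMP_C", "t": 1418000000 + 10 * i, "value": 1480 + i}
    for i in range(5)
]

if __name__ == "__main__":
    rx = replicate(SAMPLE_RECORDS, redundancy=2, drop_every=3)
    print("records recovered:", len(rx.records), "gaps:", rx.gaps(len(SAMPLE_RECORDS)))
```

Run with a single copy of each frame (`redundancy=1`) and the same drop pattern, and the receiver reports a gap it cannot fill; with two copies every record arrives despite a third of the frames being lost. The model also shows what the gateway does not do: it guarantees nothing about the content of the records, so the IT side should still treat the replica as data from a trusted-but-unreachable source and validate it before acting on it.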
OT cybersecurity programs are generally part of larger safety and reliability-assurance programs at industrial sites, so OT network administrators have a very different set of priorities than IT network administrators do. To facilitate safe IT/OT integration, hardware-enforced defenses must be deployed that support IT processes and infrastructures without putting industrial sites at risk. The German steel mill attack, in which a foothold on the corporate network became a path into production, is a good example of IT/OT integration done wrong. Modern defenses are needed in the face of modern cyberthreats, and industry leaders are answering this need by applying new best practices in the form of unidirectional security gateways.
Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cybersecurity products.