Cybersecurity: Understanding IT Needs from the OT Perspective

Corey Foster || Valin Corporation

“We don’t need to worry about cybersecurity. Who would want to attack us?”

Many have heard this before. More have thought it themselves. And others have had thoughts such as the following:

  • Who would want our data? It is not worth anything to anybody but us.
  • None of our machines are on the network so we are safe.
  • Our machines are all run by PLCs so they are safe from hacking.

Digging around online for current events will produce viable answers to each of these thoughts. 

"Who would want our data?"

Current data on cyber ransom is alarming. Most companies do not report their attacks because they do not want it to be advertised.

"None of our machines are on the network"

Many organizations think that if their systems are "air gapped" then there isn't a way in. That is not true. One of the most famous viruses, Stuxnet, made its way to its target which was air gapped.

"Our machines are all run by PLCs"

That same virus, Stuxnet, specifically targeted PLCs.

These are just a few examples of reasons OT (operational technology) personnel do not think they need to worry about cybersecurity and leave it to the IT (information technology) teams. The result is definitely not teamwork.
 

IT Security Education for the OT

Many OT personnel may be familiar with risks assessments for machine safety. IT personnel have something similar, but for cybersecurity. It starts with a framework, of which there are numerous available. Using this cybersecurity framework example from National Institute of Standards and Technology (NIST), we can quickly learn that one of the first steps a team needs to do is to identify all their potential vulnerabilities.

OT personnel should think about all the entrance points into systems that the IT team does not know about. Typically, there are many old computers, USB ports, HMIs, PLCs, ethernet ports, non-password protected, default password protected and intermingled networks among the machines. Every single one of those is a potential vulnerability.

Unless an OT person is interested in an IT person poking around the machines to understand them, then they should do it themselves and help the IT team.  In the process, if OTs know a few things, they can get the blessings of the IT team to implement a few new technologies that they have been saying no to. These technologies will provide better and more flexible access with an added layer of security.
 

Slow Intruders Down

It is common to hear people say that anything can be hacked. They use this as an excuse to not allow any products to be put on the network. While, this is true, mischievous players can be slowed down, minimizing the damage they can do and giving the IT personnel time to recognize there is an intruder. Most of the hacking is intruding into low hanging fruit that is relatively easy anyway. So, by putting obstacles in their way, systems are no longer “low hanging fruit.”
 

Industrial Firewalls

IT personnel are well acquainted with firewalls as useful and necessary tools. OT personnel classify them simply as obstacles that keep them from getting their jobs done. For the OT personnel, though, they can use products designed for them — for their types of systems — to monitor and direct network traffic among their machines to make them safer and perhaps even performing better.

Segmenting networks is one tactic to slow intruders down. Once an intruder gets through one firewall into an unsegmented network with 10 machines on it, they have access to all 10 machines. But, if they get through that first firewall onto that same network that was segmented, divided into several mini networks, then the intruder must go through multiple more firewalls to get to those 10 machines. That is assuming they have the skills, desire and time to do it.

One may not know it, but putting a controller onto an open network with a lot of traffic is like walking into a crowded room and trying to have a good conversation. It is doable, but there is a lot of noise. However, when controllers have quirky communication issues, few people stop to think about it getting hammered with network traffic. Modern networked products are well adept and designed for such environment, but that does not mean they work best in “crowded rooms.”

An industrial firewall or managed switch can be used in an ethernet network to identify which devices should be allowed to talk to which devices. On a busy network, this quickly limits the amount of network traffic that each device sees, ultimately helping them to perform better.
 

Remote Access

IT personnel are very quick to tell their OT counter parts "no" to any sort of remote access. And it is difficult to blame them. The OT personnel can rarely understand how the remote access works, much less be able to explain it to an IT person.  All the IT person sees is the OT person adding one more thing they do not understand to their network, creating more work for them. But what if an OT person can explain it in terms the IT person can understand? This will work much better if the OT person has already worked with the IT team to identify all the vulnerabilities as suggested above and developed trust and teamwork with each other.

When an IT person hears an OT person talking about “remote access,” the IT person is hearing that they are being asked to open a virtual door so an outsider can be let in. This is said to be “punching a hole in the firewall” or “opening a port” which also opens doors for unwanted intruders. So, yes, they are right to say no. That is, however, where the misunderstanding of remote access starts.

IT departments let their companies use virtual conferencing. Especially over the past 18 months, their company would have come to a grinding halt without it. They also let their employees have access from outside the premises through VPNs (virtual private networks). So, if there is an industrial remote access solution that does that same thing, why not let their OT team use them?
 

Access Out, But Not In

Surfing the web from your computer is a good way to look at it. One opens software which goes out of their company to get information. That connection is instigated by the user, not by the website they are visiting. The same thing happens with virtual conferencing using the same firewall ports. When one uses a virtual meeting platform, they are actually communicating out of their company to a computer and software service (i.e. “the cloud”) that then connects them with other people and returns information back upon request.

An industrial remote access unit does the same thing. For example, a person can add a device between their PLC and the company network that manages the calling “out” of the company to a third party when they desire the information out there to be let back in. That desired information out there is probably one of the company’s own people or perhaps a support person from another company.

Once this connection is made, there is another layer of security that the IT department is already familiar with, which is that VPN they already let their people use. Once that same industrial device establishes that connection, it establishes its own VPN between the two connect parties that even the cloud hosting it cannot look into.

Such devices establish the connection, then make it private.
 

Bringing it All Together

If an OT person comes to an IT person saying, “let me help you do your job so I can do mine better,” why wouldn’t they listen and learn to work together better? That IT person would probably be shocked if an OT person came to them with a full documentation of all the risks they already have on the floor. And what if that OT person is asking for help to plug them without hampering their ability to work? And what if that OT person proposes a better solution for them to look at together? How could that not promote teamwork, better security and perhaps more productivity for both?

Now that would be a whole new world.

Article featured in Processing Magazine