You can only protect what you know - The importance of OT environment visualization
With the acceleration of factory DX and the introduction of IoT devices in factory systems, there are increasing cases where OT networks unknowingly pose security risks. Cyber-attacks targeting factories and critical infrastructure can cause serious damage, including threats to human life. This article explains the importance of OT security and the steps taken to improve security in OT networks.
Yurika Sagawa
After joining NTT DATA, Yurika worked on the in-house operation of security solutions such as SIEM, UEBA, and SOAR and on the implementation of security products such as SASE and EDR to achieve Zero Trust in IT environments. She is currently responsible for global strategy and service planning in OT/IoT security and automotive security.
1. Damage caused by cyber-attacks targeting factory systems
Cyber-attacks targeting the operational technology (OT) environment used in factories and critical infrastructure can result in significant damage, including loss of life and human-made disasters. In fact, in December 2016, a cyberattack on a power company in the Ukrainian city of Kyiv used an IT environment as an entry point into the OT environment, and malware sent commands to shut off the circuit breakers, resulting in a power outage of up to 1 hour and 15 minutes*1.
Figure 1 shows a simulation using an OSS called GRFICSv2*2. It shows Modbus, a protocol commonly used in OT environments, being used to send unintended commands to Programmable Logic Controller (PLC) equipment and blow up the plant equipment. If unintended commands like these can be issued, factory systems can easily be destroyed.
Conventional factory systems were assumed to be a closed network, disconnected from the Internet, but recent developments in DX have led to the introduction of IoT devices into equipment even within factory systems, and there are increasing cases where OT networks are unknowingly exposed to the Internet. Situations such as "communicating with the Internet without knowing it" or "new equipment being connected to the OT environment without anyone noticing" are extremely risky from a security perspective.
*1 Case 2 of cyber incidents related to control systems, IPA
https://www.ipa.go.jp/files/000076756.pdf
*2 Fortiphyd, GRFICSv2
https://github.com/Fortiphyd/GRFICSv2
2. Steps to improve security in OT networks
There are various methods and measures to ensure security in OT environments (hereinafter referred to as "OT security"). This chapter introduces the roadmap recommended by NTT DATA for assessment, product implementation, and operation support in OT security.
1) Visualizing the OT environment
An essential part of considering security measures, whether in an OT environment or not, is identifying which assets need to be protected. Therefore, the first step is to check the terminal devices and control devices used in the factory system, the models of the equipment and the operating systems installed, and to understand how these devices communicate with each other.
2) Understanding security risks
To identify and assess risks, the visualized assets to be protected are checked against common security frameworks such as MITRE ATT&CK*3 and NIST*4.
*3 MITRE ATT&CK, ICS Techniques
https://attack.mitre.org/techniques/ics/
*4 NIST, Framework for Cyber-Physical Systems
https://www.nist.gov/publications/framework-cyber-physical-systems-volume-1-overview
3) Determining strategy in OT security
A strategy for security measures is determined based on the risk assessment results. For example, this involves selecting security measures that reduce the identified risks and setting priorities with cost taken into account.
4) Implementing measures for high-priority security risks
Measures for security risks in the OT environment should be implemented in order of priority. Measures include network segmentation, implementing secure remote access to the OT environment, implementing techniques to detect OT security risks, and implementing security measures on terminals in the OT environment.
5) Planning for long-term security measures
After implementing measures against high-priority security risks, it is necessary to consider security measures from a long-term perspective. Examples include developing training programs to help factory employees understand the importance of security in an OT environment, clarifying responsibilities in case of a security incident, and developing a management plan for device patches and configurations in the OT environment.
6) Implementing OT security operations
Ultimately, defining and implementing security operations in the OT environment is necessary. It is useful to train members of the Security Operation Center (SOC)*5 using a defined operational flow for the systems implemented against the high-priority security risks addressed in step 4.
*5 A SOC is an organization that monitors various security devices, investigates incidents when alerts are issued, and escalates to higher-level security operators based on predetermined thresholds and flows.
The steps taken to improve OT security are not significantly different from those for IT security, but the security measures chosen for OT security are often different from those for IT security. This is because the three major elements of information security -- confidentiality, integrity, and availability -- are valued differently in OT and IT environments. Availability is particularly important in OT environments such as production plants that require non-stop operation 24 hours a day, 365 days a year. In addition, safety tends to be valued highly in environments where human life is threatened when mechanical problems occur, as seen in the simulation images mentioned earlier.
3. Importance of asset visualization and threat detection
One effective security measure in an OT environment where availability is important is to monitor the OT network and detect threats. As shown in Figure 2, we can monitor the communication flowing through the OT network and visualize the control terminals and equipment, the models of the equipment, and the operating systems installed. This also reveals how the devices communicate with one another. Then, by learning the visualized results as the normal baseline, it is possible to detect "communication with new equipment" or "communication with the Internet" as abnormal behavior. Furthermore, because the monitoring is done on mirrored communication, the OT network can be visualized and anomalies detected without affecting the actual operation of the factory system, i.e., without compromising availability.
The OT network can be accurately visualized by monitoring the actual communication flowing through the OT environment, as shown in Figure 2. It is also useful to understand the configuration of the factory system from the network configuration diagram and parameter sheets, but as mentioned at the beginning, documents alone make it difficult to notice dynamically changing situations such as "communicating with the Internet without knowing it" or "new equipment being connected to the OT environment without anyone noticing."
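As an added illustration, not part of the original article or of any NTT DATA product, the following Python sketch shows the baseline-then-deviate logic described above applied to constructed flow records: it learns which assets talk to which (as a sensor on a mirror port would observe) and then flags new equipment, traffic leaving the OT address range, and new paths between known assets. The OT subnet, addresses, and ports are assumed values.

```python
import ipaddress

# Assumed OT address range; anything outside it is treated as "outside the OT
# network" (e.g. the Internet). In a real plant this comes from the network design.
OT_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed flow records (src_ip, dst_ip, dst_port), standing in for what a
# passive sensor on a mirror/SPAN port would extract. Nothing is sent on the wire.
BASELINE_FLOWS = [
    ("192.168.10.10", "192.168.10.20", 502),   # HMI -> PLC 1 (Modbus/TCP)
    ("192.168.10.10", "192.168.10.21", 502),   # HMI -> PLC 2
    ("192.168.10.30", "192.168.10.20", 502),   # engineering workstation -> PLC 1
    ("192.168.10.30", "192.168.10.10", 3389),  # engineering workstation -> HMI
]
LIVE_FLOWS = [
    ("192.168.10.10", "192.168.10.20", 502),   # seen in baseline: normal
    ("192.168.10.99", "192.168.10.20", 502),   # unknown host sending Modbus to PLC 1
    ("192.168.10.21", "203.0.113.7", 443),     # PLC 2 reaching an address outside OT
    ("192.168.10.30", "192.168.10.21", 502),   # known hosts never seen talking before
]

def learn_baseline(flows):
    """Learn 'normal': the set of known assets and the observed (src, dst, port) triples."""
    assets, allowed = set(), set()
    for src, dst, port in flows:
        assets.update((src, dst))
        allowed.add((src, dst, port))
    return assets, allowed

def is_outside_ot(ip):
    """True if the address does not belong to any configured OT subnet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OT_NETWORKS)

def detect_anomalies(flows, assets, allowed):
    """Return (flow, reason) for every flow that deviates from the learned baseline."""
    findings = []
    for flow in flows:
        src, dst, _port = flow
        if is_outside_ot(src) or is_outside_ot(dst):
            findings.append((flow, "communication outside the OT network"))
        elif src not in assets or dst not in assets:
            findings.append((flow, "communication with new equipment"))
        elif flow not in allowed:
            findings.append((flow, "new communication path between known assets"))
    return findings

if __name__ == "__main__":
    known_assets, normal_flows = learn_baseline(BASELINE_FLOWS)
    for (src, dst, port), reason in detect_anomalies(LIVE_FLOWS, known_assets, normal_flows):
        print(f"ALERT {src} -> {dst}:{port}: {reason}")
```

Whether a deviation means "the Internet" or merely "another plant segment" depends on OT_NETWORKS being complete, so the learned baseline should be reviewed with plant engineers before it drives alerting.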
4. In conclusion
With DX accelerating these days, it is important to take security measures for OT networks in factories and control systems. In this article, we have introduced the implementation steps, and the importance of visualization and anomaly detection as security measures suited to OT environments, where availability is a key characteristic.
NTT DATA will contribute to the security of OT environments by proposing OT environment security measures based on our rich cybersecurity knowledge, providing execution support for network segmentation, introducing visualization and anomaly detection products mentioned in this article, and providing SOC services.