For those coming from IT, securing ICS systems can be frustrating at the beginning. This is because the technologies used and the ways of working are very different when it comes to OT systems. The objectives pursued in these two areas are also very different. How so? Let’s find out the differences between OT and IT systems.
Data protection vs. process protection
When securing IT systems, the main focus is on protecting data – such as intellectual property (IP), credit card numbers, emails and Personal Identifiable Information (PII) – thus trying to prevent hackers from gaining access to what, for a company, may be a great part of its assets.
This is in sharp contrast to what happens with ICS systems, where the main objective is to protect the process , as they are designed for continuous processing. In some cases, following an unplanned shutdown of a plant, it can take days, weeks or even months for it to restart, causing significant damage. And it is not just an econimic loss
Take, for example, an ICS system that controls power generation and distribution, or drinking water and wastewater systems: besides great inconvenience, their breakdown can also have serious consequences on people’s health, as well as deeply impact the society. Without going too far back in time, just think of the 2021 ransomware attack on Colonial Pipeline that halted plant operations for six days, leading to a fuel crisis and increased prices in the eastern U.S.
Differences between IT and OT systems: Technologies
In traditional IT systems, we are used to working with protocols such as TCP, IP, UDP, DNS, DHCP, etc. Most ICS systems use one of over 100 dedicated protocols, some of which are proprietary. The most popular on the market are Modbus, DNP3, ProfiNet/Profibus, OPC and others.
ICS systems base its operations on the Programmable Logic Controllers or PLCs. These are used for almost any type of industrial control system, be it production, oil refining, power generation, water treatment, etc. PLCs are comparable to industrial computers, with their own proprietary Operating System. They use programming languages derived from the world of electromechanical logic, such as Ladder Logic, to control sensors, actuators, valves, alarms and other devices. Hacking ICS systems often requires familiarity with the programming of such PLCs.
Although availability is one of most important concepts within information security, ICS systems take it to another level. As mentioned above, here the attention is on protecting the process , rather than the data. For this reason, applying a software patch and rebooting the system may often not be an option, except for discrete time intervals, such as annual or quarterly maintenance shutdowns. This means that operating systems and applications remain unpatched with known vulnerabilities for months or even years. Therefore, SCADA or PLC engineers should carry out adequate compensatory checks to prevent intrusions, unlike an IT security administrator who would be able to apply security patches more frequently.
Differences between IT and OT systems: A different access to components
With a few exceptions, in traditional IT security, the technical team has direct physical access to system components. In ICS systems, these components may be spread over hundreds or thousands of metres (e.g. pipelines, power grid, etc.), thus making the implementation of security controls even more complicated. For example, remote field stations can become an access point to the entire ICS system.
Security through obscurity
Recently, especially with the advent of Industry 4.0, many ICS systems have been progressively connected to the Internet via a direct TCP/IP connection. While the internal communication can still be managed with proprietary networks, remote access allows continuous monitoring by plant managers. However, there are still exceptions, such as some dams and other public infrastructure systems which are still off-line to protect them from the clutches of cyber attackers.
For years, these systems benefited from security through obscurity. What does it mean? They were somehow safe because few people knew of their existence and even fewer understood their technologies: the protocols used were only known to technicians in the industry who had gained first-hand experience with SCADA, PLCs and HMI terminals.
This is turning out to be a weak point, as they are being exposed on the network without having the most basic security measures implemented. An example is what happened in 2016, when the independent researcher Karn Ganeshen managed to break into a Schneider Electric building automation system by exploiting a 0-day vulnerability and gaining root access to the server.
With the advent of reconnaissance tools like Shodan, these systems will no longer rely on security through obscurity. The industry is only now beginning to implement modest security measures, but one of the biggest challenges that it’s facing is that many standard IT security products do not provide the same level of protection when it comes to industrial protocols. In most cases, firewalls and IDSs have to be customised to make them compatible and applicable to OT.
What can we do to protect OT environments?
Considering the differences between OT and IT systems in terms of different length of system lifecycles, and the sensitivity and safety-relevance of the OT systems and automation tools, the approach to security usually requires a combination of security technologies and services, including:
- OT security audit and governance – aiming at understanding the security risks and requirements for industrial infrastructures, as well as mid- and long-term cybersecurity strategy planning
- OT security solution integration to protect industrial networks, workstations and other assets
- Continuous security monitoring – for better security visibility through the analysis of the security events from multiple sources to spot out even complex cyber-attacks at their early stages
- Security training – aimed at continuous improvement of the cybersecurity skills among OT operators, cybersecurity experts as well as other non-IT teams and executives.