IBM Security Global Forum


What is needed to be known about Operational Technology (OT) in relation to cyber security

By Mike Kehoe posted 30 days ago


In association with IBM and Obrela

Learning Objectives from this Blog

Who needs to understand the importance of OT security? Why is understanding the impact of cyber attacks on the OT environment so important? What exactly is an OT environment compared to an IT environment? How can IBM Security, with its business partner Obrela, address the growing threats in the OT environment?

WHO? 

Any organisation which operates an OT environment needs to understand the high-level points of OT, so that it can explore what is needed to build its OT cyber defences.

OT has been around since the 1980s and its base architecture has changed very little. As IT cyber defence systems have increased their resilience to attack, the poorly defended OT environments have recently become a target for cyber criminals. Cyber criminals are early adopters of technology and employ agile business models that allow them to adapt quickly to exploit new opportunities for their illicit activities; unfortunately, OT systems have caught their attention.


WHY?

Cyber criminals have reached a level of sophistication that allows them to abuse both IT and OT operations for their own nefarious agenda. To ensure there is a well-managed, holistic approach to cyber defences, organisational leaders must understand what IT and OT security actually are.

The motivation of cyber criminals can range across:

• Monetary gain: using ransomware to lock up operations for a release fee
• Nation state actors: causing infrastructure failures in opposing nations
• Industrial sabotage: unethical organisations trying to hinder competitors
• Insider threat: disgruntled employees seeking revenge on their organisation

Regardless of the motivation of the cyber criminals, these types of attacks can cause major impacts on organisations.

These impacts can be classified as the "4+1 Rs"; they are not mutually exclusive. The "4 Rs" are common to both IT and OT, while OT has an additional "1 R" which is its most important.

[Figure: the 4+1 Rs]

Revenue impact:

This is associated with frauds that affect the income and expenditure of a business; examples could be an account takeover or masquerading as other individuals to divert funds.

Reputation impact:

This is the impact on an organisation of its customers losing confidence in it because it fails to prevent system abuse. With this loss of confidence can come withdrawal of business or account closure by the customer.

Regulation impact:

Fines imposed under data privacy laws such as GDPR, which legally require organisations to protect individuals' information and fine them for a data breach.

Run Operations impact:

Once an operation such as an airport conveyor, manufacturing line or traffic management system is put out of action, the organisation's ability to deliver its value will be operationally and financially impacted. If this is achieved by a cyber attack, the cyber criminals will have calculated this financial impact on the organisation and will demand a ransom proportionate to it.

Responsibility to Safety impact:

It is a true but scary fact that cyber criminals are connected to organised crime, which means they can have little regard for human safety. Many OT environments have humans and industrial machinery working in close proximity. Should the industrial controllers be compromised, this could cause injury or even death.

WHAT?

OT is the world where virtual and physical control systems meet. These systems are all around us, but only their results are evident. Examples of what industrial controllers do on a daily basis:

• Our safe drinking water quality is managed from collection to consumption.
• Our traffic management systems are aware of the volume of vehicles and adjust traffic flows accordingly.
• Airports ensure the correct baggage is delivered seamlessly via massive interconnected conveyor systems.
• Manufacturing sites can produce goods in high quantity and quality.

For the physical world to meet the virtual world at an enterprise level there are 6 different levels of operation. Consider the automotive industry: everything from the enterprise planning systems for global order management all the way down to the actual assembly of the smallest part of a vehicle will have its own control level.

The most common way to describe OT environments with these levels is a 6-layer model called the Purdue Model. The Purdue Model separates OT (Operational Technology) systems from IT (Information Technology) systems, focusing on network and operational segmentation.

[Figure: 6-layer Purdue Model]

Enterprise Levels 4 & 5:

Primarily IT territory, including corporate networks, business systems, and the internet.

Production Levels 0-3:

Encompasses the OT environment, focusing on physical processes, control systems, and plant management.

The 6 Levels (5, 4, 3, 2, 1, 0):

Level 5 – Business Level: This level includes enterprise resource planning (ERP) systems and other high-level business functions.

Level 4 – Enterprise Network: This level represents the corporate IT network, housing business systems, email servers, and internet access.

Level 3 – Plant Management: This level deals with coordinating and optimizing plant operations. It might include MES (Manufacturing Execution Systems) and engineering workstations.

Level 2 – Control Level: This level houses HMIs (Human-Machine Interfaces) for operator interaction and potentially SCADA (Supervisory Control And Data Acquisition) systems that collect data from the field level.

Level 1 – Field Level: Devices directly connected to physical processes reside here, such as PLCs (Programmable Logic Controllers) and DCS (Distributed Control Systems) that monitor and control those devices.

Level 0 – Physical Process: This ground level represents the actual physical equipment being controlled, like motors, sensors, and valves.

[Figure: network layers of the 6-layer Purdue Model]

Enterprise Levels 4 & 5: 

The network topology is based on TCP/IP, where communication relies on data packets: the individual units of information that travel across networks. Understanding TCP/IP packets is essential for cyber security in order to determine whether they are an anomaly. This layer is protected by many different solutions such as EDR, NDR, SIEM, ASM, etc.

Production Levels 0-3: 

In production levels 0-3 the hand-off from the TCP/IP topology to the industrial control buses happens. Industrial control buses differ from TCP/IP in a few key ways: they are specifically designed for the harsh realities of industrial environments and focus on real-time communication for process control. Here's a breakdown of industrial control buses vs TCP/IP:

[Comparison table: industrial control buses vs TCP/IP]

Even though the two topologies are very different, both can be abused by cyber attackers, and in some cases the attacker can cross over from one topology (industrial) to the other (enterprise).

Basic Concepts of Industrial Control Networks

The main components of industrial networks are:

• Sensors and actuators (electrical input/output devices)
• PLCs (programmable logic controllers, aka industrial controllers)
• Control bus wiring (messaging between industrial controllers)
• SCADA systems (supervisory control and data acquisition)

[Figure: PLC with interconnected control bus wiring]

Where are cyber attacks targeted in OT networks?

PLCs (Programmable Logic Controllers):

These are the brains of industrial control systems, vulnerable to malware that can disrupt operations or alter control logic.

HMIs (Human-Machine Interfaces):

These are the operator interfaces, and attackers might target them for manipulation or to display misleading information.

Control Networks:

These networks carry critical control data between devices. Infiltrating them allows attackers to intercept or manipulate communication.

Engineering Workstations:

These workstations are used for configuring and monitoring control systems. If compromised, they can provide attackers with a foothold in the control networks.

Interconnections between IT and OT:

Weaknesses at the connection points between IT and OT systems can allow attackers to jump from the IT network to the more critical OT environment.

SCADA (Supervisory Control And Data Acquisition) Systems:

These systems collect and manage data across the control network. Vulnerabilities in SCADA software can be exploited to disrupt operations or steal data.
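As an added example (not code from the original post, nor from IBM's or Obrela's products), the following Python check maps constructed subnets onto the Purdue levels described above and flags flows that skip levels or carry an industrial protocol from the enterprise levels into production, which is the IT-to-OT crossover the interconnection point above warns about. The adjacent-level rule, subnets, ports and flow records are all assumptions for illustration.

```python
"""Purdue-level flow check: flags flows that cross the IT/OT boundary in
ways the segmentation does not allow. Added example; subnets, ports,
policy and flow records are constructed assumptions, not a real plant."""
import ipaddress
from typing import Optional

# Constructed subnet-to-level mapping (assumption).
LEVEL_SUBNETS = {
    5: ["203.0.113.0/24"],  # business systems / internet-facing
    4: ["10.4.0.0/16"],     # enterprise IT network
    3: ["10.3.0.0/16"],     # plant management: MES, engineering workstations
    2: ["10.2.0.0/16"],     # control level: HMIs, SCADA
    1: ["10.1.0.0/16"],     # field level: PLCs, DCS (level 0 is on the bus, not IP)
}
# Industrial protocol ports no enterprise host should reach (assumption).
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3"}

def level_of(ip: str) -> Optional[int]:
    """Return the Purdue level of an IP address, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for level, nets in LEVEL_SUBNETS.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return level
    return None

def check_flow(src: str, dst: str, dport: int) -> list:
    """Return findings for one flow; an empty list means it is allowed."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return ["unknown endpoint: " + (src if s is None else dst)]
    findings = []
    # Simplified rule: traffic may only pass between adjacent levels.
    if abs(s - d) > 1:
        findings.append(f"level skip L{s}->L{d}")
    # Enterprise (4/5) speaking an ICS protocol into production (<=3): the IT-to-OT jump.
    if s >= 4 and d <= 3 and dport in ICS_PORTS:
        findings.append(f"{ICS_PORTS[dport]} from enterprise into production")
    return findings

def scan(flows):
    """Return (flow, findings) for each (src, dst, dport) tuple that has findings."""
    return [(f, check_flow(*f)) for f in flows if check_flow(*f)]

# Constructed NetFlow-style records: (src, dst, dport).
SAMPLE_FLOWS = [
    ("10.3.0.10", "10.2.0.5", 502),      # engineering workstation -> HMI: adjacent, allowed
    ("10.4.0.77", "10.1.0.9", 502),      # enterprise host -> PLC over Modbus: two findings
    ("203.0.113.8", "10.3.0.10", 3389),  # internet-facing host -> plant management: level skip
    ("10.2.0.5", "10.1.0.9", 502),       # HMI -> PLC over Modbus: expected
]
```

Running scan(SAMPLE_FLOWS) returns only the second and third flows with their findings; in practice the subnet map would come from the site's own network documentation.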

Impacts of OT Cyber Attacks

Disrupting operations:

This can cause production slowdowns, equipment damage, or safety hazards.

Stealing data:

Attackers might be after intellectual property, trade secrets, or sensitive operational data.

Holding systems for ransom:

Ransomware attacks are becoming increasingly common in OT environments.

Espionage:

Infiltrating OT systems can provide valuable insights into industrial processes for competitors or nation-states.

HOW?

How can the OT security issues be addressed? IBM Security recognizes the power of "better together" and has long been an advocate of a strong partner ecosystem. This allows IBM and its partners to deliver a more holistic solution to its customers. In relation to Operational Technology, IBM Security is proud to work with Obrela (https://www.obrela.com/). Obrela, a leading cyber security provider, announced an EMEA-driven partnership agreement with IBM in June 2024. The Obrela and IBM Security partnership will address the growing demand for OT cyber security services. Obrela's MDR for OT product offers advanced, specialized threat detection and response capabilities for OT environments.

Obrela’s MDR for OT service leverages the company’s MDR technology stack which is built on Open XDR architecture principles. This enables customers to experience an MDR ecosystem with the best-of-breed security technologies over multiple vendors.

MDR for OT is a mission critical service that combines artificial and human intelligence to dynamically protect customers’ OT assets by identifying, predicting, and preventing cyber threats in real time. Obrela’s purpose-built Global and Regional Cyber Resilience Operation Centers (ROCs) provide continuous visibility and situational awareness to ensure cyber resilience across any OT environment.
