Step zero in improving your OT security: don't do anything else before this.
Industrial Automation and Control Systems (IACS) such as PLCs, HMIs, scanners, labelprinters, … never exist entirely on their own. They are always connected to the network, the network is connected to a number of IT systems. Think about the network equipment itself (switches, routers), the Enterprise Resource Planning (ERP) system, Manufacturing Execution System (MES), Warehouse Management System (WMS), … Oftentimes there is also a connection towards the internet to allow remote access for suppliers, or for them to receive statistics about ‘their’ machine in your factory.
Problem: OT is infected through IT
Problem: IT is infected through OT
Cyber criminals also target IT systems by coming in through OT to get to IT (to steal data, to encrypt data and demand ransom, …). This can happen for instance through badly-configured or badly-managed remote access gateways. Such gateways are often brought in by installers of machines in the factory (the system integrators) to gain remote access during installation and for support.
What can you do?
At the very foundation of OT security lies the separation of IT and OT networks. Unfortunately, a lot of companies still have a single network for both. To separate IT and OT networks, you must place a firewall with tightly controlled rules between them. This firewall must be configured by ‘deny-by-default, allow-by-exception’.
Industry 4.0 is here, and it brings magnificent opportunities which we should embrace. This entails that IT and OT are coming closer and are gently merging. But it is very important to that this merging is done in a controlled way to avoid security issues from happening.
6 steps to take
- If the IP addresses in your IT network and OT network are in the same range: carve out the IT assets and move them to a new, separate network. Leave the OT network untouched as you do not want to interfere with production. You will need a router between the new IT network and the existing network (which has now become the “OT-only-network”)
- Log the traffic flowing through that router to get a view on what is currently required for your factory to work properly. Do this for a certain period of time (a week, 2 weeks, maybe longer, depending on your type of business).
- Introduce firewall rules only allowing the required traffic as discovered above. For now, keep a rule at the bottom allowing all traffic and logging that traffic. This will allow you to see what rules you possibly forgot to add to your firewall.
- Every month, review the logs of this ‘allow all’ rule and add firewall rules above it accordingly.
- After a couple of months (depending on your type of business), change this ‘allow all’ rule to a drop + log rule. This will prevent unwanted traffic from flowing between OT and IT and between IT and OT while still allowing you to see what traffic is being attempted. This will give you insights in possibly unwanted traffic, or in traffic which you need to explicitly allow in the firewall (which you apparently forgot earlier, for instance because it only takes place during maintenance periods, which only happen twice a year).
- Ask Spinae to assist you 😉
Congratulations: you now successfully created a separate IT from OT network! This is considered to be step 0 when starting to work on OT security.
Be aware that you will also have to inform the people involved about this change, and introduce some new process/procedure to request a change to the firewall rules when changing something in the factory. In other words you always have to consider People, Process as well as Technology to successfully improve on cyber security.