Security Controls to Reduce Cyber Risk in Operational Technology Networks
In our last post, we discussed a ransomware attack that forced a natural gas compression plant to shut down operations. The attacker compromised Windows 10 systems on the company’s IT network, then was able to access the operational technology (OT) network due to a lack of network segmentation. Luckily, the plant never lost control of its operations, but the incident highlights the need for stronger OT security controls.
The operational technology network comprises industrial control systems, process control networks and related technologies that collect and analyze data and automate many operational functions. Supervisory control and data acquisition (SCADA) is a well-known management tool for OT systems. These systems have been around for decades but traditionally have been “disconnected” from the IT infrastructure. The Industrial Internet of Things (IIoT) is changing that, enabling OT systems to deliver data to the data center or cloud for processing and analysis.
IIoT Security Risks
The problem is that SCADA systems were designed for “security by obscurity,” with weak authentication and authorization controls. An attacker who gains access to a SCADA device, whether through a physical connection or compromised credentials, could work his way through the network via inter-site sessions. The IIoT increases this risk by exposing these devices to the Internet.
The growing OT threat is hardly unique to the energy sector — organizations in a wide range of asset-intensive industries are increasing their IIoT implementations. It’s critical that these organizations implement security controls to protect their operational infrastructure from cyberattack.
IT and OT security
Gartner defines operational technology security as, “Practices and technologies used to (a) protect people, assets and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.” While IT systems use information for decision-making, OT systems use data to change the state of the environment. Despite this fundamental difference, Gartner acknowledges there is significant overlap between IT and OT security, particularly as OT systems become more digitized with the IIoT.
Mitigate the Risk of Attacks
Network segmentation is an essential security control that can mitigate the risk of attacks that cross the IT / OT boundary. Next-generation firewalls and other techniques are used to break data center and campus networks into smaller zones of control, limiting the ability of attackers to move laterally inside the enterprise IT environment. Similarly, segmentation can be used to isolate the OT network from the IT side of the house. Firewall policies should be very strict given that OT systems have a limited number of valid requests compared to IT systems.
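As an added illustration (not code from the original post or from GDS), the following Python policy check models the strict, default-deny boundary described above: only explicitly listed flows may cross between the IT, DMZ and OT zones, and anything else crossing a zone boundary is flagged for review. The zone ranges, the two allowed flows and the sample flow records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zone ranges for illustration; real deployments differ.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),  # broker zone between IT and OT
}

# Explicit allowlist of cross-zone flows as (src_zone, dst_zone, proto, dst_port).
# Everything else that crosses a zone boundary is denied. Entries are assumed.
ALLOW = {
    ("DMZ", "OT", "tcp", 502),  # DMZ data collector polls OT devices (Modbus/TCP)
    ("IT", "DMZ", "tcp", 443),  # IT analytics reads from the DMZ collector over HTTPS
}

# One connection attempt: source IP, destination IP, protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "UNKNOWN")

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the boundary policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "UNKNOWN":
        return "allow"  # intra-zone traffic is outside the boundary firewall's scope
    return "allow" if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOW else "deny"

def audit(flows):
    """Return the flows the policy would block; these are what a defender reviews."""
    return [f for f in flows if evaluate(f) == "deny"]

# Constructed sample flows resembling what a flow log or packet capture would show.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.1.10", "tcp", 3389),  # IT workstation -> OT HMI over RDP
    Flow("10.10.5.20", "10.20.1.10", "tcp", 502),   # IT host speaking Modbus directly into OT
    Flow("10.30.0.5", "10.20.1.10", "tcp", 502),    # DMZ collector -> OT device
    Flow("10.10.5.20", "10.30.0.5", "tcp", 443),    # IT -> DMZ collector
    Flow("10.20.1.10", "10.20.1.11", "tcp", 502),   # OT -> OT, same zone
    Flow("10.20.1.10", "10.10.5.20", "tcp", 445),   # OT device reaching back into IT (SMB)
]

for f in audit(SAMPLE_FLOWS):
    print(f"DENY {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Note that the second sample flow is denied even though port 502 is an expected OT protocol: the rule matches on zones as well as ports, so an IT host cannot talk to OT devices directly but must go through the DMZ collector.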
Content filtering should also be used to block malicious links and attachments sent via phishing emails and opened on the IT systems that sit within the OT network. This helps protect against the growing ransomware threat, as well as malware that steals user credentials and takes control of systems.
Multifactor authentication helps reduce the risk of weak security controls within SCADA devices. By requiring an additional factor beyond a username and password, multifactor authentication ensures that only those with appropriate permissions can access OT systems.
This is merely an introduction into the types of security controls needed to protect OT networks. GDS has extensive experience implementing security systems for organizations in oil and gas, maritime and other industry sectors that rely on operational technology. Let us help you reduce the risk of a cyberattack that could shut down your operations.