As I mentioned last time, the biggest difference between an OT environment and an IT environment is that the operating conditions of OT devices are tightly constrained. An OT device is expected to do nothing beyond the task it was deployed for.

In other words, in an OT environment that is connected neither to the Internet nor to the corporate network, the only requirement has been that each OT device performs its designed function. No other behavior is expected; on the contrary, the first design guideline is to eliminate, as far as possible, any resource consumption caused by behavior beyond that function.

In such an environment, the priorities are to keep the OT devices secure and to detect unexpected events as early as possible. Security measures in IT environments are far more mature, but because the OT environment differs from IT in the ways described above, measures must be chosen with those differences in mind.

Below are three techniques for securing an OT environment.

Separate the control network and the business network

The first, and most widely adopted, method is to separate the control network of the OT environment from the business network of the IT environment, either physically or logically. In OT this is taken for granted; in IT, isolating a network is the exception rather than the rule.

The phrase “logically separated” is used deliberately. In the past, it was common in OT to build a completely separate physical network for each OT device or system. A network split up per device, however, made it hard to grasp the overall picture of the OT environment, and its operation and management came to depend on the knowledge of individual staff.

To avoid this, the OT and IT environments should be logically separated while at least the underlying network infrastructure is unified, which pays off in both cost and operation.

A concrete method of logical separation is to install a firewall, a familiar device in IT environments, at the boundary between the networks to be separated (for example, between the OT environment and the IT environment), and to prevent the OT-specific protocols that run on the control network from flowing into the business network of the IT environment.

Most importantly, communication initiated from the business network of the IT environment toward equipment in the OT environment must be blocked completely. This prevents malware that has gotten into the IT side from spreading into the OT environment.

Tips: Data diode that allows only one-way communication

In the IT environment, communication is controlled with a firewall, but for OT environments there is a class of product called a data diode that allows communication in one direction only. With a data diode in place, data can flow only from the control network to the business network and never in the reverse direction, which secures the OT environment against inbound traffic.

  • “COLMINA Data Diode”, which implements complete one-way data communication with a data-diode mechanism in an FPGA

Introduce a passive monitoring device

The second method is to install a passive monitoring device to detect security incidents and anomalous events in the control network.

Today, many security products offered for OT environments provide this passive monitoring capability. Specifically, a SPAN port (port mirroring) is configured on the network equipment of the control network (a switching hub, for example), and the traffic flowing through the control network is copied to the monitoring device, which analyzes the packets from a security point of view.

You may wonder what can be learned by analyzing communication packets; in fact, a great deal.

First, you can create a communication map by visualizing which device talks to which, and with what protocol. As mentioned earlier, OT devices in control networks were often installed ad hoc by individual engineers. Under that kind of operation, it is difficult to know even how many OT devices exist, let alone which ones communicate with each other. With a monitoring device, the relationships between devices can be grasped visually.

Next, you can visualize “abnormalities” in communication. Communication observed during a defined learning period is recorded as “normal”, and communication that did not occur during that period is detected as “abnormal”. Unlike an IT environment, an OT environment has a limited set of communication partners and a limited traffic volume, so the start of communication with a device that has never communicated before can reasonably be judged an “abnormal” event.
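The communication map and the learning-period baseline described in the last two paragraphs come down to a few lines of logic. The following Python is an added example (it is not code from the original article or from any vendor product): it takes constructed flow records of the form (source, destination, protocol, destination port), as a passive sensor would extract them from mirrored traffic, builds the device-to-device map, and flags anything in later traffic that was not seen during the learning period. The addresses, protocols and device roles are invented for illustration.

```python
from collections import defaultdict

# Constructed flow records, in the form a passive sensor would extract from
# mirrored traffic: (source, destination, protocol, destination port).
# The addresses and protocols are invented for this example.
LEARNING_FLOWS = [                                    # seen during the learning period
    ("10.10.1.5", "10.10.1.20", "modbus/tcp", 502),   # HMI -> PLC 1
    ("10.10.1.5", "10.10.1.21", "modbus/tcp", 502),   # HMI -> PLC 2
    ("10.10.1.9", "10.10.1.20", "s7comm", 102),       # engineering workstation -> PLC 1
    ("10.10.1.5", "10.10.1.20", "modbus/tcp", 502),   # repeat of a known flow
]
LIVE_FLOWS = [                                        # seen after the learning period
    ("10.10.1.5", "10.10.1.20", "modbus/tcp", 502),   # normal
    ("10.10.1.77", "10.10.1.20", "modbus/tcp", 502),  # unknown host talking to PLC 1
    ("10.10.1.5", "10.10.1.21", "ssh", 22),           # known pair, protocol never seen before
]

def build_comm_map(flows):
    """Aggregate flows into {(src, dst): {(protocol, port): count}}, i.e. the
    communication map: which device talks to which, over what, and how often."""
    comm_map = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port in flows:
        comm_map[(src, dst)][(proto, port)] += 1
    return comm_map

def inventory(flows):
    """Every address that appeared on the wire, as a first asset inventory."""
    hosts = set()
    for src, dst, _, _ in flows:
        hosts.update((src, dst))
    return sorted(hosts)

def learn_baseline(flows):
    """Everything observed during the learning period is declared 'normal'."""
    return set(flows)

def detect_anomalies(baseline, flows):
    """Return (flow, reason) for each live flow that is not in the baseline,
    distinguishing a brand-new device pair from a known pair using a new protocol."""
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}
    alerts = []
    for flow in flows:
        if flow in baseline:
            continue
        src, dst, _, _ = flow
        reason = ("new communication pair" if (src, dst) not in known_pairs
                  else "known pair, new protocol/port")
        alerts.append((flow, reason))
    return alerts

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    print("inventory:", inventory(LEARNING_FLOWS))
    for (src, dst), protos in build_comm_map(LEARNING_FLOWS).items():
        print(f"{src} -> {dst}: {dict(protos)}")
    for flow, reason in detect_anomalies(baseline, LIVE_FLOWS):
        print("ALERT:", reason, flow)
```

Two caveats a practitioner should keep in mind. The baseline is only as trustworthy as the learning period: if an intruder was already active while the sensor was learning, that traffic is recorded as “normal”, so the learned map should be reviewed by someone who knows the plant before it is trusted. Conversely, legitimate but rare traffic (an annual maintenance connection, for instance) will raise an alert, so alerts are review items for the engineering team rather than automatic verdicts.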

Finally, monitoring communication packets means that you can observe the actual instructions (queries) being sent. Fortunately for the monitoring side, and unlike IT networks, communication on control networks is mostly unencrypted, because the designers did not want to spend the scarce resources of OT devices on it, so the details of each query can be inspected. Many OT security products also have their own security intelligence, which makes it possible to detect threats from the bit patterns contained in the communication.
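To make the point about inspecting queries concrete, here is an added Python example (not code from the article or from any product) that decodes Modbus/TCP requests, one of the common unencrypted control protocols, and flags write operations that target registers outside an allow-list. The sample frames and the approved register range are constructed for illustration; which registers may legitimately be written in a real plant is something only the plant's engineering team can supply.

```python
import struct

# Modbus/TCP frame: 7-byte MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU (function code + data). Protocol id is always 0
# and 'length' counts the unit id plus the PDU.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

def decode_modbus_request(frame):
    """Parse one Modbus/TCP request into a dict; raise ValueError on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "function": FUNCTION_NAMES.get(fc, "unknown"),
            "is_write": fc in WRITE_FUNCTIONS}
    if fc in (1, 2, 3, 4):                       # reads: start address, quantity
        info["address"], info["quantity"] = struct.unpack_from(">HH", pdu, 1)
    elif fc in (5, 6):                           # single writes: address, value
        info["address"], info["value"] = struct.unpack_from(">HH", pdu, 1)
        info["quantity"] = 1
    elif fc in (15, 16):                         # multiple writes: address, quantity, byte count, data
        addr, qty, byte_count = struct.unpack_from(">HHB", pdu, 1)
        if len(pdu) != 6 + byte_count:
            raise ValueError("byte count disagrees with PDU size")
        info.update(address=addr, quantity=qty)
        if fc == 16:
            if byte_count != 2 * qty:
                raise ValueError("register count and byte count disagree")
            info["values"] = list(struct.unpack_from(">%dH" % qty, pdu, 6))
    return info

def writes_outside_allowlist(frames, allowed_write_ranges):
    """Decode each frame and return the write requests whose target range is not
    fully inside one of the engineering-approved (first, last) address ranges."""
    alerts = []
    for frame in frames:
        req = decode_modbus_request(frame)
        if not req["is_write"]:
            continue
        first, last = req["address"], req["address"] + req["quantity"] - 1
        if not any(lo <= first and last <= hi for lo, hi in allowed_write_ranges):
            alerts.append(req)
    return alerts

# Constructed sample frames (not captured from a real network), all for unit id 1:
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000A")                   # read 10 holding registers from 0
WRITE_SETPOINT = bytes.fromhex("0002 0000 0006 01 06 0010 01F4")            # write 500 to register 0x0010
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0100 0002 04 0001 0002")  # write 2 registers at 0x0100
APPROVED_WRITE_RANGES = [(0x0010, 0x001F)]   # assumption: operator setpoints live here

if __name__ == "__main__":
    for frame in (READ_HR, WRITE_SETPOINT, WRITE_MULTI):
        print(decode_modbus_request(frame))
    for req in writes_outside_allowlist([READ_HR, WRITE_SETPOINT, WRITE_MULTI], APPROVED_WRITE_RANGES):
        print("ALERT: write outside approved range:", req["function"], "at", hex(req["address"]))
```

The length checks matter in a passive monitor: a truncated or deliberately malformed frame must be rejected rather than misread, or the monitor itself becomes the weak point. Note also that the decoder can tell a read from a write and see the exact target address and value, which is precisely the visibility that unencrypted control protocols give the defender.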

Get device status by querying OT devices directly

The final security method for an OT environment is to query the OT devices directly from a security product and obtain their status.

Because availability is paramount in OT environments, collecting information directly from OT equipment has traditionally been frowned upon: if a device stops as a result, the damage is far greater than it would be in an IT environment.

However, some OT security products can query OT devices directly and safely. Some security vendors call this “smart query” or “device query”. These vendors already support the proprietary protocols of many PLC and RTU manufacturers, and device status can be obtained by querying the devices in those protocols.

This technique of obtaining device information through queries has several advantages that the passive type cannot offer.

For example, OT devices that generate almost no traffic on the control network, or dormant OT devices, cannot be monitored passively. With device queries, information can be collected from those devices as well.

In addition, the passive type cannot detect attacks in which someone connects directly to an OT device and operates it without going over the network. In fact, on many OT devices, OS updates and software patches during maintenance are applied by inserting a USB memory stick directly into the device.

In that case, no communication appears on the control network at all. By exchanging information directly with the target OT device through queries, changes in the state of the device itself can be monitored. For example, you can quickly notice when an OT device has stopped or when a setting has been changed.
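As an added illustration of the active approach (this is example code, not the article's or any vendor's “smart query” implementation), the following Python polls a simulated PLC with read-only Modbus/TCP “Read Holding Registers” requests and reports any register whose value changed between polls. This is how a change made locally (for example via USB during maintenance) becomes visible even though nothing crossed the network. Both sides of the exchange are shown; the PLC is a stand-in class with constructed register values, and the register map and unit id are assumptions.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id.
MBAP = struct.Struct(">HHHB")

def build_read_holding_registers(transaction_id, unit_id, address, quantity):
    """Client side: a function-code-3 request, the read-only query the poller sends."""
    pdu = struct.pack(">BHH", 3, address, quantity)
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu

class SimulatedPLC:
    """Stand-in for the device being monitored (constructed, not a real PLC)."""
    def __init__(self, registers):
        self.registers = dict(registers)          # address -> 16-bit value

    def handle(self, frame):
        """Device side: answer a request frame with a response frame."""
        tid, proto, length, unit = MBAP.unpack_from(frame, 0)
        fc, address, quantity = struct.unpack_from(">BHH", frame, MBAP.size)
        if fc != 3 or not 1 <= quantity <= 125:
            # Modbus exception: function code with high bit set, then exception code
            # (0x01 illegal function, 0x03 illegal data value).
            pdu = struct.pack(">BB", fc | 0x80, 0x01 if fc != 3 else 0x03)
        else:
            values = [self.registers.get(address + i, 0) for i in range(quantity)]
            pdu = struct.pack(">BB%dH" % quantity, 3, 2 * quantity, *values)
        return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_read_response(frame, expected_tid):
    """Client side: extract register values, or raise on an exception response."""
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if tid != expected_tid:
        raise ValueError("transaction id mismatch")
    fc = frame[MBAP.size]
    if fc & 0x80:
        raise ValueError("device returned exception code %d" % frame[MBAP.size + 1])
    byte_count = frame[MBAP.size + 1]
    return list(struct.unpack_from(">%dH" % (byte_count // 2), frame, MBAP.size + 2))

class ConfigPoller:
    """Polls a block of holding registers and reports which addresses changed
    since the previous poll, as {address: (old_value, new_value)}."""
    def __init__(self, device, unit_id, address, quantity):
        self.device, self.unit_id = device, unit_id
        self.address, self.quantity = address, quantity
        self.tid = 0
        self.last = None

    def poll(self):
        self.tid = (self.tid + 1) & 0xFFFF
        request = build_read_holding_registers(self.tid, self.unit_id, self.address, self.quantity)
        values = parse_read_response(self.device.handle(request), self.tid)
        snapshot = {self.address + i: v for i, v in enumerate(values)}
        changes = {}
        if self.last is not None:
            changes = {a: (self.last[a], snapshot[a]) for a in snapshot if snapshot[a] != self.last[a]}
        self.last = snapshot
        return changes

if __name__ == "__main__":
    # Assumed register map: 0x0010 setpoint, 0x0011 alarm enable, 0x0012 spare.
    plc = SimulatedPLC({0x0010: 500, 0x0011: 1, 0x0012: 0})
    poller = ConfigPoller(plc, unit_id=1, address=0x0010, quantity=3)
    print("first poll (establishes snapshot):", poller.poll())
    plc.registers[0x0011] = 0                     # changed locally, nothing on the network
    print("after local change:", poller.poll())  # {17: (1, 0)}
```

Two points of practice follow from the availability concern raised above: the poller uses only a read function code, and a real deployment would run it at an interval agreed with the process owner and validated against the device vendor's guidance, because even a read-only query consumes a slice of the device's limited resources. The transaction id check and the exception handling are there so that a wrong or garbled answer is reported rather than silently taken as the device's state.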

  • “Tenable.ot”, which can protect the assets of both OT and IT

As described above, this time we have introduced three concrete methods for achieving security in an OT environment. Next time, in the final episode, I will talk about the future of OT security.

Author profile

Mamoru Kanooka

Security Engineer at the Japanese subsidiary of Tenable Network Security. In addition to Nessus, well known as a vulnerability scanner, he is in charge of the comprehensive security products that integrate IT and OT, such as Tenable.io, Tenable.sc, and Tenable.ot.