OT (operational technology) is responsible for critical processes that, if breached, could have catastrophic consequences, including loss of life. OT encompasses supervisory control and data acquisition (SCADA), industrial control systems (ICS), and distributed control systems (DCS). Emergency services, water treatment plants, traffic management, and other critical infrastructure rely on operational technology solutions to properly function.
Cyber-attacks on critical OT infrastructure have risen sharply, increasing 2000% in recent years. Audacious attacks have been launched on everything from nuclear plants to water treatment facilities. The attempted poisoning at a Florida water treatment facility was particularly alarming because of how easily the attacker gained sensitive access, through inadequate password management and a consumer-grade remote access tool already present in the environment, and how little sophistication it took to instruct the system to increase the amount of lye (sodium hydroxide) dosed into the water.
Why Cyber Risk to OT Systems is Increasing
For many years, industrial systems relied on proprietary protocols and software, were managed manually and monitored by humans, and were not directly connected to the public Internet. Back then, the only way to infiltrate an OT system was to obtain physical access to a terminal, which was no easy task. OT and IT (information technology) were rarely integrated and did not face the same kinds of vulnerabilities.
Today, it's a starkly different story as we see more industrial systems brought online to deliver big data and smart analytics as well as adopt new capabilities and efficiencies through technological integrations. This transition from closed to open systems has generated a slew of new security risks that are being actively targeted—often with success—by threat actors, and that need to be addressed.
As industrial systems become more connected, they also become more exposed to vulnerabilities. Add legacy equipment, safety regulations that may prohibit any modifications being made to equipment, and compliance regulations that require sensitive data to be made available to third parties, and you have quite a challenge on your hands.
Additionally, remote vendors, employees (operators), suppliers, and other contractors often access OT systems remotely to perform legitimate maintenance and other actions. Remote vendors and employees further complicate the situation by using personal devices (BYOD) and working from home networks that are not properly hardened. These remote connections have blurred IT-OT segmentation and expanded the attack surface, providing new entry points for attackers to exploit.
VPNs are often used for privileged remote worker or vendor access, but this is a poor fit for OT. A VPN authenticates a user (or merely a device) once and then grants network-level reachability, not access to a specific application or session, so it lacks granular access controls and cannot monitor or manage what happens inside the session. While a VPN provides a secure tunnel from one location to another, the access available once the tunnel is up is typically as broad as the network segment it lands on, which is unjustifiable for any sensitive environment, let alone OT systems. Of all users, privileged users, whether employee or vendor, pose the most risk: an attacker who compromises that worker's credentials or endpoint inherits whatever privileges the worker has and can use them to move laterally from the IT network to the OT and ICS systems on the production floor. Once in the ICS network, attackers can potentially monitor and manipulate operational components, reading commands or changing parameters, which can create dangerous process conditions, jeopardize the safety of plant personnel or the community, and cause monetary loss through shutdown or disruption of production.
4 OT Cybersecurity Best Practices
How can organizations securely address a large volume of operators, contractors, and vendors connecting remotely into their network, without the use of a VPN and without compromising processes, operations continuity, or inhibiting business agility or productivity?
At minimum, you need to know at all times who (identity) is doing what on your network, from what device, and when. And, critically, you need to be able to exercise complete, granular control over that access at all times—whether it is for an employee or vendor, and whether they are on site, or connecting remotely.
Here are four best practices for protecting Operational Technology environments from cyberthreats:
#1 Implement a Zero Trust Framework
While the zero trust security philosophy is commanding more attention and seeing increased adoption, most organizations remain stuck operating with the traditional network perimeter security model, using VPNs and similar tools to grant remote access.
Securing any network begins with understanding every connected user and device and every bit of data they are trying to access. This is a basic premise of any security framework—including zero trust. To truly embrace zero trust across your OT network, consider implementing the following:
- Apply network segmentation: broker access at the application level, independent of network access. This entails enabling contractors and vendors to reach only the applications and systems they need, without requiring complex firewall configurations or VPNs.
- Provide application-level micro-segmentation, which prevents users from discovering applications they are not authorized to access. In addition to protecting against malicious insiders or external threat actors, this step also helps protect the environment against human error, which is one of the leading causes of breaches and system downtime.
- Establish a centralized point of visibility and access for the different systems that require various connectivity methods. As more OT systems are integrated with IT systems to drive automation, efficiency, and lower costs, keeping those systems inventoried and reachable from the internet only by authorized users removes the most exposed part of the attack surface.
- Monitor and record all activities performed over remote access via on-screen video recording, keystroke logging, etc. Session monitoring is essential both for security and for compliance.
- Exert granular control over the sessions by enforcing least privilege and restricting commands that can be executed by identity/user.
- Implement API Security - Protecting APIs is essential to safeguarding the integrity of data communicated between IoT devices and back-end systems. Only authorized devices, developers, and apps should be permitted to communicate with specific APIs.
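The list above describes what a zero trust access path for OT looks like: per-identity access to named targets, no discovery of anything else, every command logged, and the ability to cut a session off. The following is an added example, not BeyondTrust's code and not taken from this page, of a minimal identity-aware access broker that implements those controls. The identities, hostnames, commands and policy are constructed for illustration; a real broker would front a jump host and proxy the actual protocol (SSH, RDP, vendor tooling) rather than gating command strings.

```python
"""Added example, not BeyondTrust's code: a minimal identity-aware access
broker for an OT network. All identities, hosts and commands below are
constructed for illustration; a real broker would front a jump host and
proxy the actual protocol instead of matching command strings."""
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field

# Constructed policy. Default is deny: an identity not listed here, or a
# target not listed under it, is unreachable. Commands are checked with
# re.fullmatch so "show status" passes but "show status; reboot" does not.
POLICY = {
    "vendor-hmi-support": {
        "targets": {"hmi-01.plant.local"},
        "commands": [r"show \w+", r"get config"],
    },
    "ops-engineer": {
        "targets": {"hmi-01.plant.local", "plc-07.plant.local"},
        "commands": [r"show \w+", r"set alarm_threshold \d{1,4}"],
    },
}


@dataclass
class Session:
    identity: str
    device_id: str
    target: str
    started: float = field(default_factory=time.time)
    active: bool = True
    denials: int = 0
    # Every attempted command is recorded, allowed or not: the session audit trail.
    audit: list[dict] = field(default_factory=list)


class Broker:
    def __init__(self, policy: dict = POLICY, max_denials: int = 2) -> None:
        self.policy = policy
        self.max_denials = max_denials
        self.connect_log: list[dict] = []   # who, from what device, to where, when

    def visible_targets(self, identity: str) -> set[str]:
        """Micro-segmentation: a user only 'sees' hosts they are allowed to reach."""
        return set(self.policy.get(identity, {}).get("targets", ()))

    def open_session(self, identity: str, device_id: str, target: str) -> Session | None:
        allowed = target in self.visible_targets(identity)
        self.connect_log.append({"ts": time.time(), "identity": identity,
                                 "device": device_id, "target": target,
                                 "allowed": allowed})
        # A denied connect returns None with no hint that the host exists.
        return Session(identity, device_id, target) if allowed else None

    def run(self, session: Session, command: str) -> dict:
        """Gate one command by identity, log it, and terminate the session on abuse."""
        if not session.active:
            return {"command": command, "allowed": False, "reason": "session terminated"}
        patterns = self.policy[session.identity]["commands"]
        allowed = any(re.fullmatch(p, command) for p in patterns)
        entry = {"ts": time.time(), "command": command, "allowed": allowed}
        session.audit.append(entry)
        if not allowed:
            session.denials += 1
            if session.denials >= self.max_denials:
                session.active = False      # repeated policy violations: cut it off
                entry["terminated"] = True
        return entry


if __name__ == "__main__":
    broker = Broker()
    s = broker.open_session("vendor-hmi-support", "vendor-laptop-1", "hmi-01.plant.local")
    for cmd in ("show status", "set alarm_threshold 50", "show status; reboot"):
        print(broker.run(s, cmd))
```

The point of the design is that the decision "may this identity run this command on this target" is made per command, by the broker, against a default-deny policy, and that the record of every attempt survives even when the session is killed. A VPN makes none of those decisions; once the tunnel is up, it has no view of the command at all.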
#2 Align the Right Remote Access Tools with the Right Use Cases
Over the last year, with the large-scale shift to remote work, VPN usage has spiked to an all-time high. Unfortunately, VPNs and other remote access technologies, like RDP, are being stretched beyond their legitimate use cases in ways that are clearly reckless. Nowhere is the risk more dangerous than within OT networks. VPNs and RDP should be eliminated from use in any instance involving privileged access or third-party access.
While adequate for providing basic remote employee access to non-sensitive systems (email, for example), VPNs lack the granular access controls, visibility, scalability, and cost-effectiveness demanded of third-party and remote worker access to OT/IoT devices. A VPN cannot enforce the granular least-privilege access, or the session monitoring and management, that is imperative for security and oversight of privileged user access.
#3 Understanding IT Security Versus OT Security
In most organizations, the policies and service agreements that govern IT systems do not extend to the operational technology environment, creating a security and management gap. Managing security and risk in OT environments isn't as simple as porting IT security best practices over to the OT system. Relying on consumer-grade remote access and support tools, and other such IT solutions, is certainly not adequate for protecting the most sensitive environments.
OT obsolescence periods are much longer than IT's. Legacy systems that have been in place for 20-25 years proliferate in OT environments; compare that to the IT world, where equipment rarely lasts more than five years. The result is a population of outdated, diverse endpoints for which patches are not available, or which cannot be updated because of limited compute power or because a change would invalidate a safety certification.
IT has had decades to mature security practices and minimize exposure. But the need to manage risk is universal, and organizations must adopt solutions and strategies to secure their OT environments based on their specific needs.
#4 Apply Robust Privileged Credential Management Practices – And No Password Sharing!
Password malpractice abounds in OT environments, and it continues to be a leading cause of breaches. Credentials are often shared internally and externally, and access is not limited to specific network devices or segments.
Reduce the risks associated with privileged credential compromise in your OT environment by safeguarding access to privileged account passwords and SSH keys. Implement an enterprise-grade privileged credential management solution that provides full control over system and application access through live session management, allowing administrators to record and document suspicious behavior and to lock or terminate sessions. Such a solution should also eliminate embedded and default passwords, and bring them under active, centralized management.
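To make the credential-management requirements concrete, the following is an added example, not BeyondTrust's code and not taken from this page, of a minimal privileged credential vault. It refuses to keep factory-default passwords, flags a password reused across accounts (the sharing the paragraph warns against), checks a credential out per session without ever returning the secret to the requesting user (the broker injects it), and rotates the secret on check-in so nothing a vendor might have seen remains valid. The account names, default-credential list and the "push new secret to device" step are constructed stand-ins for illustration.

```python
"""Added example, not BeyondTrust's code: a minimal privileged credential
vault for OT accounts. Accounts, the default-password list and the step
that would push a rotated secret to the device are constructed stand-ins."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed sample of vendor defaults; a real list would be device-specific.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}


@dataclass
class Account:
    target: str
    username: str
    secret: str
    rotated_at: float = 0.0
    checked_out_by: str | None = None


class CredentialVault:
    def __init__(self) -> None:
        self._accounts: dict[tuple[str, str], Account] = {}
        self._checkouts: dict[str, tuple[str, str]] = {}   # token -> account key
        self.audit: list[dict] = []

    def onboard(self, target: str, username: str, secret: str) -> Account:
        """Bring an account under management; a factory default is replaced first."""
        if (username, secret) in KNOWN_DEFAULTS:
            secret = secrets.token_urlsafe(24)   # never keep a default (assumed: pushed to device)
        acct = Account(target, username, secret, rotated_at=time.time())
        self._accounts[(target, username)] = acct
        return acct

    def is_shared(self, secret: str) -> bool:
        """The same password on more than one managed account is credential sharing."""
        return sum(a.secret == secret for a in self._accounts.values()) > 1

    def checkout(self, identity: str, target: str, username: str) -> str | None:
        """Return an opaque session token, never the password. One holder at a time."""
        acct = self._accounts.get((target, username))
        if acct is None or acct.checked_out_by is not None:
            self.audit.append({"identity": identity, "target": target, "event": "checkout-denied"})
            return None
        token = secrets.token_urlsafe(16)
        acct.checked_out_by = identity
        self._checkouts[token] = (target, username)
        self.audit.append({"identity": identity, "target": target, "event": "checkout"})
        return token

    def inject(self, token: str) -> tuple[str, str] | None:
        """Called by the broker or jump host, not the user, to open the session."""
        key = self._checkouts.get(token)
        if key is None:
            return None
        acct = self._accounts[key]
        return acct.username, acct.secret

    def checkin(self, token: str) -> bool:
        """Release the account and rotate its secret; the old one is now useless."""
        key = self._checkouts.pop(token, None)
        if key is None:
            return False
        acct = self._accounts[key]
        acct.secret = secrets.token_urlsafe(24)   # assumed: also pushed to the device
        acct.rotated_at = time.time()
        self.audit.append({"identity": acct.checked_out_by, "target": acct.target,
                           "event": "checkin-rotated"})
        acct.checked_out_by = None
        return True


if __name__ == "__main__":
    vault = CredentialVault()
    plc = vault.onboard("plc-07.plant.local", "admin", "admin")   # default gets replaced
    token = vault.checkout("vendor-1", "plc-07.plant.local", "admin")
    print("vendor receives token, not password:", token)
    print("broker injects:", vault.inject(token))
    vault.checkin(token)
    print("rotated; old token now returns:", vault.inject(token))
```

Two properties matter here. The user only ever holds a short-lived token, so there is nothing to write on a sticky note or paste into a chat; and because the secret is rotated at check-in, a credential captured from a vendor's compromised laptop during the session is worthless afterwards. Whether the rotation actually reaches a 20-year-old controller is the hard part in practice, and is exactly where the OT-specific constraints from the previous section bite.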
OT and Military-Grade Cybersecurity from BeyondTrust
BeyondTrust PAM solutions give OT security managers the tools they need to manage privileged access in a challenging OT environment.
To learn how BeyondTrust can help you secure privileged remote access for employees and vendors, enforce least privilege and application control across your OT environment, and ensure all privileged credentials and secrets are consistently secured and managed, contact us today.
Julissa Caraballo, Product Marketing Manager
Julissa Caraballo is a Product Marketing Manager at BeyondTrust. She has over 10 years of experience in software product marketing and lead generation. Previously, Julissa worked as a Marketing Director for a medical management software company. She holds a BA in Business Administration/Marketing and an MBA in Healthcare Management. Her certifications include Certified Digital Marketing Manager, Pragmatic Marketing Certified, and Certified Medical Practice Executive. She can be found on LinkedIn and all social media platforms.