Nowadays, there is no need to convince anyone that Cybersecurity must be a central point in the design, development and operation of any computer based system.
By its nature, the IT area has evolved in this direction over the last 20 years, and every IT manager works daily with cybersecurity parameters. Words like “patching”, “firewalling”, “policies”, “access control”, “log management” or “defense in depth” are in the vocabulary of any IT worker in any company in the world.
Sometimes these cybersecurity tasks lead to a loss of connectivity, which is normally solved in a few hours, during which workers can carry out other kinds of office tasks. The consequences of this loss of connectivity can be annoying, but never dire.
But when speaking about OT devices, everything changes. They are sensitive to change or traditional IT security scanning. They are highly integrated. They do operate many legacy operating systems due to long lifecycles. They include many embedded systems that cannot be scanned or managed in the same way a Windows PC or cloud server can. And the downside risk of acting on a false security alarm can be operationally devastating.
Under these conditions, Vulnerability Management becomes a huge task for cybersecurity managers, who spend much of their time just evaluating how to upgrade these legacy machines, or even evaluating the upgrading process itself.
Of course, there are several ways these managers can keep their systems as secure as possible. We can talk about countermeasures such as isolating these machines in secure network areas, analyzing their network traffic or installing an antivirus, measures that help keep these systems safe even if they aren't upgraded.
Unfortunately, not all of these machines can handle commercial antivirus. Antivirus software usually demands a lot of CPU, and therefore slows down system processes, which cannot be allowed in an OT environment.
Where the system cannot be upgraded or an antivirus installed, other types of internal countermeasures can be implemented (in addition to isolating the system behind a firewall). These countermeasures should act as a barrier within the device itself, making it stronger against any threat.
So, the idea here is to configure the system with only the minimal privileges needed to accomplish its mission: shutting down all unused services, forcing it to use the most advanced cryptography available, using advanced user authentication and authorization, recording logs for forensics, and so on. In this context, systems must follow the principle of least privilege.
Of course, not all systems will accept all of these requirements. But considering every possible countermeasure on each device is of vital importance for the whole system.
Some of the characteristics of this device hardening could be:
- Follow international standards. If possible, international standards and recommendations should be taken into account when implementing device hardening. It's not about making anything up, but about using community knowledge (and maybe the manufacturer's) for your purpose.
- Use native languages. If possible, native operating system commands should be used in the hardening process. This way, the system accepts the commands naturally, and these policies have very little impact on system performance.
- Acknowledgement procedures. Not only must hardening procedures be implemented, but also mechanisms to verify that the hardening process was successful.
- Rollback procedures. What happens if a rule (or set of rules) interferes with normal system behavior? Rollback procedures must be established so that there is a tool to return to the state prior to the hardening process.
- Automation. If possible, the whole process should be built in a way that frees the operator from the tedious process of hardening each similar device by hand. For this, automated procedures must be implemented for every type of device.
- Of course, the hardening process will depend on the capabilities of the devices and their role in the whole system. Working with a PLC is not the same as working with a temperature sensor. The effects of a threat on the two devices are different, and so are the consequences.
- The process will also depend on the manufacturer. Devices from some manufacturers are more advanced than others, and therefore have more hardening capabilities. Hardening a home appliance is not the same as hardening an industrial one. But in all cases, we will have to push the system to its limits as far as cybersecurity is concerned.
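As an added example (not part of the original article), the following POSIX shell script shows how the native-command, verification, rollback and automation points above can be combined into one hardening step: it backs up a configuration file, applies a setting with standard tools, verifies the result, and restores the backup automatically if verification fails. The sample `sshd_config` contents and the working directory are constructed for the demonstration; on a real device `CFG` would point at the actual file.

```shell
#!/bin/sh
# Hardening step with backup, verification and rollback (added example).
# The config file and its contents below are constructed for the demo.
set -u
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CFG="$WORKDIR/sshd_config"          # constructed sample config path
BACKUP="$CFG.pre-hardening"

# Constructed sample: weak defaults an unhardened device might ship with.
setup_sample() {
    printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$CFG"
}

# Read the current value of a key from the config, or "unset" if absent.
get_setting() {
    awk -v k="$1" '$1==k {print $2; f=1} END {if (!f) print "unset"}' "$CFG"
}

# Step 1: keep a copy of the original so the change can be undone.
backup_config() { cp "$CFG" "$BACKUP"; }

# Step 2: apply one rule using native tools, replacing or appending the key.
apply_setting() {
    key="$1"; val="$2"
    if grep -q "^$key " "$CFG"; then
        sed "s/^$key .*/$key $val/" "$CFG" > "$CFG.tmp" && mv "$CFG.tmp" "$CFG"
    else
        printf '%s %s\n' "$key" "$val" >> "$CFG"
    fi
}

# Step 3: acknowledgement; succeeds only if the file now holds the value.
verify_setting() { [ "$(get_setting "$1")" = "$2" ]; }

# Step 4: rollback restores the pre-hardening copy.
rollback_config() { cp "$BACKUP" "$CFG"; }

# Driver: harden one key, verify, and roll back automatically on failure.
# Returns 0 when the rule is applied and verified, 1 when it was rolled back.
harden() {
    backup_config
    apply_setting "$1" "$2"
    if verify_setting "$1" "$2"; then
        echo "applied: $1 $2"
    else
        rollback_config; echo "rolled back: $1"; return 1
    fi
}
```

The same driver can be looped over a list of key/value rules and over many devices, which is the automation the article asks for.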
In conclusion, we can say that given the nature of OT devices, it is always difficult for their managers to keep these systems safe from cyber threats. Many OT devices are too old, too critical or too weak to run conventional antivirus.
A good alternative to antivirus, which can also be used together with antivirus or other conventional countermeasures, consists of hardening the devices to be protected. Although the achievable hardening level will depend on the capabilities each manufacturer implements, it will always be necessary to reach the protection limits that each technology can offer.
Likewise, verification and rollback mechanisms will be necessary, as well as mechanisms that help operators automate the entire process.
Article by: Fagor Arrasate