- Operational technology (OT) is the hardware and software that monitors and controls physical processes in critical infrastructure. OT devices communicate over both open and closed protocols, and both threat actors and defenders end up specializing in the protocols their target sector uses.
- Safety is priority number one for OT professionals, with reliability a close second. Because OT is physical by nature, it carries physical security risks that must be mitigated with physical controls, not just network ones.
- Air-gapping the network is the classic recommendation from cybersecurity and OT professionals, but the trend toward IT/OT convergence and cloud-based computing is closing that option. Securing both OT and IT networks starts with finding where they have converged.
Operational Technology: Built to Last
“Operational technology” (OT) is a term that escapes easy definition.
In the briefest sense, OT is hardware or software that detects or causes change by directly monitoring and controlling physical devices and processes. The contrast with IT matters: IT protects data, intellectual property, and compliance, while OT drives organizational revenue in critical sectors like energy, manufacturing, and healthcare. It’s what makes the factories run.
OT has always been here: Long before the internet of things (IoT) — along with industrial and medical IoT variants — was a thing, OT was built. And it was built to last.
Giants like General Electric, Siemens, Mitsubishi, and Honeywell have all been operating for over a century. The ostensibly mysterious reason they are not using the latest technology is simple: their OT still works.
But it’s only now that OT professionals are having an awakening. They’re realizing that security has, for too long, been deprioritized. And now it’s coming back to bite the industry.
Just Following PrOTocol
There are a lot of protocols in OT — particularly for managing the OT subset of industrial control systems (ICS). But what exactly is a protocol?
Plainly, protocols are lists of rules for communication. They come in two varieties:
- Open protocols are publicly documented and widely used to network industrial equipment. One popular protocol created in 1979, called Modbus, is still used today in many devices despite addressing registers with only 16 bits (there is no 32-bit addressing) and, in its original form, carrying no authentication at all. It is an interoperability protocol, in the same spirit as XML and JSON: any vendor’s device that speaks it can exchange data with any other, so nobody has to care how a single system works internally.
- Closed protocols, such as Siemens’ own proprietary protocol, are less than ideal: once an organization has standardized on one, it cannot easily move from a badly performing vendor to a better-performing one, because the replacement equipment does not speak the same language.
Those securing or attacking systems have to pick specific protocols and markets. Protecting (or targeting) the oil and gas industry might mean focusing on the Siemens protocol; because it is closed, threat actors and cybersecurity professionals are both locked into the systems and tooling that speak it. Modbus, by contrast, is open and documented, which widens the scope of both protection and threat: anyone can implement it, defenders and attackers alike.
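To make the "open protocol" point concrete, here is Modbus/TCP framing written from the public specification: it builds and parses the two most common requests, Read Holding Registers (0x03) and Write Single Register (0x06). This is an added example for this article, not code from Modbus.org or any PLC vendor; the unit ID, register addresses and values are constructed for illustration. Two things to notice: every address is packed into 16 bits, which is the "no 32-bit addressing" limitation above, and nowhere in the frame is there a field for a credential or signature, so any host that can reach TCP/502 can issue a write.

```python
"""Modbus/TCP framing from the open specification: build and parse the
two most common requests, Read Holding Registers (0x03) and Write Single
Register (0x06).

Added example for this article, not code from Modbus.org or any PLC vendor.
The unit ID, register addresses and values are constructed for illustration.
"""
import struct

MODBUS_TCP_PORT = 502          # standard Modbus/TCP port
MODBUS_PROTOCOL_ID = 0         # MBAP protocol identifier for Modbus
MAX_REGISTER_ADDRESS = 0xFFFF  # addresses are 16-bit: no 32-bit addressing


def _mbap(transaction_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id, length (unit id + PDU), unit id.
    Note what is absent: there is no field for credentials or a signature."""
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID,
                       len(pdu) + 1, unit_id) + pdu


def _check_address(addr):
    if not 0 <= addr <= MAX_REGISTER_ADDRESS:
        raise ValueError("register address %d exceeds 16-bit space" % addr)


def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Function 0x03: read `count` 16-bit registers starting at `start_addr`."""
    _check_address(start_addr)
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return _mbap(transaction_id, unit_id,
                 struct.pack(">BHH", 0x03, start_addr, count))


def build_write_single_register(transaction_id, unit_id, addr, value):
    """Function 0x06: write one 16-bit value. Any host that can reach TCP/502
    can send this; the protocol itself never asks who the sender is."""
    _check_address(addr)
    return _mbap(transaction_id, unit_id,
                 struct.pack(">BHH", 0x06, addr, value & 0xFFFF))


def parse_frame(frame):
    """Decode an MBAP header and the PDU of a 0x03/0x06 request or an exception."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    pdu = frame[7:]
    func = pdu[0]
    out = {"transaction_id": tid, "unit_id": unit, "function": func}
    if func & 0x80:                       # exception response: function | 0x80
        out["exception_code"] = pdu[1]
    elif func in (0x03, 0x06) and len(pdu) == 5:
        addr, arg = struct.unpack(">HH", pdu[1:5])
        out["address"] = addr
        out["count" if func == 0x03 else "value"] = arg
    return out


if __name__ == "__main__":
    req = build_write_single_register(1, 1, 100, 42)
    print(req.hex(" "))                   # 00 01 00 00 00 06 01 06 00 64 00 2a
    print(parse_frame(req))
```

The parser validates only what the specification validates (protocol ID and length); there is nothing else to check, which is exactly why Modbus devices must sit behind segmentation and physical controls rather than rely on the protocol to tell friend from foe.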
There’s a PLC for Risk in Every Network
Programmable logic controllers (PLCs) are the OT built into the fabric of many industrial business processes. PLCs are connected by wire, and the choice of wiring depends on the environment in which the PLCs operate.
Connecting PLCs Safely and Reliably
If you want reliability, you can do worse than 18 gauge (ga) shielded two-conductor wiring.
Over its long life, 18 ga has risen significantly in price: about $400 for a 1000-foot spool, roughly double what category 5 cable (cat 5) costs. So why use the older, more expensive 18 ga over cat 5?
If it ain’t broke, don’t fix it: 18 ga has connected PLCs for a long time, and it works. A serial link carries a single protocol with no port numbers, and the setup avoids network collisions.
More bang for your buck: 18 ga goes further, supporting runs of about 1200 meters where cat 5 ethernet tops out at 100. 18 ga can run a network across an entire building.
Tough as nails: rebooting switches and routers is painstaking, but 18 ga eliminates the need for that additional infrastructure. Once a PLC network is up and running on 18 ga, it very rarely fails.
The number one priority for professionals working with OT is safety. Number two, and everything after it, is reliability. An 18 ga serial network is not fast like ethernet, but it is robust. When organizational security is on the line, robustness, not rapidity, is what keeps you safe.
PLC As OT Physical Security Risk
The beauty of PLCs is in their potential: If you understand how to operate PLCs, and can write code that harmonizes with how they operate, you can do anything. This is also their curse.
PLCs have terminals for power and network cables, and sensors are wired to their inputs. They are very physical in nature. PLCs measure temperature, air velocity, and chemical composition via these sensors, whose signals arrive at the controller as either binary (open or closed contact) or analogue (0 to 10 volt) values. A temperature reading is analogue; a fan being on or off is binary.
Once the inputs are wired up, the outputs — what is being controlled — are wired up as well. Then users write the code — giving particularly smart users a lot of freedom to be, well, smart. Smart users can be threat actors as well as enterprise technicians, infrastructure managers, and other OT professionals.
Some PLCs are programmed in text-based languages similar to Beginner’s All-purpose Symbolic Instruction Code (BASIC). Others use graphical programming, such as ladder logic, where users simply drag and drop blocks of logic. For those who would rather not write their own code, these graphical systems are useful.
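The paragraphs above describe the whole loop: wire the inputs, wire the outputs, write the logic. The following simulated scan cycle, an added example for this article and not any vendor’s PLC code, shows that loop in ordinary Python. The I/O map (a 0 to 10 V temperature sensor spanning -20 to 120 C, a binary fan-status contact, an e-stop contact), the scaling range and the control rule are all constructed for illustration. It also shows why "smart users can be threat actors": rung 2 is the safety interlock, and anyone who can rewrite the program can simply delete it.

```python
"""Simulated PLC scan cycle: read inputs, run the user's logic, write outputs.

Added example for this article, not vendor PLC code. The I/O map (a 0-10 V
temperature sensor, a binary fan-status contact, an e-stop contact), the
scaling range and the control rule are constructed for illustration.
"""


def scale_analog(volts, lo, hi, vmin=0.0, vmax=10.0):
    """Map a 0-10 V analogue input linearly onto the sensor's engineering range."""
    if not vmin <= volts <= vmax:
        raise ValueError("input %.2f V outside %g-%g V" % (volts, vmin, vmax))
    return lo + (hi - lo) * (volts - vmin) / (vmax - vmin)


def scan(inputs, state, setpoint=60.0, band=2.0):
    """One scan of the controller.

    inputs: {"temp_v": 0-10 V from a sensor spanning -20..120 C,
             "fan_running": bool contact from the fan starter,
             "estop_ok": bool, True while the emergency stop is released}
    state:  {"fan_cmd": bool} output latched from the previous scan
    Returns (outputs, new_state)."""
    temp_c = scale_analog(inputs["temp_v"], -20.0, 120.0)

    # Rung 1: hysteresis control so the fan does not chatter around the setpoint
    fan_cmd = state["fan_cmd"]
    if temp_c > setpoint + band:
        fan_cmd = True
    elif temp_c < setpoint - band:
        fan_cmd = False

    # Rung 2: the e-stop interlock overrides the control logic unconditionally
    if not inputs["estop_ok"]:
        fan_cmd = False

    # Rung 3: fault if the fan was commanded on last scan but the starter reports off
    fault = state["fan_cmd"] and not inputs["fan_running"]

    outputs = {"fan": fan_cmd, "alarm": fault, "temp_c": round(temp_c, 1)}
    return outputs, {"fan_cmd": fan_cmd}


def run(scans, state=None):
    """Feed a sequence of input snapshots through the scan loop; return the output history."""
    state = state or {"fan_cmd": False}
    history = []
    for inputs in scans:
        outputs, state = scan(inputs, state)
        history.append(outputs)
    return history


if __name__ == "__main__":
    for out in run([{"temp_v": 6.0, "fan_running": False, "estop_ok": True},
                    {"temp_v": 6.0, "fan_running": True, "estop_ok": True},
                    {"temp_v": 4.0, "fan_running": True, "estop_ok": True}]):
        print(out)
```

Real controllers run this loop thousands of times per second and the "state" lives in retentive memory, but the structure is the same: inputs are sampled, the rungs are evaluated top to bottom, outputs are written once at the end of the scan.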
A typical PLC comes with two similar-looking ports: an ethernet port (RJ-45) and a registered jack-11 (RJ-11) service port. The ethernet connection links the PLC to a hundred other controllers thousands of feet away, while the RJ-11 service port gives whoever is standing in front of the cabinet direct access to the controller and, through it, the network.
If a bad actor wanted to gain access to a network via a single PLC, all they’d need is a laptop with an adapter plugged into that RJ-11 port, and they’d have full access. There is no authentication once you get this far, so merely being able to reach the port is a huge security risk. That’s why, at this level, security must be physical: locked cabinets and controlled access to the floor.
It’s getting tougher to keep OT secure. Most security professionals have typically recommended air-gapping the network, but that is changing.
The cloud has rocketed in popularity, with cloud giants promising better management of users’ data through AI and ML, and every such integration removes the air gap. The trend toward convergence means ever fewer networks are as air-gapped as they claim to be, as organizations adopt more, and more tightly integrated, services.
Understanding and seeking out this convergence is the key to securing both OT and IT networks. If IT network traffic is showing up on the OT network, or vice versa, the organization needs to know. Effective monitoring of DNS traffic shines a light on converged OT networks: an OT host that suddenly resolves external names has a path to the outside, whether or not the network diagram admits it.
With air-gapping declining as a protection strategy, the alternatives must include network segmentation, intrusion prevention and detection, and physical security. Since agents cannot be installed on most OT endpoints, protection from outside the device is mission-critical.
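Here is what "monitoring DNS traffic for convergence" looks like as detection logic run over resolver logs. This is an added example for this article, not HYAS code; the subnets, zone names and log lines are constructed for illustration. It flags two conditions: an OT-segment host resolving a name outside the plant’s internal zones (it has a path out, whatever the diagram says), and an IT-segment host resolving a name in the OT zone (the segments can reach each other).

```python
"""Spot IT/OT convergence in DNS resolver logs.

Added example for this article, not HYAS code. The subnets, zone names and
log lines below are constructed for illustration. Two conditions are flagged:
an OT-segment host resolving a name outside the plant's internal zones, and
an IT-segment host resolving a name in the OT zone.
"""
import ipaddress
from collections import Counter

OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed OT address space
IT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed corporate IT space
OT_ZONES = ("plant.internal",)                        # assumed OT-only DNS zone
INTERNAL_ZONES = ("plant.internal", "corp.internal")  # all zones an OT host may use

# Constructed resolver log: timestamp, client IP, query name, record type
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.20.5.17 hmi-line3.plant.internal A
2024-03-01T08:00:02Z 10.20.5.17 updates.example-cloud.com A
2024-03-01T08:00:03Z 10.10.44.9 mail.corp.internal A
2024-03-01T08:00:04Z 10.10.44.9 plc-boiler1.plant.internal A
2024-03-01T08:00:05Z 10.20.9.2 telemetry.example-vendor.net A
2024-03-01T08:00:06Z 10.10.7.21 www.example.org A
"""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def in_zone(qname, zones):
    """True if qname is the zone apex or a name beneath it (case-insensitive,
    trailing dot tolerated); 'plant.internal.evil.example' does not match."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, ipaddress.ip_address(client), qname, qtype


def find_convergence(log_text):
    """Return (kind, timestamp, client, qname) tuples for every suspicious lookup."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _ = parse_line(line)
        if in_any(client, OT_SUBNETS) and not in_zone(qname, INTERNAL_ZONES):
            findings.append(("ot-host-external-lookup", ts, str(client), qname))
        elif in_any(client, IT_SUBNETS) and in_zone(qname, OT_ZONES):
            findings.append(("it-host-ot-lookup", ts, str(client), qname))
    return findings


def summarize(findings):
    """Count findings per kind; a non-empty result means the air gap is not real."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    for f in find_convergence(SAMPLE_LOG):
        print("%-24s %s %s -> %s" % f)
    print(summarize(find_convergence(SAMPLE_LOG)))
```

On the constructed log this reports two OT hosts reaching out to vendor and cloud names and one IT workstation resolving a PLC’s name, which is precisely the traffic a segmentation policy should have made impossible. In production the same logic runs against the resolver’s query log or passive DNS feed, with the subnet and zone tables taken from the real network inventory.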
One of the biggest security breaches of the last ten years, the 2013 Target breach that began with credentials stolen from a third-party HVAC contractor, happened at least in part because of a lack of network segmentation. Target was able to shift the blame to an OT company, but a small mechanical contractor shouldn’t take the hit for a failure of this magnitude. All organizations, regardless of size, must take responsibility for their security.