Cybersecurity intrusions against factories and critical infrastructure have been on the rise over the past decade. At the 2019 ARC Japan Forum in Tokyo last month, Trend Micro shared its cyber-defense approach with the Forum’s approximately 250 attendees from various industrial sectors. Significantly, this defense approach considers both the cybersecurity knowledge of information technology (IT) staff and the domain expertise of operational technology (OT) staff.
Considering the current trend toward the convergence of IT and OT in today’s plants and critical infrastructure, Trend Micro believes strongly that IT and OT must work together closely to get the best results. This is consistent with ARC’s own thinking. Trend Micro also believes that keeping the operation running even when an incident is happening is the key to prioritizing safety and availability in OT. But given a vulnerable OT environment and the inherent insecurity of many legacy OT assets, how can defenses be implemented to keep the operation running? In its ARC Tokyo Forum presentation, Trend Micro (a Platinum Forum Sponsor) stressed the following points:
- Effective segmentation to identify and secure mission-critical assets is a crucial step to contain the damage and keep the operation running.
- Virtual patching and whitelisting controls can help shield legacy OT devices.
- It takes both IT security expertise and OT domain knowledge to achieve the best defense for industrial control systems (ICS).
TXOne Networks: Trend Micro’s IT/OT Convergence
To be able to respond more effectively to today’s rapidly evolving ICS cybersecurity requirements, last year Trend Micro and Moxa combined the two companies’ many years of expertise in cybersecurity and operational technology, respectively, to create a new joint venture: TXOne Networks. Dr. Terence Liu, Vice President of Trend Micro and one of the speakers at the ARC Japan Forum, leads the new company. The sole focus of TXOne is to create solutions that help the industrial world secure automation and data exchange. Trend Micro will be white-labeling some of these products and combining them with existing products to address both IT and OT threats in enterprises.
Five ICS Cybersecurity Challenges
According to Dr. Liu, in its discussions with many end users over the last few years, Trend Micro has identified five main challenges in OT cybersecurity: legacy liability, lack of visibility, unclear responsibility, inadequate ability, and compromised productivity. Dr. Liu believes that legacy liability and lack of visibility, the two most common challenges mentioned, can be mitigated by modern technologies and equipment. The other three challenges involve leadership, resources, and priorities.
The roles and responsibilities of IT and OT people can differ from company to company, but need to be clarified. According to Dr. Liu, IT people often don’t understand OT operations, while OT people don’t fully understand cyber threats, and it’s not easy to recruit talent with appropriate expertise in both. Improving productivity is a priority, but implementing cybersecurity can get in the way. However, since effective OT cybersecurity is needed to avoid potential production outages, it is a must-have cost.
Vulnerable OT Environment and Legacy Liability
Further review is needed of legacy liability and visibility issues. Why is visibility important? If you don’t know what you have, how can you secure it? Visibility can have different meanings to different people. For example, if you buy an HMI for OT, OT personnel know how to use it. But for IT personnel, that’s not enough. They need to know more details about the HMI, such as its operating system. Is it Linux? Is it Windows? If it’s Windows, is it a new version like Windows 8 and 10, or a legacy one such as Windows 7, Windows 2000, or even Windows XP? Because Microsoft has stopped providing new patches for these legacy OSs, IT needs to provide more protection to the HMI. It could take a large manufacturing enterprise several years to investigate what it has in all its plants, which could be deemed too costly an undertaking.
According to Dr. Liu, legacy devices are typically the weakest and most vulnerable ones and, unfortunately, the security level of a system depends on its weakest link. Hackers are more likely to attack the point of weakness, typically the legacy devices rather than new, modern equipment. For those legacy devices, the two most severe issues are unpatched vulnerabilities and insecure authentication. Hackers can take control of these legacy devices by exploiting these vulnerabilities and weak authentication mechanisms.
Changing the Threat Landscape
The threat landscape has also changed. Targeted attacks on critical infrastructure have been happening since Stuxnet in 2010. The hacker groups behind these attacks are usually sponsored by nations. They build device-specific exploits to cause significant damage to power generation companies and other targets.
However, in the last couple of years, we’ve seen major security breaches on even new smart factories, resulting in hundreds of millions of dollars in damages. According to Dr. Liu, many of these attacks were not targeted at any specific factory, but propagated by worms such as NotPetya/WannaCry. Only recently have targeted attacks against smart factories started to emerge, carried out by ransomware such as LockerGoga. Driven by the convergence of IT and OT and the fact that OT environments haven’t traditionally focused on security, many insecure protocols, legacy operating systems, and new OT-specific vulnerabilities are being disclosed and exploited.
Dr. Liu also suggested how important it is to learn from IT cybersecurity experience. There are more than 40 major IT cybersecurity product categories, but the current focus of cybersecurity is still to discern traces of hacking from a large number of logs and events. While we can never prevent cyber incidents 100 percent, it’s important to do as much as possible. But it’s also critical to consider the best response when a hacker does eventually break into the OT.
Keeping the Operation Running, Even During an Incident
While IT security prioritizes confidentiality and integrity above availability, OT security prioritizes safety and availability above integrity and confidentiality. Trend Micro believes that keeping the operation running, even during an incident, is the key to safety and availability in the OT environment. Interrupted operations in energy sectors could jeopardize both public safety and the environment and interrupted operations in factories could have significant costs in lost revenues and poor customer satisfaction. But since most OT systems are so vulnerable, how can defenses be implemented to keep the operation running?
Fortifying Defense in Depth Against OT Cyber Threats
To illustrate the defense-in-depth concept needed to “keep the operation running,” Dr. Liu showed a picture of a model of the town of Los Millares, Spain, that existed around 5,000 years ago. He explained that defense in depth involved more than just securing the perimeter. Instead, there is layered protection.
Dr. Liu used the (literally) prehistoric defenses at Los Millares to help illustrate Trend Micro’s modern layered, defense-in-depth approach to cybersecurity. If you consider the outside wall as the perimeter defense of OT, then it is equivalent to level 4 (IT operations) in the Trend Micro scheme. The inside of the wall represents the level 3 manufacturing operations in the OT field, where the variety of OT servers are located. The innermost layer is equivalent to OT levels 0-2 (control and process), including field I/O, PLC controllers, and HMI/SCADA. Each layer, from level 4 through levels 0-2, deploys the functions of prevention, detection, and mitigation, respectively.
Between the IT enterprise security zone (levels 4 and 5) and the OT manufacturing security zone (levels 3 and 0-2), there is a prevention space in which to build the demilitarized zone (DMZ) and deploy a firewall or intrusion prevention system (IPS). The DMZ prevents IT from talking to OT directly. Level 3 of OT (the most likely layer for a hacker to connect to, according to Dr. Liu) deploys detection functions (including endpoint protection), detects network attacks, and detects command-and-control communications. The levels 0-2 security zone deploys mitigation functions through segmentation and containment, network whitelisting control, and lockdown of mission-critical assets.
Segmentation and containment mean dividing a large, flat level 2 network into multiple secured segments and applying virtual patching (IPS) to shield device vulnerabilities, block worms, and inspect popular protocols such as SMB and RDP. Industrial-grade hardware is also required in this zone. Network whitelisting control provides fine-grained access control at different levels, such as devices, communication protocols, and control commands. Lockdown of mission-critical assets secures control terminals or servers by “locking down” applications, processes, configurations, and so on. Only permitted USB devices and content are accessible in this case.
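To make the three mitigation layers concrete, here is an added example (not Trend Micro’s or TXOne’s code, and not from the presentation) of a small policy engine that evaluates constructed OT traffic records against the layered model described above: segmentation between the IT, DMZ, OT (level 3) and control (levels 0-2) zones, a virtual-patch rule that refuses SMB and RDP into the control segment, and a network whitelist of permitted devices, protocols and control commands. The host names, zone assignments and whitelist rules are assumptions made for the example; the Modbus function codes used as “commands” are the standard ones (3 = read holding registers, 6 = write single register, 16 = write multiple registers). It goes slightly beyond the text by also denying traffic from assets missing from the inventory, which ties the visibility problem discussed earlier to enforcement.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed asset inventory mapping each host to its zone in the layered model.
# Zone names follow the level scheme in the text: IT (levels 4/5), DMZ,
# OT (level 3), CONTROL (levels 0-2). All host names are invented.
ASSETS = {
    "erp-srv": "IT",
    "it-jump": "IT",
    "hist-dmz": "DMZ",
    "mes-srv": "OT",
    "scada-srv": "OT",
    "hmi-01": "CONTROL",
    "plc-01": "CONTROL",
}

# Zone-to-zone flows the segmentation design permits. Anything not listed is
# denied, so IT can never reach OT or CONTROL directly; it must go via the DMZ.
ZONE_FLOWS = {
    ("IT", "DMZ"), ("DMZ", "IT"),
    ("DMZ", "OT"), ("OT", "DMZ"),
    ("OT", "OT"), ("OT", "CONTROL"), ("CONTROL", "OT"),
    ("CONTROL", "CONTROL"),
}

# Protocols the virtual-patch/IPS layer refuses into the CONTROL segment by
# default: worms spread over them and legacy controllers cannot be patched.
IPS_BLOCK_INTO_CONTROL = {"smb", "rdp"}

# Network whitelist (assumed rules): (src, dst, protocol) -> permitted commands.
WHITELIST = {
    ("hmi-01", "plc-01", "modbus"): {3, 6, 16},   # operator HMI may read and write
    ("scada-srv", "plc-01", "modbus"): {3},       # SCADA server may only read
    ("mes-srv", "scada-srv", "opcua"): {"read"},  # MES pulls data from SCADA
    ("hist-dmz", "scada-srv", "opcua"): {"read"}, # DMZ historian mirrors SCADA
    ("erp-srv", "hist-dmz", "https"): {"GET"},    # IT reads the DMZ historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    command: object = None  # function code or verb; None for a bare connection


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason), applying the layers in order:
    segmentation -> virtual patch (IPS) -> network whitelist."""
    src_zone = ASSETS.get(flow.src)
    dst_zone = ASSETS.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # Visibility gap: an asset not in the inventory has no zone, so deny it
        # and surface it for inventory follow-up.
        return "deny", "unknown asset (not in inventory)"
    if (src_zone, dst_zone) not in ZONE_FLOWS:
        return "deny", f"segmentation: {src_zone} may not reach {dst_zone} directly"
    if dst_zone == "CONTROL" and flow.proto in IPS_BLOCK_INTO_CONTROL:
        return "deny", f"virtual patch: {flow.proto} blocked into CONTROL segment"
    allowed = WHITELIST.get((flow.src, flow.dst, flow.proto))
    if allowed is None:
        return "deny", "whitelist: no rule for this src/dst/protocol"
    if flow.command is not None and flow.command not in allowed:
        return "deny", f"whitelist: command {flow.command!r} not permitted"
    return "allow", "matched whitelist rule"


# Constructed sample traffic; the last five records are the kinds of behaviour
# the layered design is meant to stop.
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", 6),
    Flow("scada-srv", "plc-01", "modbus", 3),
    Flow("erp-srv", "hist-dmz", "https", "GET"),
    Flow("erp-srv", "plc-01", "modbus", 3),      # IT host reaching a PLC directly
    Flow("it-jump", "hmi-01", "rdp"),            # IT host reaching an HMI directly
    Flow("scada-srv", "plc-01", "modbus", 16),   # read-only peer attempting a write
    Flow("mes-srv", "hmi-01", "smb"),            # SMB into the control segment
    Flow("unknown-box", "plc-01", "modbus", 3),  # asset missing from inventory
]


def run_policy(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return a list of (flow, decision, reason)."""
    return [(f, *evaluate(f)) for f in flows]


def deny_count(flows=SAMPLE_FLOWS) -> int:
    """Number of flows the layered policy denies."""
    return sum(1 for _, decision, _ in run_policy(flows) if decision == "deny")


if __name__ == "__main__":
    for f, decision, reason in run_policy():
        print(f"{decision:5} {f.src:>11} -> {f.dst:<10} {f.proto:<7} {reason}")
```

The ordering of the checks mirrors the layers: a flow that fails segmentation never reaches the whitelist, which keeps the innermost rules small and reviewable. On the sample traffic the three legitimate flows are allowed and the other five are denied, each with the layer that caught it named in the reason.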
According to Dr. Liu, this layered structure provides pragmatic defense in depth to enable OT to continue operating to maintain safe operations, even during a cybersecurity incident in an industrial factory or critical infrastructure.
ARC Advisory Group clients can view the complete report at ARC Client Portal
Keywords: Cybersecurity, Legacy Liability, Virtual Patch, Whitelisting, ICS, Demilitarized Zone (DMZ), Defense in Depth, Lockdown, ARC Advisory Group.