Securing OT: Five Key Areas to Fortify Industrial Control System Environments

In the field of critical infrastructure, the security of operational technology (OT) is paramount. The growing convergence of IT and OT, coupled with escalating global tensions, has led to a surge in cyber threats targeting critical infrastructure worldwide. Notably, 2023 witnessed a staggering 50 percent rise in reported ransomware attacks.

Here are five critical areas to focus on when securing your OT environment.

Asset Management and Risk Assessment

Asset management forms the foundation of effective security in operational technology environments. Yet, many organisations struggle with this aspect due to the diverse nature of technologies and devices deployed across multiple sites globally. Understanding these assets - from programmable logic controllers (PLCs) to human-machine interfaces (HMIs) - is essential for conducting thorough risk assessments.

Risk assessments in OT environments involve identifying vulnerabilities, exploits, and known issues associated with each asset. This process enables organisations to develop risk management strategies tailored to their specific threats. Industry standards such as ISA/IEC 62443 provide frameworks for conducting risk assessments and implementing risk management strategies effectively.

Access Control and Segmentation

Controlling access to OT systems is crucial for preventing unauthorised modifications or breaches that could disrupt operations or compromise safety. Implementing robust access controls based on the principle of least privilege ensures that only authorised personnel have the necessary permissions to perform specific tasks. Enforcing stringent password policies and integrating multi-factor authentication (MFA) fortify this principle, mitigating insider threats and limiting the potential impact of external attackers.

Segmentation of OT networks into isolated zones or environments is another critical aspect of access control. By segmenting the network according to functional areas or security levels, organisations can contain cyber threats and prevent lateral movement within the network. Following standards such as NIST SP 800-82 and ISA/IEC 62443 ensures that segmentation zones and conduits are designed and implemented effectively to enhance security.

In addition to segmentation, regulating and monitoring outbound communication is vital. This involves analysing default routes, gateways, firewall rules to external networks, and proxy configurations to prevent unauthorised data exfiltration and maintain network integrity.

Security Patching and Updates

Maintaining up-to-date software and firmware is essential for addressing known vulnerabilities and mitigating risks in OT environments. However, patching and updating systems in OT can be challenging, especially for legacy equipment that may not support automatic updates or require careful consideration of system criticality and potential impacts.

Organisations must develop a systematic approach to patch management, prioritising critical vulnerabilities and conducting thorough testing before deploying patches. In cases where patching is not feasible or may introduce operational risks, compensating controls such as network segmentation or application whitelisting can reduce the exposure of the unpatched system.

Network Monitoring and Anomaly Detection

Real-time monitoring and intrusion detection are essential for detecting and responding to cyber threats in OT environments. By monitoring network traffic, system logs, and events, organisations can identify indicators of compromise (IOCs) or abnormal behaviour that may indicate a security incident.

Deploying intrusion detection systems (IDS) and intrusion prevention systems (IPS) enables organisations to detect and block suspicious activities before they escalate into full-blown cyber attacks. Additionally, utilising anomaly detection techniques such as behaviour-based analytics and machine learning enhances the ability to identify deviations from normal patterns, empowering organisations to respond swiftly and effectively to emerging threats.
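As an added illustration of the behaviour-based anomaly detection described above (example code written for this page, not from the original article or any vendor product), the following learns a baseline of Modbus/TCP conversations between OT hosts and flags live flows that deviate from it; the hosts, addresses and flow records are all constructed.

```python
WRITE_CODES = {5, 6, 15, 16}  # Modbus coil/register write function codes

# Constructed baseline flows captured during a known-good window:
# (source host, destination PLC, Modbus function code). Addresses are made up.
BASELINE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 3),   # HMI polls PLC-A holding registers
    ("10.10.1.20", "10.10.2.6", 3),   # HMI polls PLC-B
    ("10.10.1.30", "10.10.2.5", 16),  # engineering workstation writes to PLC-A
    ("10.10.1.40", "10.10.2.5", 3),   # historian reads PLC-A
]

# Constructed live flows to evaluate against the baseline.
LIVE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 3),   # routine polling: expected
    ("10.10.1.20", "10.10.2.5", 6),   # HMI host starts writing: never seen writing
    ("10.10.1.30", "10.10.2.7", 16),  # known writer targets an unseen PLC
    ("10.10.1.40", "10.10.2.6", 3),   # historian reads a new PLC
    ("10.10.9.9",  "10.10.2.5", 3),   # host never seen in the baseline at all
]

def build_baseline(flows):
    """Learn the normal (src, dst, fc) triples, known hosts and known writers."""
    allowed = set(flows)
    hosts = {s for s, _, _ in flows} | {d for _, d, _ in flows}
    writers = {s for s, _, fc in flows if fc in WRITE_CODES}
    return allowed, hosts, writers

def classify(flow, baseline):
    """Return None for expected traffic, otherwise a severity-tagged reason."""
    allowed, hosts, writers = baseline
    src, dst, fc = flow
    if flow in allowed:
        return None
    if src not in hosts:
        return "HIGH: source host absent from baseline"
    if fc in WRITE_CODES and src not in writers:
        return "HIGH: write command from host that only ever read"
    if fc in WRITE_CODES:
        return "MEDIUM: known writer using new target or function"
    return "LOW: new read relationship"

def detect(flows, baseline):
    """Evaluate every flow and keep only those that deviate from the baseline."""
    alerts = []
    for flow in flows:
        reason = classify(flow, baseline)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts

if __name__ == "__main__":
    for flow, reason in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{reason:<52} {flow}")
```

The severity ordering reflects the page's point about HMI manipulation: a write command from a host that never wrote during the baseline, or from a host never seen at all, deserves the fastest response.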

Incident Response

Despite best efforts to prevent cyber incidents, organisations must be prepared to respond effectively when they occur. Establishing a well-defined incident response plan tailored for OT systems is a fundamental element of cybersecurity preparedness. This plan should outline roles, responsibilities, and communication channels for incident response team members and specify procedures for incident detection, containment, eradication, and recovery.

Regular testing of the incident response plan through tabletop exercises and simulation drills ensures that all team members are prepared to respond effectively in real-world scenarios. Additionally, robust backup and disaster recovery mechanisms must be in place to support business continuity in the event of cyber incidents or disruptions to OT systems.

How can cyber threats affect your business?

In recent years, the OT cyber landscape has seen a rise in threat groups targeting critical infrastructure worldwide. Among these, APT44, also known as ‘Sandworm’, has emerged as a significant concern, leveraging weak control system security to infiltrate and disrupt OT systems.

A notable incident occurred between 17 and 18 January 2024, when a group known to be associated with APT44 claimed responsibility for manipulating human-machine interfaces (HMIs) controlling OT assets in Polish and U.S. water utilities. These claims were supported by videos posted to the threat actors' communication channels, showing disruptive interactions with the HMIs.

The group then released a further video on 2 March 2024, alleging disruption of electricity generation at a French hydroelectric facility by manipulating water levels. Whilst these claims, and any direct link to APT44, could not be verified, subsequent incidents reported by the U.S. utilities lent credibility to the seriousness of the threat. Approximately two weeks after the U.S. targeting claim, a local official confirmed a "system malfunction" resulting in a tank overflow at one of the victim facilities. Investigations revealed a series of cyber incidents affecting multiple U.S. water infrastructure systems, reportedly stemming from vulnerabilities in vendor software that facilitated remote access.

Instances like these, showcasing the capability to influence critical real-world processes, highlight the increasing sophistication and danger of threat actors like APT44. The targeting of critical infrastructure presents formidable challenges to cybersecurity, demanding robust defence mechanisms to safeguard vital OT assets.

Conclusion

Securing operational technology requires a comprehensive and multifaceted approach that addresses all five critical areas identified above. Industry standards such as ISA/IEC 62443, NIST SP 800-82, NERC CIP, the NIST Cybersecurity Framework, and the upcoming NIS2 Directive provide valuable guidance for implementing best practices and ensuring compliance with regulatory requirements.

This article was written by Marc Geggan

Get in touch

Our team specialises in OT security and understands the unique challenges facing your critical infrastructure. Contact us today to schedule a consultation and learn more about how we can help fortify your OT environment. 
