Over the past decade, automation systems have been undergoing profound transformations: the advent of “smart” technologies and the need for increasingly connected and interconnected systems has meant that, even in the industrial world, people are beginning to talk about cyber security.
Technical evolutions often move in tandem with “cultural” revolutions that force us to question practices and ways of thinking that have been in use for decades.
With the advent of cyber security, the world of automation, which has always been very traditionalist and true to the motto “if it works, don’t fix it,” has had to revolutionize its views and learn to move into new territories.
Those who use and manage systems every day, the end-users, when faced with these new issues, too often find themselves unprepared.
Therefore, effective solutions need to be found that do not disrupt what you have and what you do.
The need is to be quick, do the job well, and spend little. How?
It all starts with a correct view of one’s situation and being well-organized. Cyber security is not made up of technical measures alone; installing an antivirus or segmenting a network with a firewall are just the final acts in a much more complex process.
IEC 62443 proposes a cyclical approach for defining and implementing a cyber security management system, which starts with the risk analysis process.
In particular, in order to get a clear picture of where risks and critical issues lie within an organization, a high-level risk analysis, as prescribed by the IEC 62443 standards, should be carried out.
The question that arises is: in this context, what constitutes risk? In the perspective of cyber security, we can define it as the possibility of a threat causing negative consequences by exploiting vulnerabilities in a system.
In “mathematical” terms:
Risk = Threat x Vulnerability x Consequences
The first step in this process is the development of a “business rationale,” which consists of expressing in objective terms the possible consequences that a cyber attack may have for a business, regarding, for example, impacts on business continuity, safety, environment, or product quality.
These consequences can be expressed in terms of:
- Thousands of euros lost due to plant downtime;
- Safety impacts depending on the extent of injuries to people or the number of potential fatalities;
- Time required (days, months, years), when it comes to the environment, for damage recovery;
- Estimated time in which production could be compromised before detection of noncompliance.
Representing the impacts in these terms is critically important, especially if top management is to be involved in the processes of defining and implementing a cyber security plan, because it allows them to grasp at a glance the maximum extent of the consequences of a cyber attack.
Once the consequences are defined, how do we proceed?
It is necessary to analyze the context and define which “assets” are the most critical and most impactful; a manufacturing company, for example, might consider the different production lines in its plant as critical assets.
Criticality scores can be assigned to each of the lines based on the criteria defined in the business rationale, depending on the incident scenarios resulting from cyber compromises. The overall criticality, during the high-level risk analysis, will be the one defined by the “worst case.”
Once the critical assets are known, the credible threats to which the context under consideration is exposed should then be analyzed.
To identify them, one can rely on historical data, on reports issued by international authorities dealing with Cyber Security, such as ENISA (European Union Agency for Cybersecurity), or on experience and knowledge of the specifics related to the systems under consideration.
In the case of critical infrastructures such as water and power distribution systems, threats may come from terrorism or rival nations, especially in times of high geopolitical tension; in industries where competition is strong or where brand reputation is crucial, threats from unfair competitors cannot be ruled out.
No one left out: many cyber security threats are shared by everyone
Unfortunately, criminal hacker organizations acting for profit have shown their full destructive potential in recent years. Ransomware is now a real threat to any organization and, in particular, to those with obsolete and out-of-date systems, as is often the case in the industrial world. Unintentional threats are inevitable: they often arise from employees compromising systems while acting in good faith and with little awareness. In the analysis, threats can also be ranked with a score.
The combination of consequences and threats allows us to already define an initial risk profile for individual assets and assign them a “Security Level,” as per the IEC 62443 standard.
Security Levels are a classification based on four levels, which the standard gives us to schematically define the level of countermeasures to be applied to a system and their functional requirements.
The last step in the analysis is to make a general assessment of the countermeasures already in place and the macroscopic state of vulnerabilities both related to the systems and the organization. In this last phase, aspects such as the obsolescence of operating systems and patching and backup policies, network segmentation, use of Wi-Fi, and purely organizational aspects such as the effectiveness of staff training activities and the presence of effective recovery and incident response plans will be evaluated and ranked with appropriate coefficients.
This last phase allows the overall risk profile of the plant to be defined and provides an initial identification of the systems and areas that need to be focused on, with a view to maximizing the protection of the system.
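As an added example (not from the article), the following Python script works through the high-level analysis just described for two constructed production lines: impacts from the business rationale are scored with the worst case taken as the line's criticality, a threat score and vulnerability coefficients are combined with the Risk = Threat x Vulnerability x Consequences formula, and the result is mapped onto a Security Level. All thresholds, weightings, factor names and the risk-to-Security-Level mapping are assumptions for illustration, not values from IEC 62443.

```python
from statistics import mean

def consequence_score(euro_lost: float, injuries: int,
                      env_recovery_days: int, quality_exposure_days: int) -> int:
    """Map the business-rationale impacts (continuity, safety, environment,
    product quality) onto a 1..4 scale. Thresholds are assumptions."""
    continuity = 1 if euro_lost < 1e4 else 2 if euro_lost < 1e5 else 3 if euro_lost < 1e6 else 4
    safety = 1 if injuries == 0 else 2 if injuries < 3 else 3 if injuries < 10 else 4
    environment = (1 if env_recovery_days == 0 else 2 if env_recovery_days <= 30
                   else 3 if env_recovery_days <= 365 else 4)
    quality = (1 if quality_exposure_days == 0 else 2 if quality_exposure_days <= 1
               else 3 if quality_exposure_days <= 7 else 4)
    # High-level analysis: the overall criticality is the worst case.
    return max(continuity, safety, environment, quality)

def vulnerability_score(factors: dict) -> float:
    """factors: name -> weakness in [0, 1] (1 = nothing in place).
    Returns 1..4; equal weighting of the factors is an assumption."""
    return 1 + 3 * mean(factors.values())

def risk_score(consequence: int, threat: int, vulnerability: float) -> float:
    # Risk = Threat x Vulnerability x Consequences, as stated in the article
    return threat * vulnerability * consequence

def security_level(risk: float) -> int:
    """Assumed mapping of the 1..64 risk range onto the four Security Levels."""
    if risk < 8: return 1
    if risk < 24: return 2
    if risk < 48: return 3
    return 4

def analyse_line(name: str, impacts: dict, threat: int, factors: dict) -> dict:
    c = consequence_score(**impacts)
    v = vulnerability_score(factors)
    r = risk_score(c, threat, v)
    return {"line": name, "consequence": c, "threat": threat,
            "vulnerability": round(v, 2), "risk": round(r, 1),
            "security_level": security_level(r)}

# Constructed sample: two lines of one plant; threat is the analyst's 1..4
# ranking of the credible threat (ransomware ranked 3 here).
PACKAGING = analyse_line("packaging",
    dict(euro_lost=50_000, injuries=0, env_recovery_days=0, quality_exposure_days=0), 3,
    {"obsolete_os": 1.0, "patching": 0.75, "backup": 0.5, "segmentation": 1.0,
     "wifi": 0.5, "training": 0.75, "ir_plan": 1.0})
REACTOR = analyse_line("reactor",
    dict(euro_lost=2_000_000, injuries=5, env_recovery_days=200, quality_exposure_days=10), 3,
    {"obsolete_os": 0.5, "patching": 0.5, "backup": 0.25, "segmentation": 1.0,
     "wifi": 0.0, "training": 0.5, "ir_plan": 0.75})

if __name__ == "__main__":
    for line in (PACKAGING, REACTOR):
        print(line)
```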
Let’s look at a concrete example of a case that actually happened
The figure depicts the network of a manufacturing plant before the implementation of cyber security countermeasures.
The historian servers and engineering workstations (EWS) of the plant’s various production lines, here referred to as the “Cell Area,” sit on a “flat,” non-segmented network connected to the plant IT network, from which personnel from the engineering offices make remote connections to the plants.
Some remote connections are made through the plant VPN, mainly for monitoring and maintenance purposes.
The critical issues that emerged during analysis on this network are poor segmentation, lack of segregation between the IT and OT parts, and the absence of a DMZ dedicated exclusively to OT services.
Based on these considerations, a proposal for a revised network architecture, inspired by the Purdue reference model, was developed to ensure better segmentation and better-defined segregation between areas. In detail, it can be seen that the “cell areas” have each been confined to a dedicated VLAN (OT Network) and that a firewall has been provided for each cell to enable its segregation. The cell firewall then defines a local DMZ on which the services that need to be accessed from networks at higher layers are placed.
To separate the OT from the IT sphere, a main firewall was then provided, on which a DMZ dedicated to the OT was also created, containing the services common to all lines, such as the centralized historian, the production data database, a suitably protected file server, and the server dedicated to updates of the Windows operating systems present on some of the machines in the OT perimeters.
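As an added example (not from the article), this Python snippet models the proposed architecture as zones and conduits with a default-deny policy and adds a structural check a reviewer would run on the ruleset: IT traffic terminates in the OT DMZ, a cell VLAN is entered only from its own local DMZ, and cells never talk to each other directly. Zone names, service names and the permitted conduits are assumptions chosen to match the description.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str      # source zone
    dst: str      # destination zone
    service: str  # service carried on the conduit

# Assumed zones: plant IT, the OT DMZ behind the main firewall, and for each
# cell a local DMZ plus the cell VLAN behind the cell firewall.
# Conduits explicitly permitted; anything not listed is denied.
ALLOWED = {
    Flow("IT", "OT_DMZ", "central_historian"),
    Flow("IT", "OT_DMZ", "file_server"),
    Flow("OT_DMZ", "CELL1_DMZ", "historian_collect"),
    Flow("OT_DMZ", "CELL2_DMZ", "historian_collect"),
    Flow("CELL1", "OT_DMZ", "windows_update"),
    Flow("CELL2", "OT_DMZ", "windows_update"),
    Flow("CELL1_DMZ", "CELL1", "engineering"),
    Flow("CELL2_DMZ", "CELL2", "engineering"),
}

def is_allowed(flow: Flow, rules=ALLOWED) -> bool:
    """Default-deny: a flow passes only if it sits on a listed conduit."""
    return flow in rules

def flat_network(flow: Flow) -> bool:
    """The pre-remediation flat network, simplified: every zone reaches every other."""
    return True

def cell_of(zone: str) -> str:
    return zone.split("_")[0]

def rule_violations(rules) -> list:
    """Flag conduits that contradict the segmented design."""
    issues = []
    for r in rules:
        if r.src == "IT" and r.dst != "OT_DMZ":
            issues.append(f"{r}: IT traffic must terminate in the OT DMZ")
        if r.dst.startswith("CELL") and not r.dst.endswith("_DMZ") \
                and r.src != r.dst + "_DMZ":
            issues.append(f"{r}: {r.dst} may only be entered from {r.dst}_DMZ")
        if r.src.startswith("CELL") and r.dst.startswith("CELL") \
                and cell_of(r.src) != cell_of(r.dst):
            issues.append(f"{r}: direct cell-to-cell conduit (lateral movement)")
    return issues

if __name__ == "__main__":
    for p in (Flow("IT", "CELL1", "remote_desktop"), Flow("CELL1", "CELL2", "smb")):
        print(p, "flat:", flat_network(p), "segmented:", is_allowed(p))
    print("ruleset issues:", rule_violations(ALLOWED))
```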
What solutions could be used to put this architectural proposal into practice?
The idea of TXOne
There are many direct competitors or nation-states that would have an interest in slowing down or altering the quality of domestic products or damaging their critical infrastructure.
It is therefore essential to view Industrial Cybersecurity not as a mandatory cost but as an enabler of the Digital Transformation. Losing production days is a huge risk to the company, and this risk must be reduced or eliminated with preventive actions.
How can one defend against a ransomware attack?
Top management should demand that the company be organized so that production or service delivery never stops, but this is not always the case: people think that cyber attacks concern “others,” when reality indicates just the opposite. All companies can be attacked at any time, so a prevention-based approach is now mandatory.
TXOne Networks’ goal is to defend critical infrastructure, industrial production (by avoiding plant downtime) and, worldwide, vertical industry segments from the complex and volatile threats in Industrial Control Systems (ICS) cybersecurity.
Founded in 2019 as a joint venture between Trend Micro, the World Leader in Cybersecurity, and Moxa, the World Leader in Industrial Connectivity, TXOne Networks has evolved into a stand-alone brand with a focus on ICS/IIoT adaptive cybersecurity solutions for the OT (Operational Technology) sector.
As a global pioneer of the “OT Zero Trust Cybersecurity” approach to preserve the integrity of critical assets and operational technology (OT), TXOne Networks provides the most advanced solutions to meet the needs of organizations in preparing for, preventing, and responding to cybersecurity threats and risks of operational disruption. In 2022, TXOne Networks was recognized by CRN as an Emerging Vendor in the security category.
The company works for a wide range of customers: large corporations and international conglomerates, and upstream, midstream and downstream supply chains in various industries.
TXOne OT Zero Trust
As the boundaries between Information Technology (IT) and Operational Technology (OT) become less and less defined, it is difficult for companies to find OT Security and OT Native solutions that ensure the IT security of industrial plants while keeping them running smoothly.
TXOne Networks focuses precisely on the defense of critical infrastructure and ensures the reliability and safety of ICS and OT environments through the uniqueness of its “OT Zero Trust” approach.
The four Pillars of TXOne OT Zero Trust are:
- Inspection: Scan all devices you want to connect to the network to block insider threats and to prevent supply chain attacks
- Isolation: Trust List of endpoints and networks by specifying what is allowed and blocking everything else.
- Segmentation: Micro-segmentation to improve protection from the network by turning vulnerable zones into safe zones, preventing attackers from moving laterally and spreading malware.
- Reinforcement: Protecting legacy endpoints that cannot be “patched” without disrupting their operation.
To simplify, we can say that our OT Zero Trust approach is based on the concept of “access allowed only to authorized persons” (least privilege), i.e.:
- Verification of information released by equipment suppliers
- Default-deny approach: i.e., denying traffic which is not expressly permitted
- Micro-segmentation of the network and Virtual Patching
- Network Whitelisting
In OT Security, it is critical to have a strategic vision that accompanies and justifies the technological choices and cybersecurity implementations made, with the goal of preventing Cyber Events from happening or adjusting the Industrial Cybersecurity infrastructure to mitigate any attacks that were not able to be avoided altogether.
In summary, we think it is necessary to define a:
- Network Security Strategy: based on network segmentation and virtual patching, for mitigating cyber attack risk, containing malware, and protecting vulnerable assets by detecting and blocking lateral movement
- Endpoint XDR Security Strategy: based on trust lists and the hardening of critical assets to defend against unknown attacks and to keep mission-critical assets operational
- OT Auditing Strategy: based on supply chain inspection, for inbound/outbound auditing and inspection activities
TXOne solutions to support OT zero trust approach
In the daily conversations we have with our customers, it emerges that industrial endpoints are often not protected by antivirus and antimalware, and that the industrial network is “flat,” i.e., not segmented, allowing attackers to enter from any network vulnerability and gain visibility over the entire infrastructure. In addition, it is not possible to inspect endpoints that cannot receive any agent providing adequate protection. OT protection is often left to firewalls alone, which originate in the IT world and are often used in OT as well.
A recent survey Trend Micro conducted in the U.S., Europe, and Japan found that less than 50 percent of plant managers had installed antivirus on ICS endpoints, 61 percent of respondents had experienced a cyber event, and 75 percent of cyber incidents halted production.
TXOne Networks Cares About Keeping Plants Running
TXOne offers Native OT solutions, i.e., not derived from the IT world, for the protection of industrial endpoints: the Stellar solutions cover endpoints running Windows XP, Windows 7 and later. These are next-generation, industrial-grade antivirus/antimalware products that enable secure authentication of ICS assets based on a root of trust and advanced threat analysis, protecting OT resources without interrupting operations.
With regard to Network Infrastructure Defense, we make use of the TXOne EDGE series solutions, which allow the ICS network topology to be segmented into different zones, so that both north-south and east-west traffic can be protected while reducing the risk of attack. The main solutions available are EDGE IPS, EDGE Pro, EDGE Pro 216 and EDGE Fire.
Regarding Endpoint Audit Inspection, the reference solution is called Portable Security, a USB stick containing antivirus/antimalware to inspect endpoints that cannot receive an agent installation. In the PRO version it also allows “secure” transfer of files up to 64 GB. Portable Security extends OT visibility and ensures the integrity of data in transit while minimizing the impact on production.
Deployment model
TXOne Networks’ solutions are designed to be deployed in levels 1 (basic control), 2 (supervisory control), and 3 (production operations and site control) of the Purdue Model.
The foundation of any Smart Factory is based on collecting, sharing and analyzing data, which is often complicated by the presence of resources from various manufacturers working in a wide range of conditions and situations. With the OT Zero Trust approach, assets can be inspected upon arrival and the network can be segmented with all-terrain solutions to protect the flow of data at the shop floor level (data in use, data in transmission, and data at rest).
TXOne’s OT Native technology helps technical staff in centrally managing OT Cybersecurity Defense of a vast number of legacy and modern assets, which run side by side, without disrupting operations.
This contribution has been made in collaboration with TXOne Networks.