Securing Operational Technology (OT) networks is definitely “a thing” these days. OT environments include specialized equipment (e.g. PLCs) that monitors and controls production facilities such as refineries, manufacturing plants and utilities. The stakes are high: a compromise can halt production or create a safety hazard. To be sure, it’s not that CISOs wake up and decide they need more work. Instead, enterprise risk management frameworks are identifying significant risk associated with OT cybersecurity, and the IT Security team is then tasked with assessing and reducing that risk.
In parallel, recent high-visibility ransomware attacks on critical infrastructure have put OT security on everyone’s radar. The Colonial Pipeline attack has been the most visible but there are plenty more that go unreported. The US federal government has certainly taken notice, issuing the “Executive Order on Improving the Nation’s Cybersecurity” in May 2021. Section 7 focuses on Detection:
While the executive order’s direct impact is on federal agencies and their supply chains, it’s reasonable to expect that private sector critical infrastructure providers will follow suit as a best practice.
Lowering OT cyber-risk is not easy. We could write an entire blog just on the challenges, but these are the most important:
- Concern that security controls will somehow cause production system failures, taking down the facility;
- The wide variety of esoteric, proprietary OT devices and protocols;
- Poor or out of date documentation of the OT deployment;
- Onerous and inflexible change control procedures;
- The difficulty or impossibility of deploying typical controls, such as agents or network scanning.
In the face of these headwinds, Deception as a risk reduction strategy makes a lot of sense. It sits alongside the production systems rather than on or in line with them: no agents on controllers and no in-line appliances. This is crucial to alleviating concerns about negative impact to the plant. It also provides visibility into what’s on the network and how those devices communicate, because anything that touches a decoy has no legitimate reason to do so. Furthermore, because Deception can be deployed in both IT and OT networks, it can cover the IT/OT network interface, a key attack vector.
Acalvio’s strategy for Deception centers on flexible customization. Because OT environments vary so widely, deploying a turn-key solution and expecting it to be credible is unrealistic. We recommend a mix of low-interaction decoys for scale, and higher-interaction decoys that leverage custom web interfaces and golden images. Furthermore, custom breadcrumbs can be deployed on either the IT or OT side to lure adversaries to the decoys. Breadcrumbs are static artifacts rather than running software, a far lower-touch insertion than agents, and they pose little production risk.
With respect to deployment best practices, Deception decoys should be placed near remote access termination points, in addition to the IT/OT interface (Level 3.5, the industrial DMZ, in the Purdue model). These two network locations are where most OT intrusions enter. Devices that accept USB drives (e.g. certain types of PLCs) should also be shadowed with decoys.
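To make the “low-interaction decoy” idea concrete, here is an added example (written for this post, not Acalvio or ShadowPlex code) of a minimal Modbus/TCP decoy: it answers holding-register reads with plausible values, answers everything else the way a real PLC answers an unsupported request, and emits an alert for every touch. The device identity, unit id, register contents and severity scheme are all assumptions made up for the example; the Modbus/TCP framing is per the public specification.

```python
"""Minimal low-interaction Modbus/TCP decoy (added example, not a product's code).

A decoy PLC has no legitimate clients, so any connection is worth an alert and
any write is unambiguously hostile. The decoy emulates just enough Modbus to
look real to a scan or a register read.
"""
import json
import socket
import struct
import threading
from datetime import datetime, timezone

# Hypothetical decoy identity: a pump-skid PLC with a few believable values.
DECOY_UNIT_ID = 1
HOLDING_REGISTERS = [0] * 64
HOLDING_REGISTERS[0:4] = [1250, 37, 2, 900]  # made-up setpoint, temp, state, rpm

FUNCTION_NAMES = {
    1: "READ_COILS", 3: "READ_HOLDING_REGISTERS", 4: "READ_INPUT_REGISTERS",
    5: "WRITE_SINGLE_COIL", 6: "WRITE_SINGLE_REGISTER", 15: "WRITE_MULTIPLE_COILS",
    16: "WRITE_MULTIPLE_REGISTERS",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
ILLEGAL_FUNCTION = 0x01       # Modbus exception codes
ILLEGAL_DATA_ADDRESS = 0x02


def parse_request(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, function, data).

    MBAP header: transaction(2) protocol(2) length(2) unit(1), then the PDU
    (function code(1) + data). Returns None for a malformed frame.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7], frame[8:]


def build_response(tid, unit, function, data):
    """Build the reply frame: real data for FC3 reads, a Modbus exception otherwise."""
    if function == 3 and len(data) == 4:
        start, count = struct.unpack(">HH", data)
        if 1 <= count <= 125 and start + count <= len(HOLDING_REGISTERS):
            regs = HOLDING_REGISTERS[start:start + count]
            pdu = bytes([3, 2 * count]) + struct.pack(">%dH" % count, *regs)
        else:
            pdu = bytes([function | 0x80, ILLEGAL_DATA_ADDRESS])
    else:
        # Answer like a real PLC does to an unsupported request, so the
        # attacker keeps probing instead of moving on.
        pdu = bytes([function | 0x80, ILLEGAL_FUNCTION])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def handle_request(frame, peer="unknown"):
    """Process one frame. Returns (response bytes or None, alert dict)."""
    alert = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer}
    parsed = parse_request(frame)
    if parsed is None:
        alert.update(severity="LOW", event="MALFORMED_FRAME", raw=frame.hex())
        return None, alert
    tid, unit, function, data = parsed
    hostile = function in WRITE_FUNCTIONS
    alert.update(
        unit=unit,
        function=FUNCTION_NAMES.get(function, "FC_%d" % function),
        event="WRITE_ATTEMPT" if hostile else "PROBE",
        severity="HIGH" if hostile else "MEDIUM",  # assumed severity scheme
    )
    return build_response(tid, unit, function, data), alert


def _session(conn, addr):
    with conn:
        while True:
            frame = conn.recv(260)  # one request per recv is good enough for a decoy
            if not frame:
                return
            reply, alert = handle_request(frame, "%s:%d" % addr)
            print(json.dumps(alert))  # a real deployment forwards this to the SIEM
            if reply:
                conn.sendall(reply)


def serve(host="0.0.0.0", port=502):
    """Listen like a PLC, one thread per connection. Port 502 needs privileges."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_session, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two points a practitioner should take from this: the decoy never initiates traffic and never touches a real controller, which is what keeps it out of the production change-control path; and the alert logic is trivial precisely because the host has no legitimate users, so a single read from the IT side of the DMZ or from a remote-access jump host is already a high-fidelity signal.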
Whatever method is used for OT risk reduction, make sure you partner with the OT Operations staff throughout the process. Take the time to explain the implications of your security controls, and be prepared for push back on change control requirements and timing. And seek to provide value to Operations wherever possible. Information such as device inventories, identification of unsupported or unused legacy gear, and data flow mapping is useful for improving operational hygiene and availability. With a bit of effort, the term “IT/OT Convergence” can become a reality instead of an oxymoron.
Finally, as organizations transition from passive to Active Defense security postures, keep in mind that advanced deception solutions fit this paradigm particularly well. Active Defense involves adversary engagement and containment, which are both things that ShadowPlex excels at.