Industry 4.0 Blog#2: Visibility & Security Coexisting in Manufacturing
It used to be said that - when there is a conflict between security and ‘getting the job done’ - getting the job done always wins. But the world has changed. Security is now a top consideration when setting up new systems and processes. Operational technology (OT) and digital transformation are no exception.
Securing plant floor equipment, sensors, and data collection devices adds complexity to getting all the different pieces communicating properly. There are legitimate concerns about the cost of data cabling, securing legacy devices, communications being unexpectedly blocked when security devices are added, and potentially exposing formerly air-gapped devices to the entire internet.
In an industrial setting, security and visibility can coexist. This blog will show you how to achieve that objective.
Simple AND Secure is Rare
One way or another, security has always been a roadblock to getting work done. Passwords are more annoying than no passwords. Longer, more complicated passwords are more annoying than simple passwords. And waiting for the text message that confirms your long, complex password is the most annoying of all. Sadly, that is the world we live in.
There is a trade-off between security and usability. It creates friction between getting the job done and doing things in a way that denies bad actors the success they are after.
So how do we reduce the friction to make security seamless and transparent to the end-user?
Resolving Tradeoffs between Ease-of-Access and Security
First, let’s revisit the challenges that have held back OT initiatives in the past…
- Connecting legacy devices to the network without a simple, effective way to secure them
- Getting equipment physically connected to the network because of cost and difficulty
- Keeping some of the most important devices “air gapped” due to security concerns
- IT talent with deep experience with OT is in short supply and high demand
- Building a simple, consistent method for connecting devices when the network and security infrastructures differ across many locations and diverse operations, each with its own network technologies and policies.
Advances in technology have made each of these past limitations easier to address.
Securing Legacy Devices
Legacy controllers lack Wi-Fi, so they must be connected via Ethernet. The combination of cabling cost and poor built-in security has limited how many of those devices are put onto the network, and with them how much of the benefit of digital transformation could be realized.
Before 2022, most OT network security projects were attempted by repurposing IT network security technologies: NAC, VPNs, internal firewalls, and so on. IT security assumes that each device on the network can secure itself. Windows, macOS, and the like have their own security software that can be expanded and upgraded as bad actors' methods have advanced; that is not true of most OT equipment. Other factors, such as how devices are added to the network or how support is provided, required long, complex processes to be set up whenever changes were needed. That can work in IT, but operators cannot wait on hold with the support desk while equipment is offline.
OT network security solutions have advanced significantly in the last two years. To learn more about how to upgrade to today's best practices in securing your OT network, click here. Blog #3 also covers how to harden your OT network.
Data Cabling Cost & Difficulty
Many machines can be connected via Wi-Fi, but the same issues that limit legacy devices apply: a machine on Wi-Fi that is not properly secured raises the risk to the whole network. And the cost and disruption of properly dropping cabling for direct connections is often prohibitive.
The resolution for this is the same as for legacy devices.
Air Gaps
“Air gaps” have long been thought of as a highly secure method of protecting devices. In practice, however, maintaining an air gap is prone to human error and to complicating factors such as unknown and unmonitored points of entry. Two problems with air gapping stand out:
- An operator of an air-gapped device might install a “backdoor” to make operating or monitoring the device more convenient. Or, in the rush to get a machine back to full operation, a temporary bypass of the air gap might be left in place and forgotten.
- Air-gapped equipment is less likely to be patched and to have its configuration monitored. Adversaries have exploited manual updating by poisoning USB memory devices, among other techniques.
A consensus is building that actively monitoring a device lowers its risk profile more than relying on it remaining in its intended air-gapped state.
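What “active monitoring” of a supposedly air-gapped cell can look like in practice, as an added example that is not part of the original blog or any vendor's product: baseline which addresses the isolated segment is allowed to talk to, then flag every flow that crosses that boundary to anyone else. The segment range, the approved peers and the flow records are constructed for illustration; a real deployment would feed in flow or span-port data captured from the cell. Both failure modes from the list above show up: the forgotten maintenance bypass appears as an unexpected internal peer, and a device reaching a public address appears as internet exposure.

```python
"""Detect drift from an intended air gap by baselining which addresses an
isolated cell is allowed to talk to and flagging everything else.

Added example; it is not code from the blog or from any vendor's product.
The segment ranges, approved peers and flow records below are constructed
for illustration. A real deployment would feed in flow or span-port data
captured from the isolated segment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed): the "air-gapped" cell is 10.20.30.0/24
# and is only ever expected to talk to itself and to one engineering
# workstation used for supervised maintenance.
ISOLATED_SEGMENT = ip_network("10.20.30.0/24")
APPROVED_PEERS = (
    ip_network("10.20.30.0/24"),   # intra-cell traffic
    ip_network("10.20.99.10/32"),  # engineering workstation
)
# RFC 1918 only. ipaddress's is_private also matches documentation and
# test ranges such as 203.0.113.0/24, which would hide a real exposure.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def _cell_peer(flow):
    """Return the address on the far side of the cell boundary, or None if
    the flow does not involve the isolated segment at all."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in ISOLATED_SEGMENT:
        return dst
    if dst in ISOLATED_SEGMENT:
        return src
    return None


def classify(flow):
    """None if the flow is consistent with the intended air gap, otherwise a
    short reason string describing how the gap has been bypassed."""
    peer = _cell_peer(flow)
    if peer is None or any(peer in net for net in APPROVED_PEERS):
        return None
    if not any(peer in net for net in RFC1918):
        return "internet-exposure"         # cell reachable from/to a public address
    return "unexpected-internal-peer"      # e.g. a forgotten maintenance bypass


def detect_drift(flows):
    """Aggregate alerts per (peer, reason) so a persistent bypass shows up as
    one finding with a count rather than one line per packet."""
    findings = {}
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            key = (str(_cell_peer(flow)), reason)
            findings[key] = findings.get(key, 0) + 1
    return findings


# Constructed sample flows: normal cell traffic, a supervised maintenance
# session, a forgotten remote-access bypass from a vendor laptop (twice), and
# a cell device reaching a public address.
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "10.20.30.6", 502, "tcp"),
    Flow("10.20.99.10", "10.20.30.5", 44818, "tcp"),
    Flow("192.168.1.77", "10.20.30.5", 502, "tcp"),
    Flow("192.168.1.77", "10.20.30.5", 502, "tcp"),
    Flow("10.20.30.6", "203.0.113.9", 443, "tcp"),
]

if __name__ == "__main__":
    for (peer, reason), count in sorted(detect_drift(SAMPLE_FLOWS).items()):
        print(f"{reason:26} peer={peer:15} flows={count}")
```

The point of keying the baseline on the cell's expected peers rather than on signatures is that the backdoor described above is not malicious traffic in any signature sense; it is ordinary Modbus or vendor-tool traffic from an address that should not exist on that segment. The explicit RFC 1918 list is deliberate: Python's `is_private` also covers documentation ranges, which would misclassify a real public address as internal.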
Growing IT/OT Expertise
It’s no secret that there has been a shortage of people who have deep knowledge and skills in manufacturing operations, information technology and cybersecurity.
As more experience is gained across the industry, those people are taking over leadership of OT security projects.
Recommendation: assign two individuals, one business and one technical, to lead your OT security initiatives. Encourage cross-functional collaboration between IT and manufacturing operations to evolve the tools and project methodologies. (See the section below, Where to Start and How to Accelerate Progress for Visibility AND Security.)
Simple, Consistent Setups Across Multiple Plants
Most factory networks “grew up” organically, piece by piece, without a consistent design and architecture, even though most organizations have worked hard to build consistency across their enterprise. Even in the most advanced organizations, it is common to find different network manufacturers, security technologies, and methods of securing and connecting to the wider network or the internet. When central data acquisition systems are tasked with connecting to equipment that lacks consistency, each connection requires a unique setup process that can take hours to execute properly because of the complexity and nuances of the configuration. Comparable challenges arise when setting up remote connections or uploading new files to machines. The lack of consistency creates complexity, and complexity is a significant obstacle to effective and sustainable cybersecurity.
State-of-the-art network security solutions provide the ability to create “overlay networks”. An overlay network runs over the internet and your private network to create virtual networks that are separate from the underlying physical network.
When the overlay network is done correctly, devices on it are set up with consistent names and addresses, and access is performed exactly the same way regardless of where a device is physically located. Once the setup for one type of device is defined, it is exactly the same for every other device of that type. Some manufacturers have found that this capability alone paid for the security project; in effect, all the other security features came free.
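To make the “consistent names and addresses, same setup per device type” idea concrete, here is an added example that is not code from the blog or from any vendor's overlay product. It assumes an overlay range of 100.64.0.0/10 with plant, line and device index packed into the host bits, a DNS-style naming scheme, a per-device-type policy table, and a WireGuard-style peer stanza as the enrolment artifact; all of those are constructed assumptions. Two PLCs in different plants with unrelated local addressing end up with the same access rules and differ only in name and overlay address.

```python
"""Give OT devices in many plants one consistent overlay identity and one
per-device-type access policy.

Added example; it is not code from the blog or from any vendor's overlay
product. The address plan (100.64.0.0/10, plant/line/index packed into the
host bits), the naming scheme, the device-type policy table and the
WireGuard-style peer stanza are all constructed assumptions used to show
the point: define the setup for a device type once, and every device of
that type gets the identical setup, with only its name and address
differing.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Assumed overlay range; chosen so it never collides with plant LANs.
OVERLAY = IPv4Network("100.64.0.0/10")

# Assumed policy per device type: which overlay role may reach the device
# and on which TCP ports. Anything not listed is denied.
DEVICE_TYPE_POLICY = {
    "plc":       {"historian": [502], "engineering": [502, 44818]},
    "hmi":       {"engineering": [3389]},
    "historian": {"engineering": [5432]},
}


@dataclass(frozen=True)
class Device:
    plant: int        # 1..63 under the assumed plan
    line: int         # 1..255
    index: int        # 1..254
    dtype: str        # key into DEVICE_TYPE_POLICY
    physical_ip: str  # whatever the plant LAN handed out; irrelevant to the overlay


def overlay_address(dev):
    """Deterministic overlay IP: plant in the second octet, line in the third,
    device index in the fourth. The same device always gets the same address
    no matter which plant LAN it sits on."""
    if not (1 <= dev.plant <= 63 and 1 <= dev.line <= 255 and 1 <= dev.index <= 254):
        raise ValueError(f"device {dev} is outside the assumed address plan")
    addr = IPv4Address(int(OVERLAY.network_address) + (dev.plant << 16) + (dev.line << 8) + dev.index)
    assert addr in OVERLAY
    return addr


def overlay_name(dev):
    """Stable DNS-style name derived from the same fields as the address."""
    return f"{dev.dtype}-p{dev.plant:02d}-l{dev.line:03d}-{dev.index:03d}.ot.example"


def access_rules(dev):
    """(role, port) pairs permitted to reach this device. Identical for every
    device of the same type, which is what makes the setup repeatable."""
    policy = DEVICE_TYPE_POLICY[dev.dtype]
    return sorted((role, port) for role, ports in policy.items() for port in ports)


def peer_stanza(dev, public_key):
    """Illustrative WireGuard-style [Peer] block for the overlay hub. Pinning
    AllowedIPs to the single /32 means the hub only accepts that overlay
    address from this key, so one device cannot impersonate another."""
    return (
        f"# {overlay_name(dev)}\n"
        "[Peer]\n"
        f"PublicKey = {public_key}\n"
        f"AllowedIPs = {overlay_address(dev)}/32\n"
    )


def build_plan(inventory):
    """Map every device to (address, rules) by name and refuse a plan in which
    two devices would collide on the same overlay address."""
    plan, seen = {}, {}
    for dev in inventory:
        addr = overlay_address(dev)
        if addr in seen:
            raise ValueError(f"overlay address {addr} assigned to both {seen[addr]} and {dev}")
        seen[addr] = dev
        plan[overlay_name(dev)] = (str(addr), access_rules(dev))
    return plan


# Constructed inventory: two PLCs in different plants with different local
# addressing, plus an HMI. The overlay treats them identically by type.
INVENTORY = [
    Device(3, 2, 7, "plc", "192.168.5.20"),
    Device(12, 1, 1, "plc", "10.77.4.250"),
    Device(3, 2, 8, "hmi", "192.168.5.21"),
]

if __name__ == "__main__":
    for name, (addr, rules) in build_plan(INVENTORY).items():
        print(f"{name:36} {addr:15} {rules}")
    print(peer_stanza(INVENTORY[0], "<device public key>"))
```

The historian in this scheme connects to `plc-p03-l002-007.ot.example` on port 502 the same way it connects to `plc-p12-l001-001.ot.example`, with no knowledge of either plant's local addressing; that is the “access is performed exactly the same way” property, and the collision check in `build_plan` is the guard that keeps the consistent addressing honest as plants are added.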
Where to Start and How to Accelerate Progress for Visibility AND Security
There are key steps to begin planning and deploying an upgrade to OT security. Successful initiatives follow a path similar to this:
- Step 1: Bring together a steering group of stakeholders (Heads of Manufacturing Operations, Networking, Support, Supply Chain; CIO; CISO; etc.) to address:
- Goals, priorities and limits to the scope
- Project planning & milestones
- Roles and setting a culture of stakeholder collaboration
- Project & technology selection process
- Step 2: Select a business lead and technology lead who have an excellent working relationship and collaborative styles.
- Step 3: Assess all your assets that will be a part of the OT initiative, including devices, applications, data, collectors, network & security components, internal and external support personnel, third parties, and documentation sources & processes.
- Step 4: Design the network and cyber security infrastructures. This will be covered in the very next blog in this series.
These Activities will Lead You to Success
- Emphasize collaboration. Make the best use of specific expertise in IT and manufacturing operations.
- Gain executive buy-in for the initiative, ideally led by an executive sponsor.
- Learn from organizations that have been down this path successfully: when to leverage IT, and where OT operations and practices need to go beyond IT's core competencies, beneficial as they are. The cross-functional experience that naturally evolves will benefit both IT and OT in unexpected ways.
- Build the design process to emphasize front-line operations personnel performing day-to-day cyber security administration.
- Even if remote and third-party access are not part of the initial OT security roll-out, pay attention to access from the “outside-in”. This is not an area you will want to revisit by redesigning your security architecture. Ideally, your cybersecurity technology stack should have this built in “from the ground up”, not as a third-party add-on, separate module, or other non-native approach to incorporating external access into the OT network. (This is covered in depth in Blog #4.)
Follow this blog series for a roadmap for creating a secure and manageable OT network. In our next piece, we address how to “harden the network”: putting the controls and protections in place to make the network much more resistant to malicious intent, with the objective of making a foothold so difficult to obtain that attackers abandon the attempt.
To learn more about how you can prevent malicious actors from gaining access and doing harm to your operations start here, follow Byos on LinkedIn to receive updates as the series continues, or talk to us.
This is the second of a six-part series laying the groundwork for a successful, secure “Industry 4.0 Digital Transformation” initiative. This second blog lays out the issues and tradeoffs between ease of access, visibility, and security, so that the security you put in place matches the risk your organization can accept. Expect practical, real-world insight from successful initiatives that you can use in your own.
#2 How Visibility & Security Can Coexist in Manufacturing (this blog)
Our objective is to provide you with information that you can use to communicate inside your organization where Industry 4.0 stands today, how to set the foundation for a successful program, and how to get started.