Written by Avraham Darmon, CTO & co-founder EasySec Solutions
In 2020, 17.7 billion industrial devices were connected to the Net. These devices are critical for factories and critical infrastructures in their digital transformation to industry 4.0, in order to increase their productivity, their product quality, and customer services. In smart factories, production line robots are connected to the network through their PLC and are often accessible by external entities through the Internet for predictive maintenance and remote support. In critical infrastructures, smart-grids are based on several million smart meters and power plants use hundreds of connected devices.
The same goes for water distribution infrastructures and treatment plants. Seaports have also accelerated their digital transformation due to strong competition between them and their imperative need to reduce their costs and increase their productivity. Several systems are already based on connected devices such as Harbor cranes, truck terminal seaport gates, goods tracking, and surveillance systems. This overconnectivity in critical infrastructures induces terrific cybersecurity challenges that can result in several hundred million dollars of damages on goods and human safety major risks.
Rich and diverse security solutions exist for IT networks such as antiviruses, anti-spams, OS firewalls (iptables in Linux and Windows Defender in Windows) are rich and diverse in the IT network and allow them to connect safely and securely to the internet while protecting the company assets. However, the IT and OT requirements are totally different. IT security is based on the three CIA principles: Confidentiality, Integrity, and Availability. In OT, the main requirements are SRP: Safety, Reliability, and Productivity. In critical infrastructures or industrial plants, a service interruption is just unacceptable. The robustness and the transparency of the security solution for OT devices are critical. Furthermore, most industrial IoT devices are closed systems without the ability of antivirus or antimalware installation or software upgrade. Consequently, the legacy devices which represent a large part of the industrial IoT and OT networks must be protected by external security components.
Over the last few years, international organizations such as NIST, IMO (International Maritime Organization), and ENISA (European Union Agency for Cyber Security) published guidelines to help seaports CISO to handle the cybersecurity risks. Currently, they have to be implemented.
The major risks of cyberattacks come from employees' laptops on which they receive their emails, watch films or browse the Net and, therefore, are exposed to the most classic hackers’ methods to send malware and penetrate the system in lateral attacks. In addition, these employees' daily tasks require Internet connectivity. For this reason, the basic cyber expert recommendation is to isolate the OT from the rest of the company network. The ultimate solution for very critical infrastructure is to work with a closed OT network disconnected from the internet. Although this recommendation may indeed reduce the attack surface, organizations don’t fully implement them: Even in critical infrastructures with isolated OT networks, you always need a few bridges to the IT network; according to the PURDUE model security, which is the reference architecture segregating the different business networks. In addition to the fact that the IT-OT isolation is not fully implemented, organizations often retain direct access from the Internet to some of their devices. In 2019, 40% of industrial sites had at least one direct Internet connection, and 84% with at least one remotely accessible device. Why? Because the full isolation of the OT network prevents these companies from benefiting from remote maintenance on these devices, predictive maintenance, or Cloud services usage.
During the COVID-19 confinement, most of the companies decided to open some remote access to OT devices in order to maintain their productivity. For instance, in 2020, the Iranian attempt to poison Israeli water by increasing the chlorine dosage inside started because some devices in the purification plant were exposed to remote access.
However, a Closed OT network reduces the attack surface. OT internal entities can initiate a cyberattack such as Stuxnet in Iran’s nuclear infrastructure in 2004. Today, the risks of insider attacks represent 60% of cyberattacks in organizations. An insider attack is not only initiated by some malicious employees. It may be the result of some harmless device in the OT network infected by malware. Since the OT traffic transits on the network in clear, the malware can scan it, identify the other devices in the network, and propagate to them in a lateral attack. After completing this crucial step, the malware can carry out cyberattacks like ransomware, spying, sabotage, etc. Therefore, in addition to the network isolation, other tools have to be used inside the OT network to prevent this kind of attack.
To do that, the current trend is to use several tools of IDS (Intrusion Detection System) and ADS (Anomaly Detection System) that monitor the network and raise alerts in case of security issues. However, these tools complement a preventive security solution, and cannot replace it. Would someone agree to replace their apartment's front door lock with a surveillance camera that would alert him when someone enters his home? The answer is clearly "no". Why? Because the front door lock proactively prevents intrusion, while the camera raises alerts only after the intruder is in. A security camera at an apartment entrance is a great additional security tool to provide information on intrusion attempts but cannot replace in any way the door’s lock. In the same way and for the same reasons, a network administrator would not be ready to replace the firewall at the entrance to the company network with an IDS that is only a complementary tool to the firewall preventive access control, but it cannot replace it.
For this reason and according to the zero-trust principle, the cybersecurity threats in OT cannot be handled based on a security perimeter because no confidence can be accorded to other network entities. Thus, to ensure preventive access control, the security enforcement point has to move from the network entrance to the device level. To prevent command and data sabotage during its exchanges, the device has to be the encryption point. Furthermore, moving the security enforcement point to the device level enables early detection and neutralization of cyberattacks. Finally, the implementation of these principles in a robust product solves the cohabitation challenge between cyber-protection and productivity. These security fundamental principles enable a secure transition to true Industry 4.0, protecting internal access and Internet connectivity in the same way.