There are continuous information security attacks against manufacturers around the world. For the manufacturing industry, it is not only necessary to consider the information security layout of the IT side, but also to strengthen the overall protection capability on the OT side to cope with the increasingly rampant cyber-attacks.
What is OT Information Security?
Operational Technology (OT) is the process of directly monitoring, and/or controlling physical equipment, processes, and events to detect or cause changes in hardware and software. OT is common in Industrial Control Systems (ICS). In critical infrastructure areas, OT can be used to control power plants or public transportation. With the development of this technology and its integration with network technology, the demand for OT security has grown exponentially.
The OT architecture can be mainly divided into three parts. The first layer is the service layer, such as applications and other services. The second layer is the ICS industrial control system. The third layer is the lowest level of equipment, devices, etc. In OT's attack, no matter what level of attack, it may cause the entire line to fail. Nowadays, many hackers’ cyber-attacks have risen to the level of government-level attacks between countries, and the attacks launched by the government are most likely to hit the bottom directly because it is expected that the entire system will crash and cause a larger-scale impact. It may cause people's livelihood problems, and even cause personal safety and other incidents to occur.
Convergence of IT-OT:
For years industrial systems have relied on proprietary protocols and software, managed, and monitored by humans, with no connection to the outside world. Therefore, they are trivial targets for hackers because there is no network interface to attack, and no interface to gain or destroy. The only way to infiltrate these systems is to gain physical intrusion into the endpoint. OT and IT integration are minimal and do not deal with the same types of vulnerabilities.
More and more industrial systems come online to deliver big data and smart analytics, and to adopt new capabilities and efficiencies through technology integration. The convergence of IT-OT provides organizations with a single view of industrial systems, as well as process management solutions. To ensure accurate information is delivered to people, machines, switches, sensors, and equipment at the right time and in the best format. When IT and OT systems work together, new efficiencies can be discovered, systems can be remotely monitored and managed, and organizations can achieve the same security advantages as managing IT systems. This transition from closed to open systems creates many new security risks that need to be addressed.
Why is OT's Information Security Important?
As industrial systems become more interconnected, they also become more vulnerable to attack. The high cost of industrial equipment, and the disruption an attack can cause to communities and economies, is a key factor for organizations seeking to protect their industrial networks. Adding legacy equipment, security regulations that may prohibit any modification to the equipment, and compliance regulations that require sensitive data to be given to third parties will be challenging.
OT information security focuses on protecting industrial networks without disrupting operations or risking breaches. Using fully visible, network control traffic solutions, and establish the correct security policy. Develop an effective OT strategy to protect your business processes, people, and profits, and dramatically reduce security breaches and incidents.
OT information security must be Top-down, not Bottom-up in the past. In addition to patching existing vulnerabilities, architectures such as zero trust and micro-segmentation should be introduced, or technical programs such as machine learning and automation should be used to better understand attack methods or abide by the law to minimize risks. The field of OT and the deployment of information security are relatively fragmented, and more and more new types of technologies will be added to the environment. Both the information security industry and the enterprise must keep pace with the times to prevent congestion threat of cyber-attacks.
Difference Between IT and OT:
The computer and data network are called IT (information technology); the operation and program control of ICS (industrial control system) are generally called OT (operational technology). OT employs a proprietary software and hardware architecture, executed in isolated and independent networks, with goals and requirements that are completely different from IT. But these are starting to change. The increasing popularity of the networked environment has formed the Internet of Things and the Industrial Internet of Things, which has brought the possibility of connecting the two systems. Industrial control systems are moving from stand-alone to interconnected, from closed to open, and from automation to intelligence.
To reduce costs, real-time access, and system automation, ICS manufacturers originally used proprietary software, hardware, and communication protocols are developed. Now start to use the general network system to connect the enterprise and the external network, and use the commercially available off-the-shelf software and hardware to build the ICS system, reduce the cost of product manufacturing and maintenance, and improve productivity.
After the ICS system adopts such an open and universal architecture, although the relationship between OT and IT is shortened. However, it also brings security weaknesses that have not appeared in the past. Like IT systems, they are seriously threatened by malicious software such as viruses.
The distinction between OT and IT is increasingly blurred, but the essential differences still exist. Cybersecurity of your infrastructure starts with understanding the difference between OT and IT.
Industrial Control System Information Security Protection Guide:
- Security Software Selection and Management:
- Use antivirus software or application whitelist software that has been fully verified and tested in the offline environment on the industrial host, and only allow the software that has been authorized and evaluated by the industrial enterprise itself to run. Industrial control systems have high requirements for system availability and real-time performance. Industrial hosts such as MES servers, OPC servers, database servers, engineer stations, operator stations, and other application security software should be tested and verified in an offline environment in advance. An offline environment refers to an environment that is physically isolated from the production environment. Verification and testing include the functionality, compatibility, and security of the security software.
- Establish an anti-virus and malicious software intrusion management mechanism, and take security precautions such as virus detection and killing for industrial control systems and temporarily connected equipment. Industrial enterprises need to establish anti-virus and malicious software intrusion management mechanisms for industrial control systems, and take necessary security precautions for industrial control systems and temporarily connected devices. Safety precautions include regularly scanning for viruses and malware, regularly updating virus patterns, and checking and killing temporary access devices.
- Configuration and Patching Management:
- Do a good job in the security configuration of industrial control networks, industrial hosts, and industrial control equipment, establish a configuration list of industrial control systems, and conduct regular configuration audits. Industrial enterprises should do a good job in industrial control network security configurations such as virtual area network isolation and port disabling, industrial host security configurations such as remote-control management and default account management, and password policy compliance and other industrial control equipment security configurations, and establish corresponding security configurations. The configuration list is formulated, the responsible person is regularly managed and maintained, and the configuration is checked and audited regularly.
- Develop change plans for major configuration changes and conduct impact analysis, and conduct strict security testing before configuration changes are implemented. When a major configuration change occurs, an industrial enterprise should formulate a change plan on time, clarifying the change time, change content, change the responsible person, change approval, change verification, and other matters. Among them, major configuration changes refer to major vulnerability patch updates, addition or reduction of security devices, and re-division of security domains. At the same time, the risks that may occur in the change process should be analyzed, an analysis report should be formed, and the security of configuration changes should be verified in an offline environment.
- Pay close attention to major industrial control security vulnerabilities and their patch releases, and take timely patch upgrade measures. Before the patch is installed, the patch needs to undergo strict security assessment and test verification. Industrial enterprises should pay close attention to CNVD, CNNVD, and other vulnerability libraries and patches released by equipment manufacturers. When major vulnerabilities and their patches are released, according to the company's situation and change plan, the patches are strictly assessed and tested in the offline environment, and the patches that have passed the security assessment and test are updated on time.
- Border Security:
- Separate the development, test, and production environments of industrial control systems. The development, testing, and production environments of industrial control systems need to implement different security control measures. Industrial enterprises can use physical isolation, network logic isolation, and other methods to isolate.
- Protect the boundary between the industrial control network and the enterprise network or the Internet through the industrial control network boundary protection equipment, and prohibit the unprotected industrial control network from connecting to the Internet. Industrial control network border security protection equipment includes industrial firewalls, industrial gatekeepers, one-way isolation equipment, and enterprise-customized border security protection gateways. Industrial enterprises should deploy border security protection equipment between different network borders to implement secure access control according to actual conditions. Block illegal network access, and strictly prohibit unprotected industrial control network and Internet connection.
- Carry out logical isolation and security protection between industrial control network security areas through industrial firewalls, gatekeepers, and other protective equipment. Industrial control system cybersecurity zones are divided based on regional importance and business needs. For security protection between areas, industrial firewalls, gatekeepers, and other devices can be used for logical isolation security protection.
- Physical and Environmental Safeguarding:
- Take physical security protection measures such as access control, video surveillance, and special personnel on duty for the areas where important engineering stations, databases, servers, and other core industrial control software and hardware are located. Industrial enterprises should adopt appropriate physical security protection measures in areas where important industrial control system assets are located.
- Remove or close unnecessary USB, CD-ROM, wireless and other interfaces on the industrial host. If it is necessary to use it, strict access control shall be implemented using host peripheral security management technology. The use of industrial host peripherals such as USB, CD-ROM, and wireless provides a way for malicious codes such as viruses, Trojans, and worms to invade. Removing or closing unnecessary peripheral interfaces on the industrial host can reduce the risk of infection. When it is necessary to use it, security management techniques such as unified management of host peripherals and industrial hosts with peripheral interfaces can be used in isolation.
- Use identity authentication management in the process of industrial host login, application service resource access, and industrial cloud platform access. Use multi-factor authentication for access to critical devices, systems, and platforms. In the process of logging in to the industrial host, accessing application service resources and industrial cloud platforms, etc., users should use passwords, USB keys, smart cards, biometric fingerprints, iris, and other identity authentication management methods. If necessary, multiple authentication methods can be used at the same time.
- Reasonably classify and set account permissions, and assign account permissions based on the principle of least privilege. Industrial enterprises should allocate system account permissions based on the principle of least privilege by work requirements to ensure that losses caused by accidents, erroneous tampering, and other reasons are minimized. Industrial enterprises need to regularly audit whether the assigned account authority exceeds the work needs.
- Strengthen the login account and password of industrial control equipment, SCADA software, industrial communication equipment, etc., avoid using the default password, and update the password regularly. Industrial enterprises can refer to the setting rules recommended by suppliers, and set login accounts and passwords of different strengths for industrial control equipment, SCADA software, industrial communication equipment, etc. According to the importance of assets, update them regularly to avoid using default passwords or weak passwords.
- Strengthen the protection of identity authentication certificate information, and prohibit sharing in different systems and network environments. Industrial enterprises can use USB-key and other secure media to store identity authentication certificate information and establish relevant systems to strictly control the process of a certificate application, issuance, use, and revocation to ensure. The same identity authentication certificate information is prohibited from being used in different systems and network environments, to reduce the impact on the system and network after the certificate is exposed.
- Remote Access Security:
- In principle, it is strictly forbidden for industrial control systems to open high-risk general network services such as HTTP, FTP, and Telnet for the Internet. Industrial control systems open HTTP, FTP, Telnet, and other network services for the Internet, which can easily lead to industrial control systems being invaded, attacked, and exploited. Industrial enterprises should, in principle, prohibit industrial control systems from opening high-risk general network services.
- If remote access is needed, use data one-way access control and other strategies to strengthen security, control the access time limit, and use the tagging locking strategy. If industrial enterprises need remote access, they can use one-way isolation devices, VPNs, etc. at the network boundary to realize one-way data access and control the access time limit. The tag-locking strategy is adopted to prohibit the accessing party from performing illegal operations during remote access.
- If remote maintenance is needed, use remote access methods such as a virtual private network (VPN). If industrial enterprises need remote maintenance, they should ensure the security of the remote access channel using authentication and encryption. For example, by using a virtual private network (VPN) and other methods, the access account should be assigned a special number and audited regularly. Access account operation records.
- Keep the relevant access logs of the industrial control system, and conduct security audits on the operation process. Industrial enterprises should keep access logs of industrial control system equipment, applications, etc., back them up regularly, and track and locate unauthorized access behaviors through log information such as auditor accounts, access time, and operation content.
- Safety Monitoring and Emergency Plan Drills:
- Deploy network security monitoring equipment in the industrial control network to detect, report, and deal with network attacks or abnormal behaviors on time. Industrial enterprises should deploy network security monitoring equipment that can identify, alarm, and record network attacks and abnormal behaviors in the industrial control network. And timely detect, report, and deal with viruses, port scanning, brute force cracking, abnormal traffic, abnormal instructions, industrial Control network attacks, or abnormal behaviors such as forgery of system protocol packets.
- Deploy protective equipment with industrial protocol deep packet inspection function at the front end of important industrial control equipment to limit illegal operations. Deploy protective equipment that can deeply analyze and filter mainstream industrial control system protocols at the front end of the production core control unit of industrial enterprises, and block data packets that do not meet the standard structure of the protocol and data content that does not meet business requirements.
- Formulate an emergency response plan for industrial control security incidents. When an abnormality or failure of the industrial control system is caused by a security threat, emergency protective measures should be taken immediately to prevent the situation from expanding, and reported to the provincial industrial and information technology department, and pay attention to protect the scene for investigation and evidence collection. Industrial enterprises need to independently or entrust third-party industrial control security service units to formulate emergency response plans for industrial control security incidents. The plan should include emergency plan strategies and procedures, emergency plan training, emergency plan testing, and drills, emergency handling procedures, incident monitoring measures, emergency incident reporting procedures, emergency support resources, and emergency response plans.
- Regularly drill the emergency response plan of the industrial control system, and revise the emergency response plan if necessary. Industrial enterprises should regularly organize personnel related to the operation, maintenance, and management of industrial control systems to carry out emergency response plan drills. The drills include desktop drills, individual drills, and comprehensive drills. When necessary, the enterprise shall revise the plan according to the actual situation.
- Asset Security:
- Build a list of industrial control system assets, clarify the person responsible for the assets, and the rules for the use and disposal of assets. Industrial enterprises should build a list of industrial control system assets, including information assets, software assets, and hardware assets. Identify the person responsible for assets, establish rules for the use and disposal of assets, conduct regular security inspections on assets, audit asset use records, and check asset operation status to discover risks on time.
- Redundant configuration of key host equipment, network equipment, control components, etc. Industrial enterprises should configure redundant power supplies, redundant equipment, and redundant networks for key host equipment, network equipment, and control components according to business needs.
- Data Security:
- Protect important industrial data in the process of static storage and dynamic transmission, and classify and manage data information according to the risk assessment results. Industrial enterprises should encrypt and store important industrial data in static storage, set up access control functions, and encrypt and transmit important industrial data in dynamic transmission. Use VPN and other methods for isolation protection, and establish and improve the classification of data information according to the results of risk assessment.
- Regularly back up critical business data. Industrial enterprises should regularly back up key business data, such as process parameters, configuration files, equipment operation data, production data, and control instructions.
- Protect the test data. Industrial enterprises should protect test data, including safety assessment data, on-site configuration development data, system joint debugging data, on-site change test data, emergency drill data, etc., such as signing confidentiality agreements, recycling test data, etc.
- Supply Chain Management:
- When choosing a service provider for industrial control system planning, design, construction, operation, maintenance, or evaluation, priority should be given to enterprises and institutions with experience in industrial control security protection. And the information security responsibilities and obligations that service providers should undertake by contracts and other means. When selecting industrial control system planning, design, construction, operation, and maintenance or evaluation service providers, industrial enterprises should give priority to service providers with experience in industrial control security protection, and check the industrial control security contracts, cases, acceptance reports, and other certification materials provided by them. The information security responsibilities and obligations that the service provider should undertake during the service process should be stipulated in the contract in the form of express terms.
- The service provider is required to do a good job of confidentiality in the form of a confidentiality agreement to prevent the leakage of sensitive information. Industrial enterprises should sign a confidentiality agreement with service providers, and the agreement should stipulate the content of confidentiality, the time limit for confidentiality, and the liability for breach of contract. Prevent the leakage of sensitive information such as process parameters, configuration files, equipment operation data, production data, and control instructions.
- Fulfilling Responsibilities:
- By establishing an industrial control safety management mechanism, establishing an information security coordination group, etc., clarify the responsible person for industrial control safety management, implement the industrial control safety responsibility system, and deploy industrial control safety protection measures. Industrial enterprises should establish and improve the industrial control safety management mechanism, and clarify the main responsibility of industrial control safety. And establish an industrial control system information security coordination group led by the person in charge of the enterprise and composed of relevant departments. Such as informatization, production management, equipment management, etc., responsible for the industrial control system. The construction and management of the security protection system for the whole life cycle, the formulation of the industrial control system security management system, and the deployment of industrial control security protection measures.