Security

Purdue Model: Intelligently Segregating Your OT Networks

The modern OT threat landscape is growing due to the significant rise of interconnected network devices. OT is particularly vulnerable given the need for high availability and integrity, at the expense of confidentiality (which is at odds with the priorities in an IT environment). Following the Purdue model helps mitigate the risk of compromise by not allowing different types of devices to operate on the same subnet (eg: manufacturing devices and databases). Consequently, it is referenced in key compliance standards such as IEC62443 and OG86 as a practice to be implemented.

Cyber Attacks on OT on the rise, and why we should be concerned

Last week, cyber security experts Fortinet published a report on security trends within Operational Technology, again putting the spotlight on these highly vulnerable and increasingly attacked systems, many of which are responsible for providing critical services to society worldwide.

There was an indication that bespoke OT cyber attacks are on the increase, targeting specific vulnerabilities within SCADA and ICS systems. Whilst this is certainly a serious concern, almost more shocking is that the majority of attacks on OT systems are via IT-based legacy attacks which would no longer be effective on modern IT systems. These OT systems are comprised of aging hardware, running unpatched software, and leaving them highly vulnerable to even basic IT-based cyber attacks. This leads to an ability for bad-actors to be able to effectively disable an OT environment with no specialist or prior knowledge of the specific systems involved - leaving no specific ICS/SCADA devices secure, regardless of vendor, software or hardware involved.

There also seems to be continued ongoing neglect of basic cyber-hygiene within ICS and SCADA environments, with almost a third of OT devices directly connected to the internet, and another third accessible from the internet via the IT enterprise. Whilst there is an acknowledgement that there are many benefits from connecting the OT environment to the IT network to increase efficiencies and visibility, leading to optimisations and significant cost savings, these are in direct opposition to the increased security risk. These findings seem to point towards a scenario where potential cost savings are considered above the cyber-risk by the decision makers within these organisations, leading to the highly vulnerable situation that Fortinet are now reporting on.

To add to this, it is reported that more than 8 in 10 respondents to a survey stated that they are unable to identify all the devices connected to their OT and IT networks. How can OT operators begin to mitigate the cyber risk within their environments when they don’t even have the visibility into the devices they need to protect? This is something we are keenly aware of at Awen Collective, and we’re here to help. Our asset and risk discovery software, Dot, exists to provide a deep level of understanding of an OT environment, highlighting key concerns and helping cyber security, OT engineering and corporate compliance teams to manage their responsibilities with the best information available to them.

What the report doesn’t focus upon is the environments where these systems are operating, and the potential affects on the operators and their clients. Whilst many these systems exist within manufacturing facilities, and naturally there are huge costs associated with attacks within the manufacturing sector, there is more at play here than just monetary loss by large-scale manufacturers. ICS and SCADA systems are a key part of how providers of critical national infrastructure deliver their services to society. This includes the provision of electricity, water, sewerage, transportation and healthcare. If any of these services were interrupted or disabled due to a cyber attack, there’s a strong likelihood of widespread disruption, potentially leading to societal destabilisation and loss of life.

There has been an effort by EU legislators to address this concern, introducing the NIS Directive and ensuring that all EU states bring into law that critical national infrastructure operators are considering their cyber security across their entire IT and OT estates, and embedding good cyber security practice at all levels of their organisations. Based on this report, there should be some significant hurdles for CNI operators to overcome to get themselves entirely compliant with the directive. With fines of £17 million or 4% of annual turnover due to be levied against operators not found to be compliant, it should be a strong wake-up call for business decision-makers across CNI organisations. To help, Awen Collective offers Profile – a compliance checking tool for the NIS Directive, allowing a CNI organisation to easily and quickly determine their current compliance level, identify weaknesses to overcome and get advice on next steps.

We’re thankful to Fortinet for their report, and we’re looking forward to continuing to help ICS and SCADA operators solve the cyber security issues they have. If you’re looking for cyber security solutions for your OT environment, reach out to us at hello@awencollective.com.