OT Cybersecurity: The Ultimate Guide

September 27, 2024

As digital transformation fuses information technology (IT) with operational technology (OT), it has become critical for cybersecurity teams to implement best practices to protect OT systems from cyberattacks.

Table of Contents

  1. What Is Operational Technology (OT) Cybersecurity?
  2. IT vs. OT Cybersecurity
  3. Traditional OT Network Architecture: The Purdue Model
  4. High-Profile OT Cyberattacks
  5. Defending OT Systems from Nation-State Attacks
  6. Making a Business Case for OT Cybersecurity
  7. Cybersecurity Frameworks for OT/ICS
  8. Best Practice Recommendations for OT/ICS Cybersecurity
  9. OT Cybersecurity Resources

What is Operational Technology (OT) Cybersecurity?

OT cybersecurity refers to the set of procedures and best practices designed to mitigate and prevent the exploitation of cyber-physical systems and industrial control systems (ICS). Industrial control systems are critical OT assets employed across a wide variety of sectors and services to automate production processes. Critical infrastructure has increasingly integrated digital technologies into its operations. While driving efficiency and innovation, digitalization also increases the risk of cyber incidents disrupting power, water, and other vital services. In addition to control systems, the OT environment comprises switches, relays, RTUs, workstations and additional hardware and software that monitors and controls physical devices, processes, and events across various industries.

The importance of ICS and OT security is a function of the unique risk associated with operating operational technology. Because of their connection to physical and often critical industrial processes, any disruption or malfunction of OT assets can impact safety, availability and reliability. With this high impact potential, cyber adversaries see OT as high-value targets. We continue to see an increase in OT cybersecurity attacks, including the cyberattack on Ukraine's power grid in 2015, the Colonial Pipeline attack which halted fuel transportation, and attempts to compromise water safety at the Oldsmar water treatment facility. These events underscore the growing threats to critical infrastructure worldwide. The public requires critical infrastructure, such as water and energy systems, to operate reliably. Any disruption across this wide network has far-reaching consequences, making the availability and resilience of operational technology key for public wellbeing.

IT vs. OT Cybersecurity

Information and Operational Technology serve different purposes. IT cybersecurity concerns enterprise-level equipment used to manage data. OT cybersecurity concerns production level equipment used to manage physical products. These differences lead to unique security environments.

IT security focuses on the CIA triad, which stands for Confidentiality, Integrity, and Availability. OT security has to focus on safety and availability first. While confidentiality of data is important in a corporate setting, OT security deals with the physical world, where any disruption or compromise can lead to immediate physical consequences, potentially affecting human safety and the continuous operation of critical infrastructure.

IT security operators must keep up with quickly evolving equipment, platforms, and applications. The high rate of change means modular networks and routine updates. Furthermore, the value of IT is often linked with data and intellectual property stored within the network. For this reason, IT security’s primary concern is the confidentiality of the data. On the other hand, OT cybersecurity operators maintain systems with legacy equipment because of the high cost of equipment replacement and the slow change of system requirements. This means industrial control systems often contain known vulnerabilities. The value of operational technology, however, is most directly related to the continual and consistent operation of the equipment. Therefore, there are fewer opportunities for system downtime, updates, and equipment replacement. As a result, OT cybersecurity’s primary responsibility is the availability of the industrial control system.

The difference in context also changes the way you need to approach OT security. Due to their critical roles and the diversity of device age, make, and type, OT assets are sensitive to traditional IT security practices, which can disrupt operations and put them at risk. While IT and OT security teams share the same end goal of protecting these systems from cyber incidents, OT security requires a different approach.

Traditional OT Network Architecture: The Purdue Model

The technological architecture of organizations using operational technology can be organized into five distinct layers. Within industry, this is known as the Purdue Model and provides a method for understanding the distinct functions of technologies at various levels of an organization.


The Purdue Model

Enterprise Levels (4 - 5)
The Enterprise Network, and Business Planning elements of the network compose levels 5 and 4 respectively. Collectively these are the levels of the corporate office. Routers, servers, personal computers, and printers are all likely to be devices within these layers.

Production Levels (1 - 3)
Levels 3 through 1 constitute the production environment of a given network. Level 3, or Site Control, commonly houses data storage devices (historians) and the central management system (likely an engineering workstation). Here, plant-wide information is simultaneously accessed and warehoused. Level 2, or Area Control, contains more specific control information. This might be the Supervisory Control and Data Acquisition (SCADA) interface for a subcomponent of devices or even the specific Human Machine Interface (HMI) of a single device. Level 1, or Basic Control, refers to the actual distributed control system (DCS) or programmable logic controller (PLC) that actuates an operational process.

The Purdue Model is helpful in understanding the complexity of modern technological architectures, but it is also complicated by the continued rise of the Industrial Internet of Things (IIoT). As information increasingly informs production processes, each layer is becoming more intertwined. Therefore, even where the Purdue Model no longer reflects the logical topology of a network, it still provides a functional map of such systems.
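One practical use of the model is checking observed traffic against the levels it defines. The following is an added example, not code from the original article or from Industrial Defender. It assumes a constructed subnet-to-level mapping and a simple segmentation policy that the article does not itself state: traffic may only cross between adjacent Purdue levels, so a flow from the enterprise levels straight into Level 1 or 2 is flagged, as is any address that is not in the inventory mapping.

```python
"""Added example: checking observed network flows against Purdue levels.

Assumptions (not from the article): the subnet-to-level mapping below is
constructed, and the policy is that a flow may only cross adjacent levels.
"""
import ipaddress

# Constructed mapping of subnets to Purdue levels (assumption for this example).
LEVEL_SUBNETS = {
    5: [ipaddress.ip_network("10.50.0.0/16")],  # Enterprise network
    4: [ipaddress.ip_network("10.40.0.0/16")],  # Business planning
    3: [ipaddress.ip_network("10.30.0.0/16")],  # Site control (historians, engineering workstation)
    2: [ipaddress.ip_network("10.20.0.0/16")],  # Area control (SCADA / HMI)
    1: [ipaddress.ip_network("10.10.0.0/16")],  # Basic control (PLC / DCS)
}


def purdue_level(ip: str):
    """Return the Purdue level an address belongs to, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for level, nets in LEVEL_SUBNETS.items():
        if any(addr in net for net in nets):
            return level
    return None


def flow_violations(flows):
    """Check (src_ip, dst_ip) pairs against the adjacent-levels policy.

    Returns a list of (src, dst, src_level, dst_level, reason) tuples for
    flows that skip a level or involve an address outside the mapping.
    """
    findings = []
    for src, dst in flows:
        s, d = purdue_level(src), purdue_level(dst)
        if s is None or d is None:
            findings.append((src, dst, s, d, "unmapped address"))
        elif abs(s - d) > 1:
            findings.append((src, dst, s, d, "skips Purdue level"))
    return findings


# Constructed sample flows (src, dst) as a passive sensor might report them.
SAMPLE_FLOWS = [
    ("10.30.1.5", "10.20.1.9"),    # historian -> SCADA server: adjacent, allowed
    ("10.20.1.9", "10.10.1.3"),    # HMI -> PLC: adjacent, allowed
    ("10.50.2.7", "10.10.1.3"),    # enterprise PC -> PLC: skips levels 4-2
    ("10.40.0.4", "10.30.0.2"),    # business planning -> site control: allowed
    ("192.168.9.9", "10.10.1.3"),  # unknown device -> PLC: not in inventory
]

if __name__ == "__main__":
    for finding in flow_violations(SAMPLE_FLOWS):
        print(finding)
```

In practice the flow list would come from a passive monitoring sensor and the mapping from the asset inventory; an unmapped address is itself a visibility finding, since it means a device exists that the inventory does not know about.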

High-Profile OT Cyberattacks

High-profile OT cyberattacks demonstrate that network vulnerabilities exist at each level of network architecture. The Stuxnet worm, uncovered in 2010, was a SCADA exploitation designed to destroy nuclear refiners within Iran. The worm was introduced into a closed network via a removable media device, likely a USB drive. Once within the enterprise layer, the code was able to exploit installation permissions to automatically execute malware. In this case the malware degraded integrity down the network architecture, causing specific PLCs to report incorrect information back to the area control workstation. This risk could have been mitigated by:

  • Tracking removable media
  • Managing installation permissions
  • Actively monitoring the network for unusual movement

In 2021, a hacker attempted to pollute a Florida public water supply by exploiting the outdated operating system of a particular water plant. The attack began when a personal computer within the network visited an unsecured web address. As a result, the hacker was able to gain network access through the combination of a remote management application and weak password security. After this, the command to pollute the water supply was easily issued, though thankfully it was observed and reversed by plant personnel. The attack could have been averted more easily, however, had the security operators:

  • Closely managed software updates
  • Heightened password security and authentication processes

Colonial Pipeline was the victim of a targeted ransomware attack in 2021 that was facilitated by a compromised virtual private network. The hacker group used un-retired credentials to access a legacy virtual private network (VPN). The pipeline operator had been unaware of the continued existence of the VPN and as a result had not factored it into its security considerations. From this vulnerability, the hacker group was able to encrypt corporate systems, which directly resulted in system downtime. This loss of availability could have been avoided if they had:

  • Full asset visibility
  • More closely managed and retired user access
  • Increased password and authentication processes

In September 2024, Arkansas City, Kansas, was forced to switch its water treatment facility to manual operations after a cyberattack was detected. Local authorities, with Homeland Security and FBI support, are investigating, and enhanced security measures have been put in place.

While the water supply remains safe, residents may experience low water pressure through the weekend as issues with some pumps are addressed. The attack occurred just two days after Water ISAC issued a warning about Russian-linked threats to the water sector.

This incident underscores the need for:

  • Comprehensive OT asset monitoring
  • Stronger security protocols for water infrastructure
  • Proactive threat sharing within the industry

Summary of Key OT Cybersecurity Attacks

2010: Stuxnet Worm
  • Target: SCADA & PLC systems that control & monitor industrial electromechanical processes
  • How It Works: MS Windows worm typically introduced via USB flash drive; modifies PLC code and gives unexpected commands to the PLC

2013: Havex / Dragonfly
  • Target: SCADA OPC (Object Linking and Embedding for Process Control) servers
  • How It Works: Industrial protocol scanner finds devices on TCP ports used by specific PLC vendors, plants a backdoor installer file

2015: BlackEnergy & KillDisk (Ukraine power grid)
  • Target: SCADA systems that remotely switch substations off
  • How It Works: Spear-phishing to plant malware, then disable/destroy UPS, modems, RTUs, etc. and destroy files on servers and workstations

2016: Shamoon 2 (Disttrack)
  • Target: Disruption and damage – targeted GCC energy companies
  • How It Works: Remote access with stolen credentials; plant malware & covertly spread across computers with a scheduled service (process), then wipe the data

2017: ClearEnergy
  • Target: Certain PLC models found in SCADA and ICS systems
  • How It Works: Exploits firmware vulnerability flaws; erases the ladder logic diagram

2017: WannaCry Ransomware
  • Target: Broadcast globally to everyone via the internet
  • How It Works: Exploits unsupported (unpatched) MS Windows OS, implants a file running as a service, encrypts users' files

2017: Industroyer (CrashOverride)
  • Target: Electric power distribution grid substation switches and circuit breakers
  • How It Works: Connects to a remote server, maps the network, issues commands to specific devices

2020: SolarWinds
  • Target: Large "supply chain" attack affecting 18,000 businesses
  • How It Works: Malicious code installed on Orion software update

2021: City of Oldsmar, FL
  • Target: Oldsmar Water Treatment Facility
  • How It Works: Remote access software allowed hacker to manipulate formula for adding lye to the water supply

2021: Colonial Pipeline
  • Target: Colonial Pipeline
  • How It Works: Ransomware attack from an unidentified legacy VPN that resulted in operational downtime

Understanding the OT Environment is Key

Critical infrastructure operators continue to struggle with blind spots in their OT environments. Trustworthy OT asset data is the bedrock of OT security. You have to know what you have in order to secure it. This goes beyond basic inventory: simply knowing what devices are on your network is a good start, but it's not enough to manage risk. You need deeper awareness of details such as software versions, vulnerabilities, patches, firewall rules and PLC key switch positions.

Furthermore, it's important to monitor these details as cyberattacks become more stealthy and sophisticated. For example, threat actors like Volt Typhoon employ "living off the land" (LOTL) attacks, which use legitimate tools already present within the system. These attacks often evade traditional malware detection methods, making it critical to monitor your environment for unusual and unauthorized behaviors. By keeping an eye on granular changes such as modifications to configurations, the creation of new accounts, certain event IDs, or atypical logging activity, operators can detect early warning signs of these stealthy attacks and act before significant damage occurs.
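The monitoring just described can be reduced to a small set of rules over host event records. The following is an added example, not code from the original article or from Industrial Defender's products. The log lines are constructed for the example in a simple key=value form (not real Windows event log output); the event IDs used are standard Windows Security/System log IDs (4720 user account created, 4698 scheduled task created, 7045 service installed, 1102 audit log cleared, 4688 process created, 4624 logon), and the critical-host list and change-window handling are assumptions.

```python
"""Added example: flagging living-off-the-land style activity from host events.

Assumptions (not from the article): the log format below is constructed, and
CRITICAL_HOSTS is an assumed list of hosts where account or service creation
is never expected outside an approved change window.
"""
from collections import Counter

# Event IDs that signal the "granular changes" worth alerting on.
WATCHED_EVENT_IDS = {
    4720: "new account created",
    4698: "scheduled task created",
    7045: "new service installed",
    1102: "security audit log cleared",
}

# Constructed: engineering workstation and historian are treated as critical.
CRITICAL_HOSTS = {"EWS-01", "HIST-01"}

# Constructed sample records, one event per line.
SAMPLE_LOG = """\
ts=2024-09-20T02:11:04 host=EWS-01 event_id=4720 user=svc_backup2 actor=operator1
ts=2024-09-20T02:11:30 host=EWS-01 event_id=4698 task=UpdateCheck actor=svc_backup2
ts=2024-09-20T02:12:01 host=EWS-01 event_id=4688 process=powershell.exe actor=svc_backup2
ts=2024-09-20T03:00:00 host=HIST-01 event_id=1102 actor=svc_backup2
ts=2024-09-20T08:15:12 host=HMI-03 event_id=4624 user=operator2
ts=2024-09-20T08:16:40 host=HMI-03 event_id=4624 user=operator2
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; event_id becomes an int."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["event_id"] = int(fields["event_id"])
    return fields


def find_alerts(log_text, change_window=None):
    """Return a list of alert dicts for the records in log_text.

    change_window: set of hosts currently under an approved change, whose
    watched events are suppressed. A second rule escalates any activity by an
    account that was created earlier in the same log on a critical host,
    which is how a legitimate-tool (LOTL) sequence tends to look.
    """
    change_window = change_window or set()
    alerts = []
    new_accounts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid, host = ev["event_id"], ev["host"]
        if eid in WATCHED_EVENT_IDS and host not in change_window:
            alerts.append({"ts": ev["ts"], "host": host, "event_id": eid,
                           "reason": WATCHED_EVENT_IDS[eid]})
        elif ev.get("actor") in new_accounts and host in CRITICAL_HOSTS:
            alerts.append({"ts": ev["ts"], "host": host, "event_id": eid,
                           "reason": "newly created account active on critical host"})
        if eid == 4720:
            new_accounts.add(ev["user"])
    return alerts


def alerts_by_host(alerts):
    """Summarise alert counts per host for triage."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for a in found:
        print(a)
    print(dict(alerts_by_host(found)))
```

The routine logons on HMI-03 produce nothing, while the 02:11 sequence on the engineering workstation (account creation, scheduled task, process launched by the new account) and the later log clearing on the historian each surface, even though every individual action used a built-in tool.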

Part of the lack of visibility into OT environments stems from hesitation around active monitoring methods. Some of this hesitation is justified, given past examples where IT-led exercises implemented active methods that disrupted OT processes. However, OT asset management has matured greatly over the past two decades, and integrated data collection, when implemented correctly, is a safe and effective way to manage OT assets.

A comprehensive integrated data collection approach should centralize:

  • Manual Data Ingestion: Existing data you've gathered or will continue to collect manually, including spreadsheets in formats like CSV or JSON
  • Passive Monitoring: Beginning with passive monitoring of OT network traffic offers a conservative foundation. Systems can discern device specifics like firmware transfers from source (e.g., a terminal control server) to destination (e.g., RTU/PLC) by understanding industrial protocols and extracting configuration state data.
  • Active Monitoring: For more in-depth data, there are proven methods for using active techniques in OT to gain details such as software versions, configurations, vulnerabilities, firewall rules, and PLC key switch settings.
  • Agent-Based: Where agents are acceptable, they can boost efficiency through continuous data collection.
  • Agentless Monitoring: Agentless solutions can be deployed even where a networked environment is not possible and agents are not allowed.
  • Native Polling: By actively and safely polling devices using recognized OT protocols, a richer dataset from industrial devices is realized. For instance, systems can communicate with assets such as PLCs, RTUs and relays, extracting comprehensive data through their native protocols.
  • Direct Database Integration: Many entities already possess vital OT asset details in existing databases. Incorporating this data into a central OT asset hub is essential for a panoramic view. Platforms that can directly interact with diverse database types, such as SQL, allow for this integration.
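The value of centralizing these sources is that they can be reconciled against each other: the manually maintained baseline says what should be there, and polled or passively observed data says what is there. The following is an added example that serves both the "know what you have" point above and the data-collection list; it is not code from the original article or from Industrial Defender's products. The CSV (manual ingestion) and JSON (polled/passive output) inputs are constructed, and the field names asset_id, firmware and key_switch are assumptions for the example.

```python
"""Added example: merging OT asset data from several sources and flagging drift.

Assumptions (not from the article): the CSV baseline, the JSON polling output
and the field names are all constructed for this example.
"""
import csv
import io
import json

# Constructed manual baseline, as a spreadsheet export. An empty key_switch
# means the value was never recorded, so it is not compared.
MANUAL_CSV = """asset_id,type,level,firmware,key_switch
PLC-101,PLC,1,2.8.3,RUN
PLC-102,PLC,1,2.8.3,RUN
RTU-201,RTU,1,5.1.0,
"""

# Constructed output of native polling / passive monitoring, one record per asset.
POLLED_JSON = json.dumps([
    {"asset_id": "PLC-101", "firmware": "2.8.3", "key_switch": "RUN", "source": "native_poll"},
    {"asset_id": "PLC-102", "firmware": "2.8.3", "key_switch": "REMOTE", "source": "native_poll"},
    {"asset_id": "PLC-103", "firmware": "2.7.0", "key_switch": "PROGRAM", "source": "passive"},
])


def load_manual(text):
    """Index the manually maintained baseline by asset_id."""
    return {row["asset_id"]: row for row in csv.DictReader(io.StringIO(text))}


def load_polled(text):
    """Index the collected records by asset_id."""
    return {rec["asset_id"]: rec for rec in json.loads(text)}


def reconcile(manual, polled, drift_fields=("firmware", "key_switch")):
    """Compare observed data with the baseline.

    Returns (asset_id, finding, expected, observed) tuples for:
      - fields whose observed value differs from a recorded baseline value,
      - assets observed on the network that the baseline does not list,
      - baseline assets that were not observed at all.
    """
    findings = []
    for asset_id, rec in polled.items():
        base = manual.get(asset_id)
        if base is None:
            findings.append((asset_id, "unknown_asset", None, rec))
            continue
        for field in drift_fields:
            if base.get(field) and base[field] != rec.get(field):
                findings.append((asset_id, f"{field}_drift", base[field], rec.get(field)))
    for asset_id in sorted(manual.keys() - polled.keys()):
        findings.append((asset_id, "not_observed", manual[asset_id], None))
    return findings


def merged_inventory(manual, polled):
    """Build one record per asset with the baseline fields, observed fields and provenance."""
    merged = {}
    for asset_id in manual.keys() | polled.keys():
        rec = {"asset_id": asset_id, "sources": []}
        if asset_id in manual:
            rec.update({k: v for k, v in manual[asset_id].items() if v})
            rec["sources"].append("manual")
        if asset_id in polled:
            rec.update(polled[asset_id])
            rec["sources"].append(polled[asset_id]["source"])
        merged[asset_id] = rec
    return merged


if __name__ == "__main__":
    manual, polled = load_manual(MANUAL_CSV), load_polled(POLLED_JSON)
    for finding in reconcile(manual, polled):
        print(finding)
    print(json.dumps(merged_inventory(manual, polled), indent=2))
```

Here PLC-102's key switch moving from RUN to REMOTE is exactly the kind of granular change the text says to watch, PLC-103 is a device nobody recorded, and RTU-201 not answering is worth a visit in its own right. A real deployment would add a database source to the same reconciliation and keep a timestamped history of each finding.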

Defending OT from Nation-State Cyberattacks

As high-profile cyberattacks increase in number and sophistication, private companies today must be prepared to defend against increasingly capable adversaries and even nation-state attacks. This daunting task can be best approached by systematically understanding network architecture and the lessons of past attacks. The non-profit MITRE Corporation has published the MITRE ATT&CK for ICS framework for this precise purpose.

The MITRE ATT&CK for ICS framework acts as a common industry lexicon by describing eleven categories that are important for understanding how adversaries enter, explore, and exploit your network. Adversaries enter and stay within networks through initial access, evasion, persistence, and by inhibiting responses. Adversaries gather information about the compromised network through discovery, collection, and lateral movement within the ICS environment. After gaining access and information, adversaries are able to execute code, manipulate command and control functions and impair process control in order to negatively impact the overall industrial control system.

MITRE ATT&CK for ICS TTPs

Making a Business Case for OT Cybersecurity

Understanding the evolving security landscape is now a requirement of sound business practice. Without robust industrial security measures, companies take on significant risk to their safety, profitability, and reputation. Profitability can be decreased from unexpected production downtime, legal costs, and increased insurance costs, among other concerns. Our OT Risk Calculator can provide a customized estimate of each factor to show what a cyberattack could really cost your company.

Furthermore, a cyber incident can quickly shake confidence, resulting in brand and reputational damage which translates into a reduced customer base. As a result, it is increasingly important that security professionals learn how to effectively ask for the proper OT cybersecurity budgeting. Explaining these risks to management and requesting an expanded OT security program will ultimately result in gains across the entire business.

Cybersecurity Frameworks for OT/ICS

When determining where to further invest in security, there are many standards out there that can help. One of these is the NIST Cybersecurity Framework (CSF), which can provide a simple method for identifying what opportunities exist to optimize your security processes. The NIST CSF is a voluntary set of guidelines that were created to aid the development of business security strategies. The framework is organized around a security cycle: identify, protect, detect, respond, recover. Each stage requires an understanding of the distinct elements of the OT network and the proper people, processes and technologies for effective implementation.


The NIST Cybersecurity Framework

Another popular standard used to design an OT/ICS security program is the ISA/IEC 62443 standard. The ISA/IEC 62443 series of standards offers a flexible framework of security controls that define ICS security techniques, processes, and procedures to aid organizations in mitigation and risk reduction for security vulnerabilities in ICS. Organizations can adopt and enforce security controls that work reliably across devices, networks, and infrastructure based on this single congruous framework.

Best Practice Recommendations for OT/ICS

Within OT environments, specific best practices can be employed to maximize security effectiveness. The first requirement is robust asset management. With a full understanding of the network, it is possible to establish centralized management with effective monitoring techniques. Centralized monitoring will subsequently enable security operators to implement automated vulnerability and anomaly detection abilities. Each of these steps and best practices fundamentally serve to assure that the right data is in the hands of your OT defenders. Understanding your system and knowing how to ask OT security vendors the right questions is the first step in reaching this goal.

OT Cybersecurity Resources

Understanding OT cybersecurity can be complicated. The increasing frequency and sophistication of ICS cyberattacks, the rise of the IIoT, and many other factors add to the complexity. Yet, the importance of critical infrastructure is too great to ignore its security. Furthermore, it is now impossible to safely operate an industrial control system as a business without a rigorous OT cybersecurity approach. Industrial Defender offers resources to aid in the search for solutions to each of these issues.

Our OT Security 101 Webinar provides guidance to better understand the security principles of OT cybersecurity. Industrial Defender's OT Cybersecurity Solutions Buyer's Guide provides information that can help narrow the search for an ICS security solution. The Defender Sphere is designed to help clarify the various vendors, services, and equipment involved in the operational technology landscape.

By taking advantage of these and additional resources, security professionals can understand industrial control systems and achieve robust OT cybersecurity to support key business interests and safety requirements.