In February, I had the opportunity to give a conference about the key differences between OT and IT Cybersecurity, at IndusSec 2018 Industrial Cybersecurity Congress. It is reasonable that IT security professionals want to introduce in OT cybersecurity, but in my opinion, there are a lot of differences between both. So, in this case, I will translate onto English the main ideas to reach English speakers.
The first one is related to the objectives and priorities. I am sure that when we do not know how to do something, we ask somebody who knows or can give us some valuable information. OT cybersecurity is newer in comparison with IT cybersecurity, so it is reasonable to focus on IT cybersecurity standards and best practices to secure industrial environments. However, it cannot be a right decision. I do not want to say that we cannot apply them. We can, but do not apply them in the same way. Why? Because the objectives and priorities are different. In IT environments, the objective is to protect the “Data” but in OT environment is the “Process”. In order to prioritize, in IT is the “confidentiality” instead of “availability” of an OT environment. So, if both have different objectives and priorities, we must use standards according to each one. IEC 624443 and NIST 800-82r2 instead of ISO 27000.
Secondly, IT technologies use either Ethernet or TCP/IP to communicate to other systems. It is something that nobody discusses. Nevertheless, in OT environments the presence of protocols based on serial communications is very high, such as Profibus or Interbus. Beside this, migrate to Ethernet technology requires changing the cabling, something that cannot be done if the facilities work 24×7, new communication modules, industrial network design, and so on.
Other key factor, is the latency. In IT networks, we can assume up to 150ms for traffic in real time, but in Industrial Ethernet based networks it is not acceptable. For example, for Real Time (RT) Communications this value is under 10ms and for Isochronous Real Time (IRT) is 1ms. According to this, when we deploy firewalls to filter traffic we have to consider them because each one introduces latency more or less depending on the controls applied. This is, L4 filtering, antivirus, application control and IDS/IPS policies, operation mode (flow or proxy), CPU load, memory use, and so on. Consequently, in some environments, we cannot deploy firewalls as the standards recommend. We do not forget that there are protocols which are able to work in Layer 2, so they cannot be reachable from/to other subnets.
Thirdly, there are the patches. In OT, the equipment lifecycle is bigger in comparison to IT, so it is more likely that we will have either legacy or end of support systems without patches available. So, how can we patch these systems? But if we can get them from the vendor, we will have to decide when we will apply them. Not always can be possible because they can be linked to a reboot, stop or maintenance mode. And of course, affecting to the availability, something that we must ensure.
Fourthly, we want to talk about antivirus. In the same way of the previous paragraph we must keep in mind that one thing is the operating system and other is the software installed. If the operating system is too old, probably there will not be capable software for it, such as Microsoft Windows 2000 or XP. But in the best case, when we have compatibility and can use them on our HMI, maybe this solution cannot give us the protection that we are looking for. The antivirus are firm based tools, and if the malware is specific to ICS probably the signature cannot exist. This is, what happened with Irongate, malware discovered by FireEye security company. As they said, this malware was not identified by any of the Antivirus software available on Virustotal website. This invites to keep in mind that even though we have an antivirus on our industrial PC, probably, it cannot be as efficient as we need because they are not prepared for industrial threats.
Finally, I would like to mention a key aspect, and it is not related to technical features. I will refer to human factor. Until now, the auditors, consultants, networks and system administrators, integrators and other IT technicians talked the same language. If one of them talked about virtualization, databases, software and particular in security devices such as firewalls, intrusion detection/prevention systems, everybody understands each other. But since a few years ago this has been changing because there is other environment to protect, OT.
It has other kind of profiles such us maintenance technicians, process engineers and production managers. We should join them to our work groups, committees and meetings to share with us their knowledge, experience, priorities and needs and vice versa. Until now, IT teams did not know about PLCs, HMIs, RTUs, industrial communication latencies… and OT teams did not know about Endpoint software, next generation firewalls, deep packet inspection, communication ports… Everybody knows about what they have to manage or control. This is, IT teams know about, operating systems, software, routing, switching, and OT teams about, automation, pneumatic, hydraulic, sensors, actuators, etc.
So, if we want to ensure the availability on shop floors, plants, or critical infrastructures, we must know all related to facilities, ICS, systems. The industrial cybersecurity is not a task of either IT or OT people. It is a shared responsibility, where it joins the best of two worlds, Information and Operation Technologies.
So we have to change from this point of view:
In my opinion, the obvious conclusion is that we cannot evaluate with same criteria both environments. As I said, if we have different priorities, different objectives, we must apply different approaches to reach our goals. This is, protect the industrial environments. In addition, even though we talk about the same technologies in both scenarios, the characteristics, features or deployment can be very different too. The latencies can be unacceptable, ineffective, require a change of point of view or the risk that we introduce is higher in comparison with that one we want to mitigate.
It will not be easy, because we will have some difficulties and barriers that have to overcome.
See you in the next post, thanks for your time.