Andrew Ginter

Best practice methodology for industrial network security: SEC-OT


Secure Operations Technology (SEC-OT) is a methodology and collection of best practices inspired by a decade of experience working with secure industrial sites. The SEC-OT approach is counter-intuitive to many IT and even industrial control system (ICS) security practitioners. It turns out that secure industrial sites ask different questions and get different answers.

For example, industrial sites generally don't ask "how can we protect our information?" Instead, they ask, "how do we keep the site producing high quality outputs?" and "how do we control the site safely?" To this end, SEC-OT defines control system security as:

Control system security – Protecting safe and reliable physical operations by assuring correct and authorized control.

SEC-OT does not seek primarily to "protect the information" as information security does. SEC-OT observes that all cyber attacks are information and concludes that it is not information that needs protection, but physical operations that need protection from information – more specifically, from cyber attacks that may be embedded in information.

SEC-OT principles

The first principle of SEC-OT therefore observes that since all cyber attacks are information, every comprehensive inventory of information flows into an industrial site is also a comprehensive inventory of inbound attack vectors. Control these information flows and we control the attacks.

The second key principle observes that since all software has vulnerabilities, our primary defenses should be physical and hardware-enforced controls over information/attack flows entering ICS networks, rather than software-based protections. All software has defects after all – discovered and undiscovered – and some defects are security vulnerabilities. Using vulnerable firewalls, cryptosystems and security software to protect vulnerable ICS software is a lot like bailing a basement with a bottomless bucket.

First control incoming information/attack flows physically, and then think about software security.
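The two principles above translate directly into an audit that a site can run over its own flow inventory: list every information flow, and flag each inbound flow whose strongest control is software-only or absent. The following is an added example, not code from the article or from Waterfall; the flow records, the control classes and the hypothetical site inventory are all constructed for illustration.

```python
"""Inventory of information flows into an ICS network, audited against the two
SEC-OT principles: (1) every inbound information flow is an attack vector, and
(2) the primary control over each inbound flow must be physical or hardware-
enforced, with software controls counting only as secondary.

Added example; the flow records below are constructed, not taken from any real site.
"""
from dataclasses import dataclass, field

# Control classes recognised by the audit, strongest first.
PHYSICAL = "physical"   # e.g. blocked USB port, disconnected wall jack
HARDWARE = "hardware"   # e.g. unidirectional gateway
SOFTWARE = "software"   # e.g. firewall rule, directory policy, NAC, encryption
NONE = "none"


@dataclass
class Flow:
    name: str
    direction: str      # "inbound" or "outbound", relative to the ICS network
    medium: str         # "network", "removable_media", "laptop", "serial", ...
    controls: list = field(default_factory=list)  # control classes applied

    def primary_control(self) -> str:
        """Strongest control applied to the flow, or NONE if it is uncontrolled."""
        for level in (PHYSICAL, HARDWARE, SOFTWARE):
            if level in self.controls:
                return level
        return NONE


def attack_vectors(flows):
    """Principle 1: the inbound flows are the inbound attack-vector inventory."""
    return [f for f in flows if f.direction == "inbound"]


def audit(flows):
    """Principle 2: report inbound flows whose primary control is software-only
    or missing. Returns a list of (flow name, primary control, finding)."""
    findings = []
    for f in attack_vectors(flows):
        primary = f.primary_control()
        if primary == NONE:
            findings.append((f.name, primary, "uncontrolled inbound flow"))
        elif primary == SOFTWARE:
            findings.append((f.name, primary, "software-only control on inbound flow"))
    return findings


# Constructed inventory for a hypothetical site (not from the article).
SITE_FLOWS = [
    Flow("historian replication to IT", "outbound", "network", [HARDWARE]),
    Flow("IT to OT firewall", "inbound", "network", [SOFTWARE]),
    Flow("vendor laptop", "inbound", "laptop", [SOFTWARE]),        # NAC only
    Flow("USB ports on HMI", "inbound", "removable_media", [PHYSICAL, SOFTWARE]),
    Flow("engineering modem", "inbound", "serial", []),
]

if __name__ == "__main__":
    for name, control, finding in audit(SITE_FLOWS):
        print(f"{name}: {finding} (primary control: {control})")
```

The outbound historian flow passes untouched because the audit is about what enters the ICS network; the USB ports pass because the physical block is the primary control and the directory policy is merely secondary, which is the ordering the text prescribes.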

Offline / physical attacks

Offline information/attack flows include removable media, BYOD, laptops, cell phones, brand new computers from our vendors and even people with passwords and possibly malicious intent. To the greatest extent practical, SEC-OT advocates physical protection from offline information flows into ICS networks. For example: physically block or disable removable media ports, and do the same for unused network connections on computers, switches and wall jacks in ICS networks. Deploy secondary software protections as well, such as Active Directory policies to forbid mounting removable media and Network Access Control (NAC) to forbid connections from unauthorized laptops and other computers.

In addition, SEC-OT adapts the "near miss" concept from physical safety programs. When the NAC system reports an attempt to connect a non-ICS laptop to an ICS network, or an ICS laptop reports an attempt to connect it to an IT network, the Security Operations Center (SOC) contacts the offending individual and together they fill out a "security near miss" report. These reports are aggregated, analyzed and used to prioritize remedial actions in terms of training and awareness programs. With a strong "near miss" program in place, site personnel quickly learn never to attempt dangerous information transfers.
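The near-miss program described above has a mechanical core that a SOC can script: recognise the NAC deny events that crossed the IT/ICS boundary, turn each into a near-miss record, and aggregate the records by person and by direction so that training effort goes where the near misses actually happen. The following is an added example, not code from the article; the `nac` log format, the network naming convention (`ICS-` prefix for ICS networks) and the log lines themselves are constructed and do not correspond to any real NAC product's output.

```python
"""Turning NAC deny events into SEC-OT "security near miss" records and
aggregating them to prioritize training. Added example; the log format and
the log lines are constructed for illustration."""
from collections import Counter
import re

# Constructed NAC events. Two shapes appear: a non-ICS laptop attempting to join
# an ICS network, and an ICS laptop attempting to join an IT network.
NAC_LOG = """\
2019-02-11T09:14:02Z nac device=LT-4471 owner=jdoe home=IT target=ICS-CELL3 action=deny
2019-02-11T09:20:40Z nac device=LT-4471 owner=jdoe home=IT target=ICS-CELL3 action=deny
2019-02-11T10:02:55Z nac device=ENG-02 owner=asmith home=ICS target=IT-CORP action=deny
2019-02-11T11:45:13Z nac device=LT-0098 owner=bkhan home=IT target=IT-CORP action=permit
2019-02-12T08:01:09Z nac device=LT-1203 owner=jdoe home=IT target=ICS-CELL1 action=deny
malformed line that the parser must skip
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"device", "owner", "home", "target", "action"}


def zone_of(network_name: str) -> str:
    """Map a network name to its zone, 'ICS' or 'IT' (constructed naming convention)."""
    return "ICS" if network_name.startswith("ICS-") else "IT"


def parse_event(line: str):
    """Return a dict for a well-formed NAC event, or None for anything else."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or parts[1] != "nac":
        return None
    fields = dict(KV.findall(parts[2]))
    if not REQUIRED.issubset(fields):
        return None
    fields["time"] = parts[0]
    return fields


def near_misses(log_text: str):
    """A near miss is a denied connection that crossed the IT/ICS boundary: the
    device's home zone differs from the zone of the network it tried to join."""
    reports = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "deny":
            continue
        target_zone = zone_of(ev["target"])
        if target_zone == ev["home"]:
            continue  # denied for some other reason; not a boundary crossing
        reports.append({
            "time": ev["time"],
            "owner": ev["owner"],
            "device": ev["device"],
            "kind": f"{ev['home']}->{target_zone}",
        })
    return reports


def training_priorities(reports):
    """Aggregate near-miss reports by person and by crossing direction, most frequent first."""
    by_owner = Counter(r["owner"] for r in reports).most_common()
    by_kind = Counter(r["kind"] for r in reports).most_common()
    return by_owner, by_kind


if __name__ == "__main__":
    owners, kinds = training_priorities(near_misses(NAC_LOG))
    print("by person:", owners)
    print("by direction:", kinds)
```

The permitted IT-to-IT connection and the malformed line produce no record; the SOC follow-up conversation with each person is still the human part of the program, and the aggregated counts only tell it whom to talk to first.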

Certain information flows into ICS networks are unavoidable however – new software versions, anti-virus signature updates, new computers to replace aging ones, and so on. SEC-OT sites accommodate these needs mostly through a combination of fully patched anti-malware scanning kiosks and heavily-instrumented ICS test beds. The kiosks scan incoming media with typically 4-8 anti-malware engines, sometimes augmented with cloud-based sandboxing systems. Approved files are copied to fresh ICS media and carried to a file server on the ICS test bed. Here the files are deployed and tested for threats to safe, reliable and secure operations, before being deployed on live control networks.
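The kiosk-to-test-bed chain has two decisions worth making explicit in code: what the kiosk counts as "approved", and how the test bed confirms that what arrived on the fresh media is exactly what the kiosk approved. The following is an added example, not code from the article or from any kiosk product; the minimum-engine threshold, the engine names, the verdicts and the file contents are constructed, and the manifest format is an assumption.

```python
"""Kiosk approval and test-bed verification chain for files entering an ICS
network. Added example; the engine verdicts and file contents are constructed,
and the policy threshold is an assumption (the article says kiosks typically
run 4-8 engines)."""
import hashlib

MIN_ENGINES = 4   # assumed: engines that must have actually scanned each file


def approve(verdicts: dict) -> bool:
    """Approve only if at least MIN_ENGINES engines scanned the file and none
    flagged it. `verdicts` maps engine name -> "clean" | "malicious" | "error";
    an engine that errored has not scanned the file and does not count."""
    scanned = [v for v in verdicts.values() if v in ("clean", "malicious")]
    return len(scanned) >= MIN_ENGINES and all(v == "clean" for v in scanned)


def build_manifest(files: dict, verdicts_by_file: dict) -> dict:
    """Kiosk side: {name: sha256} for approved files only. The manifest travels
    with the fresh media so the test bed can check what it received."""
    manifest = {}
    for name, data in files.items():
        if approve(verdicts_by_file.get(name, {})):
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


def verify_media(media_files: dict, manifest: dict):
    """Test-bed side: every file on the media must be in the manifest with a
    matching hash, and nothing in the manifest may be missing.
    Returns (ok, problems)."""
    problems = []
    for name, data in media_files.items():
        expected = manifest.get(name)
        if expected is None:
            problems.append(f"{name}: not in manifest")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"{name}: hash mismatch")
    for name in sorted(set(manifest) - set(media_files)):
        problems.append(f"{name}: missing from media")
    return (not problems, problems)


# Constructed incoming files and per-engine verdicts (engA..engE are placeholders).
INCOMING = {
    "hmi_patch_v3.msi": b"constructed installer bytes",
    "av_sigs_0211.dat": b"constructed signature bytes",
    "tool.exe": b"constructed executable bytes",
}
VERDICTS = {
    "hmi_patch_v3.msi": {"engA": "clean", "engB": "clean", "engC": "clean",
                         "engD": "clean", "engE": "clean"},
    "av_sigs_0211.dat": {"engA": "clean", "engB": "clean", "engC": "error"},  # too few scans
    "tool.exe": {"engA": "clean", "engB": "malicious", "engC": "clean", "engD": "clean"},
}

if __name__ == "__main__":
    manifest = build_manifest(INCOMING, VERDICTS)
    print("approved:", list(manifest))
    print(verify_media({"hmi_patch_v3.msi": INCOMING["hmi_patch_v3.msi"]}, manifest))
```

Treating an engine error as "not scanned" rather than "clean" is the conservative choice: a kiosk whose engines are failing should approve less, not more. The manifest check is what lets the test bed notice a file that was altered or added between the kiosk and the test-bed file server.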

Insiders at the site are a different offline problem. Secure industrial sites generally don't ask "how can I convince my people to stop using USB drives?" That problem was addressed through the combination of SEC-OT physical, software, near-miss and test bed procedures above. Secure sites ask, "how can I prevent a trusted insider from mis-controlling the physical process?" There are no silver bullets here, but no mysteries either.

Industrial sites have been dealing with this problem since before computerization. SEC-OT draws on long-standing personnel security best practices including regular personnel background checks and risk assessments, as well as deterrence in the form of detailed auditing, video surveillance and other surveillance, as much as is practical and permitted by local privacy laws.

Online / remote access attacks

Online information/attack flows include network connections, firewalls, serial connections, and wireless connections. This is where SEC-OT differs most sharply from less-fit-for-OT practices. SEC-OT requires hardware-based or physical controls over online connections to external networks such as IT networks and the Internet, and forbids software-only mechanisms to control such flows. Encryption, whether hardware or software-based, firewalls and two-factor authentication are specifically called out as inadequate to the task of protecting control systems from external, online attacks.

To enable safe IT/OT and OT/cloud integration, secure ICS sites use hardware-enforced unidirectional gateways for connections from ICS networks to external networks. For readers not familiar with unidirectional gateway technology, the U.S. National Institute of Standards and Technology (NIST) defines such gateways as:

Unidirectional gateway – A combination of hardware and software. The hardware is physically able to send information in only one direction … [and] the software replicates databases and emulates protocol servers and devices. – U.S. NIST 800-82 Rev 2

Security practitioners not yet familiar with unidirectional gateway technology may find the technology and its applications counter-intuitive. To address this gap, the new book documents 18 network reference architectures using unidirectional gateways:

SEC-OT reference architectures

  • Database Access
  • System Access
  • Cloud Connections & IIoT
  • Electronic Mail & Web Browsing
  • Remote Diagnostics & Maintenance
  • Continuous Remote Control & Central Engineering
  • Emergency Maintenance
  • Safety Systems
  • Partial Replication & Trade Secrets
  • Batch Instruction & AV Updates
  • Central & Cloud SOCs
  • Protective Relays
  • Network Intrusion Detection
  • Continuous High-Level Control
  • Web Servers
  • SCADA WAN
  • Ad-hoc File Transfer
  • Replicas DMZ

Database access

For example, many ICS networks consolidate data for IT/OT sharing in a historian or SQL database hosted in a DMZ network between the IT and ICS networks. The "database access" reference architecture explains how a replica database is established on the enterprise IT network and a unidirectional gateway replicates the industrial database to the enterprise network in real time. Enterprise users and applications access the IT replica database normally.


Remote support

Another example is remote support. Since unidirectional gateways replicate systems one way, from ICS to IT networks, many practitioners assume that remote support is impossible. In fact, there are several reference architectures for secure remote support, the simplest of which is "Remote Diagnostics and Maintenance", which uses Remote Screen View (RSV). RSV replicates workstation screens from the ICS network to an external network across a unidirectional gateway.

This means remote experts can see the actual screen used by the on-site personnel, and see the mouse moving and other actions in real time. These experts can then advise site personnel over the phone, providing real-time advice as to how to investigate and remediate complex problems. RSV delivers an experience resembling a physically-enforced "read only" remote desktop, allowing remote personnel to see, advise and assist, but prevents anyone from controlling the ICS network. Other remote support architectures meet other, specific remote access needs.
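The database access architecture and RSV are the same replication pattern applied to two kinds of data: gateway software on the ICS side reads a source (historian rows, or screen captures) and emits records, and gateway software on the IT side applies them to a replica that enterprise users query. The following is an added example that models that pattern, not Waterfall's or any product's code. The one-way channel is modelled in software here so the data flow can be traced in a test; a real unidirectional gateway enforces the direction in hardware, which is precisely what the article says software cannot substitute for. Class names, the message format and the sample historian tags are constructed.

```python
"""Software model of the unidirectional replication pattern behind the
'Database Access' and 'Remote Diagnostics and Maintenance' (RSV) reference
architectures. Added example; the channel here only illustrates the flow, it is
not a substitute for hardware-enforced unidirectionality."""
from collections import deque


class OneWayChannel:
    """tx() yields an object that can only send, rx() an object that can only
    receive. There is no API through which the receiving side can put anything
    on the channel, mirroring the absence of a physical return path."""

    def __init__(self):
        self._queue = deque()

    def tx(self):
        queue = self._queue

        class Sender:
            def send(self, message):
                queue.append(message)

        return Sender()

    def rx(self):
        queue = self._queue

        class Receiver:
            def recv(self):
                return queue.popleft() if queue else None

        return Receiver()


# ---- ICS side: the only side that can originate messages ----

class Historian:
    def __init__(self):
        self.rows = {}

    def write(self, tag, value):
        self.rows[tag] = value


class TxAgent:
    """Gateway TX software: reads ICS sources and emits replication messages."""

    def __init__(self, sender, historian):
        self.sender = sender
        self.historian = historian

    def replicate_rows(self):
        for tag, value in self.historian.rows.items():
            self.sender.send(("row", tag, value))

    def publish_screen(self, workstation, frame):
        # RSV: a screen capture is just another replicated record.
        self.sender.send(("frame", workstation, frame))


# ---- IT side: holds replicas, answers enterprise queries, cannot send ----

class RxAgent:
    """Gateway RX software: applies messages to the replica database and the
    screen viewer. Unknown message kinds are dropped and counted."""

    def __init__(self, receiver):
        self.receiver = receiver
        self.replica_rows = {}
        self.screens = {}
        self.dropped = 0

    def sync(self):
        applied = 0
        while (message := self.receiver.recv()) is not None:
            kind, key, payload = message
            if kind == "row":
                self.replica_rows[key] = payload
            elif kind == "frame":
                self.screens[key] = payload
            else:
                self.dropped += 1
                continue
            applied += 1
        return applied

    def query(self, tag):
        """What enterprise users and applications call; it never touches the ICS side."""
        return self.replica_rows.get(tag)


def demo():
    channel = OneWayChannel()
    historian = Historian()
    historian.write("boiler1.pressure", 12.4)     # constructed tag values
    historian.write("boiler1.temp", 301.0)
    tx = TxAgent(channel.tx(), historian)
    rx = RxAgent(channel.rx())
    tx.replicate_rows()
    tx.publish_screen("HMI-03", b"<constructed screen capture bytes>")
    applied = rx.sync()
    return rx, applied


if __name__ == "__main__":
    rx, applied = demo()
    print(applied, rx.query("boiler1.pressure"), list(rx.screens))
```

The point the model makes is structural: `RxAgent` holds only a `Receiver`, which has no `send`, so an enterprise query or a compromised replica host has no code path back to the historian. In a real deployment that absence is a property of the hardware, not of the object model.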

Universal central security monitoring

In addition to physical and hardware-based protections, SEC-OT advocates using a wide variety of secondary software protections, the most important of which is universal central security monitoring. Such monitoring usually consists of a central or cloud SIEM, ICS network intrusion detection system (NIDS) sensors and other ICS network-based and host-based sensors. Such security monitoring is vital to any corporate security program, essential to incident response and recovery efforts, and is the basis of the near-miss program, which in turn is essential to offline/physical information flow/attack vector protections.

While security monitoring is a detective measure rather than a preventive one, when such monitoring is coupled with skilled, practiced and responsive incident response teams, the combination can often reduce or prevent the physical consequences of attacks. More fundamentally though, we can optimize only what we can measure. Measuring and improving security over time is important at industrial sites, and security monitoring is an essential tool for such improvement.

Security monitoring is enabled in the SEC-OT methodology by the "Central and Cloud SOCs" and "Network Intrusion Detection" reference architectures. The former sends information to central SOCs through unidirectional gateways, so that no compromise of SOC equipment or any part of the non-OT infrastructure can pose a threat to industrial operations. The latter sends network traffic captures from the ICS network to NIDS sensors through unidirectional gateways. This allows us to deploy the sensors on the IT side of the gateways, where the sensors are easily managed, while the sensors receive ICS traffic captures with no risk of any attack being sent back into the monitored ICS network.
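A sensor deployed as the "Network Intrusion Detection" architecture describes sees the ICS traffic captures that arrive across the gateway, and all it can do with them is raise alerts toward the SIEM. The following is an added example of the kind of baseline-driven detection such a sensor runs, not code from the article or from any NIDS product. The one-line-per-packet capture summaries, the IP addresses and the site baseline are constructed; the Modbus function codes are the standard ones (3 = read holding registers; 5, 6, 15, 16 = writes).

```python
"""Baseline-driven detection over ICS traffic capture summaries, as a NIDS
sensor on the IT side of a unidirectional gateway would run it. Added example;
capture lines, addresses and the baseline are constructed."""
from collections import Counter

# Constructed per-packet summaries, as a capture forwarder might emit them.
CAPTURES = [
    "2019-02-12T14:00:01Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=3",
    "2019-02-12T14:00:02Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=16",
    "2019-02-12T14:00:05Z src=10.1.1.33 dst=10.1.2.20 proto=modbus fc=3",
    "2019-02-12T14:00:06Z src=10.1.1.33 dst=10.1.2.20 proto=modbus fc=6",
    "2019-02-12T14:00:09Z src=10.1.1.77 dst=10.1.2.21 proto=modbus fc=3",
]

# Constructed site baseline: which hosts exist, and which are allowed to write.
BASELINE = {
    "known_hosts": {"10.1.1.10", "10.1.1.33", "10.1.2.20", "10.1.2.21"},
    "writers": {"10.1.1.10"},          # the engineering workstation
}

WRITE_FCS = {5, 6, 15, 16}            # Modbus write function codes


def parse_capture(line: str) -> dict:
    """Parse 'time key=value ...' into a dict; fc becomes an int, -1 if absent."""
    parts = line.split()
    rec = {"time": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["fc"] = int(rec.get("fc", -1))
    return rec


def detect(lines, baseline):
    """Return alerts for hosts outside the baseline and for Modbus writes from
    hosts not authorized to write. Alerts are what goes to the SIEM; nothing is
    ever sent toward the monitored network."""
    alerts = []
    for line in lines:
        r = parse_capture(line)
        for host in (r["src"], r["dst"]):
            if host not in baseline["known_hosts"]:
                alerts.append({"rule": "unknown_host", "time": r["time"],
                               "src": r["src"], "dst": r["dst"], "host": host})
        if (r.get("proto") == "modbus" and r["fc"] in WRITE_FCS
                and r["src"] not in baseline["writers"]):
            alerts.append({"rule": "unauthorized_write", "time": r["time"],
                           "src": r["src"], "dst": r["dst"], "fc": r["fc"]})
    return alerts


def summarize(alerts):
    """Alert counts by rule, the figure a SOC tracks over time to measure improvement."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(CAPTURES, BASELINE)
    for a in found:
        print(a)
    print(summarize(found))
```

The authorized workstation's write passes, the write from a host that only ever read before is flagged, and a host absent from the baseline is flagged regardless of what it does. Because the sensor sits on the IT side of the gateway, a false positive costs an analyst's time and nothing else; a compromised sensor has no path into the control network.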


Global trends work against the cause of ICS security:

  • Computers continue to become smaller, more powerful and more ubiquitous, and where there are computers, there is vulnerable software.
  • Networking continues to become faster, simpler and ever more ubiquitous, and as information flows increase, attack opportunities increase.
  • Cyber attacks take advantage of these opportunities and continue to increase in number, consequence and sophistication.

On the surface, this looks bad for our heroes. These global trends, though, are precisely what motivated the pioneers of SEC-OT principles and practices at secure ICS sites. Again:

1. All information flows are attack vectors, so inventory these flows / vectors and control them.

2. All software is vulnerable, so control attack vectors using physical and hardware mechanisms rather than software.

Neither of these principles needs to change as global trends continue, inexorably.

What does need to change is the current sole dependence of many industrial sites on software protections. As the sophistication of our attackers increases, so must the sophistication of our defenses. Given these global trends, it is inevitable that more and more industrial sites will choose a robust security posture and adopt SEC-OT principles.

Free stuff

For a limited time, Waterfall Security Solutions is accepting requests from Help Net Security readers for complimentary copies of Andrew's new Secure Operations Technology book. Register here to request your copy, to be shipped after the 2019 launch.