Defense in Depth: OT and IT Network Security
Author’s Note: Our Defense In Depth series will demonstrate how, over the past several years, Corso Systems has helped companies implement security. The series includes relatively easy best practices like securing your systems with user accounts and segmenting your networks with firewalls so that only the traffic that actually needs to move between each part of your operation can. We will also discuss more complex technologies such as threat detection and backups/disaster recovery, so you can get back up and running even in the worst-case scenarios.
Most manufacturing and critical infrastructure systems (utilities, wastewater treatment, communications, dams, and many more) use Ethernet networks to connect the various PLCs, computers and devices they use to operate.
Because these networks connect a lot of important devices and are generally easy to reach over the internet, they are a prime target for hackers and other bad actors.
There have been nation-state level attacks like Stuxnet, where the goal is to completely disrupt operations while avoiding detection. Causing chaos by attacking critical infrastructure is certainly one goal, while attacks on the manufacturing side are focused much more on ransomware. Our goal is to help you understand how to better protect against these threats by treating your own systems as critical assets, how to apply security and monitoring best practices to make your systems safer, and to help you implement everything you need to mitigate as much risk as possible.
This post focuses on Network Security and remote system access.
Network Security
Properly securing your networked assets is one of the most important steps you can take to reduce your exposure to cybersecurity threats. As we discussed in our Defense In Depth: PLC Security post, there are far too many PLCs and OT devices connected directly to the internet, as a search on Shodan will show. That insecure approach leaves you extremely vulnerable, and if your OT network security is weak as well, it exposes you to the risk of catastrophic attacks.
Network Segmentation and Firewalls
One of the first things to consider when thinking about network security is segmenting your networks. This excellent graphic from the Cybersecurity & Infrastructure Security Agency (CISA) shows the most basic approach to network segmentation:
On the left is an unsegmented network and on the right a segmented one. There are many more options beyond what is shown here as you go further down the network security rabbit hole. This approach puts one firewall between the IT infrastructure that handles typical business functions like email and your overall business systems network, and another firewall between that business network and your OT network.
Using firewalls in this manner lets you close down any ports you are not using to move data between the various network layers, implement network traffic monitoring tools, and even lock down access to each level of the network to specific users and devices. This means that if someone from Corso Systems shows up at your facility to work on a project, we could plug our computer into the network and have access to nothing until IT grants our computers and users access. When we are done with the project, our access can be easily disabled and you will be fully secure.
You can even manage access per type of network hardware, so that you must be plugged in with an Ethernet cable to reach the OT network instead of using WiFi, or vice versa. There are also devices called data diodes you can use to further lock down and segment your network when you want data to flow in only one direction, from the OT layer up to an IT layer.
Locking down ports also massively reduces your attack exposure, because an attacker can no longer use an open but unused port to reach the devices on the network you want locked down.
A properly segmented network can also help protect you from Denial of Service attacks, where someone completely overwhelms your network with malicious traffic and prevents the devices on your network from communicating with one another at all.
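To make the "close down every port you are not using" idea concrete, here is an added example (not code from Corso Systems or CISA) that models the boundary firewall between the three zones in the CISA picture as a default-deny allowlist and runs a handful of connection attempts through it. The zone subnets, host addresses and the three permitted paths are constructed for the illustration; the ports are the standard ones for EtherNet/IP (44818), Modbus/TCP (502) and PostgreSQL (5432). Run against real flow logs from a flat network, the `audit` function lists exactly the conversations that segmentation would have stopped.

```python
"""Default-deny zone policy for an IT / business / OT boundary.

Added example, not Corso Systems or CISA code. All zones, addresses and
rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout: one subnet per zone in the CISA diagram.
ZONES = {
    "it":       ip_network("10.10.0.0/16"),
    "business": ip_network("10.20.0.0/16"),
    "ot":       ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str      # CIDR of permitted sources inside src_zone
    dst: str      # CIDR of permitted destinations inside dst_zone
    proto: str
    dport: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Only these new connections may cross a zone boundary; everything else is dropped.
RULES = [
    # One engineering workstation may talk to the line-1 PLCs (EtherNet/IP).
    Rule("eng-ws-to-plc", "business", "ot", "10.20.5.10/32", "10.30.1.0/24", "tcp", 44818),
    # The OT historian pushes upward; nothing in business initiates toward it.
    Rule("historian-push", "ot", "business", "10.30.2.20/32", "10.20.8.5/32", "tcp", 5432),
    # Business users reach the reporting server in IT over HTTPS.
    Rule("reporting", "business", "it", "10.20.0.0/16", "10.10.9.40/32", "tcp", 443),
]


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone an address belongs to, or None if it is not ours."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow, rules=RULES):
    """Return (verdict, rule_name): 'allow' with the matching rule, 'deny' with
    the reason, or 'intra-zone' for traffic that never crosses the firewall."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown-address")
    if src_zone == dst_zone:
        return ("intra-zone", None)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto == flow.proto and r.dport == flow.dport
                and ip_address(flow.src_ip) in ip_network(r.src)
                and ip_address(flow.dst_ip) in ip_network(r.dst)):
            return ("allow", r.name)
    return ("deny", "default")   # default deny: no rule matched


def audit(flows, rules=RULES):
    """Flows the policy would block. Fed with a flow log from an unsegmented
    network, this is the list of conversations segmentation would have stopped."""
    return [(f, evaluate(f, rules)[1]) for f in flows if evaluate(f, rules)[0] == "deny"]


# Constructed sample connection attempts.
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "10.30.1.7", "tcp", 44818),   # engineering workstation -> PLC
    Flow("10.20.5.11", "10.30.1.7", "tcp", 44818),   # some other business host -> PLC
    Flow("10.10.3.3", "10.30.1.7", "tcp", 502),      # IT host -> PLC over Modbus
    Flow("10.30.2.20", "10.20.8.5", "tcp", 5432),    # historian push, OT -> business
    Flow("10.20.8.5", "10.30.2.20", "tcp", 5432),    # same pair, wrong direction
    Flow("10.30.1.7", "10.30.1.8", "tcp", 44818),    # PLC to PLC, never leaves OT
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(flow))
```

The direction check is the part worth noticing: the historian rule allows OT to open a connection toward the business network, and the reverse attempt on the same addresses and port falls through to the default deny. That is the one-way behaviour the post describes, enforced in policy; a data diode enforces it physically.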
VPNs and Remote Access
Another benefit of using firewalls is the ability to take advantage of VPN connectivity and enable secure remote access to your networks. Not only does this make remote support easy, something we rely on heavily for our 24/7 support contracts, it gives you another layer of security when you are working with multiple vendors and want to disable their access once a project is completed.
VPN access can also be set up on a per-user basis, something we highly recommend. This means that instead of setting up a single CorsoSystems user, you would set up access for each of our employees who needs to reach your system. You can then more easily track and manage who is accessing your system remotely.
VPNs and remote access to any of your OT infrastructure, like PLCs, databases and SCADA systems, can be set up so that people who need remote access can connect only to what they are working on.
There are a lot of considerations to take into account when selecting firewalls and remote access technology. There is an excellent post from one of our partners, Traceroute, LLC that covers a lot of the questions we typically ask when helping customers choose the right options for their business.
Network Monitoring
One of the benefits of OT technology is that the overall network traffic is extremely predictable. This makes network monitoring tools like Dragos extremely useful for anomaly reporting. If you start to see spikes in network traffic outside of the norm, you can get alerts, lock things down, and figure out what is going on.
Network monitoring tools will also tell you when new devices are connected to the network, so you can track them down if anything is out of the ordinary. Popular ones include tools like ServiceNow and SolarWinds.
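The predictability the post relies on is easy to turn into a first-pass alert. The following is an added example, not code from Corso Systems or Dragos: it learns a per-device baseline from a short history of bytes-per-interval, then flags any interval that lands more than three standard deviations away from it. The device names and the byte counts are constructed; in practice the counts would come from the switch's flow export or a network sensor.

```python
"""Baseline-and-band anomaly check for predictable OT traffic.

Added example, not Corso Systems or Dragos code. The per-interval byte
counts below are constructed.
"""
from statistics import mean, pstdev

# Constructed history: bytes sent per 5-minute interval over the last two
# hours of steady polling. Real OT traffic barely moves interval to interval.
HISTORY = {
    "plc-line1": [120_400, 121_100, 119_800, 120_900, 120_200, 121_400,
                  119_900, 120_600, 120_100, 121_000, 120_300, 120_700,
                  119_700, 120_800, 120_500, 121_200, 120_000, 120_400,
                  120_900, 119_800, 120_600, 121_100, 120_200, 120_700],
    "hmi-line1": [45_000, 46_200, 44_800, 45_500, 45_100, 46_000,
                  44_900, 45_300, 45_700, 45_200, 46_100, 44_700,
                  45_400, 45_800, 45_000, 46_300, 44_600, 45_600,
                  45_100, 45_900, 45_300, 44_800, 46_000, 45_500],
}


def baseline(samples, floor_ratio=0.02):
    """Mean and standard deviation of a device's normal traffic. The floor (a
    few percent of the mean) keeps a nearly constant series from producing a
    zero-width band that would alert on every tiny wobble."""
    m = mean(samples)
    sd = max(pstdev(samples), floor_ratio * m)
    return m, sd


def classify(samples, observed, k=3.0):
    """'high' or 'low' when the observation is more than k standard deviations
    from the mean, otherwise 'normal'. A drop matters as much as a spike: a
    polling partner that goes quiet can mean a failed device or a blocked path."""
    m, sd = baseline(samples)
    if observed > m + k * sd:
        return "high"
    if observed < m - k * sd:
        return "low"
    return "normal"


def check_interval(history, current, k=3.0):
    """Alert tuples (device, status, observed, baseline_mean) for every device
    whose latest interval is outside its band or that has no history at all."""
    alerts = []
    for device, observed in current.items():
        samples = history.get(device)
        if samples is None:
            # Traffic from something we have never seen: worth a look on its own.
            alerts.append((device, "no-baseline", observed, None))
            continue
        status = classify(samples, observed, k)
        if status != "normal":
            alerts.append((device, status, observed, round(mean(samples))))
    return alerts


# Constructed latest interval: the PLC is suddenly sending three times its
# usual volume, the HMI is normal, and an address with no history shows up.
CURRENT = {"plc-line1": 362_000, "hmi-line1": 45_400, "10.30.1.99": 8_100}

if __name__ == "__main__":
    for alert in check_interval(HISTORY, CURRENT):
        print(alert)
```

A fixed band around a mean is deliberately simple; it catches the "spike outside the norm" case the post describes and the opposite "went silent" case, but it will also fire during planned work such as a firmware download, so alerts of this kind are a prompt to look, not a reason to block on their own.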
There are a number of smart network switches on the market with this technology built-in along with firewall and VPN capabilities so you can really get a lot of bang for your buck when upgrading your network infrastructure.
For PLC specific network and change monitoring you can take advantage of tools like AssetCentre from Rockwell, or VersionDog to automatically monitor your PLCs.
All of the nuances and details of network monitoring could take up an entire series of posts, so we recommend reaching out if you have any questions and we can help get them answered and figure out a solution to meet your needs.
Network Infrastructure
On top of network segmentation and VPNs/remote access considerations it is important to take a look at your overall network infrastructure when taking a more cybersecurity aware approach.
As we discussed in our Defense In Depth: PLC Security post, one thing to consider is using managed switches in your OT network. Most panels we see in the field have an unmanaged switch, usually with extra open ports to allow future expansion. The problem with unmanaged switches from a cybersecurity perspective is that they have no way to restrict traffic. If a port on an unmanaged switch has nothing plugged into it, anyone can plug in a computer, find the IP addresses of every device connected to that switch or network with a tool like Angry IP Scanner, and get into any of the devices they can see.
Using managed switches instead lets you disable specific ports so they carry no traffic at all, preventing anyone from getting access by plugging something in.
You can also look into using data diodes to restrict the flow of traffic to one direction where you need to get data out of OT systems and into IT systems.
Asset Management
One of the potentially easy things you can do from a cybersecurity perspective is Asset Management. In short this means documenting all of the various devices and systems that make up your overall network. This includes hardware like PLCs, Computers, Servers, mobile devices, networking hardware and software like databases, digital documents, usernames/passwords, SCADA systems and all of the various integrations tying everything together.
Asset discovery tools like ServiceNow and SolarWinds can be used to automatically detect and classify equipment and services on your network. You will also want to make note of the various hardware and firmware versions, so you can keep track of updates that may improve your cybersecurity risk profile by bringing devices up to the latest versions.
Asset Management then ties back into network monitoring and network segmentation by defining who should have access to what and implementing access management through a security controls process.
Knowing what should be on your network also helps you better understand when new devices are added to the network especially if they shouldn’t be there in the first place. You can also track your overall inventory, for example managing laptops provided to vendors should they go missing after a project is completed.
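An inventory only earns its keep when it is compared against what discovery actually finds. The following added example (not Corso Systems, ServiceNow or SolarWinds code) does that reconciliation for the three questions raised in this section and in the network monitoring section above: what is on the network that should not be, what should be there but is not answering, and which known devices no longer match their recorded firmware. The asset records, MAC addresses and scan results are all constructed.

```python
"""Reconcile a documented asset inventory against a discovery scan.

Added example, not Corso Systems, ServiceNow or SolarWinds code. The
inventory and the scan results are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    ip: str
    mac: str
    kind: str        # plc, hmi, server, switch, ...
    firmware: str    # version recorded when the device was last checked
    owner: str       # group that approves access to this device


# Constructed "should be there" list: the documented inventory.
INVENTORY = [
    Asset("plc-line1", "10.30.1.7", "00:1d:9c:aa:bb:01", "plc", "33.011", "controls"),
    Asset("plc-line2", "10.30.1.8", "00:1d:9c:aa:bb:02", "plc", "32.013", "controls"),
    Asset("hmi-line1", "10.30.1.20", "00:50:56:cc:dd:10", "hmi", "11.0", "controls"),
    Asset("sw-ot-1", "10.30.0.2", "00:1b:54:ee:ff:01", "switch", "15.2", "it-network"),
]

# Constructed discovery results: (ip, mac, firmware as reported, or None).
DISCOVERED = [
    ("10.30.1.7", "00:1d:9c:aa:bb:01", "33.011"),
    ("10.30.1.8", "00:1d:9c:aa:bb:02", "33.011"),   # firmware differs from the record
    ("10.30.1.20", "00:50:56:cc:dd:10", "11.0"),
    ("10.30.1.99", "b8:27:eb:12:34:56", None),      # not in the inventory at all
    # sw-ot-1 did not answer the scan: a missing device
]


def reconcile(inventory, discovered):
    """Compare inventory to scan results. Devices are matched on MAC address;
    an IP that moved is reported separately rather than treated as new."""
    by_mac = {a.mac: a for a in inventory}
    seen = set()
    report = {"unknown": [], "missing": [], "firmware_drift": [], "ip_changed": []}
    for ip, mac, fw in discovered:
        asset = by_mac.get(mac)
        if asset is None:
            report["unknown"].append((ip, mac))       # on the network, not in the books
            continue
        seen.add(mac)
        if asset.ip != ip:
            report["ip_changed"].append((asset.hostname, asset.ip, ip))
        if fw is not None and fw != asset.firmware:
            report["firmware_drift"].append((asset.hostname, asset.firmware, fw))
    for asset in inventory:
        if asset.mac not in seen:
            report["missing"].append(asset.hostname)  # in the books, not answering
    return report


def owners_to_notify(inventory, report):
    """Owner groups responsible for every device that drifted or went missing."""
    by_host = {a.hostname: a.owner for a in inventory}
    hosts = set(report["missing"]) | {h for h, _, _ in report["firmware_drift"]}
    return sorted({by_host[h] for h in hosts})


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    for key, rows in result.items():
        print(key, rows)
    print("notify:", owners_to_notify(INVENTORY, result))
```

Matching on MAC address is a convenience for reconciliation, not a security control: a MAC is trivially changed, so the "unknown" list tells you where to go look, and the managed-switch port controls from the Network Infrastructure section are what actually keep an unplanned device from talking.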
Wrapping Up
For some more detail on specific items in this post we recommend checking out Traceroute’s ICS Security post for a quick rundown, and a call with the Corso Systems team to dive into specifics.
For manufacturing and critical infrastructure facilities, network security is a critical piece of the overall cybersecurity puzzle. Locking down your network into well-guarded segments will keep the worst of the attacks at bay by limiting who can access what if they do gain entry into your network. It is also vitally important to be aware of which systems are exposed to the outside world via the internet (hopefully zero!), as those can become easy threat vectors into your systems.
Every so often there will be a story in the news about a remote pump station without good network segmentation where someone was able to get into the company’s banking systems and drain their accounts or hit them with a ransomware attack through a computer accessing the pump station without anyone’s knowledge. This should not be something anyone exposes themselves to by not taking a proactive cybersecurity stance.
A well implemented network will also help streamline data flow between all of the various tools you use to run your business and help you understand when you need to make upgrades to enable future expansion.
Please take this post to heart and make sure you have everything you need in case disaster strikes, wherever it may come from.