Defense in Depth: OT and IT Network Security
Author’s Note: Our Defense In Depth series shows how Corso Systems has helped companies implement security over the past several years. The series covers relatively easy best practices, such as securing your systems with user accounts and segmenting networks with firewalls so that only the traffic each part of your operation actually needs can move between them. We will also discuss more complex technologies such as threat detection, and backups/disaster recovery so you can get back up and running even in the worst-case scenarios.
Most manufacturing and critical infrastructure systems (utilities, wastewater treatment, communications, dams, and many more) use ethernet networks to connect the various PLCs, computers and devices they use to operate.
Because these networks connect a lot of important devices, and are too often reachable from the internet, they are a prime target for hackers and bad actors.
There have been nation-state level attacks like Stuxnet, where the goal was to disrupt operations completely while avoiding detection. Causing chaos by attacking critical infrastructure is certainly one goal, while attacks on the manufacturing side are focused much more on ransomware. Our goals are to help you understand how to better protect against these threats by thinking about your own systems as a critical asset, to show you how to apply security and monitoring best practices to make your systems safer, and to help you implement everything you need to mitigate as much risk as possible.
This post focuses on Network Security and remote system access.
Network Security
Properly securing your networked assets is one of the most important steps you can take to reduce your exposure to cybersecurity threats. As we discussed in our Defense In Depth: PLC Security post, there are far too many PLCs and OT devices connected directly to the internet, as is visible on Shodan. This insecure approach leaves you extremely vulnerable to attack, and if your OT network security is weak, it exposes you to the risk of catastrophic attacks.
Network Segmentation and Firewalls
One of the first things to consider when thinking about network security is segmenting your networks. This excellent graphic from the Cybersecurity & Infrastructure Security Agency (CISA) shows the most basic approach to network segmentation:
In the above diagram there is an unsegmented network on the left and a segmented network on the right. Note that there are many more options beyond these two once you go down the network security rabbit hole. The diagram illustrates adding a firewall between your IT infrastructure (which manages typical business functions like email) and your overall business systems network, and another firewall between your business systems and your OT network.
Using firewalls in this manner lets you close any ports not used for moving data between the various network layers, implement network traffic monitoring tools, and even lock down access to each level of the network to specific users and devices. For example if an engineer from Corso Systems shows up at your facility to work on a project, we could plug our computer into the network, but won’t have access to anything until IT gives our computers and users access. After we’ve completed the project, IT can disable our access and you will be fully secure.
You can even manage access on different network hardware, and require users to plug in with an ethernet cable to access the OT network instead of using WiFi, or vice versa. Tools called Data Diodes can further lock down and segment your network when you want to send data only in one direction from the OT layer up to an IT layer.
Locking down ports also massively reduces your attack exposure: to reach devices on the network an attacker would need to find an open but unused port, and you have already closed every unused port.
A properly segmented network can also help protect you from Denial of Service attacks, in which an attacker attempts to overwhelm your network with malicious traffic so that the devices on it can no longer communicate with one another at all.
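As an added illustration of the segmented layout described above (example code, not Corso Systems' or CISA's), the following models three zones with a default-deny firewall between neighbouring layers and an explicit allowlist of the few flows that must cross; all subnets, hosts and ports are assumptions made up for the example.

```python
# Added example (not Corso Systems' or CISA's code): a model of the segmented
# layout above, IT <-> Business <-> OT, with a default-deny firewall between
# each pair of zones and an explicit allowlist of the only flows that need to
# cross. Subnets, hosts and ports are constructed for the example.
import ipaddress

ZONES = {                        # each zone sits behind its own firewall
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "BUSINESS": ipaddress.ip_network("10.20.0.0/16"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Only neighbouring layers may talk at all; IT never reaches OT directly.
ADJACENT = {frozenset({"IT", "BUSINESS"}), frozenset({"BUSINESS", "OT"})}
# Allowlist keyed by (source zone, destination zone, destination TCP port).
# OT pushes historian data up to Business; one engineering workstation in
# Business may reach the SCADA web HMI. Every other cross-zone port stays shut.
ALLOW = {
    ("OT", "BUSINESS", 1433),    # historian -> business-side SQL replica
    ("BUSINESS", "OT", 8088),    # engineering workstation -> SCADA web HMI
}
# Pin a rule to named source hosts so "Business -> OT" is not a whole subnet.
PINNED_SOURCES = {("BUSINESS", "OT", 8088): {"10.20.5.10"}}

def zone_of(ip):
    """Name of the zone containing ip, or None for anything outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def allowed(src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for a new TCP connection across the firewalls."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "default deny: address outside every zone (e.g. internet)"
    if src == dst:
        return True, "same zone: not filtered by the zone firewall"
    if frozenset({src, dst}) not in ADJACENT:
        return False, f"no direct path {src}->{dst}; layers are not neighbours"
    key = (src, dst, dst_port)
    if key not in ALLOW:
        return False, f"port {dst_port} is not on the {src}->{dst} allowlist"
    pinned = PINNED_SOURCES.get(key)
    if pinned and src_ip not in pinned:
        return False, f"{src_ip} is not an approved source for {key}"
    return True, "explicit allow"
```

Note that direction matters: the historian port is open from OT up to Business, but the same port from Business down to OT is refused because it is not on the allowlist.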
VPNs and Remote Access
Using firewalls also allows you to use VPN connectivity to enable secure remote access to your networks. Not only does this make remote support easy (something we heavily rely on for our 24/7 support contracts), it also provides another layer of security when you work with multiple vendors and want to disable their access once a project is completed.
VPN access can also be set up on a per user basis, something we highly recommend. So, instead of setting up a single CorsoSystems user, you would set up access for each of our engineers that need to access your system. You can then more easily track and manage who is accessing your system remotely.
VPNs and remote access can be configured for any OT infrastructure, such as PLCs, databases, and SCADA systems, so that team members or contractors who need remote access can connect only to what they are working on.
There are a lot of considerations to take into account when selecting firewalls and remote access technology. One of our partners, Traceroute, LLC has an excellent post that covers a lot of the questions we typically ask when helping customers choose the right options for their business.
Network Monitoring
A benefit of OT technology is that its overall network traffic is extremely predictable. This makes network monitoring tools like Dragos extremely useful for anomaly reporting. If you start to see spikes in network traffic outside of the norm, such a tool can send you alerts, lock parts of the network down, and help you figure out what is happening.
Network monitoring tools will also help you know when new devices are connected to the network so you can track them down if anything is out of the ordinary. Popular ones include ServiceNow and SolarWinds.
There are also a number of smart network switches on the market with this technology built in, along with firewall and VPN capabilities, so when upgrading your network infrastructure you can really get a lot of bang for your buck!
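The two checks just described, a traffic spike against a predictable baseline and an unknown device appearing on the OT segment (which the Asset Management section below also relies on), as an added example that is not Corso Systems' code nor that of any product named here; the inventory, baseline, segment prefix and flow log lines are all constructed:

```python
# Added example, not Corso Systems' code nor any product's: the two checks the
# section describes, run over constructed flow records for an OT segment.
# Inventory, baseline and log lines are made up; OT_PREFIX is an assumption.
import statistics

OT_PREFIX = "10.30."          # constructed OT segment
INVENTORY = {                 # constructed asset list (see Asset Management)
    "10.30.1.5": "PLC-Line1", "10.30.1.6": "PLC-Line2", "10.30.1.20": "SCADA-Server",
}
# Constructed bytes-per-5-minutes per source host, sampled from a normal week.
BASELINE = {
    "10.30.1.5": [41000, 39800, 40500, 41200, 40100],
    "10.30.1.6": [38000, 37500, 38900, 38200, 37900],
    "10.30.1.20": [910000, 880000, 905000, 899000, 915000],
}
# Constructed flow log: time,src_ip,dst_ip,dst_port,bytes
FLOW_LOG = """\
2024-05-01T08:00:00,10.30.1.5,10.30.1.20,44818,40200
2024-05-01T08:00:00,10.30.1.6,10.30.1.20,44818,38100
2024-05-01T08:00:00,10.30.1.20,10.20.3.3,1433,902000
2024-05-01T08:05:00,10.30.1.5,10.30.1.20,44818,40900
2024-05-01T08:05:00,10.30.1.6,10.30.1.20,44818,2400000
2024-05-01T08:05:00,10.30.1.77,10.30.1.5,502,1500
"""

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows

def find_unknown_devices(flows, inventory, prefix=OT_PREFIX):
    """Addresses inside the OT segment that are not in the asset inventory."""
    seen = {ip for f in flows for ip in (f["src"], f["dst"]) if ip.startswith(prefix)}
    return sorted(seen - set(inventory))

def find_traffic_spikes(flows, baseline, factor=3.0):
    """Hosts whose bytes in an interval exceed factor x their median baseline.
    Median, not mean, so one odd interval in the baseline cannot hide a spike."""
    alerts = []
    for f in flows:
        hist = baseline.get(f["src"])
        if not hist:          # no baseline: find_unknown_devices reports it
            continue
        limit = factor * statistics.median(hist)
        if f["bytes"] > limit:
            alerts.append((f["ts"], f["src"], f["bytes"], int(limit)))
    return alerts
```

On the constructed log the second PLC's 2.4 MB interval is flagged against a 114 kB limit, and 10.30.1.77 is reported as a device nobody inventoried.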
For PLC specific network and change monitoring you can take advantage of tools like AssetCentre from Rockwell, or VersionDog to automatically monitor your PLCs.
All of the nuances and details of network monitoring could take up an entire series of posts, so we recommend reaching out if you have any questions and we can help get them answered and figure out a solution to meet your needs.
Network Infrastructure
After network segmentation and VPNs/remote access considerations, it’s important to consider your overall network infrastructure when accounting for cybersecurity.
As we discussed in our Defense In Depth: PLC Security post, one thing to consider is using managed switches in your OT network. Most panels we see in the field have an unmanaged switch, usually with extra open ports intended for future expansion. The problem with unmanaged switches from a cybersecurity perspective is that you can’t restrict traffic. If a port on an unmanaged switch doesn’t have anything plugged into it, anyone can plug in a computer, figure out the IP address of all the devices connected to that switch or network using a tool like Angry IP Scanner and get into any of the devices they can see.
By using managed switches, you can lock down specific ports to prevent people from getting access if they plug something into the switch.
You can also consider data diodes to restrict the flow of traffic to one direction, so you can get data out of OT systems and into IT systems.
Asset Management
One of the potentially easy things you can do from a cybersecurity perspective is Asset Management. In short, this means documenting all of the individual devices and systems that make up your overall network. This includes hardware like PLCs, computers, servers, mobile devices and networking hardware; software like databases and SCADA systems; digital documents and usernames/passwords; and all of the integrations between them.
Asset discovery tools like ServiceNow and SolarWinds can automatically detect and classify equipment and services on your network. You will also want to make note of the hardware and firmware versions you are running, so you can keep track of updates that may improve your cybersecurity risk profile by moving you to the latest and greatest versions.
Asset Management then ties back into network monitoring and network segmentation by defining who should have access to what and implementing access management through a security controls process.
Knowing what should be on your network also helps you better understand when new devices are added to the network, especially if they shouldn’t be there in the first place. You can also track your overall inventory such as managing laptops provided to vendors in case they go missing after a project is completed.
Wrapping Up
For more details about specific network security topics, we recommend checking out Traceroute’s ICS Security post for a quick rundown, and contact us to schedule a call with the Corso Systems team to dive into specifics.
Network security is a critical piece of the overall cybersecurity puzzle for manufacturing and critical infrastructure facilities. Locking down your network into well-guarded segments will keep the worst of the attacks at bay by limiting who can access what if they do gain entry into your network. It is also vitally important to know which systems are exposed to the outside world via the internet (hopefully zero!), as those can become easy threat vectors into your systems.
Occasionally there’s a news story about a remote pump station without good network segmentation where someone was able to access it then get into the company’s banking systems and drain their accounts or hit them with a ransomware attack. But, we think these scenarios can be avoided with a proactive cybersecurity stance.
A well implemented network will also help streamline data flow between all the tools you use to run your business and help you understand when you need to make upgrades to enable future expansion.
Please take this post to heart and make sure to have everything you need in case disaster strikes, wherever it may come from.
Need to Secure Your Network & OT Equipment?
Corso Systems Can Help!
Get started today by scheduling a call with Cody Johnson in sales. Or contact us with your project details!