Industrial Cybersecurity
Barriers of OT/ICS Adopting Cloud
02.22.2022
Fully remote work has become the norm during the pandemic. Working from home created a heightened need for cloud solutions in OT/ICS environments. However, this transition to the cloud comes with quite a few barriers regarding cybersecurity.
To better understand how these barriers can be tackled, Belden asked a group of security experts about some of the key obstacles facing OT/ICS cloud adoption. Their responses are provided below.
Tobias Heer | Senior Architect in R&D at Belden
Undeniably, cloud services will play an increasingly important role in future industrial networks. However, securely integrating a cloud service or even multiple cloud services in an OT environment can create various challenges for the network architecture and the security concept. What’s especially tricky is that cloud connectivity often comes bundled with IoT devices and systems allowing it to sneak into production networks.
The deeper the level at which cloud services are integrated (picture Purdue Model levels 0 to 2, meaning the production cells), the more well-established and effective security mechanisms need to be adapted. The zones and conduits concept, which segments an industrial network into fine-grained and largely isolated zones, must especially be adapted to pave the path for field-level devices to talk to a local or global cloud. Hence, firewall policies as well as monitoring policies need to be re-examined or newly established.
Added connectivity to IT networks or even the Internet also mandates up-to-date patch and vulnerability management to compensate for the possibility of attackers and malware propagating into the lower layers of an industrial network. The same is true for intrusion detection systems and SIEM systems. Companies that have already established a proper security posture have an advantage here.
Finally, a well-defined and well-documented process needs to be established to integrate cloud services and IoT devices that require cloud services. Keeping secure and up-to-date information is almost impossible if rogue or badly managed cloud connections emerge in various places across a plant. Without a good overview of permitted and actually used cloud services and the industrial IoT devices that use them, ensuring proper monitoring, vulnerability and patch management as well as incident response is bound to fail. The cloud will be the future for many innovative functions in modern IoT networks. However, it comes at the price of reduced control and segmentation that must be compensated for with other security measures.
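The point above about keeping an overview of permitted versus actually used cloud conduits, and re-examining firewall and monitoring policies once field-level devices talk to a cloud, lends itself to a concrete check. The following is an added example written for this article; it is not code from Belden, Tripwire or any product named on the page. It assumes a cell firewall that exports JSON-lines flow records with the fields `ts`, `src`, `dst`, `dport` and `proto` (names assumed), a register of documented conduits (`APPROVED_CONDUITS`, constructed), and constructed addresses for the cell, the plant and two cloud endpoints. It flags three things the zones-and-conduits model cares about: any inbound connection into the cell from outside the plant, a managed device reaching an endpoint or port outside its documented conduit, and cloud egress from a device with no documented conduit at all (the "rogue cloud connection" case).

```python
"""Allowlist check for cloud conduits leaving a production cell.

Added example for this article, not code from Belden, Tripwire or any
product named on the page. Every address, range, log field name and
conduit below is constructed for illustration.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The cell being watched (Purdue levels 0-2) and the plant-internal ranges.
# Traffic that stays inside the plant is ordinary zones-and-conduits traffic
# and is not judged here; anything leaving the plant counts as cloud egress.
CELL_NET = ip_network("10.20.1.0/24")
PLANT_NETS = [ip_network("10.0.0.0/8")]

# The documented conduits: which device may reach which endpoint, and how.
# A real plant would keep this in its asset / cloud-service register.
APPROVED_CONDUITS = [
    {"device": "10.20.1.15", "dst": "203.0.113.10/32", "dport": 8883,
     "proto": "tcp", "label": "press-01 -> vendor MQTT broker (TLS)"},
    {"device": "10.20.1.20", "dst": "203.0.113.0/24", "dport": 443,
     "proto": "tcp", "label": "vision-cam -> analytics API"},
]

# Constructed cell-firewall flow log (JSON lines). Field names are assumed.
SAMPLE_FLOW_LOG = """\
{"ts": "2022-02-22T08:00:01Z", "src": "10.20.1.15", "dst": "203.0.113.10", "dport": 8883, "proto": "tcp"}
{"ts": "2022-02-22T08:00:05Z", "src": "10.20.1.20", "dst": "203.0.113.55", "dport": 443, "proto": "tcp"}
{"ts": "2022-02-22T08:00:09Z", "src": "10.20.1.20", "dst": "198.51.100.7", "dport": 443, "proto": "tcp"}
{"ts": "2022-02-22T08:00:12Z", "src": "10.20.1.42", "dst": "198.51.100.20", "dport": 443, "proto": "tcp"}
{"ts": "2022-02-22T08:00:15Z", "src": "10.20.1.15", "dst": "10.0.5.9", "dport": 502, "proto": "tcp"}
{"ts": "2022-02-22T08:00:20Z", "src": "203.0.113.10", "dst": "10.20.1.15", "dport": 22, "proto": "tcp"}
{"ts": "2022-02-22T08:00:25Z", "src": "10.20.1.15", "dst": "203.0.113.10", "dport": 443, "proto": "tcp"}
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    flow: dict


def parse_flow_log(text):
    """Parse JSON-lines flow records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_plant_internal(addr):
    return any(addr in net for net in PLANT_NETS)


def matches_conduit(flow, conduit):
    """True when the flow is exactly the documented device/endpoint/port/protocol."""
    return (flow["src"] == conduit["device"]
            and ip_address(flow["dst"]) in ip_network(conduit["dst"])
            and flow["dport"] == conduit["dport"]
            and flow["proto"] == conduit["proto"])


def check_flows(flows, conduits=APPROVED_CONDUITS):
    """Return a Finding for every flow not covered by a documented conduit."""
    managed_devices = {c["device"] for c in conduits}
    findings = []
    for flow in flows:
        src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
        if dst in CELL_NET and not is_plant_internal(src):
            # Nothing from outside the plant may initiate into the cell,
            # whatever the port: cloud conduits are outbound-only.
            findings.append(Finding("high", "inbound connection into cell from outside the plant", flow))
        elif src in CELL_NET and not is_plant_internal(dst):
            if any(matches_conduit(flow, c) for c in conduits):
                continue
            if flow["src"] in managed_devices:
                findings.append(Finding("medium", "managed device reaching an endpoint/port outside its conduit", flow))
            else:
                findings.append(Finding("high", "cloud egress from a device with no documented conduit", flow))
        # Plant-internal traffic (e.g. Modbus to the SCADA server) is out of scope here.
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = check_flows(parse_flow_log(SAMPLE_FLOW_LOG))
    for f in found:
        print(f"[{f.severity.upper():6}] {f.flow['src']} -> {f.flow['dst']}:{f.flow['dport']}  {f.reason}")
    print(summarize(found))
```

On the sample log this reports four flows: the vision camera reaching an analytics host outside its documented range, an unregistered device at 10.20.1.42 talking to the Internet, an SSH connection initiated from the cloud broker into the press (exactly the direction a conduit must never allow), and the press contacting its broker on 443 instead of the documented 8883. The Modbus flow to the SCADA server inside the plant is deliberately ignored; it belongs to the existing zone policy, not to the cloud-conduit register. In practice the conduit list is the artifact that has to be kept current, which is the process the paragraph above is asking for.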
Ben Jackman | Strategic Account Manager at Tripwire
The main barrier I would initially point to is the Purdue Model. In fact, some customers are still adamant that their ICS is “air-gapped,” which we know is a myth in 99.9% of all cases. The Purdue Model puts the ICS/OT environment several layers of firewalls and networks away from the public internet (i.e. cloud services).
The second barrier is the perception of the cloud being insecure or opening your OT/ICS to more security vulnerabilities and increasing your attack surface. Technology such as SDN is enabling more of a converged architecture as an option instead of the Purdue Model.
Argiro Birba | Senior Manager, Cybersecurity Assurance at ADACOM Cybersecurity
The introduction of cloud solutions for OT/ICS environments is considered a revolutionary movement towards their fully remote management. Especially during the pandemic, managing industrial systems on site proved to be a challenge, and a large number of organizations took the step and adopted these solutions so that they would be able to manage their systems from the safety of their homes. The transition to the cloud may seem as if we are about to open a Pandora's box that will provide additional attack surface for malicious users to identify and exploit.
Research published last July by Claroty's Team82 analyzes how unauthorized cloud-based access to management systems can fully compromise the OT/ICS infrastructure. It is quite interesting to note that initial access can now be gained via social engineering techniques, an attack category that is introduced after the deployment of cloud-based services in otherwise air-gapped OT/ICS environments.
Furthermore, a number of CVEs were assigned to vulnerabilities that were discovered in the cloud-based remote management platforms, the most critical being a remote command execution. Many more cases of critical vulnerabilities have been published and will be published in the future, raising questions about the risk to data security and compliance with regulations.
As this phenomenon of interacting with and exploiting new vulnerabilities in OT/ICS environments that are managed through cloud-based services will not end any time soon, proper actions must be taken by both vendors and customers. Vendors are advised to create a patch management program so that patches/fixes are quickly delivered to customers, while customers should revise their security policies and start taking the security of OT/ICS environments into serious consideration (as seriously as functionality and availability are taken).
Patrick C. Miller | CEO and Owner at Ampere Industrial Security
Given that the cyber-physical interface points (endpoint sensing, operational and possibly first line telemetry gear) will need to be on-premise, the immediate cloud options are really for the management systems and aggregated operating environments. Other possibilities include large or long-term data storage and analytics as everyone digitizes more of their environment.
Greater digitization will drive operational benefits and generate additional income from the analytical data products created from an organization's raw data. These platforms can be very expensive to license and maintain. For some of the smaller operations, it may be more cost-effective to buy into a shared or virtualized management platform as a service. For the larger operations, it may be more cost-effective to pay for the possibly endless capacity of resources available in the cloud.
The challenges in choosing cloud solutions are conceptually the same as the on-premise solutions – security and reliability. The difference is that you are no longer in direct control of these risk factors. Assurances can be made through contracts, certifications, standards, audits etc., but they are still essentially out of your direct control.
Furthermore, many of the ICS and OT environments are critical infrastructures. Many of those critical infrastructures are regulated in various ways, possibly at the national, regional, or local level – all around the globe. Many of these regulations are just now catching up with (or haven’t yet caught up to) cloud options for these technologies which may significantly restrict the possibility of using cloud solutions. Some ICS/OT functions in the cloud are an inevitability, but the sensitivity of the systems and data, in addition to the availability (latency included) concerns, wrapped in a complex regulatory maze may mean the progress is slow.
Jason Louviere | Senior Technical Product Manager at Tripwire
The main barrier to adopting the cloud for OT/ICS environments is fear and uncertainty. The fear comes from having some type of consistent connection to the outside world for their industrial environments, even if ports in the firewall are open to outgoing only. I believe this fear can be resolved by introducing tools like Prosoft from Belden, where an encrypted tunnel can be established between the Industrial networks and applications like Tripwire Anywhere.
Regarding uncertainty, this one is harder to overcome and is security related, but not in the way we think. Most medium to large scale industrial facilities, whether agriculture, chemical or manufacturing, typically run 24 hours a day. However, access to these networks and systems is highly restricted. The thought of another company's personnel or system having constant access and communication to these industrial processes, especially remotely, brings in the possibility of the process being inadvertently affected and even shut down by variables they do not control. They can be shut down either by saturating their network bandwidth with scans and data transfer or by accidentally shutting down a system process, possibly costing hundreds of thousands or millions of dollars to restart and account for lost product.
Companies like Belden and Tripwire have the technology to make data transactions secure and can limit the amount of bandwidth and resource impact used in these technical transactions. It's conveying this ability to the customer and providing proof that our product does not pose a risk of affecting their industrial systems while we help protect them. I feel this will be the hardest obstacle to overcome, particularly for small to medium-sized customers.
Markus Bloem | Industrial Sales Engineer at Tripwire
First and foremost, cloud computing has become more attractive to the industrial world. A lot of companies that switch to the cloud have to decide between a one-cloud strategy and a multi-cloud strategy. One cloud means only one vendor, and multi-cloud means multiple vendors; therefore, there is no binding to a single provider (vendor lock-in).
The arguments for companies to use the cloud are to save money, outsource, and have more flexibility in their work. Security is also a driver and hurdle for cloud adoption. Security aspects of the cloud include data and privacy, compliance and data loss, or an attack via cloud vulnerabilities. Most companies fear attacks and widespread forms of economic and industrial espionage.
Companies often lack resources and know-how regarding data protection and compliance guidelines, so they don't want to take risks here. Also, the increasing focus on international standards such as ISO 27001 / IEC 62443 is progressing, meaning that companies must follow a lot of regulations and evaluate their environment.
Tim Erlin | VP of Strategy at Tripwire
There are many types of industrial organizations, and we do a disservice to the industry when we lump them together into one group and try to generalize. If you think about a few examples, such as an electric utility, a manufacturing plant, and a water treatment facility, the differences become apparent rather quickly. There are clear operational differences, but let's try to focus on the question of cloud adoption. Of course, each of these types of organizations has both OT and IT environments, and in most cases, their IT environments are not restricted from cloud adoption.
For electric utilities, the biggest and most impactful restriction comes from the NERC Critical Infrastructure Protection (CIP) standard. Very simply, NERC CIP makes it essentially impossible to adopt cloud services in their OT environments. If you live in the world of NERC CIP, there's a chance that you responded to that last statement with incredulity. Yes, there are cases where it's not literally impossible to adopt cloud services, but the combination of the burden of audit, the lack of existing examples of cloud usage in utility environments, and the lack of cloud services designed for electric utilities combine to make it essentially impossible.
For a manufacturing plant, there are far fewer barriers. Because manufacturing is more often driven by profit and efficiency, cloud-based services have a strong basis from which to argue for adoption. If adopting a cloud service can increase output, minimize downtime, or otherwise positively impact production, then it has a good chance of being adopted. That’s not to say that there aren’t organizational obstacles to overcome, but more that it’s likely they’ll be overcome more easily.
Finally, we all got a closer look at the technology employed at water treatment facilities when there was a scare in Oldsmar, FL, as an attacker almost changed the water treatment settings remotely. In these cases, you have facilities that aren't truly ready for cloud adoption, and frankly, the industry hasn't really provided compelling products. Water and wastewater treatment isn't often first on the list of target customers for technology companies, yet they are certainly part of our critical infrastructure.
These are just three examples from industrial organizations, but there are many more sub-segments that have their own challenges and obstacles to overcome. Cloud adoption is largely inevitable, but it will proceed at varying paces for different industrial organizations.
If you’re interested in learning more about the potential benefits when adopting cloud in the OT/ICS space, click here.