OT security | part 2

In part 1 we discusses the differences between IT and OT, and already mentioned that classic frameworks provide unsufficient protection in an OT environment. An important principle for OT is breaking apart  your network in different layers. This is called ‘network segmentation’. It helps prevent attacks. We will now zoom in on frameworks like the ‘Purdue Model’ and the ‘Defense in Depth’ concept.

In 1990 the Purdue Enterprise Reference Architecture (PERA) model was first introduced by the Purdue University Consortium. This model defines the different layers within an organizational structure, and even more important, clarifies the approaches to correctly segment and secure those layers.

This way you can minimalize the affected components during an attack. Why? It’s very simple: since the components are spread over multiple layers, an attacker can only reach the components in the affected layer, and not those in different layers. That is of course only the case when each layer is sufficiently protected. The way that is done can differ for each layer.

The most important layer within and OT environment is the Demilitarized Zone (DMZ). That’s the place where OT and IT merge together, and as such the place with the highest risk. This layer makes a very attractive target for potential attacks.

Since the convergence between OT and IT is relatively new, a lot of organizations have not yet implemented this layer, or protected it sufficiently. Overall they only use firewalls and proxy solutions to separate the IT and OT systems.

The Defense in Depth concept leans close to network segmentation since it too focuses on protecting systems in different layers. The goal however is to postpone an attack instead of counterattacking. The theory is that when one security layer fails, there are enough other layers in place with each their own protection measures to ward off an attack. So basically you will stack multiple measures to prevent access to the system.

There are 3 types of layers you could use to secure your systems: the physical, the technological and administrative layers. In an OT environment, they could look like this:

• The physical layer: You don’t want any intruders in your network. But sometimes simply being present at the actual physical location of your network could be enough for an intruder to gain access to your network. That’s why you need to make sure it’s impossible for outsiders to enter your physical locations.
• The technological layer: This is about the typical security measures we all know, like firewalls. For OT networks however is it important to implement specific security software designed for OT to professionally ward off attacks without losing access to the information in your systems yourself.
• The administrative layer: In this layer we focus on the administrative side of security, like specific policies employees must adhere to. Another example is labeling and shielding sensitive or confidential data.

Each layer could be protected in different ways. In fact, we even advise to do that!

Let’s look at an example of an email service, located in the technical layer. Imagine a suspicious email trying to gain access to a specific computer. First, this email needs to break through a firewall checking and evaluating the content. When the firewall does not detect any issues, the email goes to the mailing server, which in turn performs another check on the content and sender. If the malicious email is not yet stopped by then, there’s still anti-virus software installed on the target computer to prevent the attack.

As you can see, those different measures make it almost impossible for an attacker to intrude.