How to boost OT-IT security

In IT, applications, databases, networks and systems are used to gather information that helps users make business decisions. OT gathers information for decision-making purposes but also to monitor and change the “state” of an OT device, its outputs or environment.

The convergence of IT and OT is being enabled by the Industrial Internet of Things (IIoT). It enables the supply-chain-wide monitoring of the flow of raw goods, parts and finished products using IoT sensors on a global basis for better management of just-in-time supply chains. And by Internet-enabling factory, construction and mining equipment or even planes, specialist third-party suppliers can monitor performance data to carry out remote diagnostics and predictive maintenance to increase uptime and boost productivity. While introducing efficiencies, OT-IT convergence also introduces risk.

So, what practical steps can you take to identify OT-IT security threats and compliance risks, protect yourself, detect attacks that are already underway, respond to those attacks in an effective way to minimize the damage to your business and anticipate future threats?

1. Identify OT-IT threats

The first step is to prepare your security strategy or carry out tests to check if the measures you’ve already put in place are working. Orange Cyberdefense carries out a wide range of investigations. This includes the use of an OT-IT asset discovery tool to ensure the enterprise has an up-to-date inventory of all Internet-enabled equipment and digital OT infrastructure.

All too often, configuration details of control networks, PLCs (programmable logic controllers) and records of software versions in place are scattered across an organization. The information may be siloed in different information systems or excel spreadsheets on the computers of operational staff in a factory. The acquisition of this data is often a manual process, resulting in incomplete and outdated information. For example, details of workflow automation processes in place may be completely missing.

Automatic discovery of the existence and configuration of your digital OT assets and networks is essential. By consolidating OT configuration details into a central platform, accessible via a web browser, system details can be made instantly available to every team member and not just individual engineers.

It’s also important to scan for existing vulnerabilities, audit all application code in use and identify the existence of “shadow IT and OT” in use and the risk presented by the access of inhouse staff and third-party suppliers to company systems and data. The overall approach of the enterprise to OT-IT security governance should be reviewed and checks carried out to ensure the firm is complying with all relevant regulatory compliance requirements.

Most recently, Orange Cyberdefense supported the European subsidiary of an APAC automotive giant that wanted to increase visibility of the OT-IT threats it faced following several incidents in which sales information on up to 3.1 million customers was accessed by hackers.

Orange audited manufacturing sites across Europe to establish OT-IT security maturity levels, identify gaps and pinpoint the biggest areas for improvement to mitigate risks and ensure regulatory compliance.

“Discovery workshops were held to bring siloed IT and OT teams together and give them greater visibility of the security situation,” recalls Jean Christophe Mathieu, Head of Industrial Security at Orange Cyberdefense. “As a next step, the enterprise is looking at deploying OT probes to enable continuous monitoring of the threats to all systems, including those accessed by third-party suppliers, with back-up CyberSOC support.”

In some instances, for example in a recent engagement with a Nordics engineering firm, Orange Cyberdefense can even probe a CISO-as-a-service offer to provide board-level advice if the company does not have a Chief Information Security Officer (CISO).

2. Protecting enterprises from attack

A large part of the Orange Cyberdefense work involves providing managed security services. The company focuses on protecting the OT company’s networks and enhancing identity and access management.

Firewalls offer concrete protection for networks by blocking cyberattacks. At the same time, multi-factor authentication is used to control all access to OT systems, including third-party suppliers who provide remote diagnostics on equipment or predictive maintenance services.

Jean-Christophe urges enterprises to, “Restrict access based on business need and to perform regular audits of all connections between IT and OT systems. There should be a clear separation between critical and non-critical systems on the OT network with segmentation to limit the impact of a breach.”

Most recently, Orange Cyberdefense worked to protect an IoT-enabled gas distributon network, addressing concerns relating to the IoT devices, system protocols and 3G/LPWA (low power, wide area) connectivity. Meanwhile, it has supported a renewable energy firm in securing its AWS-based (Amazon Web Services) public cloud environments. This included defining a new security architecture and advising on SecDevOps best practices that are vital while developing and integrating new cloud-based applications.

3. Detecting security risks

Orange Cyberdefense has a wealth of expertise in managed threat detection. The company uses a wide range of market-leading tools from established vendors and the world’s most innovative start-ups.

For example, Orange Cyberdefense and Gatewatcher has been accredited by the French National Cybersecurity Agency (ANSSI – the Agence nationale de la sécurité des systèmes d'information) as effective for use by Operators of Vital Importance (OIV), Operators of Essential Services (OSE) in compliance with the November 2018 European Network and Information System Security (NIS) directive. NIS includes legal measures to boost cybersecurity measures adopted by operators of critical infrastructure in the energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure sectors.

Gatewatcher is able to identify sophisticated hybrid malware that doesn’t seem malicious at first glance. This includes shellcode-embedded malware. In hacking, a shellcode is a small piece of code used as the attack payload. It typically executes a command and enables an attacker to control a compromised machine.

For example, “one-liner” attacks exploit the automated commands that network administrators use in the Microsoft Windows operating system to simplify the management of multiple computers with a single line of code. By diverting Powershell, the default language used in Windows systems, hackers can install malware that takes remote control of systems and can extract confidential data from the network. The defense tools deployed today, such as anti-virus firewalls, proxy servers and Intrusion Protection Systems (IPS) can’t see these threats, assuming the requests are legitimate.

Using dynamic, machine-learning algorithms, the Gatewatcher probes differentiate between malicious and normal network flows in OT and IT environments. Orange looks for weak signals that may suggest unusual threat event or malware signature. The solution is even able to auto adapt to polymorphic threats – a particularly destructive type of malware that can change or "morph" in a variety of ways, such as filename changes, compression and encryption with variable keys, making it difficult to detect with traditional anti-malware programs.

A sandbox then provides a safe isolated environment that replicates an end-user operating environment where you can execute and observe the malicious code, enabling enterprises to take steps to block it across their networks.

4. Responding to attacks

If the OT-IT probe detects an anomaly, it assesses the probability that an infection has taken place and alerts the enterprise’s inhouse security team or managed threat detection and response SOC (Security Operations Center) or CyberSOC. The CSIRT (Computer Security Incident Response Team) team includes Orange Cyberdefense experts who work on the customer site, remotely as well as at Orange CyberSOCs around the world and are able to orchestrate the work of multiple parties, including in-house security professionals and third party suppliers and security/IT partners. They contain the incident, perform root-cause analyses to identify what lead to the breach, detail a timeline and report on hardening measures to secure the perimeter.

Orange Cyberdefense provides managed threat detection and response services to a leading oil and gas company via its global CyberSOCs. “Enterprises need visibility on threats through effective intelligence, and this is where a company like Orange Cyberdefense can really come into its own to complement the work of the enterprise’s in-house security professionals,” said Jean-Christophe Mathieu. “It’s important to minimize the number of “false positives” – network, IT log and endpoint alerts that are falsely believed to be part of a cyberattack – through effective intelligence and investigation of the malware or other threat.”

5. Anticipating new threats

Preventing hackers from entering your networks by identifying new attack vectors is the next area of opportunity for enterprises. It enables enterprises to stay a few steps ahead of the criminals. Orange Cyberdefense has unique threat intelligence capabilities, based on the exceptionally high volume of traffic the Orange Group and Orange Business handle and analyze on a global basis. On top of this, the company layers on third-party Industrial Control System (ICS) vulnerability and threat intelligence feeds and applies a patented real-time correlation engine with automated decision support.

Over 30 billion security events and 20,000 individual items of malware are analyzed per day and fed into the company’s Indicators of Compromise (IoC) databases. The signal intelligence lab researches the behavior of viruses and has a track record of identifying new viruses 50 days in advance of other commercial service providers and tools.

The strengths of this service were recently recognized by the New Zealand government. The CertNZ service relies on Orange Cyberdefense to aggregate its own real-time threat intelligence and other complementary feeds to analyze the emerging threat landscape at scale and enable enterprises in the country to better anticipate new cyber risks.

Being proactive is critical

Industry 4.0 can radically transform the entire product lifecycle – from conception to production and post-sales customer services. Indeed, many products and goods manufactured today are being digitized and can be consumed as a service. A global, virtualized view of the factory and its processes, for example, helps decentralized decision making and higher levels of automation. But the benefits of digitization come with increased risks.

To emphasize security risks in IoT, its acronym has been presented as the “Interconnection of Threats.” The rise of connected OT devices increases exposure points within value chains and business ecosystems, threatening the security of data that impacts business-critical functions.

This makes it vital to adopt the five pillars of OT-IT cyberdefense and take a protective, detective and defensive approach to business- and supply-chain-wide security.

Click here for part one in this series, which looks at the business drivers behind the OT-IT convergence trend and the need for a new approach to security.