With more than 15 years of experience in cyber security, Manuel Rodriguez is currently the Security Engineering Manager for the North of Latin America at Check Point Software Technologies, where he leads a team of high-level professionals whose objective is to help organizations and businesses meet their cyber security needs. Manuel joined Check Point in 2015 and initially worked as a Security Engineer, covering Central America, where he participated in the development of important projects for multiple clients in the region. He had previously served in leadership roles for various cyber security solution providers in Colombia.
In this outstanding interview, get strategic, proven, expert insights into securing the operational technology ecosystem. This is your guide to understanding and protecting these vulnerable infrastructure components.
What is included in the phrase “operational technology”?
Operational technology covers all of the hardware and software used to monitor and control physical equipment, processes, and assets. Almost any industrial process will include operational technology (OT) to monitor and run its equipment according to specified conditions. Operational technology is normally related to utilities such as water, electricity, oil and gas, but we can find OT in environments as diverse as manufacturing factories, building management systems or the transportation system.
Why are operational technology systems so vulnerable to attack?
Most OT networks consist of legacy equipment without basic security features, such as user authentication or encryption, and are systems that have vulnerabilities. Patching or upgrading OT systems requires planning and executing complex activities that can somehow halt or affect production; this is the reason that OT networks normally run unpatched systems and even use default security configurations.
Another important challenge is that operational technology security involves knowing and understanding different kinds of components of hardware, software, and communication protocols for proper security implementation, and that there can be a gap in knowledge for security professionals who might be principally focused on IT environments. OT security expertise is more difficult for organizations to find.
Why should the public care about how taxpayer-funded OT technology systems are secured?
It is important to understand that OT technology is controlling the processes that make it possible for us to get important services, such as water, electricity and gas, to our homes. An attack on this kind of environment can have very serious consequences and even threaten public health and safety or affect the environment. For example, an attacker could try to stop the supply of these services to our homes or could try to poison the water we receive, as we saw in February this year when an attacker tried to poison the water of the City of Oldsmar, in Florida, by modifying the dosing rate of sodium hydroxide. There have also been examples of attackers trying to sabotage operations and trying to trigger explosions.
Where is the gap between how organizations are currently keeping OT systems secure and how they should keep OT systems secure?
Not all organizations are the same. Each organization might be in a different maturity stage in regards to operational technology security. From a governance point of view, there should be a figure like a CISO or CSO that is accountable for IT security and OT security. We still find organizations where CISOs are just accountable for IT security while OT security falls under the operations team.
From a tactical and operational point of view, my main advice for securing these environments will be focused on three central items: risk analysis, segmentation, and threat prevention.
In operational technology, we find different kinds of elements than in IT. Operational technology networks include equipment like SCADA systems, PLCs, HMIs and RTUs, which use industrial communication protocols such as Modbus and DNP3, among others.
To secure this environment, it is important for organizations to understand what kind of assets they have, where they are located, what kind of vulnerabilities they have, and how they communicate with each other. In full view of this information, organizations can be aware of their actual risk, and can create a baseline to monitor for abnormal behavior. Also, this allows organizations to understand where they need other kinds of controls to prevent attacks on known vulnerabilities.
Segmentation is important in providing proper boundaries and control, and in monitoring communication between devices. The Purdue model is a good reference point for generating this segmentation.
It is important that security controls implemented in OT networks appropriately understand the protocols, commands, and attacks for this kind of environment.
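The three items above (asset and communication baseline, Purdue-style segmentation, protocol-aware controls) can be illustrated with a small monitor. The following is an added example, not code from the interview or from Check Point: it parses Modbus/TCP requests, classifies the function code as a read or a write, and checks the source host against a segmentation baseline that only lets an assumed engineering zone write to PLCs. The zones, addresses and frames are constructed for illustration.

```python
"""Protocol-aware Modbus/TCP monitoring against a segmentation baseline (added example)."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Modbus public function codes (Modbus application protocol specification).
READ_CODES = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_CODES = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed segmentation baseline (assumed Purdue-style zones, not real networks):
# engineering workstations may read and write, SCADA servers may only read,
# and nothing from the IT zone should talk Modbus to a PLC at all.
ENGINEERING_ZONE = ipaddress.ip_network("10.2.0.0/24")
SCADA_ZONE = ipaddress.ip_network("10.2.1.0/24")
WRITE_ALLOWLIST = [ENGINEERING_ZONE]
READ_ALLOWLIST = [ENGINEERING_ZONE, SCADA_ZONE]


def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, bytes]:
    """Parse the MBAP header; return (unit_id, function_code, pdu_data).

    Raises ValueError on frames that do not match the Modbus/TCP layout,
    which a monitor should surface rather than silently skip.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0:
        raise ValueError("unexpected MBAP protocol identifier %d" % proto_id)
    # The length field counts unit id + function code + data bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, fc, payload[8:]


def evaluate(src_ip: str, payload: bytes) -> Dict[str, object]:
    """Classify one request and decide whether it fits the baseline."""
    unit_id, fc, data = parse_modbus_tcp(payload)
    src = ipaddress.ip_address(src_ip)
    if fc in WRITE_CODES:
        kind, allowed = "write", any(src in z for z in WRITE_ALLOWLIST)
    elif fc in READ_CODES:
        kind, allowed = "read", any(src in z for z in READ_ALLOWLIST)
    else:
        # Diagnostics, vendor-specific or unknown codes: not in the baseline, so flag them.
        kind, allowed = "other", False
    name = WRITE_CODES.get(fc) or READ_CODES.get(fc) or "function_code_%d" % fc
    # Most read/write PDUs start with a 16-bit starting address.
    start_addr: Optional[int] = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return {"src": src_ip, "unit": unit_id, "function": name, "kind": kind,
            "address": start_addr, "verdict": "allowed" if allowed else "alert"}


def scan_events(events: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Run evaluate() over (source_ip, payload) pairs, reporting malformed frames too."""
    results = []
    for src_ip, payload in events:
        try:
            results.append(evaluate(src_ip, payload))
        except ValueError as exc:
            results.append({"src": src_ip, "verdict": "malformed", "reason": str(exc)})
    return results


# Constructed sample traffic (hosts and frames are made up for this example).
SAMPLE_EVENTS = [
    # SCADA server reads 10 holding registers from address 0: allowed.
    ("10.2.1.7", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation writes register 16: allowed.
    ("10.2.0.5", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x64"),
    # Host in the IT zone issues the same write: outside the baseline.
    ("10.10.5.23", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x64"),
    # SCADA server tries a multi-register write: that zone is read-only.
    ("10.2.1.7", b"\x00\x04\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x64"),
    # Truncated frame: reported as malformed rather than dropped.
    ("10.2.0.5", b"\x00\x05\x00\x00\x00\x06\x01"),
]

if __name__ == "__main__":
    for r in scan_events(SAMPLE_EVENTS):
        print(r)
```

The point of the baseline is that a valid, well-formed Modbus write is still an alert when it comes from the wrong zone; a control that only looks at ports and addresses cannot make that distinction, while one that understands the function codes can.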
What kinds of OT security issues should CEOs, COOs and other executives in non-technology roles be aware of?
C-levels should be aware that the threat of a cyber attack is an important additional component to consider when evaluating the risk associated with disruption to operations, and should understand the consequences this can bring to the organization, to their employees, and to the public in general.
What recommendations can you share for organizations that wish to upgrade their OT security?
Start by understanding the OT environment and making a proper risk analysis to know where to implement controls.
What types of hacks are most common within OT systems, if any?
Some years ago, attacks on OT were highly targeted and sophisticated, as the environment was segregated from external networks. After OT and IT networks started interconnecting more, attackers had a wider attack surface and were able to use regular IT attacks, like ransomware and remote access trojans. Other kinds of attacks seen are vulnerability exploits and stolen-credential-based attacks.
Anything else that you wish to add?
I would like to give two general pieces of advice. The first step in protecting the OT environment is to secure the IT network, as it might be the first and easiest entry point for attackers. Second, it is important for organizations to include security in the design of new OT networks. Including security after the fact will result in greater complexity and it might be even more expensive.
For additional information about securing industrial network systems, read Industrial Network Security: The Road to Success. Lastly, for more cyber security and business insights, analysis and resources, sign up for the Cyber Talk newsletter.