Access to machines and plants over the public Internet in particular carries an increased risk. Simple user name/password protection of these systems is not sufficient. Access should be protected not only by a firewall but also by a secure connection; the common VPN technologies, such as OpenVPN, are suitable for this. If the systems are located in a third-party environment, it can make sense to connect them via separate communication links, such as dedicated DSL lines or mobile networks, in order to avoid connecting to a third-party OT/IT infrastructure.
Permanent monitoring of all communication from the OT systems up to the application data is a sensible extension of these protective measures. In contrast to classical IT communication, the communication of OT systems is generally very predictable: the same sensor values are queried at regular intervals, or the same control commands are transmitted. A system that monitors this communication therefore learns who is talking to whom, about what, and how in this network. Classically, everything is initially evaluated as an anomaly. After a period of observation, exactly the expected or desired communication relationships and contents are marked as OK and are no longer considered anomalies. If something changes, for example when a service technician accesses a machine, this is treated as an anomaly and generates an alarm.
How can such an anomaly detection / deep packet inspection system detect a cyber attack like WannaCry? The WannaCry virus spreads through a vulnerability in Microsoft Windows operating systems. The virus encrypts certain data on the infected system and then demands a ransom payment to decrypt the data again. Before this happens, it specifically searches for other systems in the network that have the same vulnerability in order to spread. The sequence is decisive here: in order to spread as widely as possible, the virus delays encrypting the infected system so as to remain undetected for as long as possible. This means there is a time window in which an infected system can still be rescued if the attack is detected in time. An anomaly detection system would therefore not prevent the infection of the first system at all, but it would detect the new communication and raise the alarm accordingly.
Several anomalies would be detected at once. First, the search for new vulnerable systems would produce a flood of new communication relationships, each of which would trigger a corresponding alarm. Second, the SMB protocol would be used, since the security gap in question is based on exactly this protocol. So in addition to the sudden appearance of many new communication relationships, a protocol would be used that had not occurred at all before, or only very rarely. The communication relationships also reveal which system has been infected by the virus. In the best case, assuming a quick reaction, both the infestation of further systems and the encryption of the infected system can be prevented.
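The learning-then-alarm behaviour described above, applied to the two cases the text mentions (a technician's single new connection versus a worm-like SMB scan), as an added example that is not part of the original article: the flow records, addresses and the fan-out threshold are constructed for illustration.

```python
from collections import Counter

# Constructed flow records (src, dst, dst_port, protocol); not taken from the article.
# Baseline: a SCADA server and an HMI polling two PLCs via Modbus, repeated over many cycles.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, "modbus"),
    ("10.0.1.10", "10.0.2.21", 502, "modbus"),
    ("10.0.1.11", "10.0.2.20", 502, "modbus"),
] * 20

# Service technician (hypothetical VPN address) connecting once to a single PLC.
TECHNICIAN_FLOWS = BASELINE_FLOWS[:3] + [("10.0.9.5", "10.0.2.20", 502, "modbus")]

# Worm-like scan: one host suddenly opens SMB (TCP 445) to twenty neighbours.
SCAN_FLOWS = BASELINE_FLOWS[:3] + [
    ("10.0.2.30", f"10.0.2.{i}", 445, "smb") for i in range(40, 60)
]


def learn_baseline(flows):
    """Learning phase: every relationship observed during the quiet period is marked OK."""
    return set(flows)


def detect(baseline, flows, fanout_threshold=5):
    """Detection phase: flag relationships and protocols the baseline never saw,
    and name source hosts whose fan-out of new relationships looks like a scan."""
    known_protocols = {proto for _, _, _, proto in baseline}
    new_relationships = {f for f in flows if f not in baseline}
    new_protocols = sorted({proto for _, _, _, proto in new_relationships} - known_protocols)
    fanout = Counter(src for src, _, _, _ in new_relationships)
    suspects = sorted(src for src, n in fanout.items() if n >= fanout_threshold)
    return {
        "new_relationships": len(new_relationships),  # each one is an alarm
        "new_protocols": new_protocols,               # e.g. SMB appearing for the first time
        "suspects": suspects,                         # likely infected hosts
    }


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    print("technician:", detect(baseline, TECHNICIAN_FLOWS))
    print("scan:", detect(baseline, SCAN_FLOWS))
```

The technician produces one alarm and no suspect; the scan produces twenty alarms, a never-seen protocol and a single source host, which is the information an operator needs to isolate the infected system inside the time window.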
Although the benefits of networked OT systems and their linkage to IT systems outweigh the risks, the IT/OT security of the overall communications infrastructure should be reassessed in its overall context. A carefully coordinated IT security concept (covering OT systems as well) can minimize the risk within an economically reasonable framework.
Dennis Paul, Division Manager IoT Projects