IT security for production facilities

The increasing linking of OT and IT through digitisation is a major driver of innovation in the industry. At the same time, this also increases the risk, as these machines and systems are potentially open to the same dangers as other networked IT systems. Deep packet inspection minimizes the risk and detects anomalies.

Until recently, the networking of machines and systems was usually kept separate from classical (office) IT. This had the advantage that these (OT) systems were not exposed to classical dangers such as viruses or hacker attacks; the physical separation from the evil outside world was therefore usually sufficient protection. However, new concepts and requirements, such as convenient remote maintenance solutions or new business models such as predictive maintenance, demanded ever closer links with the classic IT world. The threat situation for OT systems has therefore changed abruptly: systems that were previously disconnected from the Internet are now not only exposed to the same threats as IT systems, but are often, due to outdated software and firmware that can frequently no longer be updated, an even easier target for cyber attacks.

Protective systems increasingly important

Because such communication infrastructures may contain security gaps, the requirements on the corresponding protection systems are all the higher. A sabotaged system in an industrial plant can cause considerable financial damage, for example through the failure of a production line. The cost of damage, and thus also the value of adequate protection, can therefore be calculated relatively well. There is no such thing as absolute protection for OT systems, any more than there is for IT systems. For the best possible protection, there are various measures, which can also be combined.

Separation of systems

Despite the link, the data traffic between IT and OT systems can, within limits, still be controlled, for example through a firewall that separates the internal IT systems not only from the Internet but also from the company's own OT systems. This makes it possible to fine-tune not only which IT systems may communicate with which OT systems, but also which protocols may be used. For example, if an IT system is to communicate with an OT system exclusively over an HTTP connection, it makes sense to limit communication to exactly this protocol. Attacks based on the SMB protocol would then be impossible, or at least considerably more difficult. It can also be useful to restrict the direction of communication if an OT system only ever sends data to an IT system.

Distributed Infrastructure

Access to machines and plants via the public Internet in particular brings with it an increased risk. Simple user name/password protection of the systems is not sufficient. Access should be protected not only by a firewall but also by a secure connection; the common VPN technologies, such as OpenVPN, are suitable for this. If the systems are located in a third-party environment, it can make sense to connect them via separate communication links, such as dedicated DSL lines or mobile communications, so that they do not have to be connected to a third party's OT/IT infrastructure.
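The following nftables ruleset is an added example (not taken from the original article) of the separation and remote-access policy described above: the firewall sits between the IT and OT networks, permits IT-to-OT traffic only as HTTP from named clients to the HMI, permits OT-to-IT traffic only as connections initiated by the historian, and allows remote maintenance only through the VPN tunnel interface. All addresses (10.10.0.0/16 for IT, 10.20.0.0/16 for OT), hosts, ports and interface names (eth0, eth1, tun0) are constructed assumptions for illustration.

```nftables
# Added example: IT/OT segmentation firewall (nftables), addresses and interfaces assumed.
flush ruleset

table inet itot {
    set it_hmi_clients {
        type ipv4_addr
        # Assumed IT workstations that are allowed to open the OT web HMI.
        elements = { 10.10.5.21, 10.10.5.22 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to already accepted flows pass in both directions; new flows are decided below.
        ct state established,related accept
        ct state invalid drop

        # IT -> OT: only the listed clients, only HTTP, only to the HMI (assumed 10.20.1.10).
        # Because nothing else is allowed, SMB (445/tcp, 139/tcp) from IT never reaches OT.
        iifname "eth0" oifname "eth1" ip saddr @it_hmi_clients ip daddr 10.20.1.10 tcp dport 80 ct state new accept

        # OT -> IT: only the historian may push data to the IT data collector (assumed 10.10.2.50:8443).
        # The OT side initiates; the IT side can only answer, never open a connection into OT.
        iifname "eth1" oifname "eth0" ip saddr 10.20.1.10 ip daddr 10.10.2.50 tcp dport 8443 ct state new accept

        # Remote maintenance: only via the OpenVPN tunnel (tun0), only to the engineering
        # workstation's VNC port (assumed 10.20.1.20:5900); the Internet interface is never forwarded.
        iifname "tun0" oifname "eth1" ip daddr 10.20.1.20 tcp dport 5900 ct state new accept

        # Everything else is logged (for the monitoring system) and dropped.
        log prefix "itot-drop: " counter drop
    }
}
```

Load it with `nft -f <file>`; the `itot-drop:` log lines are a cheap first source of evidence for the anomaly detection discussed in the next section, because any IT host that suddenly tries to reach OT on 445/tcp shows up there immediately.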

Anomaly detection

Permanent monitoring of the entire communication of OT systems, right up to the application data, is a sensible extension of the protective measures. In contrast to classical IT communication, the communication of OT systems is generally very predictable: for example, the same sensor values are queried regularly, or the same control commands are transmitted. A system that monitors this communication thus learns who is talking to whom, about what, and how, in this network. Typically, everything is initially evaluated as an anomaly. After a period of observation, exactly the expected or desired communication relationships and contents can then be marked as OK, and from then on they are no longer considered anomalies. If something changes, for example if a service technician accesses a machine, this is treated as an anomaly and generates an alarm.

How can such an anomaly detection / deep packet inspection system detect a cyber attack like WannaCry? The WannaCry virus spreads through a vulnerability in Microsoft Windows operating systems. It encrypts certain data on the infected system and then demands a ransom payment to decrypt the data again. Before this happens, the virus specifically searches the network for other systems that have the same vulnerability in order to spread. The sequence is decisive here: to spread as widely as possible, the virus delays encrypting the infected system so that it remains undetected for as long as possible. This means there is a time window in which an infected system can still be rescued if the attack is detected in time. Anomaly detection would therefore not prevent the infection of the first system at all, but it would detect the new communication and raise the alarm accordingly.

Several anomalies would be detected at the same time. On the one hand, the search for new, vulnerable systems would produce a large number of new communication relationships, each of which would trigger a corresponding alarm. Furthermore, the SMB protocol would be used, since the security gap in question is based on exactly this protocol. So in addition to the sudden appearance of many new communication relationships, a protocol would be used which had not occurred at all before, or only very rarely. The communication relationships can also be used to determine which system has been infected by the virus. In the best case, assuming a quick reaction, both the infection of further systems and the encryption of the infected system can be prevented.
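The learning-based detection described in the last three paragraphs, as an added example that is not part of the original article: an observation phase records every communication relationship (source, destination, protocol, port) and every service seen as expected; the detection phase then raises an alarm for each new relationship, marks services never seen in the baseline (such as SMB on 445/tcp), and names any host that fans out to many new destinations at once, which is what the scanning phase of a worm looks like before it starts encrypting. The flow-log format, addresses and log lines are constructed; a real deployment would feed it from a network probe or the firewall's connection log.

```python
"""Added example (not from the original article): minimal learning-based anomaly
detection for OT network flows. Log format, hosts and ports are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow-log format: "<timestamp> <src> <dst> <proto> <dport>", one line per new connection.
# Observation phase: HMI polled over HTTP, historian pushing to IT, two PLCs on Modbus/TCP.
BASELINE_LOG = """
2024-03-01T08:00:00 10.10.5.21 10.20.1.10 tcp 80
2024-03-01T08:00:05 10.20.1.10 10.10.2.50 tcp 8443
2024-03-01T08:00:10 10.20.1.30 10.20.1.10 tcp 502
2024-03-01T08:00:15 10.20.1.31 10.20.1.10 tcp 502
2024-03-01T08:01:00 10.10.5.21 10.20.1.10 tcp 80
2024-03-01T08:01:05 10.20.1.10 10.10.2.50 tcp 8443
2024-03-01T08:01:10 10.20.1.30 10.20.1.10 tcp 502
2024-03-01T08:01:15 10.20.1.31 10.20.1.10 tcp 502
""".strip().splitlines()

# Later traffic: the usual flows, plus one host (10.20.1.30) suddenly contacting
# many neighbours on 445/tcp, a service never seen during the observation phase.
LIVE_LOG = """
2024-03-02T09:00:00 10.10.5.21 10.20.1.10 tcp 80
2024-03-02T09:00:05 10.20.1.10 10.10.2.50 tcp 8443
2024-03-02T09:00:10 10.20.1.30 10.20.1.10 tcp 502
2024-03-02T09:00:11 10.20.1.30 10.20.1.31 tcp 445
2024-03-02T09:00:11 10.20.1.30 10.20.1.32 tcp 445
2024-03-02T09:00:12 10.20.1.30 10.20.1.33 tcp 445
2024-03-02T09:00:12 10.20.1.30 10.20.1.34 tcp 445
2024-03-02T09:00:13 10.20.1.30 10.20.1.35 tcp 445
2024-03-02T09:00:15 10.20.1.31 10.20.1.10 tcp 502
""".strip().splitlines()

SERVICE_NAMES = {("tcp", 445): "SMB", ("tcp", 139): "NetBIOS/SMB",
                 ("tcp", 502): "Modbus/TCP", ("tcp", 80): "HTTP"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

    @property
    def relationship(self):
        # "Who talks to whom, and how": the unit the baseline is built from.
        return (self.src, self.dst, self.proto, self.dport)

    @property
    def service(self):
        return (self.proto, self.dport)


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto, int(dport))


@dataclass
class Baseline:
    relationships: set
    services: set


def learn_baseline(lines):
    """Observation phase: every relationship and service seen is recorded as expected."""
    flows = [parse_flow(line) for line in lines]
    return Baseline({f.relationship for f in flows}, {f.service for f in flows})


def detect(baseline, lines, burst_threshold=3):
    """Detection phase. Returns (alarms, suspects): alarms is a list of
    (flow, reasons) for every unexpected flow; suspects maps a source host to the
    new destinations it contacted when that number reaches burst_threshold."""
    alarms = []
    new_peers = defaultdict(set)          # src -> destinations it newly contacted
    for flow in map(parse_flow, lines):
        if flow.relationship in baseline.relationships:
            continue                      # expected traffic, no alarm
        reasons = ["new communication relationship"]
        if flow.service not in baseline.services:
            name = SERVICE_NAMES.get(flow.service, f"{flow.proto}/{flow.dport}")
            reasons.append(f"unknown service {name}")
        alarms.append((flow, reasons))
        new_peers[flow.src].add(flow.dst)
    # One source fanning out to many new destinations is the search for further victims.
    suspects = {src: sorted(dsts) for src, dsts in new_peers.items()
                if len(dsts) >= burst_threshold}
    return alarms, suspects


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    alarms, suspects = detect(base, LIVE_LOG)
    for flow, reasons in alarms:
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} ALARM: {', '.join(reasons)}")
    for src, dsts in suspects.items():
        print(f"likely infected host: {src} (contacted {len(dsts)} new systems)")
```

Run against the constructed logs, the detector raises five alarms, each tagged both as a new relationship and as the unknown service SMB, and names 10.20.1.30 as the host to isolate; replaying the baseline log produces no alarm at all. The single-alarm path (one technician connecting to one machine) and the burst path (one host contacting many) are deliberately kept apart so that an operator can prioritise the latter.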

Conclusion

Although the benefits of networked OT systems and their linkage to IT systems outweigh the risks, the IT/OT security of the entire communications infrastructure should be reassessed in its overall context. A carefully coordinated IT security concept (one that also covers OT systems) can minimize the risk within an economically reasonable framework.

Dennis Paul, Division Manager IoT Projects
