Following the previous article, Differences between IT and OT, this article discusses the security tools typically used in IT (Information Technology) environments and their adaptation to industrial control environments. Given the vast amount of traffic exchanged nowadays, securing systems without the help of tools would be impossible. Corporate environments learned this some years ago, which is why they started using such tools to secure their organisation's data and to prevent attacks. Industrial environments, on the other hand, did not take security into account until now, which is why tools for use in these environments are still scarce.
Industrial systems have always operated differently from corporate environments, with little communication, often over proprietary protocols, confined to very localised areas with a high level of physical security. Growing access to these environments is making them resemble corporate environments more closely in terms of communication, which in turn creates the need for tools that can secure both the traffic and the infrastructure. Nevertheless, despite this convergence in communications, the same tools cannot simply be reused unless modifications or specific configuration changes are made.
Security tools are designed to work with typical business-system protocols and ignore the protocols used in industrial environments. Fortunately, some tools now exist that are able to analyse these protocols, such as firewalls and Intrusion Detection/Prevention Systems (IDS/IPS). There is also antivirus software capable of recognising SCADA software signatures, SIEMs developed with the capacity to work with embedded control systems, and so on.
Two different branches of firewalls have evolved. On one hand there are network firewalls, whose evolution has been driven by the capacity to understand some of the best-known control system protocols, such as Modbus/TCP and OPC. This has also pushed industrial protocols towards a TCP/IP model, leaving serial communication aside. On the other hand there are industrial firewalls designed to work alongside control system components such as RTUs or PLCs; these are built to withstand harsh factory conditions and to process traffic at high speed, since they only have to monitor a few control protocols.
An example of the first type of firewall is iptables equipped with a module for Modbus traffic analysis. As an example of the second type, we can mention any industrial firewall based on Tofino.
Intrusion Detection/Prevention Systems (IDS/IPS) have evolved towards the interpretation and understanding of control protocols. Hence, several IDS/IPS devices on the market are able to analyse traffic coming from control networks. Supported protocols vary by manufacturer, but all tend to include the most common ones, such as Modbus, OPC, DNP3, etc.
The first signature implementation for industrial protocols was created by Digital Bond's "QuickDraw" project, which provided signatures for three industrial protocols for the Snort IDS. These signatures have been improved over time and incorporated into several IT firewalls that are now used in OT (Operational Technology), for instance the 3D Sensor by Sourcefire, FortiGate by Fortinet, etc.
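The kind of protocol-aware rule that both a Modbus module for a network firewall and QuickDraw-style IDS signatures implement, shown as an added Python example (not code from the article, from Digital Bond or from any of the products named): it parses the Modbus/TCP MBAP header, accepts read function codes from any host, and allows write function codes only from an engineering workstation. The policy, the host addresses and the sample frames are constructed assumptions.

```python
import struct

# Public Modbus function codes from the Modbus application protocol specification.
READ_CODES = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}     # write single coil/register, write multiple coils/registers

# Constructed policy: only the engineering workstation may write to the PLC.
# The address is an assumed sample value, not taken from the article.
ENGINEERING_HOSTS = {"10.0.10.5"}


def parse_mbap(payload):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns a dict, or None if the frame is malformed or not Modbus."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier must be 0 for Modbus; length counts unit id + PDU bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def inspect(src_ip, payload):
    """Return 'ACCEPT' or 'DROP' the way a Modbus-aware firewall rule would."""
    frame = parse_mbap(payload)
    if frame is None:
        return "DROP"            # malformed or non-Modbus traffic on the Modbus port
    fc = frame["function"]
    if fc in READ_CODES:
        return "ACCEPT"          # reads are harmless to the process and allowed from anywhere
    if fc in WRITE_CODES and src_ip in ENGINEERING_HOSTS:
        return "ACCEPT"          # writes only from the allow-listed engineering host
    return "DROP"                # writes from elsewhere, diagnostics, vendor-specific codes


def build_request(tid, unit, function, data):
    """Construct a Modbus/TCP request frame (constructed sample traffic for testing)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    # Read holding registers from an HMI host, then a write from the same host.
    print(inspect("10.0.20.7", build_request(1, 1, 3, b"\x00\x00\x00\x0a")))
    print(inspect("10.0.20.7", build_request(2, 1, 6, b"\x00\x01\x00\xff")))
```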
Antivirus technology is another area starting to be geared towards industrial systems. Antivirus software is routinely installed on end devices and consumes a great amount of resources, especially during scans. For this reason it cannot be run at field level, since the RTUs and PLCs working in that environment have limited computing capabilities. It can, however, be used at plant level in conjunction with SCADA applications.
SIEMs (Security Information and Event Management) are also among the tools starting to focus on industrial systems. Data collection and analysis are well developed in corporate environments, and the same methods are now intended for application in industrial control systems. Integrating an event monitor into certain industrial system components is complex, given that it can affect the component's own task performance.
It is easier to integrate these tools into plant-level systems; for example, Schneider Electric has certified the "Automation Systems Manager" software for use on machines that have its SCADA OASyS DNA installed.
Vulnerability scanners are tools that are run on systems occasionally. Since they do not run constantly like the tools described above, one might think they would be easier to use with industrial systems. However, scanning a control network for vulnerabilities can have major implications for the process, due to possible latencies, system failures, etc. For these reasons, running a vulnerability scanner directly against an industrial system is not initially feasible.
To address this problem, alternatives such as the "Bandolier" project have been created, in which specific audit files for control systems and devices have been generated for use with the Nessus tool. Another vulnerability scanning tool, the "Achilles Test Platform", verifies communications security and is able to analyse several industrial protocols.
[Figure: Vulnerability criticality table based on probability and impact]
[Figure: Data leak prevention]
Other solutions, such as patch and update management programs or DLPs (Data loss/leak prevention), have not yet reached industrial systems with tools adapted to these environments. However, some manufacturers already include the possibility of using them with industrial systems in their product descriptions.
As we have just seen, several IT tools already exist and are ready to be used within OT environments. However, before launching such tools within industrial systems, a system analysis to verify the suitability of the tool, as well as exhaustive tests to rule out inconsistencies in the process, must be carried out.