Things are getting better in classic IT environments as far as awareness of information security is concerned. At all levels in organizations, hard work is being done to raise the level of knowledge in the field of information security and to take measures that considerably reduce cyber risk.

However, there are sectors in which, alongside the traditional IT environments, Operational Technology (OT) environments are also present, in which different types of operational components communicate with each other. Examples of industries and sectors where you encounter these environments are oil and gas extraction, mining, water management, infrastructure, hospitals, the pharmaceutical industry, water treatment companies, the energy sector, the automotive sector and the agricultural sector.

The impact of an attack on an OT environment can be disastrous; entire companies can be brought to a standstill. What happens if attackers manage to sabotage the power supply, the drinking water supply or hospitals for a prolonged period? In some areas OT environments require a different approach from IT environments. In this blog Navaio highlights some of these issues.

Isolation

Tampering with OT environments is a means by which intelligence services and competitors disrupt vital infrastructure and business processes, achieving monetary or political gain and, in extreme cases, even paralysing entire societies.

A very effective way to reduce the risk of cyber attacks on OT environments is to isolate them from the regular office network and from the internet. In practice this is often neither realistic nor desirable: there is usually a need to operate, monitor and maintain OT environments remotely. Nevertheless, in the event of a (cyber) attack it is advisable to disconnect the OT network from the internet and to continue working in isolation until the threat has been eliminated.

Any internet connection must be channeled through a single, heavily guarded entry point. It must be designed into the OT environment from the start that this connection can be interrupted at the push of a button without halting the production process. Facilities must be provided so that, in an emergency, the environment can still be controlled, monitored and managed while it is isolated.

Micro-segmentation

Once an attacker has penetrated an OT environment that is not divided into sub-segments, the rest is easy: he can reach every system without being obstructed by firewalls or routing rules, regardless of which protocol or port is used for the communication.

Divide the OT network into micro-segments so that, even when an attacker manages to penetrate the OT environment, he cannot move on to other systems without being obstructed.

Ensure that each micro-segment is isolated in such a way that only the strictly necessary network communication to and from it can take place. This is a very effective measure to limit the damage an attacker can cause in the OT environment.
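The policy behind micro-segmentation is an explicit allow-list of conduits between segments with everything else dropped. The following is an added example, not Navaio's code: it models a small OT network as routed segments, evaluates flows against the conduit list, renders the same policy as an nftables forward chain, and shows which moves an attacker on a compromised HMI can still make. The segment names, address ranges, conduits and sample flows are constructed assumptions.

```python
"""Micro-segmentation as a default-deny allow-list between OT segments.

Added example, not Navaio's code. The segment names, address ranges,
conduits and sample flows are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed segments: each micro-segment is one routed subnet behind the firewall.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.10.0/24"),       # regular office network
    "hmi": ipaddress.ip_network("10.10.20.0/24"),          # operator HMIs
    "engineering": ipaddress.ip_network("10.10.25.0/24"),  # engineering workstations
    "plc": ipaddress.ip_network("10.10.30.0/24"),          # PLCs / RTUs
    "historian": ipaddress.ip_network("10.10.40.0/24"),    # process historian
}


@dataclass(frozen=True)
class Conduit:
    """One explicitly permitted flow between two segments."""
    src: str
    dst: str
    proto: str
    dport: int


# Only the strictly necessary conduits. Everything not listed is dropped.
ALLOWED = [
    Conduit("hmi", "plc", "tcp", 502),           # Modbus/TCP polling and commands
    Conduit("engineering", "plc", "tcp", 502),   # engineering changes over Modbus/TCP
    Conduit("historian", "plc", "tcp", 502),     # historian collects process values
    Conduit("office", "historian", "tcp", 443),  # office dashboards read the historian
]


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate a flow against the conduit list; anything unmatched is denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False   # unknown address: never forwarded
    if src == dst:
        return True    # intra-segment traffic does not cross the firewall
    return any(c.src == src and c.dst == dst and c.proto == proto and c.dport == dport
               for c in ALLOWED)


def to_nftables(conduits) -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet ot_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for c in conduits:
        lines.append(f"    ip saddr {SEGMENTS[c.src]} ip daddr {SEGMENTS[c.dst]} "
                     f"{c.proto} dport {c.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def lateral_movement_demo() -> dict:
    """Constructed flows an attacker on a compromised HMI (10.10.20.5) might try."""
    attempts = [
        ("10.10.20.5", "10.10.30.10", "tcp", 502),   # legitimate conduit: passes, detection must cover it
        ("10.10.20.5", "10.10.30.10", "tcp", 22),    # SSH to a PLC: dropped
        ("10.10.20.5", "10.10.25.7", "tcp", 445),    # SMB to an engineering workstation: dropped
        ("10.10.20.5", "10.10.40.3", "tcp", 1433),   # database port on the historian: dropped
        ("10.10.10.77", "10.10.30.10", "tcp", 502),  # office host straight to a PLC: dropped
    ]
    return {f"{s}->{d} {p}/{port}": is_allowed(s, d, p, port) for s, d, p, port in attempts}


if __name__ == "__main__":
    for flow, verdict in lateral_movement_demo().items():
        print(f"{'ACCEPT' if verdict else 'DROP  '} {flow}")
    print(to_nftables(ALLOWED))
```

Note what survives the policy: the attacker on the HMI can still talk Modbus/TCP to the PLC, because that is exactly the conduit the HMI needs. Segmentation limits where an attacker can go; misuse of the conduits that remain has to be caught by detection.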

Detection

OT networks consist of a wide range of component types: ICS, PLCs, DCS and SCADA equipment, meters and sensors, electric pumps, valves, switches, etc. Some components have a long life span; in practice we even encounter components that are older than 30 years. Many components in OT environments do not speak TCP/IP at all but communicate via other protocols, such as DNP3, HART, Modbus and Profibus (Modbus and DNP3 also have TCP/IP variants, but the serial versions are still widespread).

Navaio has various solutions for linking the different types of OT systems to traditional SIEM (Security Information and Event Management) detection environments. This allows SOC analysts to pick up signals from the OT devices. The SIEM software can automatically enrich the security information obtained from the TCP/IP network in order to detect abnormal behaviour in the OT environment.

By correlating the OT information with security events generated by traditional TCP/IP systems, potential abuse (or attempts at it) can be prevented and/or combated earlier and more effectively.

Deviant behavior

Because behaviour in OT environments is strongly delineated and the data flows on OT networks are correspondingly predictable, these environments lend themselves well to monitoring for deviant behaviour and traffic flows. A well-designed SIEM can add a lot of value here: such solutions learn the 'normal' behaviour of your OT environment and networks and then report deviations.
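To make the Detection and Deviant behaviour sections concrete, here is an added example (not Navaio's code, and not the product of any SIEM vendor) that decodes Modbus/TCP request frames, learns which source, destination, unit id and function code combinations occur in known-good traffic, and then raises SIEM-style alerts for three OT use cases: malformed frames, write operations from a host that is not authorized to write, and combinations never seen in the baseline. The hosts, the baseline traffic and the captured frames are constructed; the framing follows the public Modbus/TCP specification.

```python
"""Modbus/TCP decoding plus baseline-and-deviation detection for a SIEM.

Added example, not Navaio's code. Hosts, baseline traffic and captured
frames are constructed; the framing follows the public Modbus/TCP spec.
"""
import struct
from collections import Counter

# Public Modbus function codes (names per the Modbus application protocol spec).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # functions that change process state


def build_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id}, expected 0 (Modbus)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    function_code = frame[7]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": FUNCTION_NAMES.get(function_code, f"unknown({function_code})"),
        "data": frame[8:],
    }


def learn_baseline(observations) -> Counter:
    """Count which (src, dst, unit id, function code) tuples occur in known-good traffic."""
    baseline = Counter()
    for src, dst, frame in observations:
        pdu = parse_modbus_tcp(frame)
        baseline[(src, dst, pdu["unit_id"], pdu["function_code"])] += 1
    return baseline


def detect(observations, baseline, authorized_writers) -> list:
    """Turn (src, dst, frame) observations into SIEM-style alert records."""
    alerts = []
    for src, dst, frame in observations:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "reason": f"malformed Modbus/TCP frame: {err}"})
            continue
        key = (src, dst, pdu["unit_id"], pdu["function_code"])
        if pdu["function_code"] in WRITE_FUNCTIONS and src not in authorized_writers:
            alerts.append({"severity": "critical", "src": src, "dst": dst,
                           "reason": f"{pdu['function']} to unit {pdu['unit_id']} from unauthorized host"})
        elif key not in baseline:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "reason": f"{pdu['function']} to unit {pdu['unit_id']} never seen in baseline"})
    return alerts


# Constructed hosts: an operator HMI, an engineering workstation and one PLC.
HMI, ENGINEERING, PLC = "10.10.20.5", "10.10.25.7", "10.10.30.10"
AUTHORIZED_WRITERS = {ENGINEERING}  # assumption: only engineering may write to the PLC

READ_REGS = build_request(1, 1, 3, struct.pack(">HH", 0, 10))                     # read 10 holding registers
WRITE_REGS = build_request(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")  # write 1 register
WRITE_ONE = build_request(3, 1, 6, struct.pack(">HH", 0, 0x0101))                 # write single register
DIAGNOSTICS = build_request(4, 1, 8, struct.pack(">HH", 0, 0))                    # diagnostics echo

BASELINE_TRAFFIC = [(HMI, PLC, READ_REGS)] * 50 + [(ENGINEERING, PLC, WRITE_REGS)] * 2
LIVE_TRAFFIC = [
    (HMI, PLC, READ_REGS),           # normal polling: no alert
    (HMI, PLC, WRITE_ONE),           # HMI suddenly writes a register: critical
    (ENGINEERING, PLC, DIAGNOSTICS), # never seen before: medium
    (HMI, PLC, READ_REGS[:-2]),      # truncated frame, length field disagrees: high
]


def run_demo() -> list:
    """Learn from BASELINE_TRAFFIC, evaluate LIVE_TRAFFIC and return the alerts."""
    return detect(LIVE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC), AUTHORIZED_WRITERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The set of hosts allowed to write is the part that needs the process experts: in many plants the HMI legitimately writes setpoints, so a rule like this has to be tuned per plant rather than copied, and a baseline learned during a quiet period will not contain rare but legitimate actions such as a yearly calibration, which is why the never-seen case is reported at a lower severity than an unauthorized write.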

In addition, various OT-specific use cases can be implemented to automatically detect and report deviant behaviour. What can Navaio do for you here?

Navaio can help your company protect its OT environment to a large extent. We provide advice in the field of OT security and also offer a high-quality SOC as a Service solution, with which we monitor your OT environments and take the burden of security monitoring off your hands [1].

In addition, Navaio helps you define the signals and patterns by which unwanted behaviour can be detected in your OT environment. To do so, Navaio talks to your process experts and translates business risks into concrete alerts that notify SOC analysts when suspicious behaviour is detected in your OT environments.

[1] In addition to OT environments, Navaio also monitors traditional information technology (IT) environments.