Until recently, Operational Technology (OT) networks functioned as isolated, air-gapped environments, so cybersecurity was not a top priority. The emergence and growth of reliance on externally sourced data has in some instances led to industrial environments converging with IT networks. At the very least, because of this increased dependence on new technological trends such as the industrial internet of things (IIoT), wireless, and 5G, OT leaders can no longer leave cybersecurity out of their attention.
Outlined below are the implications of IIoT, Wi-Fi, 5G, and other trends for OT cybersecurity, including OT environments that are frequently built on the Purdue Enterprise Reference Architecture (PERA).
OT Deployment Use Cases
The security risks associated with IIoT devices arise from their direct or indirect internet connections. Examining the primary use cases for IIoT and the associated information flows provides additional insights into these risks. An OT deployment may include a mix of the following three main use cases:
- Outbound Only Communication: This includes digital asset smart sensors sending data to a remote, often third-party, monitoring center. Risk is low because information only flows outbound from the sensor, and the sensor does not receive commands or instructions.
- Outbound and Inbound Communication: This includes the outbound flow described above and adds inbound flow for things like queries and commands requesting analytics information. The two-way flow leads to greater risk than is seen with the outbound-only case.
- Remote Access, Maintenance, and Diagnostics: This represents the highest risk because it involves sensors and actuators that can modify the production environment. Not only is there two-way communication, but there is also the ability to respond to commands and take subsequent actions.
Production System Structure
Securing IIoT environments first requires an understanding of organizational processes. A production system involves a complex interaction of industrial devices and use cases, as described above, with flows of information moving along conduits between zones and domains.
The Industrial Internet Consortium (IIC), an open membership organization formed to accelerate the development, adoption, and widespread use of the industrial internet, divides IIoT ecosystems into five functional domains: control, operations, information, application, and business. The control domain mainly deals with the industrial or machine aspects, such as control, sensing, and actuation technologies. The combined control and operations domains form the business's OT side, and the remaining domains are on the IT side.
The IIC further suggests a three-tier IIoT system architecture consisting of an edge tier for OT, a platform tier for OT and IT integration, and an enterprise tier for IT. The five functional domains can be mapped to the three-tier technology architecture with an overlay of three networks—the proximity network, the access network, and the service network, enabling communication and connectivity across each domain and technology tier.
Mapping the PERA Model to System Structures
The standard that guides the deployment for security in OT is ISA/IEC 62443 – this includes guidance for utilizing the PERA, which features the following hierarchical set of levels for applications and controls:
- Levels 0, 1, and 2 (the process control zone) define physical processes, sensors, actuators, and related instrumentation, as well as the systems that supervise these implementations.
- Level 3 (the operations and control zone) describes overall manufacturing operations across multiple processes. Together, levels 0 through 3 comprise an OT environment.
- Levels 4 and 5 (the business zone) comprise enterprise IT systems and applications.
First conceived in the early 1990s, the original Purdue model did not anticipate IIoT, wireless, or cloud connectivity. But by mapping the IIoT functional domains, technology tiers, and security requirements to the PERA levels, it is possible to visualize how components of this model fit into the necessary security architecture (see below).
OT Security and IIoT Environments
Securing IIoT environments involves applying many of the same cybersecurity strategies used in IT to IIoT architectures and use cases. However, there are clear specificities to OT environments and IIoT that must be taken into consideration. Using the ISA/IEC 62443 standard for security in OT as a base, and additional references to the NIST Cybersecurity Framework (CSF), the following list represents objectives for securing the connected IIoT infrastructure.
1. Asset Management
This objective applies to assets at all levels of the PERA model that can be probed and identified over the network. Security solutions for it include next-generation firewalls (NGFWs), network access control (NAC), and a log management and analysis platform.
2. Application Visibility and Control
This covers device identification and control of protocols and application types, including limiting which devices can use certain protocols or communicate with specific applications. Security tools such as the FortiGuard Application Control feature, which can generate alerts, and FortiAnalyzer, which can generate reports, may be helpful here.
3. Intrusion Detection and Prevention
IIoT devices are prime candidates for an attack, mainly because of their ability to “short circuit” multiple layers of the Purdue model. Although the limited functionality of IIoT devices reduces the probability of vulnerabilities, custom development of IIoT functionalities can introduce bugs. Preventing intrusion requires the ability to detect and block exploits, reconnaissance, and fuzzing attacks. Virtual patching and breach detection can help here as well.
4. Network Access Control (NAC)
NAC deployment methods differ depending on the type of network. The simplest form of NAC is achieved by enabling the 802.1X network authentication protocol on supported IIoT assets. Secure wireless access points can keep wireless networks safe, and appropriate network policies can secure third-party remote access. Multi-factor authentication (MFA) can also supplement remote access.
5. Network Segmentation and Microsegmentation
Segmentation and microsegmentation provide the essential methods for breaking industrial networks into physical or virtual secure zones. Typically, segmentation is performed between the local area networks (LANs) or wide-area networks (WANs). Microsegmentation, on the other hand, is performed within the LANs. In industrial networks, network segments may include various industrial LANs or WANs, and network microsegments may include different industrial controllers and hosts, such as RTUs, HMIs, etc.
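The three use cases, the PERA level descriptions, and the zone-and-conduit segmentation above can be tied together in a small policy checker. The following is an added example, not code from Fortinet, the IIC, or the ISA/IEC 62443 standard; the conduit allow-list, the zone-skip rule, and the sample flows are constructed for illustration and stand in for a real site's risk-assessed policy.

```python
"""Added example: a minimal PERA/ISA-62443 zone-and-conduit flow checker.
Zone assignments follow the level descriptions above; the conduit allow-list
and sample flows are constructed for illustration (not a vendor default)."""
from dataclasses import dataclass

# PERA level -> zone, per the level descriptions above (levels 0-3 are OT).
ZONE_OF_LEVEL = {0: "process", 1: "process", 2: "process",
                 3: "operations", 4: "business", 5: "business"}
ZONE_ORDER = {"process": 0, "operations": 1, "business": 2}

# Conduit allow-list between adjacent zones: (src_zone, dst_zone) -> protocols.
CONDUITS = {
    ("process", "operations"): {"modbus", "opcua", "syslog"},
    ("operations", "process"): {"opcua"},
    ("operations", "business"): {"https", "syslog"},
    ("business", "operations"): {"https"},
}

@dataclass(frozen=True)
class Flow:
    src_level: int
    dst_level: int
    protocol: str
    carries_commands: bool = False  # inbound queries/commands toward OT?

def classify_use_case(flow: Flow) -> str:
    """Map a flow to the three IIoT use cases above (lowest to highest risk)."""
    if flow.carries_commands and flow.dst_level <= 1:
        return "remote-access"   # can modify the physical process (level 0/1)
    if flow.carries_commands:
        return "two-way"         # queries/commands that stop at supervision/ops
    return "outbound-only"

def check_flow(flow: Flow) -> tuple[bool, str]:
    """Allow a flow only if it stays inside a zone or uses a permitted conduit
    between adjacent zones; a flow that skips a zone 'short circuits' the model."""
    src, dst = ZONE_OF_LEVEL[flow.src_level], ZONE_OF_LEVEL[flow.dst_level]
    if src == dst:
        return True, f"intra-zone ({src})"
    if abs(ZONE_ORDER[src] - ZONE_ORDER[dst]) > 1:
        return False, f"zone skip {src}->{dst} (no direct conduit)"
    if flow.protocol in CONDUITS.get((src, dst), set()):
        return True, f"conduit {src}->{dst} permits {flow.protocol}"
    return False, f"conduit {src}->{dst} does not permit {flow.protocol}"

if __name__ == "__main__":
    sensor_upload = Flow(1, 3, "modbus")                      # constructed
    cloud_to_plc = Flow(5, 1, "https", carries_commands=True)  # constructed
    for f in (sensor_upload, cloud_to_plc):
        print(classify_use_case(f), check_flow(f))
```

The zone-skip rule is what denies a cloud-to-PLC session outright, while an outbound sensor upload passes only because its protocol is on the process-to-operations conduit list.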
6. Signaling Protection
As 5G technologies mature, cellular access networks will become more common in industrial networks. If there are large numbers of IIoT endpoints compared with the amount of data transferred, this can pose a risk of signaling storms—either intentional (due to a cyberattack) or unintentional (due to device malfunction). An ecosystem-based network operating system like FortiOS can protect these systems against signaling storms.
7. IoT Platform Protection
Since signaling and data usually pass through one or more IoT platform nodes, those nodes need protection. The traditional IoT model positions the platform in the cloud. But for IIoT, the round-trip time between devices and cloud may be too long, and cloud connection reliability may be insufficient. Moreover, sending data into the cloud may present additional security risks. Solutions proposed by the 3rd Generation Partnership Project (3GPP) include multi-access edge (MEC) architecture or a private 5G network.
8. Logging and Monitoring
Centralized logging and monitoring enable observation of the entire IIoT ecosystem from a single point, usually a security or network operations center (SOC or NOC). This should comprise the ability to determine or configure baselines and provide access to logs and events resulting from deviations from these baselines or detection of malicious activity. Depending on the IIoT organization’s operating structure, logging and monitoring measures can be incorporated within the conduits between PERA levels 2 and 3, between levels 3 and 4, or in Level 5.
Flexible Security Infrastructure
Changes in production environments due to wireless, 5G, and IIoT technologies are ushering in a new era of flexibility, productivity, and control for OT-based organizations. At the same time, these innovations expand the threat landscape. Protecting OT systems requires flexible security infrastructure with elements that can evolve along with today’s changing wired and wireless OT environments.