The future of OT security in an IT-OT converged world
Securing ICS in the cloud requires 'fundamentally different' approach
Paid Feature If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who's going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend 'ICSaaS'. "ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
The move to cloud-controlled ICS took this long to begin in part because of the cultural differences in the ICS world. One mistake configuring the operational technology (OT) underpinning ICS can have profound effects, Masson says. Opening this infrastructure up to access from the internet was a bold enough step on its own, and took a big cultural shift. Putting the means of control in the cloud takes a further shift in mentality.
"Although there are positives, it will still impact reliability," says Masson. "There are ramifications for ICS performance, security, and therefore safety." Many of these environments can't tolerate any downtime at all.
The benefits of ICS in the cloud
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they're attracted by the potential benefits, Masson asserts. The pandemic has been a strong driver, allowing operators to remotely control industrial systems when they haven't been able to come on-site.
Organizations could enable remote access without cloud-based systems by punching holes in on- premises firewalls, but doing so made cloud-based access more plausible, opening up the conversation.
If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces, Masson says. These make the management infrastructure cheaper and easier to operate. He points out the arguments now familiar to IT decision makers, including the opportunity to reduce operators' own hardware investments and potentially cut their data center real estate. Companies are now seriously considering taking advantage of these operational benefits for the first time.
In this scenario, the hardware components that make up ICS stay where they are. We're not talking about virtualizing programmable logic controllers here. It's the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly. Instead of handling planning and scheduling using on-premises data, they'll do it using cloud platforms that then tunnel communications to those legacy systems in the field - which still expect to be spoken to via specialized protocols like Modbus.
The security challenges of ICSaaS
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT, explains Masson. OT is now part of what looks increasingly like a common IT network.
"Now, anybody can access this network from anywhere, so you've got to make sure you have good controls around who's got permission," he says. "This raises questions about data security, compliance, and regulation."
Security teams grappling with this face challenges including more complexity in their infrastructures as they bring different devices and protocols into the fray, with traffic running through different gateways. The number of OT devices can be staggering, far outnumbering the number of servers or endpoints that an IT security team has dealt with before.
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control, warns Masson. He calls the people looking after this management data in an ICS setting “data historians”.
"That data is now over the horizon and you need to know what people are doing with it in the cloud," he warns, pointing to a litany of problems with misconfigured databases and storage resources. The prospect of exposing ICS management data to the general public due to a dashboard misstep would turn most data historians grey.
There are organizational worries to consider beyond the technological ones, Masson adds. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both? Do they speak the same language? Will the organization have to contend with political strife and territorial battles?
When all these challenges combine, it's easy for security problems to slip through the gaps. It takes a cohesive approach with multiple checks and balances to ensure protection that extends from the physical equipment in the field through to the infrastructure that controls it in the cloud. It takes a sharp focus on access controls and permissions at all points in the ecosystem.
Building a new security approach
This new, more complex environment demands a new approach to security, according to Masson.
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important, he says. Its focus on identity-based access, backed by account controls like multi-factor authentication, is valuable. "But that won't tell you when you've misconfigured something providing you with access to your ICS from the cloud," he points out.
He warns that IT teams can't rely on the same protective measures they used in the past. "They'll have one product for this and another for that, all using hard-coded predefined rules and signatures that aren't really designed to adapt with sudden transformation.” The rules-based firewalls that might have offered some protection in the past will no longer cut it in a converged IT/OT cloud-based environment.
Darktrace’s AI technology flips this narrative, evaluating threats to complex systems not using a rigid set of rules, but instead leveraging unsupervised machine learning to constantly understand an organization’s 'pattern of life'.
Instead of running every traffic pattern against a complex and often outdated series of signatures to detect malicious behaviour, Darktrace's tools look for activities that deviate from this ‘pattern of life’. If it detects communications between ICS systems that don't usually communicate, for example, or unusual access to ICS control systems in the cloud, its AI will investigate the activity in real time.
If granted permission, Darktrace's Antigena product will also take its own steps to contain the threat. It uses an AI-powered Autonomous Response mechanism that takes measured steps to neutralize malicious behaviour, all while allowing normal business operations to continue to run smoothly.
This approach has the advantage of not relying on deep packet inspection for its results. That's a big plus in an environment where tunnelled communications between cloud-based management systems and ICS components are often so obscure that they're effectively encrypted.
"There are tons of these protocols, some invented by people who are now dead," Masson says. "So we stay protocol agnostic."
While the company is learning some of the protocols for clients that demand it, the AI technology doesn't need to understand what's happening in a packet. Instead, Darktrace looks at what the packet is doing within the broader infrastructure, using its self-learning AI to assess deviations from the norm.
A number of cloud-first critical infrastructure organizations use Darktrace to defend their cloud environments – one being Mainstream Renewable Power, a major player in wind and solar energy.
5G and edge computing will change the game
ICSaaS is only one part of a broader shift towards OT/IT convergence, says Masson. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
"Right now people focus on protecting the data that's in the cloud, but with 5G and edge computing that data won't always stay there; it will be on the edge where the computation is actually taking place.” Masson argues that self-learning AI, built to maintain a picture of normality in volatile environments, will be well-placed to cope with the speed and complexity of edge-based scenarios.
ICS will be deeply ingrained in this new computing model, which will see local 5G-based networks supporting edge facilities and sensors with software-defined network functions including network slicing. With the world on the cusp of this change, new approaches to protecting it all from attack will be crucial.
Masson is certain that AI will be squarely in the middle of the picture, protecting the network from logic controllers in the field through to virtual servers in hyperscale cloud architectures - and everything in between.
This article is sponsored by Darktrace.