Part 2: Decoding the Complexity of PLCs

In part one of this series we explained how Programmable Logic Controllers (PLCs) have become key targets for cyber security attacks due to their legacy design, lack of built-in security features, and susceptibility to malware, and how newer PLCs are starting to incorporate more robust security features to help protect against these threats.

Before we can understand how PLCs can be targeted in attacks, we need to understand what they are, how they work and what can be targeted.

Part 2: Decoding the Complexity of PLCs

In part one of this series we explained how Programmable Logic Controllers (PLCs) have become key targets for cyber security attacks due to their legacy design, lack of built-in security features, and susceptibility to malware, and how newer PLCs are starting to incorporate more robust security features to help protect against these threats.

Before we can understand how PLCs can be targeted in attacks, we need to understand what they are, how they work and what can be targeted.

Part 1: The Invisible Enemy

Programmable Logic Controllers (PLCs) are an essential part of industrial manufacturing plants. They are widely used in industrial control systems (ICS)  to automate processes in critical infrastructure sectors such as energy, water, and transportation. In addition to their day-to-day operational activity, these connected devices generate and exchange vast amounts of security-critical information. For this reason, they have become key targets for a growing number of cyber security attacks.

The New integration screen just got published. The screen’s rework includes much simpler and intuitive navigation between all integrations options. Check it out now!

In mid-summer of 2022, Albania accused the Iranian government of targeting them with a series of major cyberattacks. The attacks, which targeted government servers and online portals, raised alarms about the increasing expertise and audacity of Iranian-sponsored advanced persistent threat (APT) actors. Although many specifics about the attacks are still unknown, the FBI and other international observers believe that the Iranian government first breached the networks of the Albanian government by using phishing emails and malware as early as 14 months before launching the full attack. After gaining access, the attackers were able to penetrate deeper into the systems to obtain sensitive information and cause disruption to government operations.

If one of your organization’s goals for 2023 is to implement a robust OT/ICS cyber security solution (and here’s why it absolutely should be, even if budgets are a little tight!) you may need a little help wading through the plethora of options, making a plan, and selling it to your CISO and board. There are many solutions being marketed out there, and many organizations willing to offer advice.  SCADAfence recently published a vendor-agnostic guide to choosing an OT Cyber Security solution that details why OT cyber security differs from IT cyber security and what you need to know to choose the solution that’s best for your organization. In this post, we’ll delve deeper and explore why a complete integration is so important. The U.S. National Institute of Standards and Technology (NIST) also released a draft version of a detailed technical guide to implementing OT security, with the final edition expected later this year. We suggest you download and read that as well. One important thing to remember is that even if you don’t have a complete OT security solution at the moment, you still are probably not starting from scratch. Enter the so-called expert from IT.

Integration Between OT and IT Is Essential

As we discovered recently on reddit, every control system engineer has a horror story to share about an IT guy who showed up on the floor of the manufacturing facility with a poorly thought out plan to install or upgrade or a cyber security solution. They proceed to scan every device on the OT network with a tool not-quite designed for the job and leave a disaster in their wake. Machines shut down. Production lines halted. Productivity out the window. Fingers pointed directly at the OT engineers. We understand why most OT engineers would prefer to keep IT experts out of the factory, and back in the office, where they belong. But the fact is, OT networks require cyber security protection too. (And because a cyber attack in the OT world risks harming physical safety, not just data, the need is actually higher.) However, as the integration of IT and OT systems becomes increasingly connected in functionality, it’s important to ensure that their cyber security solutions are well-integrated as well. IT systems are usually more mature, based on common operating systems such as Windows OS or Linux, and have more options available. OT systems on the other hand, are often more fragile and built on custom software, but are more critical to an organization’s mission. Therefore, as much as the OT teams might prefer to keep the IT teams out of their workspace, it is important for them to work together. Make sure roles and responsibilities are well-defined and it’s clear who holds final accountability for making sure your facility is secure.

Identify Your Specific Use Case

Before selecting an OT cyber security vendor, it’s essential to prepare and validate a clear list of IT integration use cases, and ensure that your chosen vendor is able to meet those needs A sound and complete integration between OT and IT security solutions should accomplish several things. First, it should allow for the flow of information between the two systems. This means that the OT team can receive alerts and notifications from the IT system, and vice versa. Second, a seamless integration should allow for forensic analysis to be conducted across both systems if needed. Third, remote users that are authenticated by the IT systems, may need access to OT systems as well. Therefore, a proper solution will allow a way for users logging on remotely to get the access they need at the correct level of authorization. This means that the solution should integrate seamlessly with other tools that are already in place. For example, SCADAfence integrates with a number of different security vendors, such as Rapid7, Keysight, and Secureworks. An open API that allows for maximum flexibility is ideal, as it allows you to tailor the integration to your specific use case rather than being limited to pre-set integrations that may not meet your needs.

Increased Visibility And Other OT Needs

In addition to the OT/IT integration, there are many other things to look for in an OT solution. Including, yes, the ability to passively scan the network to create a detailed inventory of every device without causing damage and shutting down the network. Other must-haves include quick installation time, low false positive rates, and tailored risk alerts. These are all covered in detail in the guide as well.  So, when the CISO, IT person or other member of senior management tells you they want to bring in a cyber security expert, instead of tossing them out on their head and bolting the door, invite them in, be prepared, and talk about how best to work together. To get more advice and information about choosing an OT cyber security solution, download our complementary guide.

It’s become somewhat of a ritual at the beginning of every year, (almost) every company comes up with a review of the past year, and an attempt to forecast what the next 12 months will bring. This year is more challenging than ever. Not only are geopolitical tensions and conflicts at an all-time high but there’s a lot of uncertainty due to the bear markets and the almost inevitable recession that is lurking.

2022 was a year of incredible growth and evolution for OT cyber security. If there is one word that sums up the past year in my mind, it is “change.”