The worlds of Information Technology (IT) and Operation Technology (OT) have been separate for many years. IT networks are used exclusively for the interconnection of computers, data centers and public networks, while OT networks typically interconnect industrial production machinery.
By Giovanni Prinetti
This “air-gapped” separation has largely kept OT networks isolated and away from the problems caused by the cyberattacks that plague IT networks, but at the cost of preventing synergies between the two worlds.
In recent years, however, there has been a movement towards converging IT and OT networks onto a single physical infrastructure based on the IP protocol. This trend has enabled production systems to collaborate with other business functions (sales marketing, purchases, etc.). Although this leads to lower costs and opportunities for increased business agility, convergence has exposed OT networks to cyber-attacks with increased business economic risks.
An attack that affects an office area can cause significant damage, but backups and disaster recovery systems can be effective mitigations. However, attacks affecting production lines or critical infrastructure cause immediate damage, can expand quickly, and may not be easily recovered.
The sources of cyber-attacks
The first aspect to consider when building a defensive system is the source of the attacks. We know that most cyber-attacks originate from the internet. Since every business network connects to the public network, this opens the door to countless attack attempts.
Conventional IT-based defense systems protect the boundary between private and public networks. Therefore, the usual approach is to insert a firewall, preferably with UTM (Unified Threat Management) capabilities, to prevent threats from crossing the boundary and infecting the inside of the network.
However, other network boundaries can also be attack surfaces. These boundaries are often less well-protected and can expose the network to unnecessary risks. For example, wireless networks can be vulnerable, and if a malicious actor has physical access to a network, every port of each network switch represents a potential attack point.
In an OT network, any connected device, like an IoT sensor or IP camera, can become a Trojan horse capable of attacking the network from the inside. For example, replacing a remote sensor or camera with a computer by spoofing the sensor’s MAC address is an obvious way to try to access the production network.
The main issue with cyber-attacks from inside the network is that they move laterally (from device to device), only encountering the firewall when communicating with their command-and-control server over the internet. This makes internal attacks much more dangerous since there is a risk it will spread over the local network for hours or even days without the firewall being able to detect or intercept it.
Architectures that minimize risk
Security architectures exist that surpass the abilities of a single internet boundary firewall to increase network protection, even from internal attacks. Two possible architectures can improve protection, but they are usually impractical for cost or performance reasons:
1. Use a single, very powerful firewall through which all network traffic is redirected.
2. Split the network into subnets and place a dedicated firewall to protect each subnet.
Response time is critical
Until now, we have discussed the ways to prevent an attack, but we must also consider the best response in case an attack successfully infects a connected device.
Depending on the security architecture implemented, it may take some time before the firewall detects the attack. This is because firewalls stop attacks from crossing a boundary but can do nothing to prevent a threat from spreading laterally.
In the typical scenario, once an attack is detected, the firewall informs the IT manager, and then the IT team needs to act quickly to avoid further damage, but that’s not always what happens.
The actions required to identify the source, remedy the problem, and restore the devices to a safe state are in the hands of the IT group and are therefore related to the response times of human reaction. In addition. Whenever humans must respond under pressure to a rapidly evolving situation, there is potential for human error. Often these mistakes can cause delays and further damage or leave undetected vulnerabilities that expose the company to more risk in the future.
However, the response time can vary on a multitude of factors: the complexity of the network, the experience of the IT group, the presence or availability of staff in the office at the time of detection, the ability to detect the attack, and the time needed to thwart the attack and prevent further damage. Cyber-attacks are often launched in the evening or on the weekend when the IT team is not present or is slower to respond.
The damage suffered by the company is directly proportional to the time taken to restore the network to a safe state. Therefore, the more time passes, the wider the impacts are felt and the greater the economic damage to the company.
It can take days or even weeks to identify the source of an attack and remedy the situation, which can be the most detrimental effect of any cyber-attack. Aside from the economic impact, the damage to reputation, business relationships and, in the case of critical infrastructure, the risk to human life can be severe.
Automation for an immediate response
The solution is to reduce the time from attack detection to safe operation as much as possible. That means relying on automated responses that enable the network to defend itself and avoid the delays typical of human intervention. In other words, we create a “self-defending network”.
For a self-defending network to be able to react autonomously, all the elements involved must work together. Therefore, the main requirements for such a system are:
• An efficient detection system based on a multidisciplinary approach in which firewalls with integrated AI-based tools can detect all threats, including unrecognized “zero-day” attacks.
• An intelligent adapter that is capable of interpreting alerts from the detection system and deciding how to react. AMF-Sec from Allied Telesis integrates with most firewalls and can block the wired or wireless port to which the device is connected, redirect traffic to a safe VLAN, or alert the administrator.
• A programmable network that receives instructions from the adapter and implements them immediately. The instructions can use standard protocols such as OpenFlow, which require custom development, or an off-the-shelf network automation solution, such as the Autonomous Management Framework (AMF) that works seamlessly with AMF-Sec.
The diagram below shows how these components combine to detect and isolate compromised devices immediately, minimizing the impact on the rest of the network and the business.
This solution is effective because the network switches send a copy of their traffic to the firewall to inspect, solving several problems with other designs:
1. Since the firewall inspects all the traffic from the switches, it can detect threats moving laterally from device to device.
2. The firewall introduces no latency since it inspects a copy of the traffic, so network performance is unaffected.
3. Even when network subnets are used for security, a single firewall can be used for a more practical and cost-effective solution.
Be Prepared and Respond Quickly
When it comes to cybersecurity, prevention is necessary, but it is always possible that an attack can bypass our defenses. So be prepared to react promptly to any situation with automated systems that do not introduce delays. And avoid manual intervention as much as possible since delays and mistakes can lead to more damage and cost.
An intelligent automated system that coordinates reactions and interventions is the only solution to create a self-defending network that can protect itself immediately and independently of human intervention.
