Security for the Modern OT Environment

July 16, 2020 Andrew Silberman

Operational Technology (OT), the hardware and software used to monitor, detect and control changes to devices, processes and events in industrial equipment, is a popular target for cyber attackers, and for good reason. Unauthorized access to critical Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems can wreak havoc on power stations, transportation networks and smart city infrastructure.

Because a breach of the OT environment could shut down an electric grid, disable alarm systems or cause an ecological disaster at an oil refinery, OT networks are often air-gapped, with no connection to outside networks.

However, critical OT systems and applications still need to be accessed by operators, engineers and contractors from outside the network, and with many employees working remotely these days, secure access for authorized users from a variety of locations is required. Many organizations also rely on vendors and third parties to update their systems. Typically, they handle this with a VPN or by opening up the firewall, either of which places the remote endpoint, and whatever is running on it, directly on the OT network.

While many OT network architectures include some level of security processes and protocols, traditional IT security products often can't be deployed in an OT environment: they were not designed for its legacy protocols, long-lived equipment and strict uptime requirements. That gap makes it easier for dedicated attackers to reach their targets, whether with worm malware or by abusing employee or vendor access to masquerade as a trusted insider.

For security purposes within OT, the Purdue Enterprise Reference Architecture (PERA), with its hierarchy of Levels 0 through 5 plus a DMZ tier between Levels 3 and 4, is often used to segment networks into three zones: the Enterprise Zone (Levels 4 and 5) at the top, then the Industrial Demilitarized Zone (IDMZ) and, finally, the Manufacturing or Industrial Zone (Levels 0 through 3). Traffic between the Enterprise and Industrial Zones is meant to terminate in the IDMZ rather than cross it directly.

Finding solutions that provide the necessary security for OT environments without hindering the productivity of remote users has long been considered a near-impossible task. Beyond simply providing secure remote access, different types of sensitive assets call for different security controls, making the landscape even more complex.

This often resulted in a choice between granting too much access in the name of operations or too little in the name of security. Either way, a team of security staff is needed to manage the process, and the end result is some combination of high costs and lost time for IT administrators and security teams alike.

Organizations with OT environments are in dire need of a solution that not only provides increased security for the most sensitive assets and environments, those on Level 0 and Level 1 of the PERA model, but which can also keep remote users happy and productive.

Effective security for OT environments starts with identifying every privileged account and credential used to connect to SCADA systems, ICS, smart sensors and similar assets, and properly securing access to those systems. All privileged accounts and credentials should then be stored and managed in an encrypted repository and rotated frequently.

Next, identify the users that require access and help ensure that tools are in place to keep these users productive, but also secure. This is where CyberArk can help.

CyberArk Alero provides security controls that give remote users access only to what they need, when they need it. The solution directly integrates with the CyberArk Privileged Access Security Solution to provide automatic session isolation that’s needed for Level 0 assets to ensure that potentially compromised endpoints never touch OT environment systems. For additional security, all sessions are automatically recorded and monitored and, in the event of anomalous or potentially malicious activities, can be remediated in real-time.

CyberArk Alero provides organizations with OT environments with an easy way to secure and enable remote access to critical applications and systems managed by CyberArk.

With CyberArk session management capabilities, as long as the session management server is pointed at the device and connects over a supported protocol (RDP, SSH, application, etc.), all sessions are automatically isolated, recorded and monitored. If a device can't connect through CyberArk's session management directly, a variety of plugins and gateways are available on the CyberArk Marketplace, or custom ones can be built.
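As an added illustration that is not part of the original post and not CyberArk's code, the following Python script checks flow records against the two access rules this post relies on: the Purdue zoning described earlier (no direct traffic between the Enterprise Zone and the Industrial Zone; every conduit terminates in the IDMZ) and brokered interactive access to Level 0/1 assets only through a session-isolation host. The subnets, the jump-host address, the port list and the flow records are all constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed subnet-to-zone map for an illustrative plant; these ranges, hosts and
# ports are assumptions for the example, not taken from any real site or product.
# Purdue levels: 5/4 Enterprise, 3.5 Industrial DMZ, 3 Site operations,
# 2 Supervisory, 1 Basic control, 0 Physical process.
ZONES = {
    "enterprise":  (ipaddress.ip_network("10.0.0.0/16"), 5),
    "idmz":        (ipaddress.ip_network("10.1.0.0/24"), 3.5),
    "site_ops":    (ipaddress.ip_network("10.2.0.0/24"), 3),
    "supervisory": (ipaddress.ip_network("10.3.0.0/24"), 2),
    "control":     (ipaddress.ip_network("10.4.0.0/24"), 1),
    "process":     (ipaddress.ip_network("10.5.0.0/24"), 0),
}

# Hypothetical session-isolation (jump) host in the IDMZ: the only source allowed
# to open interactive sessions into Level 0/1 assets.
JUMP_HOSTS = {ipaddress.ip_address("10.1.0.10")}

# Interactive protocols that must be brokered through the jump host, never reached directly.
INTERACTIVE_PORTS = {22, 23, 3389, 5900}


def zone_of(ip):
    """Map an address to (zone name, Purdue level); (None, None) if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, (net, level) in ZONES.items():
        if addr in net:
            return name, level
    return None, None


def check_flow(src, dst, dport):
    """Return the list of policy violations for one flow; an empty list means allowed."""
    src_zone, src_level = zone_of(src)
    dst_zone, dst_level = zone_of(dst)
    if src_zone is None or dst_zone is None:
        return [f"unmapped address in flow {src}->{dst}"]
    findings = []
    # Rule 1: Enterprise (Level 4/5) and the Industrial Zone (Level 0-3) never talk
    # directly in either direction; every conduit terminates in the IDMZ (3.5).
    if (src_level >= 4 and dst_level <= 3) or (src_level <= 3 and dst_level >= 4):
        findings.append(f"{src_zone}->{dst_zone} bypasses the IDMZ")
    # Rule 2: interactive access to Level 0/1 only from the session-isolation host.
    if dst_level <= 1 and dport in INTERACTIVE_PORTS and ipaddress.ip_address(src) not in JUMP_HOSTS:
        findings.append(f"direct interactive session to {dst_zone} on port {dport} from {src}")
    return findings


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def audit(flow_lines):
    """Run check_flow over key=value flow records; returns [(line_no, findings)] for violations."""
    results = []
    for n, line in enumerate(flow_lines, start=1):
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip anything that is not a flow record
        findings = check_flow(m.group(1), m.group(2), int(m.group(3)))
        if findings:
            results.append((n, findings))
    return results


# Constructed flow records (not real captures) exercising each rule.
SAMPLE_FLOWS = [
    "2020-07-16T10:00:01Z src=10.0.5.20 dst=10.4.0.15 dport=3389 proto=tcp",  # laptop -> PLC, RDP
    "2020-07-16T10:00:02Z src=10.0.5.20 dst=10.1.0.10 dport=3389 proto=tcp",  # laptop -> jump host
    "2020-07-16T10:00:03Z src=10.1.0.10 dst=10.4.0.15 dport=22 proto=tcp",    # jump host -> PLC
    "2020-07-16T10:00:04Z src=10.2.0.7 dst=10.4.0.15 dport=22 proto=tcp",     # site ops -> PLC, SSH
    "2020-07-16T10:00:05Z src=10.3.0.5 dst=10.4.0.15 dport=502 proto=tcp",    # HMI -> PLC, Modbus
    "2020-07-16T10:00:06Z src=10.5.0.3 dst=10.0.9.9 dport=443 proto=tcp",     # sensor -> enterprise
]

if __name__ == "__main__":
    for line_no, findings in audit(SAMPLE_FLOWS):
        print(f"line {line_no}: " + "; ".join(findings))
```

Run against the sample records, the script flags the laptop reaching a PLC over RDP (both rules), a site-operations workstation opening SSH to the PLC without going through the jump host, and a Level 0 sensor calling out to the enterprise network, while the brokered path (laptop to jump host, jump host to PLC) and the Level 2 to Level 1 Modbus traffic pass. The same check can be pointed at real NetFlow or firewall exports once the zone map reflects the actual address plan.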

For more information on CyberArk’s approach to securing OT environments, visit us here.
