OT Cyber Security Standards for Open Industry

The good thing about standards is that there are so many of them, as they say. And indeed, there are a growing number of cyber security standards emerging that impact operational technology (OT). In a current EETimes feature, John Moor, managing director of the IOT Security Foundation, explores the standards that impact OT. Although he does see some welcome convergence, he raises the possibility that their hierarchical, Purdue-model-driven architectures might not be adequate to address the security needs of more open and expansive industrial operations in a COVID economy.

Part of the problem, he says, lies in the fact that OT systems were not widely connected until the turn of the century and many of the individual computing and communications components in use today were not designed for the implications of TCP/IP connection.

“Moreover, many organizations running such systems want to move from a siloed OT model to a more connected IT or even IIoT model as a way to use data more effectively. To do this with legacy equipment, and get data moving from one side of the factory to another, firewall ports and pinholes must be opened, thus increasing the attack surface,” he writes.

Revisiting the Purdue model

Among the standards he looks at are SP 800-82 from the U.S. National Institute of Standards and Technology (NIST) and ISA/IEC 62443, as well as several industry-specific standards and guidelines from governmental organizations and vendors, which he says match the Purdue model.

“By their very nature, OT systems are hierarchical and security standards typically mirror the Purdue Model in which the network is split into functionality layers: from Level 0 (sensors and actuators), up through the OT environment, to the highest level, Level 5, the company’s enterprise IT network. Data flows through these levels to provide data about the plant, and to provide business context for ICS to adjust performance or set delivery schedules,” he writes.

Moor does believe that the Purdue model can be applied to IIoT, but with limitations. “…it can be argued that each IoT device is a ‘Purdue Model in a box,’ with a sensor, a processor and a connection to the enterprise network. However, for remote monitoring equipment, like that used in smart cities, systems do not just connect to the enterprise network, but directly to the cloud, a Level 6, if you will. This couples them more closely to Internet-borne threats.”

He warns, however, that the IIoT world no longer follow a predefined M2M model, where trusted equipment from just one (or very few) vendor makes up the system, where proprietary protocols could be implemented specifically for a vendor.

“The move to IIoT systems changes this. Not only does equipment come from multiple vendors, but sensors are also connected to wide area networks (WANs) such as LoRa or 5G and located remotely. Standards therefore need to be used and adopted throughout the ecosystem,” writes Moor.

It’s a new world

Moor sees “big changes” emerging in the way infrastructure is managed. More and more sensors are located remotely and communicate back over WANs, making it more difficult to isolate capabilities such as control and analysis. And he believes the Covid-19 pandemic driven need to provide home workers with remote access for monitoring systems can only accelerate this trend and makes the need for a new security model even more urgent.

“That requires looking beyond ISA/IEC 62443 and NIST SP 800-82 to more specifically address IIoT and its introduction of cloud and edge computing to the industrial context.

“Historically, OT security relied on implicit trust, based on an assumed trusted network. Systems are no longer based on a single- or almost-single-vendor model. As the number of IIoT devices from multiple vendors increases, implicit trust will not be enough. We need “zero trust” networks, where device relationships and security state are assured and devices are hardened to resist the untrusted environment,” he continues, adding that in this new world, sensor installation becomes plug-and-play, with each device knowing the source to contact to establish trust relationships with other parts of the infrastructure.

“We start with secure and trusted chips, software and the cloud-based management systems and their communications being equally secured and trusted. The result is a robust infrastructure. But it also means standards and certification must be established,” he says.

If it’s not secure, it’s not smart.

“Increased connectivity means increased vulnerability, and firewalls are not the answer. They create a false sense of security and don’t really secure critical systems. In such a world we all have a role to play in making it safe to connect. For those seeking to benefit from having smarter IIoT systems, remember these wise words: “if it ain’t secure, it ain’t smart.””

For more about how Bedrock Automation enforces zero-trust OT cyber security, download our White Paper: Securing ICS and take a look at the on-demand version of our OSA Power Lunch. You’ll see a demonstration of a proven-in-use IIoT architecture that brings advanced OT security, communications, and diagnostics together in unprecedented ways.