Vendors design IT network applications and tools for a fairly uniform environment of routers, switches, and servers. The situation in operational technology (OT) is quite different, for several reasons.
One reason is that OT systems use a far wider range of communications protocols. OT vendors have not followed IT vendors in converging on a handful of common platforms. Instead, individual vendors often develop their own software and communications protocols, most of them proprietary and vendor-specific, and few of them compatible with one another.
This is true even when different vendors are working to the same standard. An OT user who buys programmable logic controllers (PLCs) from several vendors is likely to find that each has taken its own (and proprietary) approach to implementing IEC 61131. Unless those vendors document their approaches adequately, the user will have a hard time monitoring critical activity on those controllers.
In practical terms, this means that OT systems engineers often have to learn to use, monitor and troubleshoot as many types of software and communications protocols as they have vendors. This is already a tall order, but the complications don’t end there. The software and communications protocols in question aren’t just incompatible with each other but also, in many cases, incompatible with the modern security solutions that become necessary when OT systems are connected to the internet.
This incompatibility is often a function of age. OT systems are designed to have a much longer lifespan than IT systems. OT systems are usually designed to remain in operation for decades, at full capacity, with little downtime, and with reliability and safety in mind.
As a result, OT systems are much more likely to include components that are 20 to 30 years old, or older. Some pre-date any concern about cyberattacks; others rely on security measures that no longer hold, such as air gaps that have in practice been bridged by connected monitoring devices. Many still run software that is less secure and no longer supported: OT workstations frequently rely on legacy operating systems such as Windows NT or Windows XP, for which vendor support has ended. All of this makes them very difficult to integrate with modern security solutions.
When companies work to integrate legacy networks with modern security platforms, unmanaged switches with no SPAN (Switched Port Analyzer, i.e. port mirroring) capability, and managed switches that lack the resources to support SPAN, deny security tools even the basic network visibility they need to protect the network.
ICS operating systems (OS) and applications may not even tolerate IT security practices. Active testing such as port scanning or vulnerability scanning generates a volume of traffic that legacy ICS networks, which often run at low speeds, cannot absorb, and controllers can be overwhelmed or crash under it. This underscores an unfortunate fact: pushing legacy equipment to exchange data outside its proprietary systems opens the industrial network to security vulnerabilities.
Unfortunately, the challenges of incompatibility and age aren’t easy to overcome. OT users have an incentive to keep their existing assets in place even if they aren’t a good fit for modern security solutions because their guiding principle is to avoid downtime.
Industrial control systems (ICS) can’t be taken offline whenever their operators hear about a new patch or update. If these systems are being used to run power plants, sewage systems, hospitals, or other components of critical infrastructure systems, downtime can pose unacceptable risks to public health and safety (and perhaps even national security). And if these systems are being used to run manufacturing facilities, downtime can disrupt business continuity and lead to significant financial losses.
As a result, industrial automation engineers and other employees that work with OT systems have every reason to argue for keeping existing ICS in place and leaving them alone as much as possible, even if they are known to be vulnerable. At the same time, IT and cybersecurity specialists have every reason to argue for applying the updates and patches that are needed to eliminate or mitigate risks.
Together, these challenges – incompatibility, age, and the need to avoid downtime – can make OT systems extremely difficult to secure.
Overcoming these difficulties is far easier with network visibility: a monitoring architecture that gives the security team a complete picture of every component on the network and of the traffic between them, on the principle that you can't secure what you can't see. OT security should therefore be built on fundamental best practices in visibility architecture: eliminate the blind spots in the network so that security tools can perform proper asset discovery and optimize threat detection and response.
Many industrial companies turn to specialized industrial network TAPs to bridge the legacy gap. These TAPs connect old media types such as 100BASE-FX or 100BASE-LX to copper Gigabit and perform speed conversion, so that 10M, 100M and 1G segments can be connected automatically.
Many legacy OT environments have unmanaged switches with no SPAN (port mirroring) option, or managed switches that lack the resources to support SPAN. For these, network TAPs provide the traffic access and packet visibility the security platform needs.
Even on OT networks where SPAN is available, network TAPs remain the best practice for visibility architecture: they passively copy traffic to security tools without dropping or duplicating packets, whereas a SPAN port is a lower-priority function of the switch that drops frames when it is oversubscribed. A SPAN port is also bidirectional, so a misconfigured port or a compromised monitoring tool can inject traffic back into the production network. Data diode TAPs physically enforce one-way flow from the network to the monitoring side, so nothing on the monitoring side can reach back into the OT network. Often aggregator TAPs are added to combine multiple SPAN or TAP links into the security platform.
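As an added example that is not code from the original article or from Garland: the script below performs the passive asset discovery this section calls for, reading frames the way a security tool fed from a TAP or data diode TAP would, without sending a single packet toward the OT network (the passive alternative to the active scanning that legacy controllers cannot tolerate). The frames, IP addresses and MACs are constructed inline for the demo; the port-to-protocol table, the Modbus write function codes and the role inference (the host listening on an ICS port is the controller, the other side is a client) are assumptions based on well-known defaults, not something the article states.

```python
"""Passive ICS asset inventory from TAP-mirrored frames (added example, not
from the original article). Nothing here transmits: frames are parsed as a
security tool receiving a TAP copy would parse them."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Assumed port-to-protocol table (well-known defaults; extend per site).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP",
             20000: "DNP3", 2404: "IEC 60870-5-104"}
# Modbus function codes that change controller state (write coils/registers).
MODBUS_WRITE_FC = {5, 6, 15, 16, 23}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Fabricate a minimal Ethernet II / IPv4 / TCP frame (checksums left zero);
    only used to construct sample traffic for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_frame(frame):
    """Decode an IPv4/TCP frame into its addressing and payload; None otherwise."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_TCP:          # IPv4 protocol field
        return None
    t = 14 + (frame[14] & 0x0F) * 4       # TCP header start (14 + IHL*4)
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4   # TCP data offset in bytes
    return {"src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "payload": frame[t + data_off:]}


def modbus_function(payload):
    """Function code following the 7-byte Modbus/TCP MBAP header, or None."""
    return payload[7] if len(payload) >= 8 else None


def inventory(frames):
    """Derive hosts, their roles and any observed Modbus writes from frames only."""
    assets = defaultdict(lambda: {"macs": set(), "serves": set(), "clients_of": set()})
    writes = []  # (client_ip, server_ip, function_code)
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        assets[p["src_ip"]]["macs"].add(p["src_mac"])
        proto = ICS_PORTS.get(p["dport"])
        if proto is None:
            continue
        # Assumed role inference: the side listening on an ICS port is the
        # controller; the other side is a client (HMI, historian, engineering host).
        assets[p["dst_ip"]]["serves"].add(proto)
        assets[p["src_ip"]]["clients_of"].add(proto)
        fc = modbus_function(p["payload"]) if p["dport"] == 502 else None
        if fc in MODBUS_WRITE_FC:
            writes.append((p["src_ip"], p["dst_ip"], fc))
    return dict(assets), writes


def sample_frames():
    """Constructed traffic: an HMI polling a PLC, the PLC replying, an engineering
    laptop writing a coil, an S7comm connection (payload omitted), and HTTP."""
    hmi, plc, eng = "10.10.1.20", "10.10.1.5", "10.10.1.77"
    m_hmi, m_plc, m_eng, m_web = ("00:11:22:aa:bb:01", "00:11:22:aa:bb:05",
                                  "00:11:22:aa:bb:77", "00:11:22:aa:bb:99")
    read_regs = bytes.fromhex("00010000000601030000000a")   # FC3 read 10 holding registers
    write_coil = bytes.fromhex("00020000000601050001ff00")  # FC5 write single coil ON
    read_resp = bytes.fromhex("000100000017010314") + b"\x00" * 20
    return [
        build_frame(m_hmi, m_plc, hmi, plc, 49152, 502, read_regs),
        build_frame(m_plc, m_hmi, plc, hmi, 502, 49152, read_resp),
        build_frame(m_eng, m_plc, eng, plc, 50000, 502, write_coil),
        build_frame(m_hmi, m_plc, hmi, plc, 50001, 102),
        build_frame(m_web, m_hmi, "10.10.1.99", hmi, 51000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]


if __name__ == "__main__":
    assets, writes = inventory(sample_frames())
    for ip, a in sorted(assets.items()):
        print(f"{ip:12} serves={sorted(a['serves'])} client_of={sorted(a['clients_of'])}")
    for client, server, fc in writes:
        print(f"WRITE from {client} to {server}: Modbus function {fc}")
```

Run as-is it lists the PLC as serving Modbus/TCP and S7comm, the HMI and the engineering laptop as clients, and flags the single coil write from the laptop; in a real deployment `sample_frames()` would be replaced by frames read from the TAP-connected capture interface, and the write list is the kind of event that belongs in the security platform's alerting.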
The solution, in short, is the use of specialized industrial TAP devices and data diode TAPs.
Source: How to Solve Legacy OT Security Challenges
Other articles in the four-part Garland Portfolio series:
XtraTAP: Modular Packet Brokers from Garland
Industrial Network TAPs from Garland
Data Diode TAPs from Garland