Strengthening the IT-OT Link
Cybersecurity Measures Must Protect Both Networks

BY JAKE WILLIAMS, RENDITION INFOSEC

When it comes to ensuring cybersecurity for critical assets, it is hard to find more critical assets than those that control the electrical grid. Traditionally, most security focus is given to the operational technology (OT) networks where grid infrastructure is controlled. This means that little attention is paid to the information technology (IT) resources where things like billing and administration take place. Even in organizations where investments in IT security are made, there is often confusion among management about the relationship between IT and OT security.

IT and OT networks are traditionally separated so that compromises impacting IT networks do not directly impact OT networks. A single phishing email should not put an attacker in a position to damage the electrical grid.

Some reading this article will note that in many cases OT devices are connected directly to the internet. A quick search of the online tool Shodan will show numerous programmable logic controllers (PLCs) and other industrial control system (ICS) assets meeting this criterion. Because this is such a deviation from industry best practices, however, this article is not about these cases. This article assumes that organizations have taken basic security procedures to protect their OT assets and segregate IT assets from OT assets.

In most cases where OT networks are compromised, the attackers enter the IT network first. From there, they must determine how data moves from the IT network to the OT network and abuse those same paths to pivot into the OT network. When the IT network is properly secured, the actions the attackers take to map this dataflow should cause significant noise.

Some organizations say "no data moves from the IT to the OT network" and "our OT network is completely disconnected from the Internet." But in our experience auditing networks, this is never true. Some way to install new software and software patches on the OT network must exist.

Attackers most interested in obtaining access to OT assets are advanced persistent threats, with the time and resources to develop specialized tools to bridge the IT-OT gap.

SEPARATING OT FROM IT

is separated from OT: 1) an airgap (no networked connection between IT and OT); 2) a firewall; and 3) a cross domain solution (sometimes called a data diode). In practice, many organizations refer to all three of these as airgaps.

In the case of an airgap, there is no physical connection between IT and OT and no connection from the OT network to the internet. There are always requirements to move data in and out of the OT network on at least an infrequent basis. With an airgap, however, there is usually no central location where data is moved and hence there is no opportunity for centralized monitoring. Absent some technical controls, data often will be moved haphazardly. In addition, due to the technical constraints of airgaps and operational needs, they tend not to stay airgaps for long. What may be an airgap on paper is often not an airgap in practice. (Read more about airgaps beginning on page 18.)

A firewall centralizes a choke point for data transmission between IT and OT. Most firewalls cannot, however, dissect and validate network protocols, especially those in use by ICS equipment. For instance, if the firewall were configured to allow MODBUS telemetry over TCP port 502, most firewalls would allow any traffic over TCP port 502. Attackers might use this to move illicit traffic between IT and OT networks. Despite these limitations, the firewall does offer a centralized choke point for traffic, which can be logged and easily monitored, unlike an airgap solution.
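The firewall limitation described above (a port-based rule for TCP/502 passes any bytes, not just MODBUS) is exactly what a protocol-aware monitor at the choke point can catch. The following is an added example written for this page, not code from the article or from Rendition Infosec. It validates the MODBUS/TCP framing (MBAP header plus function code) of payloads seen on port 502 and reports flows that do not look like MODBUS at all or that use a function code outside a site-defined allowed set. The allowed function-code set and the sample flows are constructed assumptions for illustration; a real deployment would tune the set to the operations the OT equipment actually needs.

```python
"""
Protocol-aware check for TCP/502 flows at an IT/OT choke point.

Added example, not from the original article. It checks only MODBUS/TCP
framing, which is the layer a port-only firewall rule never inspects.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MBAP header: transaction id (2), protocol id (2, must be 0),
# length (2, bytes that follow the length field), unit id (1).
# The PDU follows: function code (1) + data (<= 252 bytes).
MBAP_FMT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FMT)  # 7 bytes

# Public function codes this monitor expects on port 502.
# Assumption for the example; tune to the operations the site allows.
KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}


@dataclass
class Verdict:
    ok: bool
    reason: str
    function_code: Optional[int] = None
    unit_id: Optional[int] = None


def validate_modbus_tcp(frame: bytes) -> Verdict:
    """Return whether `frame` is a well-formed MODBUS/TCP ADU and why."""
    if len(frame) < MBAP_LEN + 1:
        return Verdict(False, "too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if proto != 0:
        return Verdict(False, f"protocol id {proto} != 0")
    # length covers unit id + PDU: minimum 2, maximum 254 (PDU <= 253).
    if length < 2 or length > 254:
        return Verdict(False, f"implausible length field {length}")
    if len(frame) != 6 + length:
        return Verdict(False, f"length field {length} does not match frame size {len(frame)}")
    fc = frame[MBAP_LEN]
    if fc & 0x80:
        # Exception response: high bit set, base code in the low 7 bits.
        base = fc & 0x7F
        if base not in KNOWN_FUNCTION_CODES:
            return Verdict(False, f"exception for unknown function {base}", fc, unit)
        return Verdict(True, "exception response", fc, unit)
    if fc not in KNOWN_FUNCTION_CODES:
        return Verdict(False, f"function code {fc} not in allowed set", fc, unit)
    return Verdict(True, "well-formed MODBUS/TCP", fc, unit)


# Constructed sample flows (src, dst, dst_port, payload) as a choke-point
# sensor might hand them over. Addresses are placeholders.
SAMPLE_FLOWS: List[Tuple[str, str, int, bytes]] = [
    # Read Holding Registers (fc 3), 10 registers from address 0: legitimate.
    ("10.1.5.20", "192.168.100.10", 502,
     bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))),
    # HTTP on port 502: the firewall rule passes it, but it is not MODBUS.
    ("10.1.5.20", "192.168.100.10", 502,
     b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"),
    # Valid framing but Diagnostics (fc 8), outside the allowed set.
    ("10.1.7.99", "192.168.100.10", 502,
     bytes.fromhex("0002 0000 0006 01 08 0000 0000".replace(" ", ""))),
]


def audit_flows(flows) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for each TCP/502 flow that is not acceptable MODBUS."""
    findings = []
    for src, dst, port, payload in flows:
        if port != 502:
            continue  # this monitor only looks at the MODBUS rule's port
        verdict = validate_modbus_tcp(payload)
        if not verdict.ok:
            findings.append((src, dst, verdict.reason))
    return findings


if __name__ == "__main__":
    for src, dst, reason in audit_flows(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:502  {reason}")
```

The check is deliberately narrow: it decides only whether bytes on port 502 are plausibly MODBUS and whether the function code is one the site expects. A well-formed request from an IT host that has no business talking to a PLC is the next layer of the same monitoring, a source allowlist applied at the same choke point, and both are only possible because the firewall gives a single place to log the traffic.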