The need to connect OT with the outside world has increased along with the digitalisation of society. But the different needs in IT and OT can easily lead to technical conflicts that can be challenging to deal with.
In this blog we have listed 5 steps for how to securely integrate IT/OT. The method is based on the standard IEC 62443 – a must for those who work with security within OT.
How to securely integrate IT/OT
1. Identify the system
There is generally one or more control systems connected to a SCADA system. The SCADA system often contains information that you want to export to the office environment. For example, it can be measurement data or statistics from the various processes. You may also need to maintain the OT/SCADA environment and thus import data from the office environment. When segmenting your system, you try to find the boundary between IT and OT – it is often somewhere between the SCADA system and the office environment.
The main purpose of this step is to define the project scope and to decide what to segment. This is important to define for the general understanding of the project as an organisation can have many facilities that are integrated with the IT environment. In this case, it is extra important to map which should be included and which should not.
2. Initial risk analysis
The next step is to make an initial, simple risk analysis and identify the present worst-case scenario before having introduced any risk reduction measures. Based on this, you can later make a first grouping of systems and flows.
You need input in this phase, such as:
- Overall system architecture
- Risk criteria and a risk matrix with tolerable risk – what risks can we accept and what risks demand action?
- Current risk analyses
- Information about potential threats – what could happen?
Based on this input, a worst-case risk that the various parts of the system are exposed to without security functions or segmentation can be calculated. The question is, what effect would a cyberattack where the systems are put out of play have on the business? How big will the ripple effect be? How large geographical areas would be affected and how many people would be affected? If electricity distribution was to be shut down, many people could be affected. Are there critical activities (e.g. hospitals) that are dependent on electricity supply? By placing the scenarios on a scale of consequence level, it becomes clear which scenario is considered the most serious.
3. Zoning and data flows
When it is time for this phase, it is important to not only look at the results of the risk analysis, but also to include other factors. Something that can be a guiding light when segmenting is to group assets that have the same security level requirements. Base the grouping on the risk analysis, but also involve best practices and reference architectures (e.g. Purdue).
When the systems are placed in zones they are divided into, for example, Office, DMZ, SCADA and Facilities. In this analysis, we do not focus on the segmentation between or within the facilities. That is rather about OT/OT segmentation.
When it comes to segmenting data flows, it can be difficult and complex to figure out exactly which they are. It requires quite detailed technical knowledge when digging into the details of communication protocols. You can do a traffic analysis to find out exactly what protocols you have and what is going on in the network. One way to do this is by recording traffic from your network and then viewing the traffic with one or more analysis tools (take a look at Moloch and Wireshark). After doing a traffic analysis, you can see what kind of data that is flowing between the zones.
4. Detailed risk analysis
According to IEC 62443, a detailed risk analysis should be performed if the initial risk exceeds the acceptable risk. In the detailed risk analysis, one risk analysis is performed per zone and flow. The same risk matrix and method as in the initial risk analysis should be used. In this blog, we will only proceed with the flows and zones that lie between IT and OT. In the detailed risk analysis, you follow a number of steps:
- Identify threats and threat actors towards zones and data flows
- Identify vulnerabilities in the zones and data flows that can be exploited
- Assess the unmitigated risks
- Introduce risk-reducing measures
- Assess reduced risk
- Is the reduced risk acceptable? Of not, introduce more measures.
When the reduced risk is smaller than the acceptable risk, you have reached the goal of your risk-reducing measures and can move on to the next step.
When you have completed the detailed risk analysis, it is time to focus on design. The design will be the result of your analyses – this is what the final segmentation solution will look like.
One solution to ensure that the data flows in a one-way direction out of the zones is to use data diodes. For example, you can create a one-way export channel of measurement data using a data diode.
The standard IEC 62443 defines five security levels that help to derive security-related requirements and define the strength of the segmentation solution. If you want to work with security within OT, this is a great document to have as a guiding light when building your solution!
Do you have questions? Do not hesitate to contact us!