Physical Security Meets OT

Wednesday, March 30, 2016 @ 09:03 AM gHale


By Nate Kube
Several years ago, the key word used by security pundits was “convergence.” And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.

An example was when physical security systems such as access control devices intersected with Information Technology systems such as using the computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.

RELATED STORIES
Critical Infrastructure Specialists
OT Security: Educate our ‘Publics’
Why Threats Not Always Disclosed
The Accidental Hacker
Control System Standards Working for You

Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations’ revenues.

Used in industries as diverse as oil and gas, power generation and distribution, healthcare (i.e. MRI’s), transportation systems, manufacturing and many others, ICS’s, by connecting sensors, machines and instruments were creating automated solutions that increased productivity. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. And this is still very much the case.

This very fact emphasizes the difference between IT (information technology) security and OT (operational technology) security.

IT security lives in the context of an IT stack with tools from many vendors – network, servers, storage, apps and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles — in weeks or, sometimes, days — in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, high-value, well-defined industrial processes — such as in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers — need protection, not data. Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often and were not devised to withstand modern attacks. Surprisingly, many operators don’t know what’s actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether from outside threats, like hackers or state sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRI’s or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems in which even a couple minutes of downtime can yield tens of thousands of dollars lost.

To gain access into critical infrastructure OT systems, hackers will leverage different physical assets, including those within the enterprise security system itself to potentially infiltrate an OT system.

Intersection of Physical Security, OT
The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; organizations don’t have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes quite a bit of time.

Secondly, many of the security controls that are effective in IT are not effective in OT; they have to end up adapted to the technical requirements of OT systems.

Lastly, to apply the patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. And, since that solution is hardware, we’ve now found the intersection of physical security and OT cyber security.

This verifies why physical security professionals should be concerned about critical infrastructure cyber security.

They are already installing the vehicle access control systems used to deter truck bombers from entering oil fields or permeate dams. Already aware of the ease in hacking contactless cards and reader systems, the leading access control manufacturers are developing anti-hacking options to their systems. Access control vendors already tout how they meet the impending March 31 CIP-006 requirements for 2-factor authentication as described by the North American Electric Reliability Corporation (NERC), an organization of U.S. electric grid operators. This is much more of an OT security initiative versus an IT security standard.

OT Security Crash Course
The Security Industry Association (SIA) is sponsoring the inaugural Connected Security Conference, to be held right on the same exhibit floor as this year’s ISC West which is April 5-8 in Las Vegas. For those of you attending ISC West and who are not familiar with cyber security, OT, the Industrial Internet and the critical infrastructure, this is an excellent opportunity to meet, hear and interact with those already providing OT security.

For those attending ISC West, please stop by the Connected Security pavilion at the top of the escalators before turning right to go into the main floor. Wurldtech is at booth #105 and our team is looking forward to its first ISC West “Connected Security” show experience.

Wurldtech's Nate Kube.

Wurldtech’s Nate Kube.


Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technology Officer is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.