Many kinds of operational technology (OT) devices can be found in industrial control environments. These devices are manufactured by vendors such as Rockwell Automation, Siemens, Schneider Electric, and others, and they are supposed to be shielded from the Internet by a strong firewall. Often, the OT devices are maintained by third-party vendors, who sometimes also manage the network and the external access into it. This typically happens without the security team having adequate visibility into what is connected and what it talks to.
What could possibly go wrong? Here is a story….
A large manufacturer we were working with had an OT control network that was being maintained by multiple third-party vendors. The security team thought that only the jump boxes in the control network were exposed to the Internet, since the third-party vendors needed remote access in order to maintain the control equipment.
One day, the security team decided to deploy the Armis platform to the OT control network to “see what Armis could see.” Immediately, Armis identified that a wide range of ICS control equipment was directly exposed to the Internet:
- SCADA servers and clients
- Engineering workstations
- Human-machine interfaces (HMIs)
- Programmable Logic Controllers (PLCs)
- Historian Servers
- A manufacturing execution system (MES) server, which was running Windows XP
The Armis platform includes many standard policies built into the product. No configuration is needed. One of these policies triggered and identified the danger associated with these Internet exposures.
When our customer saw our alert, they were concerned. This was new information for them, and they understood that this was a serious risk to the control equipment. Since they could not immediately change their network architecture, they were happy that Armis was deployed and was able to monitor the behavior of their OT devices to detect if one of them became compromised or interacted with suspicious domains.
Lack of Visibility
Why wasn’t the security team previously aware of these exposures? Well, the only security control deployed on the OT network was a firewall. The firewall had logged traffic flowing between the control network and the Internet, but a firewall flow record carries addresses, ports and protocols, not the type or role of the device behind the address, so nobody could tell that the source of a given flow was a PLC rather than a jump box. With all due respect to the best firewall companies out there, firewalls are just kinda blind like that.
Our recommendations for all industrial control environments are the following:
- Monitor the network behavior of all control equipment in your environment, correlate each flow with the type of the device generating it, and flag behavior that is unexpected for that device's role (a PLC opening connections to the Internet, for instance).
- Segment the control network into zones with defined conduits between them, following standards such as IEC 62443, so that devices cannot communicate with destinations their role does not require.
- Devise a response plan in advance for the case where control equipment shows signs of anomalous network behavior, since production equipment often cannot simply be taken offline at once.
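As an added illustration of the first two recommendations, and of the blind spot described under Lack of Visibility above, the following Python script is example code written for this page; it is not part of the Armis platform or of any firewall product. It joins generic firewall flow records with an asset inventory and flags every flow that the device's role does not justify: an OT device reaching the Internet, the Internet reaching an OT device, an unknown device inside the control network, or two device types talking that should not. The inventory, the per-type policy, the internal address ranges and the log lines are all constructed for the example and are not real data.

```python
"""Correlate firewall flow records with an asset inventory so that each flow is
judged by the type and role of the device behind the address, not just by IP."""
import ipaddress
from collections import Counter

# Constructed asset inventory (hypothetical addresses and hostnames): ip -> (name, device type).
INVENTORY = {
    "10.20.1.10": ("plc-line1", "PLC"),
    "10.20.1.11": ("plc-line2", "PLC"),
    "10.20.1.20": ("hmi-line1", "HMI"),
    "10.20.2.5": ("eng-ws01", "Engineering Workstation"),
    "10.20.2.30": ("historian01", "Historian"),
    "10.20.2.40": ("mes01", "MES"),
    "10.20.3.2": ("jump01", "Jump Host"),
}

# Assumed per-type expectations: which peer types each device type normally talks to,
# and whether that type is ever expected to reach the Internet. Tune these to your own site.
POLICY = {
    "PLC": {"peers": {"HMI", "Engineering Workstation", "SCADA", "Historian"}, "internet": False},
    "HMI": {"peers": {"PLC", "SCADA", "Engineering Workstation"}, "internet": False},
    "Engineering Workstation": {"peers": {"PLC", "HMI", "SCADA", "Historian", "Jump Host"}, "internet": False},
    "Historian": {"peers": {"PLC", "SCADA", "MES", "Engineering Workstation"}, "internet": False},
    "MES": {"peers": {"Historian", "SCADA"}, "internet": False},
    "Jump Host": {"peers": {"Engineering Workstation", "HMI", "SCADA"}, "internet": True},
}

# Address space the plant owns (assumed). Anything outside it is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a generic key=value shape, not any vendor's real log format.
# 44818/tcp is EtherNet/IP and 502/tcp is Modbus/TCP, both common PLC protocols.
FIREWALL_LOG = """\
ts=2024-05-01T02:14:07Z src=10.20.1.20 dst=10.20.1.10 dport=44818 proto=tcp action=allow
ts=2024-05-01T02:14:09Z src=10.20.3.2 dst=203.0.113.45 dport=443 proto=tcp action=allow
ts=2024-05-01T02:15:31Z src=10.20.1.11 dst=198.51.100.23 dport=443 proto=tcp action=allow
ts=2024-05-01T02:16:02Z src=10.20.2.40 dst=203.0.113.7 dport=80 proto=tcp action=allow
ts=2024-05-01T02:16:40Z src=10.20.2.40 dst=10.20.1.10 dport=502 proto=tcp action=allow
ts=2024-05-01T02:17:12Z src=10.20.2.5 dst=10.20.1.10 dport=44818 proto=tcp action=allow
ts=2024-05-01T02:18:03Z src=10.20.1.99 dst=10.20.1.10 dport=502 proto=tcp action=allow
ts=2024-05-01T02:19:27Z src=203.0.113.99 dst=10.20.1.11 dport=44818 proto=tcp action=allow
"""


def parse_flow(line):
    """Turn one key=value flow record into a dict; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def is_internet(ip):
    """True when the address lies outside every internal range we own."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ip):
    """Resolve an address through the inventory; anything not listed is ('?', 'UNKNOWN')."""
    return INVENTORY.get(ip, ("?", "UNKNOWN"))


def check_flow(flow):
    """Return the reasons (zero or one) why this flow is unexpected for the devices involved."""
    src_name, src_type = classify(flow["src"])
    dst_name, dst_type = classify(flow["dst"])
    port = flow.get("dport", "?")
    if is_internet(flow["src"]):
        # Inbound from outside: only types cleared for Internet access (the jump host) may be reached.
        if dst_type == "UNKNOWN" or not POLICY[dst_type]["internet"]:
            return [f"inbound from Internet {flow['src']} -> {dst_type} {dst_name}:{port}"]
        return []
    if src_type == "UNKNOWN":
        return [f"unknown device {flow['src']} active in the control network -> {dst_type} {dst_name}:{port}"]
    rule = POLICY[src_type]
    if is_internet(flow["dst"]):
        return [] if rule["internet"] else [f"{src_type} {src_name} -> Internet {flow['dst']}:{port}"]
    if dst_type == "UNKNOWN":
        return [f"{src_type} {src_name} -> unknown device {flow['dst']}:{port}"]
    if dst_type not in rule["peers"]:
        return [f"{src_type} {src_name} -> {dst_type} {dst_name}:{port} is not an expected peer for a {src_type}"]
    return []


def find_violations(log_text):
    """Run every flow record through check_flow; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        # The internal endpoint is the asset whose exposure we care about.
        internal = flow["dst"] if is_internet(flow["src"]) else flow["src"]
        for reason in check_flow(flow):
            findings.append({"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
                             "device_type": classify(internal)[1], "reason": reason})
    return findings


def exposed_device_types(findings):
    """Count findings per device type: the view the firewall alone cannot produce."""
    return Counter(f["device_type"] for f in findings)


if __name__ == "__main__":
    results = find_violations(FIREWALL_LOG)
    for f in results:
        print(f["ts"], f["reason"])
    print(dict(exposed_device_types(results)))
```

Run stand-alone, the script flags five of the eight constructed flows: the second PLC and the MES server reaching the Internet, the MES server polling a PLC it has no business with, an address nobody inventoried talking Modbus to a PLC, and an outside host connecting straight to a PLC's EtherNet/IP port. The jump host's outbound HTTPS passes, which is the one exposure the security team in the story expected. In practice the inventory comes from an asset discovery tool and the policy from the zone and conduit design of the IEC 62443 work; the join between the two is what turns a firewall log into something a security team can act on.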
For more information about how Armis can monitor and protect OT environments, read our 2-page solution brief.