Defense-in-depth leads cyber strategy for OT security

Cyber-attacks on the automation infrastructure of facilities in the United States are real. Securing automation infrastructure can be a difficult task and is more difficult on aging infrastructures with no cybersecurity features and those that are running obsolete operating systems. Some manufacturers believe IT departments can protect their infrastructure, but what happens when that fails or a saboteur is able to bypass the surrounding network and connect directly to the automation system? At that point the automation system must protect itself against unauthorized access, against malware, against theft of critical software algorithms and against unauthorized modification. It must be able to detect that it’s been manipulated, detect intrusion and report cyber-activity. Automation products have implemented cyber-protection, that when properly configured, can provide protection for aging infrastructures.

Luis Narvaez is the product marketing manager for industrial security at Siemens Digital Industries USA. With more than 10 years of experience in industry, manufacturing and engineering, his passion and knowledge of cybersecurity for OT systems makes him one of the most credible cybersecurity experts in industry. He graduated with a bachelor’s degree in electrical engineering from the University of Central Florida and has worked in several roles including controls engineer, systems engineer and automation consultant.

Q: What is the defense-in-depth concept?

Luis Narvaez

product marketing manager, industrial security,
Siemens Digital Industries USA

A: Defense-in-depth is the term we use to describe holistic cybersecurity protection. To put this plainly, think of defense-in-depth like an onion with many layers of protection. The more layers of protection there are to peel back, the more difficult it becomes for a malicious attacker to get to the center —your critical process. The hope is that eventually they end up crying and giving up, or they are stopped altogether.

Q: What are the similarities and differences between IT and OT security?

A: The fundamental difference between IT and OT security boils down to the protection goals of each. For OT systems in a manufacturing environment, the number-one priority for the system is plant availability; cyber attacks should not affect the plant operations. The second priority for OT security is integrity; the data being produced or provided by the plant should not be affected, altered or manipulated due to a cyber or malware attack. Last, but not least, confidentiality is the third priority for OT cybersecurity—that is protection of confidential data and information and intellectual property.

For IT cybersecurity, the first and third priorities are reversed: 1. confidentiality, 2. integrity, 3. availability. Balancing the goals of both becomes tricky.

Q: Who’s responsibility is it to secure the OT? IT? Operations/maintenance? Product manufacturer? Integrator? All of the above?

A: For successful holistic protection, all teams need to be involved since protection is only as strong as your weakest link. Basically, what this means is that everyone from the operator and upper management to the suppliers need to accept that this is critical in order to maintain overall stability in our lives and society.

For instance, product suppliers, such as Siemens, have an obligation to their customers to disclose any known vulnerabilities and any possible mitigations to these vulnerabilities. Not only does this responsibility require disclosing and patching vulnerabilities, but ensuring that the product development lifecycle is secured is also critical to ensure that the products themselves are not maliciously handled or manipulated during the development or production process. For this, Siemens is the first company to receive TÜV SÜD certification based on IEC 62443-4-1 for the interdisciplinary process of developing Siemens automation and drive products, including industrial software securely. With additional product-specific TÜV SÜD certifications Siemens proves that the product development process is fully compliant to IEC 62443-4-1 and that substantial technical product requirements are implemented in compliance with IEC 62443-4-2. For more information, visit: https://new.siemens.com/global/en/products/automation/topic-areas/industrial-security/certification-standards.html

Q: What are some simple steps that manufacturers can take to harden their OT?

A: When people ask me this, one of the simplest things I suggest is to do an audit of your plant to get an idea of the components installed and the versions they are running on. Find out if there are suitable backups for the critical components in case you need to recover from a cyber attack. Then the next step is to find any known or published vulnerabilities and ultimately harden all of this. Another activity which may require some investment is to create a team focused on securing the OT system. Depending on your organization size and capabilities, these activities could be done in-house or through an external contractor; the key is to get started. The risk of waiting and doing nothing is too high.

Q: Where can people learn about vulnerabilities of products installed on the factory floor?

A: Siemens regularly publishes and updates advisories on product vulnerabilities via the ProductCERT page. Advisories are open to the public and therefore no additional login information is required to access the information. In addition to finding these on-demand, users can receive updates automatically in their email inboxes or RSS feed by subscribing to Siemens ProductCERT notifications.

For more information, visit www.siemens.com/ProductCERT