Featured Image

OT Networks Face Security Threats From All Points on the Compass

Regardless of whether or not there is a single or multiple points of connection between the two network environments, the objective of the security functions applied at these connection points is to control the flow of information across that barrier ...
Jan 06, 2022

A common way many companies think about protecting their manufacturing network is to isolate the OT (manufacturing shop floor) network from the balance of their business network (IT). Regardless of whether or not there is a single or multiple points of connection between the two network environments, the objective of the security functions applied at these connection points is to control the flow of information across that barrier and to block security threats from propagating across that boundary. The flow of information across that boundary is often referred to as “north-south” communications. More commonly, north-south communications defines the transfer of information between “high level” systems and “lower level” systems. An example of this in an OT network would be the communications between a data collection system (higher level system) and individual pieces of equipment on the shop floor (lower level systems). North-south communications can represent the flow of information across the IT/OT boundary or amongst various systems within the OT network.

Implementing security functions in support of north-south communications in the OT environment is more challenging than what is encountered in the IT environment. The OT environment doesn’t have the luxury of most devices sharing common capabilities and communications standards (protocols or languages). While most devices on the shop floor can be connected to an Ethernet network, many of these devices use their own unique languages (protocols) for communicating over the network. Traditional network security tools are effective at addressing the basic Ethernet portion of the communications but generally do not have the ability to analyze the content of the messages being passed between systems. Security threats encapsulated within these messages can pass between systems undetected. Security tools for the OT environment have not yet progressed to the point of being able to address each of the unique protocols found in the manufacturing environment. 

While the security measures deployed on most OT implementations focus primarily on north-south communications, there is another aspect of communication on the shop floor that is equally important – east-west communications. East-west communications is the exchange of information between similar systems – device to device. A common threat scenario encountered in the OT environment occurs when a virus, malware, or other security threat is introduced into a piece of equipment and then spreads to other pieces of equipment. The introduction of this threat is typically unintended but can originate from maintenance equipment, test equipment, or hardware/software upgrades to a piece of equipment. Once introduced, the threat can then propagate to other equipment within the same network segment. 

Implementing security functions to address east-west communications is very difficult in most OT environments. To implement such security measures, security software must be installed at each device. While some shop floor systems incorporate PC functions that can host security software, most do not. Edge computing devices are effective for implementing security functions. However, adding edge computing devices to every piece of equipment can be cost prohibitive. The most common scenario implemented today is to segregate an OT network into logical groupings of equipment. With this scenario, security functions are implemented to protect against propagation of security threats between network segments, but each piece of equipment within the segment is left exposed to those threats that are propagated through east-west communications.

Many companies that have implemented very extensive north-south security measures have suffered significant impacts from security threats that propagated through east-west communications. The impact of these “attacks” can be significant – lost production and potential damage to equipment. 

Cybersecurity threats to manufacturing operations will likely never go away and are, in fact, increasing in number and complexity. Manufacturers and the companies supplying equipment for use on the manufacturing shop floor need to come together to define improved solutions to address security threats to manufacturing operations. These improvements need to address implementing security functions at the device level. This goes well beyond today’s approaches of network isolation and/or network segmentation. This goes to the level of protecting each device at the device level.

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
The MTConnect Institute announces the release of MTConnect Version 2.0. The 2.0 version of the free, open, model-based standard that supports semantics for discrete manufacturing is a significant advancement from previous versions.
Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
A look at what some of the job shops in the United States are doing.
Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.
Similar News
undefined
Technology
By John Turner | May 02, 2022

Cybersecurity protects your – and your clients' – assets. This series dives into how you can integrate a successful cybersecurity plan. From company culture to training and maintaining your personnel, creating a safe business environment starts here.

5 min
undefined
Technology
By John Turner | May 06, 2022

To build or enhance your company's cybersecurity plan, one of the first steps to consider is mapping out all access points to your company’s systems and network, including the interaction points between various systems within and outside the network.

5 min
undefined
Technology
By John Turner | Jun 03, 2022

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.

5 min