What should we do if vulnerabilities are discovered in the OT environment but are difficult to patch?

-

OT Security Manager Concerns: "I am concerned about what measures can be taken in an OT environment where it is difficult to apply patches even when vulnerabilities are discovered"

 

In OT environments, patching vulnerabilities can be challenging due to:

  • System uptime requirements (e.g., power plants, manufacturing lines).

  • Legacy equipment that may no longer receive vendor updates.

  • Strict regulatory compliance and certification processes for any system modifications.

Since applying patches is often difficult or impossible, organizations must implement compensating security controls to mitigate risks. Here’s a detailed strategy to secure OT systems when patching is not feasible:

1. Continuous Monitoring & Threat Detection

Since vulnerabilities cannot always be patched, early detection of intrusions is critical.

Actionable Measures:

  • Deploy OT-Specific Security Monitoring Solutions (e.g., Nozomi, Dragos, Claroty, or Armis) to detect anomalous behaviors in industrial networks.

  • Use SIEM and Threat Intelligence Feeds to correlate security events in OT & IT.

  • Monitor for Indicators of Compromise (IOCs): Regularly check for abnormal network traffic, rogue devices, and unauthorized remote access.

  • Implement AI/ML-Based Behavior Analytics: Solutions like Darktrace Industrial can learn normal OT behavior and detect deviations.

Example: If a PLC suddenly starts sending unusual Modbus commands, the monitoring system generates an alert for investigation.

2. Secure Remote Access & Vendor Management

Third-party vendors and engineers often need remote access to OT assets, but improper remote access can lead to attacks.

Actionable Measures:

  • Enforce VPN with MFA for remote engineers.

  • Use a 2-tier remote access solution using a jump box/proxy server, etc.

  • Restrict Vendor Access Times: Limit vendor access to specific hours.

  • Log and Monitor Vendor Activities: Record all remote sessions for forensic analysis.

  • Zero Trust Access: Only allow necessary, approved remote connections.

Example: An HVAC vendor’s credentials were stolen, leading to unauthorized access. By enforcing MFA and logging, suspicious activity is detected early.

3. Network Segmentation & Access Control

If you can’t patch a vulnerable OT system, make it harder for attackers to access it.

Actionable Measures:

  • Air-Gap Critical Systems: Completely isolate OT networks from the internet and IT networks.

  • Implement Industrial DMZs (I-DMZ): Use a demilitarized zone (DMZ) between IT and OT to control traffic.

  • Enforce Least Privilege Access: Restrict who can communicate with OT devices.

  • Network Microsegmentation: Limit communication to only necessary devices (e.g., PLCs can talk to SCADA but not to all endpoints).

  • Use VLANs and Firewalls: Restrict traffic based on device role and function.

Example: In a power plant, segment the control network so that only authorized engineering workstations can communicate with turbines, preventing lateral movement from compromised IT assets.

4. Endpoint Protection & Application Whitelisting

Since OT devices often run fixed-function applications, strict control over what executes on them is essential.

Actionable Measures:

  • Application Whitelisting (AWL): Only allow pre-approved applications to run (e.g., Microsoft AppLocker or OT-specific solutions like Dragos).

  • Deploy Host-Based Security Solutions: Use lightweight OT-compatible endpoint protection such as Nozomi Guardian or Claroty xDome.

  • Disable Unused Services & Ports: Turn off unnecessary remote access, FTP, SMB, Telnet, and SNMP to reduce attack surfaces.

  • USB Device Control: Restrict the use of external media to prevent malware infections.

Example: Prevent ransomware infections by blocking unauthorized programs from executing on HMI (Human-Machine Interface) workstations.

5. Strong Identity & Access Management (IAM)

Restrict who can interact with OT systems to reduce attack exposure.

Actionable Measures:

  • Multi-Factor Authentication (MFA): Use MFA for remote and privileged access to OT assets.

  • Role-Based Access Control (RBAC): Ensure users have only the minimum privileges needed for their job.

  • Periodic Credential Audits: Regularly review user access logs and remove unnecessary accounts.

  • Use Jump Servers: Require engineers to authenticate via a secured jump server before accessing OT environments.

Example: Prevent unauthorized remote access by requiring engineers to use jump boxes with MFA instead of directly logging into OT assets.

6. Cyber Hygiene & Hardening Best Practices

Reducing attack surfaces in OT systems makes exploiting unpatched vulnerabilities harder.

Actionable Measures:

  • Disable Unused Features & Services on industrial devices.

  • Change Default Passwords on all OT devices and implement password rotation policies.

  • Encrypt Sensitive Communications between OT and IT networks.

  • Ensure Backup & Recovery Plans: Regular offline backups for quick recovery from attacks.

Example: A water treatment facility disables unused Telnet services on industrial controllers to prevent unauthorized remote access.

7. Employee Training & Incident Response Readiness

Many OT attacks start due to human error, making awareness and incident response crucial.

Actionable Measures:

  • Regular OT Security Awareness Training for engineers & operators.

  • Run Tabletop Cyber Exercises simulating OT-specific attacks (e.g., ransomware on SCADA).

  • Create an OT-Specific Incident Response Plan with predefined steps for cyber events.

  • Deploy OT-Security Playbooks to respond effectively to different attack types.

Example: Employees at a gas pipeline company undergo ransomware simulation training to improve response time in case of a real attack.

Recap: Defense-in-Depth is the Best Strategy

When patching OT vulnerabilities is not possible, organizations must rely on layered security controls to limit exposure, detect threats early, and mitigate potential damage.

Key Takeaways:

  • Continuously monitor for anomalies
  • Secure remote access & implement vendor controls
  • Segment networks & enforce strict access controls
  • Restrict application execution & enforce strong authentication
  • Train personnel & have an OT incident response plan


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안


Comments

Post a Comment

Popular posts from this blog

Don't confuse DCS, PLC and SCADA in front of OT specialists

-
Image
DCS, PLC and SCADA are not the same. If you keep talking only about PLC security in front of the Oil&Gas industry executives where DCS is the main focus, they will not recognize you as a proper expert. We need to understand the characteristics of OT systems such as DCS, PLC, and SCADA accurately, also respect each OT culture uniquely and finally approach the sites in the right way. Don't be confused, here’s a clear and accurate explanation of DCS, PLC, and SCADA . 1. Distributed Control System (DCS) Concept A DCS (Distributed Control System) is an automated control system used for large-scale industrial processes that require continuous operation and high reliability. It consists of multiple controllers distributed throughout the system, which communicate with each other to manage complex processes. Key Features Used in large-scale, continuous processes (e.g., oil refineries, power plants). Decentralized control architecture with multiple controllers working together. Pr...
Read more

Top 20 Threat Scenarios & Playbooks for OT Security

-
Image
A comprehensive list of 20 threat scenarios in OT security along with detailed descriptions and detection rules that can help identify and respond to these threats. This playbook-style table covers different types of attacks—from unauthorized access to insider abuse—with corresponding rules and indicators to alert security teams. # Threat Scenario Detailed Description Detection Rules & Indicators 1 Unauthorized Remote Access Attempt An attacker uses stolen or weak credentials to access OT networks remotely. - Log Analysis: Monitor VPN/RDP logs for unusual login times, geolocation mismatches, and failed/successful login bursts. - User Behavior Analytics (UBA): Alert on deviations from normal remote access patterns. - Anomaly Detection: Trigger an alert when a remote session is initiated from an unusual IP or geographic region. 2 Malware/Ransomware Infiltration in OT Network Malicious code is introduced into the OT network via compromised endpoints or phishing, potentially encr...
Read more

Let's create our own ICS Labs in the VMs!

-
Image
Let's create our own ICS Labs in the VMs: A Step-by-Step Guide Building an Industrial Control System (ICS) lab in a virtualized environment allows security researchers, engineers, and penetration testers to safely simulate industrial networks, study threats, and test security defenses. Below is a detailed step-by-step guide to creating an ICS lab , including HMI, EWS, PLC, and other critical components. 1. Lab Architecture Overview Key Components in an ICS Lab: HMI: Graphical interface for controlling industrial processes. Engineering Workstation (EWS): Used to configure PLCs and SCADA systems. PLC: Controls physical processes (e.g., motors, valves). SCADA System: Supervisory control and monitoring of ICS networks. Historian: Logs and stores process data for analysis. Networking Components: Virtualized switches, routers, and firewalls to segment ICS networks. Attacker Machine: Kali Linux or Metasploit for penetration testing. 2. Choosing the Virtualization ...
Read more