Operational Technology (OT) is a critical component of many industries: it powers the systems that control the distribution of power, water and other utilities, drives the machinery behind manufacturing, and controls everything from traffic lights to tanker ships. With the OT space under constant threat from cyber attacks, it’s more important than ever to ensure proper security is in place. OT differs from Information Technology (IT) in many ways, but these differences, including the need for strong authentication on OT systems, are often overlooked by the larger technology ecosystem.
Historically, network segmentation was used to protect these systems, but with the proliferation of digital twins and Internet of Things (IoT) sensors making them more interconnected, segmentation alone is now less useful. This connectivity is being pushed by a shortage of specialized operators, which drives the need for remote access and control. Together, these drivers have created situations where segmentation is no longer sufficient.
To address these challenges, OT operators and system designers need to re-evaluate their Identity and Access Management (IAM) processes to align with Zero Trust methodology, basing protection on identity rather than relying on segmentation alone. The following are important steps and strategies for keeping your organization secure against an increasingly hostile threat landscape.
Understand the heightened security risks in OT environments
For the past 3 years, critical infrastructure and manufacturing have been the top targets of cyber threats, including ransomware, phishing, double-extortion schemes and theft of intellectual property. In the OT space, these attacks have a major impact on a company’s bottom line: outages result in lost productivity and may lead to widespread social impact. Because of this sensitivity to downtime and outages, infrastructure and manufacturing organizations need to take proactive measures to insulate themselves against these risks.
Another major risk is the long lifespan of OT systems. Investments in manufacturing, power generation and other large machinery mean that, once deployed, they are expected to remain in place for a long time, with OT systems often designed for a 20+ year lifespan. Older systems may therefore not support any native authentication beyond usernames and passwords.
The critical role of modern, phishing-resistant authentication
According to the latest Verizon Data Breach Investigations Report (DBIR), nearly 68% of attacks are the result of compromised credentials: attackers are no longer breaking in, they are simply logging in. Multi-factor authentication (MFA) is often posited as the solution to this kind of account theft; however, not all MFA is equal. Legacy MFA, such as SMS or one-time passcodes (OTP), is susceptible to reuse and interception, as well as to social engineering.
Stronger authentication, based on private key cryptography, is required to address the risks of MFA theft and abuse. Modern authentication also fits the OT model well, since it can be configured to work on-premises and does not require cell phones, devices that are often restricted in the environments where OT systems operate. Among modern methods, phishing-resistant MFA is preferred. As outlined by NIST, two authentication methods are recognized as phishing-resistant: channel binding, such as a PKI-based Smart Card, and verifier name binding, such as a Fast Identity Online (FIDO)-based credential and authenticator.
Taking this a step further, given the range of diverse systems and applications within OT environments, an authentication solution must meet the needs of users who are likely mobile and rotate across shared workstations. Organizations should therefore invest in phishing-resistant methods and processes that build phishing-resistant users, so that the strongest form of authentication moves with users no matter how they work across devices, platforms and systems, protecting the entire authentication lifecycle.
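The difference between legacy OTP and verifier-name-bound FIDO authentication is easiest to see in the relying party's verification logic. The following is an added example written for this post, not code from the original article or from any FIDO vendor: it models the relying-party checks of a WebAuthn assertion (the browser writes the origin into clientDataJSON, the authenticator signs authenticatorData together with the hash of that clientDataJSON, and the verifier rejects anything whose origin or rpId is not its own), and contrasts it with an RFC 6238 TOTP code, which carries no binding to where it was typed. The relying-party name plant.example, the look-alike origin plant-example.com, and the use of an HMAC keyed by a per-credential secret in place of the real ECDSA signature are all assumptions made so the example runs on the Python standard library alone.

```python
"""Relying-party view of phishing-resistant (FIDO) versus legacy (TOTP) MFA.

Added example, not part of the original post. The authenticator's ECDSA
signature is replaced by an HMAC keyed with a per-credential secret so the
example needs only the standard library; the checks around it follow the
WebAuthn assertion verification procedure (W3C WebAuthn, section 7.2).
"""
import hashlib
import hmac
import json
import os
import struct

RP_ID = "plant.example"                     # constructed relying-party id
RP_ORIGIN = "https://plant.example"         # the real login origin
PHISH_ORIGIN = "https://plant-example.com"  # constructed look-alike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """A hardware security key: holds a per-credential secret and signs whatever
    the browser hands it. It never sees, and cannot be lied to about, the origin."""

    def __init__(self):
        self.secret = os.urandom(32)  # stand-in for the credential's private key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + sha256(client_data_json)
        signature = hmac.new(self.secret, signed, "sha256").digest()  # stand-in for ECDSA
        return auth_data, signature


def browser_get(authenticator, origin: str, rp_id: str, challenge: str):
    """Browser-side navigator.credentials.get(): the browser, not the page, records
    the origin, and refuses an rpId the current origin is not allowed to claim."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"origin {origin} may not use rpId {rp_id}")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data, signature = authenticator.get_assertion(rp_id, client_data_json)
    return client_data_json, auth_data, signature


def verify_assertion(credential_secret, expected_challenge, client_data_json, auth_data, signature):
    """Relying-party checks. Every one of them must pass."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:    # fresh, single-use challenge
        return False
    if cd.get("origin") != RP_ORIGIN:                 # verifier name binding
        return False
    if auth_data[:32] != sha256(RP_ID.encode()):      # credential scoped to our rpId
        return False
    if not auth_data[32] & 0x01:                      # user presence was confirmed
        return False
    expected = hmac.new(credential_secret, auth_data + sha256(client_data_json), "sha256").digest()
    return hmac.compare_digest(expected, signature)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation). Nothing in it names the origin."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demo():
    """Outcome of each login attempt as seen by the real relying party."""
    key = Authenticator()
    rp_secret = key.secret             # what the RP stored at registration
    challenge = os.urandom(16).hex()   # issued by the real RP for this login

    # 1. Legitimate login from the real origin.
    direct = verify_assertion(rp_secret, challenge, *browser_get(key, RP_ORIGIN, RP_ID, challenge))

    # 2. Relay through a look-alike site: the victim's browser scopes the request to the
    #    look-alike's own rpId, so the relayed assertion fails at the real RP.
    phish_rp_id = PHISH_ORIGIN.split("://", 1)[1]
    cdj, ad, sig = browser_get(key, PHISH_ORIGIN, phish_rp_id, challenge)
    relayed = verify_assertion(rp_secret, challenge, cdj, ad, sig)

    # 3. Rewriting the origin in transit does not help: the signature covers clientDataJSON.
    tampered_cdj = cdj.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    tampered = verify_assertion(rp_secret, challenge, tampered_cdj, ad, sig)

    # 4. The look-alike asking the browser for the real rpId is refused before signing.
    try:
        browser_get(key, PHISH_ORIGIN, RP_ID, challenge)
        refused = False
    except ValueError:
        refused = True

    # 5. The same relay against TOTP: the code typed on the look-alike page is accepted.
    otp_secret, step = os.urandom(20), 57_000_000        # constructed shared secret and time step
    otp_relayed = hmac.compare_digest(totp(otp_secret, step), totp(otp_secret, step))

    return {"fido_direct": direct, "fido_relayed": relayed, "fido_tampered": tampered,
            "rpid_refused": refused, "otp_relayed": otp_relayed}


if __name__ == "__main__":
    print(demo())
```

Only the first FIDO attempt succeeds; the relayed, tampered and wrong-rpId attempts all fail, while the relayed TOTP code is indistinguishable from a genuine one. That asymmetry is the whole argument for verifier name binding: the user can be fooled, but the credential cannot be made to vouch for an origin it was not registered to.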
Risk mitigation strategies
Deploying modern authentication technologies, including certificate-based Smart Cards and FIDO2 hardware security keys (which hold device-bound passkeys), is the best step an organization can take to reduce a large portion of the risk associated with externally accessible systems. Beyond ensuring that only authorized users can access systems, IAM programs that include strong authentication can speed up user interactions with systems, reduce helpdesk password issues, and better associate sessions with specific users.
Where legacy architecture prevents direct integration with modern authentication, jump boxes are one of the best alternatives: placing purpose-built systems that support those authentication methods in front of logic controllers and legacy systems, combined with close monitoring, addresses the gap. One-way network traffic and isolation remain powerful tools, but on their own they cannot meet the needs of today’s environments and usage requirements.
Plan for the future and keep the user front and center
Planning and preparation are part of any successful IAM program, both inside and outside the OT space. Follow best practices as you prepare for your deployment, starting by documenting all of your systems and working with system owners and operators to identify the most critical ones.
Keep user experience in mind: users need to be able to keep practicing strong behaviors, and they will open your organization up to attack if they simply find ways around onerous authentication processes. Programs often fall down because, while technically competent, their user experience leads humans to do what they do best: find optimizations (or, in this case, shortcuts). A good cybersecurity program depends on user adoption and accessibility.
Organizations that rely on many OT systems are balancing several pain points that drive decision making. Risk avoidance and mitigation are the forces that push these practitioners, often meaning that new tools and technologies are slow to gain adoption. But to combat today’s adversaries, a modern approach is needed. Starting with a program focused on modern, phishing-resistant authentication provides the best protection against the majority of attacks, phishing included, and sets teams up for early successes that can result in more capabilities for future efforts and goals.
To learn more about how phishing-resistant authentication secures global critical infrastructure, including manufacturers, read our recent white paper.