Cybersecurity Architecture Considerations
When designing a security architecture to support OT and IIoT environments, organizations should take into account factors such as cyber-related safety, system availability, systems distributed across geographic locations, environmental factors, and regulatory compliance. The following subsections look at each of these considerations in more detail.
Cyber-Related Safety Considerations
When designing OT systems, safety goals are usually prioritized based on both business and regulatory requirements. Organizations should assess whether safety systems require additional communication and cybersecurity measures, such as segmenting and isolating safety systems from other OT systems. Security mechanisms selected may also be influenced by safety requirements. For instance, physical separation may be necessary instead of logical separation to meet safety considerations.
Fail-to-a-known-state design, also known as fail-safe design, is commonly used in OT systems. This design ensures that in the event of unexpected situations or component failure, the equipment or process is placed in a safe state that prevents harm to individuals or damage to property and avoids secondary hazards or cascading events. Cyber-related incidents, such as loss of network communications, can trigger fail-safe events. To minimize false positives, thresholds for operating OT components with reduced or disrupted capabilities, such as lost network communications, should be defined.
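The fail-safe behaviour and the comms-loss thresholds described above, as an added illustration that is not code from the original page: a communications watchdog for a field controller with two defined thresholds (a "degraded" period during which the device holds its last setpoint, and a longer period after which it drives the actuator to its safe state). Both threshold values, the safe output value and the timeline are constructed assumptions. The fail-safe state is latched so that a late or spurious frame cannot silently clear it, which is what keeps a short link glitch from being a false positive while still guaranteeing a known state on prolonged loss.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed thresholds (assumptions, not values from the page).
DEGRADED_AFTER_S = 5.0    # hold last setpoint after this much silence
FAILSAFE_AFTER_S = 30.0   # drive actuator to the safe state after this much
SAFE_OUTPUT = 0.0         # constructed: valve fully closed is the safe state


@dataclass
class CommsWatchdog:
    """Derives the controller's operating mode from the time since the last
    valid command frame, and the actuator output from that mode."""
    degraded_after: float = DEGRADED_AFTER_S
    failsafe_after: float = FAILSAFE_AFTER_S
    safe_output: float = SAFE_OUTPUT
    last_seen: float = 0.0
    last_setpoint: float = 0.0
    mode: str = "normal"
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def heartbeat(self, now: float, setpoint: float) -> str:
        """A valid command frame arrived: refresh the timer and setpoint."""
        self.last_seen = now
        if self.mode != "failsafe":           # fail-safe is latched
            self.last_setpoint = setpoint
            self._set_mode("normal", now)
        return self.mode

    def evaluate(self, now: float) -> str:
        """Periodic check, e.g. once per scan cycle."""
        if self.mode == "failsafe":
            return self.mode
        silent = now - self.last_seen
        if silent >= self.failsafe_after:
            self._set_mode("failsafe", now)
        elif silent >= self.degraded_after:
            self._set_mode("degraded", now)
        else:
            self._set_mode("normal", now)
        return self.mode

    def output(self) -> float:
        """normal: follow setpoint; degraded: hold last; failsafe: safe state."""
        return self.safe_output if self.mode == "failsafe" else self.last_setpoint

    def operator_reset(self, now: float) -> str:
        """Deliberate local reset after investigation; output stays safe until
        a fresh setpoint is received."""
        self.last_seen = now
        self.last_setpoint = self.safe_output
        self._set_mode("normal", now)
        return self.mode

    def _set_mode(self, mode: str, now: float) -> None:
        if mode != self.mode:
            self.mode = mode
            self.transitions.append((now, mode))


def run_scenario() -> List[Tuple[float, str, float]]:
    """Constructed timeline: a short glitch that must not trip fail-safe,
    then a prolonged loss that must. Returns (time, mode, output) samples."""
    wd = CommsWatchdog()
    samples = []
    events = [
        ("hb", 0.0, 40.0),
        ("hb", 1.0, 42.0),
        ("chk", 8.0, None),    # 7 s silent -> degraded, output holds 42.0
        ("hb", 9.0, 45.0),     # link restored -> normal, no trip
        ("chk", 20.0, None),   # 11 s silent -> degraded
        ("chk", 45.0, None),   # 36 s silent -> fail-safe, output 0.0
        ("hb", 46.0, 50.0),    # late frame does not clear latched fail-safe
        ("reset", 60.0, None),
    ]
    for kind, t, sp in events:
        if kind == "hb":
            wd.heartbeat(t, sp)
        elif kind == "chk":
            wd.evaluate(t)
        else:
            wd.operator_reset(t)
        samples.append((t, wd.mode, wd.output()))
    return samples


if __name__ == "__main__":
    for t, mode, out in run_scenario():
        print(f"t={t:5.1f}s  mode={mode:9s}  output={out}")
```

The two-stage design is the point: the degraded threshold absorbs ordinary network jitter without touching the process, and only the longer threshold changes the physical state. Both values should come from the process safety analysis, not from network defaults.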
Availability Considerations
To ensure operational continuity, availability must be managed at various levels, including data, applications, IT infrastructure, power, and supporting utilities like HVAC, water, steam, and compressed air. Failure of any of these systems can have a cascading effect on OT systems and can disrupt OT operations. The following subsections describe the availability considerations to be taken into account.
Data, Applications, and Infrastructure
Redundancy requirements for OT systems should be supported by the architecture design. Availability can be improved by implementing redundancy at the communication, system, or component level, ensuring that a single failure is less likely to result in a capability or information outage. Cybersecurity architecture must also account for redundant communication and provide the same level of security as primary communication.
Moreover, a data backup and restoration process is necessary to enable quick recovery of systems in the event of data loss due to cyber-attacks or other reasons. Examples of essential data and files include operational data, program files, configuration files, system images, firewall rules, and access control lists (ACLs). A “backup-in-depth” approach, consisting of multiple layers of backups (e.g., local, facility, disaster) that are time-sequenced, can ensure that recent local backups are available for immediate use, while secure backups can recover from significant security incidents such as ransomware attacks. Periodic testing of data backup and restore capabilities ensures that they will be accessible when required.
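The "backup-in-depth" idea above, as an added example that is not part of the original page: a small restore-point selector over a constructed catalog of time-sequenced backups in three tiers (local, facility, disaster). Every candidate is integrity-checked against the digest recorded when it was written, and when a compromise time is known, only copies taken before it qualify; the newest surviving copy wins, with ties going to the faster (less isolated) tier. The tier names, dates, payloads and the way ransomware is simulated (local copies overwritten) are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    tier: str            # "local", "facility" or "disaster" (constructed tiers)
    taken_at: datetime
    content: bytes       # stand-in for an image / config archive
    sha256: str          # digest recorded when the backup was written


# Lower number = faster to restore from, but less isolated from the site.
TIER_ORDER = {"local": 0, "facility": 1, "disaster": 2}


def verify(b: Backup) -> bool:
    """Integrity check: the stored bytes must still match the recorded digest."""
    return hashlib.sha256(b.content).hexdigest() == b.sha256


def select_restore_point(catalog: List[Backup],
                         compromise_suspected_at: Optional[datetime] = None
                         ) -> Optional[Backup]:
    """Newest backup that verifies and (if a compromise time is known) was
    taken no later than that time. Ties go to the less isolated tier."""
    candidates = [
        b for b in catalog
        if verify(b) and (compromise_suspected_at is None
                          or b.taken_at <= compromise_suspected_at)
    ]
    candidates.sort(key=lambda b: (b.taken_at, -TIER_ORDER[b.tier]), reverse=True)
    return candidates[0] if candidates else None


def _backup(tier: str, taken_at: datetime, payload: bytes,
            tampered: bool = False) -> Backup:
    digest = hashlib.sha256(payload).hexdigest()          # recorded at write time
    stored = b"<<overwritten>>" if tampered else payload  # constructed damage
    return Backup(tier, taken_at, stored, digest)


def build_catalog(ransomware: bool) -> List[Backup]:
    """Constructed catalog: hourly local, daily facility, weekly off-site.
    With ransomware=True the local backup store has been overwritten."""
    day = datetime(2024, 1, 15)   # constructed date
    return [
        _backup("local", day.replace(hour=11), b"plc-config-v7", tampered=ransomware),
        _backup("local", day.replace(hour=10), b"plc-config-v7", tampered=ransomware),
        _backup("facility", day.replace(hour=2), b"plc-config-v6"),
        _backup("disaster", day - timedelta(days=3), b"plc-config-v5"),
    ]


if __name__ == "__main__":
    routine = select_restore_point(build_catalog(ransomware=False))
    print("routine loss  ->", routine.tier, routine.taken_at)
    hit = select_restore_point(build_catalog(ransomware=True),
                               compromise_suspected_at=datetime(2024, 1, 15, 10, 30))
    print("ransomware    ->", hit.tier, hit.taken_at)
```

Running `verify` across the whole catalog on a schedule is the cheap half of the periodic restore test the paragraph calls for; the expensive half, actually restoring to a test system, is still needed to prove the images are usable.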
Primary and Alternate Power Sources
When designing OT systems, architectural considerations must account for the impact of power outages. If OT systems require a graceful degradation or orderly shutdown, an alternative backup power source may be necessary. Furthermore, if the organization’s business continuity plan mandates that the OT systems must continue to function in the event of a prolonged primary power loss, a self-contained, long-term alternate power supply for the OT systems that does not depend on external power generation can be implemented.
Monitoring and control systems for power are vulnerable to cyber-attacks, and appropriate cybersecurity practices must be implemented to protect these systems from such attacks.
Environmental Considerations
Monitoring and control systems in industrial facilities manage uninterruptible power supplies (UPSs), HVAC, fire alarm systems, boilers, cooling water plants, steam, compressed air, and other critical systems. These monitoring and control systems are also susceptible to cyber-attacks, which can have an impact on OT systems. Therefore, appropriate cybersecurity practices should be implemented to safeguard these systems from cyber-attacks.
Geographically Distributed Systems
Many critical infrastructure industries have geographically dispersed sites, and organizations must evaluate if differences in physical security at remote locations pose risks to OT operational capabilities or safety. The necessary cybersecurity and communication infrastructure should be provided at the remote sites to protect them from cyber threats and to facilitate the communication of cybersecurity monitoring information.
Communication between sites should be end-to-end encrypted and authenticated, regardless of whether the connection is through a point-to-point link, satellite, or the Internet. Organizations must also ensure that adequate bandwidth is available for collecting cyber monitoring data in addition to operational data from remote locations.
If an organization has multiple geographically dispersed sites, it should consider whether security operations will be managed from a central security operations center (SOC) or regionally distributed SOCs. Personnel availability can impact these decisions.
Field I/O (Purdue Level 0) Security Considerations
The Field I/O level (Purdue Level 0) of OT systems comprises many devices and communication protocols, such as sensors and actuators, that lack authentication capability. As a result, data could be modified, spoofed, or replayed without detection. Organizations should evaluate the risks and determine whether to implement security controls, such as digital twins or a separate Field I/O monitoring network, to identify incorrect data in critical processes.
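A concrete form of the "digital twin" control mentioned above, as an added example that is not part of the original page: a monitor that runs a simple first-principles model of a tank beside the unauthenticated level sensor and raises an alert when the reading is physically impossible, drifts from what the model predicts, or exactly repeats an earlier multi-value sequence (the signature of a replayed frame). The tank model, tolerances, step size and the reading sequence are all constructed assumptions; a production twin would be periodically re-synchronized from a trusted measurement to bound model drift.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class TankTwin:
    """Constructed first-principles model: level rises with net inflow."""
    area_m2: float = 2.0
    level_m: float = 1.0

    def step(self, inflow_m3s: float, outflow_m3s: float, dt_s: float) -> float:
        self.level_m += (inflow_m3s - outflow_m3s) * dt_s / self.area_m2
        return self.level_m


class FieldIOMonitor:
    """Compares raw Level 0 readings against the twin and against history.
    Thresholds and limits are constructed assumptions."""

    def __init__(self, twin: TankTwin, tolerance_m: float = 0.05,
                 level_min: float = 0.0, level_max: float = 3.0,
                 replay_len: int = 3):
        self.twin = twin
        self.tolerance = tolerance_m
        self.level_min, self.level_max = level_min, level_max
        self.replay_len = replay_len
        self.readings: List[float] = []

    def observe(self, step: int, reading: float, inflow: float,
                outflow: float, dt: float) -> List[str]:
        alerts = []
        predicted = self.twin.step(inflow, outflow, dt)
        if not (self.level_min <= reading <= self.level_max):
            alerts.append(f"step {step}: reading {reading} outside physical range")
        elif abs(reading - predicted) > self.tolerance:
            alerts.append(f"step {step}: reading {reading} deviates from twin {predicted:.2f}")
        self.readings.append(reading)
        if self._is_replay():
            alerts.append(f"step {step}: last {self.replay_len} readings repeat an earlier sequence")
        return alerts

    def _is_replay(self) -> bool:
        """True if the most recent window (with at least two distinct values,
        so a steady state does not count) already occurred earlier."""
        n = self.replay_len
        if len(self.readings) < 2 * n:
            return False
        tail = self.readings[-n:]
        if len(set(tail)) < 2:
            return False
        body = self.readings[:-n]
        return any(body[i:i + n] == tail for i in range(len(body) - n + 1))


def run_scenario() -> List[str]:
    """Constructed run: the tank fills at a constant rate; honest readings
    for four steps, then a frozen value, then a replay of steps 1-3, then
    an impossible value. Returns every alert raised."""
    monitor = FieldIOMonitor(TankTwin(area_m2=2.0, level_m=1.0))
    readings = [1.1, 1.2, 1.3, 1.4, 1.4, 1.1, 1.2, 1.3, 3.5]
    alerts: List[str] = []
    for step, reading in enumerate(readings, start=1):
        alerts.extend(monitor.observe(step, reading, inflow=0.02, outflow=0.0, dt=10.0))
    return alerts


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Note that the replay check and the twin check fire for different reasons and complement each other: the twin catches any reading that is wrong for the process state, while the sequence match says why it is wrong, which matters for the incident response that follows.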
Additional Security Considerations for IIoT
The integration of IIoT devices into OT environments can increase connectivity and information exchange with enterprise and cloud-based systems, which may require additional security considerations. The introduction of IIoT devices may require modifying boundaries or exposing additional interfaces and services. The security capabilities of IIoT devices should be considered when developing the security architecture. Policy management, enforcement, and governance may also need to be adjusted to support IIoT integration. Additionally, IT and OT security teams may need to collaborate more closely to manage security operations, such as sharing real-time situational awareness.
Application and Infrastructure
To ensure the security of IIoT data flow, organizations should assess the use cases that involve sharing data externally and determine if additional access control mechanisms are required. It’s important to recognize that attack vectors for IIoT may differ from those managed in OT environments. For instance, the increased communication requirements or the utilization of additional services like cloud systems may introduce new vulnerabilities. Therefore, organizations should carefully evaluate the security capabilities of IIoT devices and determine whether they align with their security architecture. They should also consider the impact on policy management, governance, and enforcement to support the integration of IIoT devices.
Cybersecurity Capability Considerations
The resources available in IIoT devices, including processing, memory, and storage, can vary significantly. Some devices may have limited resources, while others may have unused capabilities. These variations can impact cybersecurity, and organizations should consider how to integrate these devices into their security architecture to meet their cybersecurity objectives. Additionally, organizations should evaluate if the operational and safety impacts of IIoT devices differ from other OT devices. For instance, some IIoT devices may support only read-only data monitoring with minimal impact on operational controls or safety, allowing organizations to implement security operations differently compared to those established for other OT devices.