How Illumio Helps Protect OT Networks From Ransomware and Other Security Attacks

Operational technology (OT) networks connect special-purpose devices — including sensors, motors, distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), supervisory control and data acquisition (SCADA) systems, historian applications and databases, engineering kiosks, and other types of servers — to drive operations in factories, power plants, utility grids, mining facilities, medical facilities, food manufacturers, and other sites that require reliable, real-time automation.

These devices provide mission-critical services. That makes them valuable targets for cybercriminals and other attackers.

Threats, of course, can come from anywhere: phishing attacks, brute force attacks, malicious insiders — the list goes on. They can also come from OT devices that have been attacked by malware designed specifically to attack specific models of OT devices.

Sometimes OT devices run on networks that are “air gapped” from IT networks; that is, they operate without any physical connection to IT networks in order to prevent security attacks on IT networks from reaching OT operations. But even within a single facility, some OT devices and networks might be air-gapped and others might not be. And even plant managers don't necessarily have the visibility to tell which networks are air-gapped and which are not.

Increasingly, businesses are finding reasons not to air gap devices at all. A food manufacturer, for example, might want to let web applications and consumer choice directly drive the manufacturing of specific ingredients on a factory floor. Because of business use cases like this, air-gapping is becoming less effective every day as a defense against cyberattacks.

When there is no physical air gap, then OT environments have connectivity to networks where IT devices are running. This connectivity introduces risks. Suddenly, internet-borne attacks can reach OT devices.

One of the methodologies for categorizing workloads in an OT environment is based on the Purdue Reference Model, a trusted model for separating and distributing workloads across OT and IT networks. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) recommends that companies with OT environments segment their networks based on the logical categorization in the different levels of the Purdue Model.

But this type of segmentation is no easy task. OT networks are flat networks: all devices are running in the same control plane and address space. Segmenting them would require shutting down services and devices in a revenue-generating environment to reconfigure the network to implement segmentation. This is costly and time-consuming work. In many companies, the idea of shutting down business-critical OT devices is rejected outright or endlessly deferred while IT teams wait for an opportunity to shut down OT services without disrupting revenue-generating activities.

To provide some measure of separation between IT and OT devices, some facilities configure dedicated VLANs (virtual LANs) for their OT devices. But there are shortcomings to this approach, too. First, it’s difficult to manage VLANs at scale. Second, putting devices on VLANs doesn’t curtail attackers from moving from device to device on the same VLAN, taking advantage of ports and protocols unchanged by the VLAN configuration. The bottom line: If an attacker gains access to a device, VLAN controls aren’t necessarily going to prevent them from reaching other targets.

If business and IT leaders want to prevent attackers from moving freely among OT and IT devices, they need three important things:

• Visibility: Leaders need visibility into the activities and configuration details of IT and OT devices, so they can discover which communication paths are open, creating possible avenues for lateral movement by attackers.
  
• Policy definition: Leaders need a micro-segmentation policy engine for defining configuration policies for segmenting networks and separating all the devices that should be separated, whether IT or OT. These segmentation policies operate at a higher level than firewall rules. They enable leaders to define best practices without getting bogged down in the specific firewall rules of the particular product enforcing a policy.
  
• Policy enforcement: Leaders also need to enforce these policies without having to shut down business-critical IT and OT networks to reconfigure and then restart IT and OT devices. In addition, they need a way of enforcing these policies without having to replace OT devices that are otherwise operating as expected. Nor should they have to install special-purpose software applications that might degrade the performance of IT or OT devices.

To protect both OT and IT devices from malware and other types of cyberattacks, business and IT leaders need improved visibility into networks and a fast, easy way of micro-segmenting networks to prevent attacks on any type of device from spreading across the network.

This need for this visibility and control is becoming more urgent as more and more businesses are finding good business reasons to bring the worlds of IT and OT together, rendering old devices like air-gapping obsolete.

When IT networks and OT networks Converge

Why connect these different sorts of networks and devices? In fast-moving markets that require agile responses to customers and partners, it makes sense to connect business systems with the OT networks powering daily operations.

If sales, marketing, and fulfillment processes are managed by IT networks, then those processes can benefit from up-to-date information from manufacturing and logistics systems controlled by OT networks. And if business processes drive demand, orders can be sent directly to OT networks for completion, as in the food manufacturing example I cited above.

In addition, there are benefits in efficiency and cost-savings by taking advantage of cloud applications and cloud storage, which are accessed only over IT networks. In addition, as remote workforces become more common, some companies want to ensure that remote employees can use IT networks and cloud applications to monitor, control, and secure OT devices.

As the NSA (National Security Agency) and CISA noted in a security alert issued in 2020, “Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance.”

New risks from IT/OT convergence

Connecting these networks is helpful for business but risky for security. The NSA and CISA have observed cybercriminals tactics such as:

• Spear-phishing to gain access to IT networks in order to then reach OT networks.
• Deploying commodity ransomware to encrypt data on both networks.
• Using known ports and protocols to download modified control logic to OT devices.

Unfortunately, it’s easy for attackers to discover useful information about OT networks and devices. And they can use common exploit frameworks such as Core Impact to probe networks and devices, running penetrations against known vulnerabilities.

In some cases, such as the 2016 attack on the Ukraine power grid, attackers will even use malware designed explicitly for controlling SCADA systems. Security researchers noted that the customized malware in that attack seemed intended for re-use with other targets.

How Illumio helps protect both IT and OT networks

Illumio provides the visibility that security teams have been missing in IT and OT networks and helps protect networks from ransomware and other security attacks. Without requiring special appliances or time-consuming reconfiguration projects, Illumio quickly discovers and reports active traffic patterns and reveals connectivity that could easily have been overlooked before. This visibility transforms OT environments from “black boxes” to networks that can be understood, monitored, and secured.

To help secure these networks, Illumio applies micro-segmentation, using the firewalls already built into devices to enforce traffic policies that minimize the chances of lateral movement across networks. Lateral movement is the migration of malware or unauthorized users across a network to discover high-value assets or to install malware such as ransomware in preparation for a disruptive attack. By closing unnecessary ports and addresses on IT and OT devices, security teams can prevent lateral movement from occurring. Even if a single device or small group of devices is compromised, attackers will be stuck, unable to move farther across the network.

If security teams were to try manually configuring these firewalls by hand, they would likely find it time-consuming work. In addition, they would likely have to shut down business-critical OT networks, and shutting down those networks might even create more work if IP addresses and network routing configurations have to be changed as part of the process of shutting down and restarting networks.

Illumio streamlines and automates this work by providing tools that security teams and IT leaders can use for defining policies for the network communications of both OT and IT devices. Once policies are defined, they can be quickly distributed to devices and enforced. Within a day, even a large, complex enterprise network can become much easier to monitor and much more secure. And this work can be done without having to shut down networks or reconfigure network firewalls or routing tables.

In terms of the Purdue Model, Illumio provides micro-segmentation and security for Levels 3, 4, DMZ and above for OT environment. Illumio prevents lateral movement within each of these levels. It also prevents attackers from moving these levels down to the OT environment.

Illumio helps companies running OT environments in the following ways:

Instant visibility into IT and OT networks

Illumio makes it easy to discover how devices are communicating among themselves. Which users are accessing which applications and services? Which ports are open? What protocols are in use? Collecting these details is the first step in understanding risks from potential lateral movement and in crafting policies to curtail that movement from occurring.

Microsegmentation for IT and OT networks

Illumio provides risk-based visibility into networks, so that companies can define, author, distribute, and enforce policies that allow only legitimate traffic required for business can traverse the network. By making it easy for security teams to use host-based firewalls to block the ports and protocols that ransomware depends on, Illumio helps prevent ransomware from spreading. In addition, Illumio can contain ransomware infections by quickly segmenting infected devices from the rest of the network. Automated containment enables companies to prevent ransomware from spreading even when the affected devices are at remote locations.

Microsegmentation for OT networks

Illumio provides this same risk-based visibility and segmentation for OT networks. For example, the OT team can use Illumio to partition OT VLANs as recommended by the Purdue Model, establishing a logical DMZ between IT and OT network layers and permitting certain OT devices to communicate only with certain other trusted OT devices. This provides more granular segmentation that is available with VLANs alone. It also allows micro-segmentation policies to take advantage of continuously updated threat intelligence and vulnerability assessments available through Illumio.

If Illumio detects a new type of threat targeting OT devices, companies can adjust their policies and update their devices quickly and easily, preventing that type of attack from reaching their networks. In addition, Illumio’s ability to automatically contain attacks when they’re detected saves organizations the trouble of dispatching technicians to remote sites to manually disconnect affected devices. Instead of "truck roll” responses that give ransomware ample time to spread, Illumio’s automated containment can quickly "box in” attacks within minutes, minimizing the damage from ransomware or other types of malware and keeping OT devices operating normally.

Securing the bridge between IT and OT networks

By protecting IT networks, Illumio prevents cyberattacks from using IT networks to reach OT networks. Illumio stops attacks that have been designed to traverse IT networks to find OT targets. Illumio can also stop suspicious traffic from OT networks from reaching IT devices.

To learn more:

• Check out this Illumio Core video.
• See Illumio's visibility in action.