Convergence of Cyber & Physical Security to Protect OT Networks
Bringing together Cyber and Physical security
Integrated physical security systems, e.g. between a video surveillance system and a swipe card-based access control/user permissions system, have been around for quite a while.
Bringing together Cyber and Physical security is a different story. In a typical enterprise environment the value of such integration is limited, since cyber and physical-related alerts do not overlap so much. However as the use of automation is growing in critical infrastructure networks, the potential of such integration is re-evaluated. For utilities’ remote unmanned sites, the correlation between physical security-produced data and network activity can provide valuable indicators of malicious actions.
Unfortunately the traditional lack of overlapping between cyber and physical security is often reflected in utilities’ organizational structures: in many organizations, cyber security is the domain of the IT or the Operations department, while physical security is handled by the security department. Organizations planning to implement an integrated system, then, need to assign a single point of ownership for the entire integrated operation.
Obviously, the depth of, and the investment in bringing together multiple systems to protect network traffic depends on the type of risk posed to the network, the impact of a potential attack and whether such an attack can be detected using different mechanisms. That said, since physical security and cyber security systems already operate in parallel in sub-stations, it introduces an opportunity for integration without much additional investment.
Considering the value of cyber-physical security integration for remote, unmanned critical sites, and at the opportunity to implement it as part of the utility operator’s planned (yet currently separate) cyber and physical security deployments, we have taken the initiative to design such an integrated solution that utilities can easily deploy.
As an example, we’ll examine the use of integrated cyber-physical solutions by electric power providers, whose operations span multiple sites. Here, threats can emerge in two forms: (i) penetrating the network from the outside by hacking into it, and (ii) gaining access to the network by physically entering a facility and connecting to a server or other device (in some cases, malware loaded to a technician’s laptop, unbeknownst to the technician, will infect the network). The latter case is when integrated physical- and cyber-security comes into play.
Another distinction that needs to be made is whether the entrant to the substation is legal, namely a technician performing maintenance at the site, or a person who had illegally penetrated the site.
In the first case, of the technician entering the site for scheduled maintenance, the objectives of the integrated system are:
- Authenticate the entrant’s credentials, preferably using multiple-stage authentication, prior to entry; AND authenticate the time and reason for entry, based on an approved work order.
- Grant the technician per-case network access: make sure that the technician has access only to the physical and logical zones within the site and the network, based on the work order. Any deviation from the work order would trigger an alert in the system, and if needed disconnect affected devices or subnets from the OT network. During maintenance, the IDPS (Intrusion Detection and Prevention System) will change its normal operating mode for the maintained network segment, so that the technician’s activities are validated by a specific set of policy rules defined for the specific work order. Such dynamic validation enables restricting and recording technicians’ activities without generating irrelevant alerts.
- Physical devices (video surveillance, swipe cards, biometric, etc.) are used to determine the location of the technician inside the facility. In case the technician strays from the work order by entering an unauthorized area, or if he connects to an unauthorized device or issues an illegal command (whether purposefully or inadvertently,) the goal is to contain the damage by segregating the affected device or network segment.
Conversely, in the case of illegal entry (intrusion), the goals of the system would be:
- Preventing persons from entering the substation using physical barriers – fences, liftgates and other; and upon breaching the physical barrier, detecting the point of entry and tracking the intruders as they move inside the site, using a video surveillance system linked to the access control system.
- Minimizing damage by segregating affected devices and subnets, using a DPI (deep-packet inspection) firewall to contain the attack in one network segment. Since such DPI firewalls dynamically activate per-person cyber policy rules, the default rules will block any network activity attempted by the intruder.
- Increasing the alert level in the rest of the network and alerting the operator and appropriate authorities upon detection of anomalies, either by the physical security devices or by the IDS that monitors the local network.
Correlating between the data produced by an organization’s cyber and physical security systems, to create a true integrated solution, should not require expertise in cyber-security. The best cyber-security tools are those that are capable of self-learning the network, and that can independently alert for exceptions. Integration with physical security requires that the provisioning of cyber policies per maintenance task is done through the same system used for the physical operation, and that the alerts from both domains will be viewed on the same system.
Finally, the successful implementation of an integrated system requires changing the split ownership between cyber and physical security, and creating a single point of oversight.