Module 7 of 9 · 📖 4 min reading time · ⏱ 30 min total

FI-DV 08 IT Security in OT (EN)

Table of Contents (6 sections)
  1. Concepts and Background
  2. Architecture Diagram
  3. Practical Steps
  4. Common Pitfalls
  5. Further Resources
  6. Knowledge Check

IT Security in OT

In this module, you will explore the specific challenges of IT security in Operational Technology (OT). You will learn the basic concepts of the IEC 62443 standard and understand how network segmentation according to the Purdue model contributes to securing industrial facilities. You will acquire practical knowledge in the use of firewalls in the manufacturing environment and gain insights into the work of ICS-CERTs.

Participants will be enabled to evaluate and implement security concepts for OT environments. They can identify vulnerabilities in industrial networks and implement appropriate protective measures to ensure the availability, integrity, and confidentiality of OT systems.

Concepts and Background

IEC 62443
The international standard series for IT security in automation and industrial control technology. It defines security requirements and security levels and provides a framework for the security design, implementation, and maintenance of OT systems.
Network Segmentation (Purdue Model)
A reference model for hierarchically organizing industrial facilities into security zones. The Purdue Enterprise Reference Architecture (PERA) divides the facility into levels from corporate IT to the field level, with strict barriers between zones to limit the spread of attacks.
Firewalls in the Factory
Security devices or software specifically designed for OT environments that filter network traffic between different zones (e.g., IT/OT). Unlike conventional firewalls, OT firewalls take into account protocol-specific characteristics and real-time requirements of industrial communication.
ICS-CERT
Industrial Control Systems Cyber Emergency Response Teams are specialized units focused on defending against cyber attacks on critical infrastructure. They issue threat warnings, coordinate incident response, and provide security consulting for OT system operators.
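As an added illustration of the zone/conduit idea behind IEC 62443 and the Purdue model (example code written for this edit, not course material), the following Python models zones by Purdue level, rejects any conduit that skips a level, and applies default deny to every flow not explicitly listed; the zone names, level assignments and the conduit list are assumptions:

```python
from typing import NamedTuple, Optional

# Assumed Purdue level per zone: 5 enterprise/Internet, 4 IT servers,
# 3.5 IT/OT DMZ, 3 site operations, 2 supervisory (SCADA), 1 control (PLC/RTU),
# 0 process (sensors/actuators). Zone names are this example's, not the course's.
ZONE_LEVEL = {"internet": 5.0, "it_servers": 4.0, "it_ot_dmz": 3.5,
              "engineering": 3.0, "scada": 2.0, "plc": 1.0, "field": 0.0}
# Levels from top to bottom; a conduit may only join neighbouring entries.
LEVEL_ORDER = sorted(set(ZONE_LEVEL.values()), reverse=True)

class Conduit(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int

def conduit_violation(c: Conduit) -> Optional[str]:
    """Why a proposed conduit breaks the segmentation policy, or None if it is fine."""
    for zone in (c.src, c.dst):
        if zone not in ZONE_LEVEL:
            return f"unknown zone {zone!r}"
    i, j = LEVEL_ORDER.index(ZONE_LEVEL[c.src]), LEVEL_ORDER.index(ZONE_LEVEL[c.dst])
    if abs(i - j) > 1:  # no conduit may bypass an intermediate level
        return f"{c.src}->{c.dst} skips {abs(i - j) - 1} Purdue level(s)"
    if c.proto not in ("tcp", "udp"):
        return f"unsupported protocol {c.proto!r}"
    return None

def is_allowed(conduits, src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if it exactly matches a conduit that itself
    passes the policy check. Direction matters; reply traffic is left to the
    firewall's connection tracking, as in the iptables step of this module."""
    return any(c == (src, dst, proto, port) and conduit_violation(c) is None
               for c in conduits)

def audit(conduits):
    """Map every conduit to its violation text (None when it is acceptable)."""
    return {f"{c.src}->{c.dst}:{c.port}": conduit_violation(c) for c in conduits}

# Constructed conduit list: one hop per level of the reference architecture
# plus one entry that reaches from IT straight into the control level.
CONDUITS = [
    Conduit("internet", "it_servers", "tcp", 443),
    Conduit("it_servers", "it_ot_dmz", "tcp", 443),
    Conduit("it_ot_dmz", "engineering", "tcp", 443),
    Conduit("engineering", "scada", "tcp", 443),
    Conduit("scada", "plc", "tcp", 502),       # Modbus/TCP, as in step 3
    Conduit("it_servers", "plc", "tcp", 502),  # rejected: skips three levels
]
```

Running `audit(CONDUITS)` on this list reports exactly one violation, the IT-to-PLC entry, while every per-level hop is accepted.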

Architecture Diagram

flowchart TB
    subgraph "IT-Network"
        A[Internet]
        B[DMZ with Web Server]
        C[IT Servers]
    end
    
    subgraph "OT-Network"
        D[Engineering Workstation]
        E[SCADA System]
        F[PLCs/RTUs]
        G[Sensors/Actuators]
    end
    
    A --> B
    B --> C
    C -->|Secure Tunnel| D
    D --> E
    E --> F
    F --> G
    
    classDef zone fill:#f9f,stroke:#333,stroke-width:2px;
    classDef firewall fill:#bbf,stroke:#333,stroke-width:2px;
    
    class A,B,C,D,E,F,G zone;
    class D,E firewall;

Practical Steps

  1. Create a network segmentation plan based on the Purdue model that identifies all critical assets and divides them into security zones. This forms the basis for all further security measures.
  2. Implement physical or logical barriers between zones using OT-specific firewalls that only allow necessary traffic. Configure the firewalls with strict rules that only release the required protocols and ports.
  3. Configure firewall rules that only allow the necessary Modbus/TCP communication (port 502) between the IT and OT zones and block every other connection. Assuming 192.168.1.0/24 is the IT zone and 192.168.10.0/24 the OT zone:
    iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -p tcp --dport 502 -j ACCEPT
    # Replies only for connections the first rule already admitted; a bare --sport 502 match would let any OT host initiate traffic into IT.
    iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -p tcp --sport 502 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -j DROP
    iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -j DROP
  4. Install and configure a system for monitoring network traffic (Network Detection and Response) in the OT environment to detect anomalies. Use tools like Zeek (formerly Bro) or specialized OT security platforms.
  5. Implement a patch management system for OT systems that takes into account the special features of the industrial environment. Test patches in a staging environment before deploying them to production.
  6. Create an incident response plan specifically for OT security incidents that prioritizes rapid restoration of production. Define clear escalation paths and communication channels.
  7. Set up monitoring of the firewall configuration and network traffic to detect unauthorized changes or suspicious activities, for example with auditd:
    sudo systemctl enable --now auditd
    sudo auditctl -w /etc/ot-firewall.conf -p wa -k firewall-config
    sudo auditctl -w /var/log/ot-traffic.log -p wa -k traffic-logs
    # Rules set with auditctl are lost on reboot; put the same -w lines in a file under /etc/audit/rules.d/ to make them persistent.
    sudo ausearch -k firewall-config   # review recorded changes to the firewall configuration
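As an added example for step 4 (written for this edit, not taken from the course or from any named product), this Python routine shows the kind of Modbus/TCP inspection an NDR sensor in the OT zone performs: it parses the MBAP header and flags writes from hosts outside an assumed allow-list, Modbus on unexpected ports, and exception responses. The packets, addresses and the allow-list are constructed sample data:

```python
import struct

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Assumed site policy: only the SCADA server may write to PLCs.
ALLOWED_WRITERS = {"192.168.10.5"}

def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header plus function code; None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts unit id + PDU (frame minus 6 bytes).
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": uid, "fc": frame[7], "pdu": frame[8:]}

def inspect(src: str, dst: str, dport: int, frame: bytes):
    """Alerts for one observed packet heading into the PLC zone."""
    alerts = []
    if dport != 502:
        alerts.append(f"Modbus on non-standard port {dport} {src}->{dst}")
    hdr = parse_mbap(frame)
    if hdr is None:
        alerts.append(f"malformed Modbus/TCP frame {src}->{dst}")
        return alerts
    fc = hdr["fc"]
    if fc in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
        alerts.append(f"write (fc {fc}) to {dst} from unauthorised host {src}")
    if fc & 0x80:  # exception responses; bursts of these suggest probing
        alerts.append(f"exception response for fc {fc & 0x7f} from {src}")
    return alerts

# Constructed packets: (src, dst, dport, raw Modbus/TCP bytes). 192.168.10.x is
# the OT zone and 192.168.1.x the IT zone, matching the addresses in step 3.
SAMPLE = [
    ("192.168.10.5", "192.168.10.11", 502, bytes.fromhex("000100000006010300000002")),  # read holding regs
    ("192.168.10.5", "192.168.10.11", 502, bytes.fromhex("000200000006010600010001")),  # write from SCADA
    ("192.168.1.23", "192.168.10.11", 502, bytes.fromhex("000300000006010600010001")),  # write from IT host
    ("192.168.1.23", "192.168.10.11", 502, b"\x00\x04\x00\x01\x00\x06\x01\x03"),       # bad protocol id
]

def run(samples=SAMPLE):
    """Flatten the alerts an NDR sensor would raise for the sample traffic."""
    return [a for s in samples for a in inspect(*s)]
```

On the sample traffic, `run()` stays silent for the SCADA read and write and raises two alerts: the write from the IT host and the malformed frame.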

Common Pitfalls

Further Resources

Knowledge Check

Four questions for self-assessment, each followed by the correct answer and an explanation.

What is the main purpose of network segmentation according to the Purdue model in OT environments?
  • A) To increase maximum network speed
  • B) To limit the spread of attacks between different security zones
  • C) To reduce the number of network components needed
  • D) To simplify the implementation of cloud services

Correct Answer: B. Network segmentation according to Purdue primarily serves security purposes by limiting attacks to individual zones. The other options address network topics, but not the security aspect of segmentation.

What distinguishes OT firewalls from