In this episode of the Nexus Podcast, CISA ICS Cybersecurity Lead Matthew Rogers discusses new guidance from the agency on the use of secure operational technology (OT) protocols, titled “Barriers to Secure OT Communication: Why Johnny Can’t Authenticate.” The paper advocates for the use of secure versions of legacy OT protocols, or the adoption of open standards by OEMs, in order to bring authentication and integrity to OT protocol communication.
Cyber Resilience
Industrial
Operational Resilience
Operational Technology
Risk Management
Vulnerability Management

Nexus Podcast: CISA’s Matthew Rogers on Secure OT Protocol Communication

Michael Mimoso / Feb 18, 2026

Legacy operational technology (OT) communication protocols are not secure by default. This is understood; forests of digital trees have sacrificed themselves in order that it may be shouted from the highest rooftops. 

What is also known and understood is that there are secure versions of many prevalent OT protocols that would seriously impede a threat actor’s ability to impersonate devices or modify messages in transit, and would deny them the ability to disrupt or damage automation processes across industries.

Yet organizations don’t deploy them. 

New guidance published last week by the Cybersecurity and Infrastructure Security Agency (CISA) titled “Barriers to Secure OT Communication: Why Johnny Can’t Authenticate” reveals why some asset owners and operators are hesitant to move forward with safer versions of Modbus, DNP, and others. The paper, based on a voice-of-customer survey, also looks at the market forces keeping vendors from adding these capabilities by default. On the Nexus Podcast, ICS Cybersecurity Lead Matthew Rogers explained the methodology behind the research and some of the results.

“What we found is that a lot of people wanted the authentication benefits. They've cared about identifying who's saying what. They cared about integrity—is anybody messing with my process data as it goes over the network?” Rogers said. “But they really hated encryption. … A lot of this ends up coming down to in the paper is that as a rule of thumb in the OT security space, encryption is a bad word. The goal of this paper in part is to make it so that we don't think of encryption how we do with modern internet browsing.”

Signing Brings Integrity, Authentication to OT

Encryption is often frowned upon in OT because of latency concerns and the potential to disrupt the availability and reliability of OT assets because many devices cannot support its computational requirements. An alternative, the paper suggests, is to cryptographically sign OT commands and process data, bringing authentication and integrity into the equation without the overhead of encryption. 

“Just signing—and integrity—is such a big benefit because it stops a lot of these attacks,” Rogers said. “[Signing] is great because it's hugely impactful. As we look at incidents like Poland just this last December, they're writing illegitimate firmware to a device. And in that case, I know it's an HTTP web interface instead of an HTTPS web interface. But the point is the same, right? Like you're sending illegitimate upgrades. There's no authentication for who should be sending those upgrades beyond just the user auth on the device. There's a lot of these solutions that would have at least been helped by secure comms if not stopped.”
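
To make the signing-without-encryption idea in this section concrete, here is an added Python sketch; it is not taken from the CISA paper, the podcast, or any OT protocol standard. It uses a symmetric HMAC tag and a message counter in place of a digital signature, and the frame layout, key, and command bytes are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag in bytes (size assumed for this sketch)

def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Build counter || payload || tag; the payload itself stays in cleartext."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Checks the tag first, then refuses any counter it has already accepted."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit, or the sender lacks the key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of a frame that was already accepted
        self.last_counter = counter
        return body[8:]

def demo() -> dict:
    key = bytes(range(32))  # constructed demo key, not a real secret
    # Constructed command bytes (unit 1, function 6, register 0x0010,
    # value 0x00FF); illustrative only, not captured traffic.
    command = bytes([0x01, 0x06, 0x00, 0x10, 0x00, 0xFF])
    frame = protect(key, 1, command)
    tampered = bytearray(frame)
    tampered[8 + 5] ^= 0x01  # one flipped bit in the register value
    rx = Receiver(key)
    return {
        "cleartext_visible": command in frame,  # monitoring can still parse it
        "genuine": rx.accept(frame),
        "tampered": rx.accept(bytes(tampered)),
        "replayed": rx.accept(frame),
    }

if __name__ == "__main__":
    print(demo())
```
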

Secure-by-Design Principles

CISA has been a staunch advocate of secure-by-design/default concepts, and has urged OT OEMs to adopt these approaches—including open standards as an alternative to proprietary protocols. 

“We get into these problems where there isn't a clear incentive structure for certain groups to fix the problem, but it causes a wider dampening effect on the security community because people now think these things don't work,” Rogers said. “The point of the paper is really just trying to say, yes, all of these things can work.”

Rogers adds that more of the vendor/integrator/partner ecosystem must be involved in order to work out interoperability issues and demonstrate that open standards can work. 

“Then we can get beyond this initial work and hopefully give all these people who are already doing great work and pushing these standards, including all these security features, a little bit more traction within their organizations to make these things more usable,” Rogers said.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
