The number of cyber attacks rose sharply in 2021. As networking grows and software is integrated ever more deeply into production, operational technology (OT) is increasingly becoming a target for attackers. Endian recommends ten safeguards for OT in 2022.
“Security in OT has completely different challenges than in a classic IT environment,” says Endian CEO Raphael Vallazza five years at the longest and will be replaced. In industry, machines and systems are in operation for much longer, which leads to very heterogeneous environments. Uniform updates for the operating system, firmware and the anti-virus software, which is so dependent on being up to date, are made significantly more difficult.”
Industrial networks that have grown organically over the years also pose a security risk: malware can spread quickly across entire production plants via the many interconnection points. The coronavirus pandemic has aggravated the situation further. “With the pandemic, the clear demarcation between internal and external access has further dissolved,” explains Vallazza. “External maintenance staff needed stable remote access, as did those employees who needed to do their jobs from home.”
Endian recommends that companies implement the following measures to secure their OT environments:
1. Visualize networks
A graphical representation of the network helps to make its growing complexity manageable. If the various components, sensors and connections are visible at a glance, it is easier to understand which systems communicate with which, within the company and beyond. Irregularities in communication patterns can thus be detected more quickly. At the same time, the visualization forms the basis for network segmentation: you cannot segment what you have not mapped.
2. Segment networks
Ransomware remains the biggest threat to companies in Germany: attackers encrypt company data with malicious code and then extort a ransom. The malware typically tries to spread through the network as inconspicuously as possible before it strikes, in order to achieve maximum effect. Dividing the operational network into individual, separate segments is therefore a fundamental step toward security in the OT area: a compromise in one segment can then no longer spread freely to the others, and every connection crossing a segment boundary has to pass an explicit rule. Networks can be segmented using IoT security gateways placed in front of the individual segments, without requiring changes to the existing network structure.
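The following is an added illustration of the default-deny policy such a gateway enforces between segments; it is example code written for this article, not Endian's software. The zone names, address ranges, allowed ports and sample flows are all constructed for the demonstration (Modbus/TCP on 502 and OPC UA on 4840 are the real default ports of those protocols; the plant layout itself is invented). Traffic inside a segment is allowed, traffic between segments needs an explicit rule, and anything from an address outside every known segment is denied.

```go
package main

import (
	"fmt"
	"net"
)

// Zone is one network segment behind a gateway (constructed example addresses).
type Zone struct {
	Name string
	CIDR *net.IPNet
}

// Rule is one explicit allow entry: traffic from one zone to another on one port.
type Rule struct {
	From, To string
	Proto    string
	Port     int
}

// Flow is one observed connection attempt.
type Flow struct {
	Src, Dst net.IP
	Proto    string
	Port     int
}

type Policy struct {
	Zones []Zone
	Allow []Rule
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ZoneOf returns the zone containing ip, or "" if the address is in no known segment.
func (p Policy) ZoneOf(ip net.IP) string {
	for _, z := range p.Zones {
		if z.CIDR.Contains(ip) {
			return z.Name
		}
	}
	return ""
}

// Permits implements default deny: intra-zone traffic passes, anything crossing a
// zone boundary needs a matching rule, and unknown addresses are always denied.
func (p Policy) Permits(f Flow) (bool, string) {
	src, dst := p.ZoneOf(f.Src), p.ZoneOf(f.Dst)
	if src == "" || dst == "" {
		return false, "address outside every known segment"
	}
	if src == dst {
		return true, "intra-zone"
	}
	for _, r := range p.Allow {
		if r.From == src && r.To == dst && r.Proto == f.Proto && r.Port == f.Port {
			return true, fmt.Sprintf("allowed by rule %s->%s %s/%d", r.From, r.To, r.Proto, r.Port)
		}
	}
	return false, fmt.Sprintf("no rule for %s->%s %s/%d", src, dst, f.Proto, f.Port)
}

// ExamplePolicy is a constructed plant: office IT, an engineering segment, two production cells.
func ExamplePolicy() Policy {
	return Policy{
		Zones: []Zone{
			{"office", mustCIDR("10.0.0.0/16")},
			{"engineering", mustCIDR("10.10.0.0/24")},
			{"cell1", mustCIDR("192.168.1.0/24")},
			{"cell2", mustCIDR("192.168.2.0/24")},
		},
		Allow: []Rule{
			{"engineering", "cell1", "tcp", 502},  // Modbus/TCP only from engineering workstations
			{"engineering", "cell2", "tcp", 502},
			{"cell1", "engineering", "tcp", 4840}, // OPC UA telemetry toward the engineering historian
		},
	}
}

// SampleFlows are constructed connection attempts, not captured traffic.
func SampleFlows() []Flow {
	return []Flow{
		{net.ParseIP("10.10.0.5"), net.ParseIP("192.168.1.20"), "tcp", 502},    // engineer programming a PLC
		{net.ParseIP("192.168.1.20"), net.ParseIP("192.168.1.21"), "tcp", 502}, // PLC to PLC in the same cell
		{net.ParseIP("10.0.3.7"), net.ParseIP("192.168.1.20"), "tcp", 445},     // office host reaching a PLC over SMB
		{net.ParseIP("192.168.1.20"), net.ParseIP("192.168.2.20"), "tcp", 502}, // cell 1 talking to cell 2
		{net.ParseIP("203.0.113.9"), net.ParseIP("192.168.2.20"), "tcp", 502},  // source in no known segment
	}
}

// Audit runs every flow through the policy and returns the denied ones with reasons.
func Audit(p Policy, flows []Flow) []string {
	var denied []string
	for _, f := range flows {
		if ok, why := p.Permits(f); !ok {
			denied = append(denied, fmt.Sprintf("%s -> %s %s/%d: %s", f.Src, f.Dst, f.Proto, f.Port, why))
		}
	}
	return denied
}

func main() {
	for _, d := range Audit(ExamplePolicy(), SampleFlows()) {
		fmt.Println("DENY", d)
	}
}
```

Of the five sample flows only the first two pass; the SMB attempt from the office network is exactly the kind of lateral movement that ransomware relies on, and it is blocked without any signature because no rule allows it. The same policy table is what the gateway's firewall would enforce in production, and what the network visualization from step 1 lets you derive.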
3. Introduce Zero Trust concept
The further digitization progresses, the less clearly company networks are bounded: for optimal planning, suppliers and business partners need access to certain company resources, and the pandemic has moved many employees to the home office. The Zero Trust concept is based on the assumption that no access, whether internal or external, is trustworthy by default. Trust is no longer derived from the network location, but from the identity, authorization and secure authentication of users and machines, checked for every single access.
4. Centrally manage authorization and authentication
Individual user accounts and credentials ensure that only authorized employees access machines and systems. To administer them, administrators need a central tool that allows them to create, change or delete roles and permissions in real time. Access rules can raise security further. For example, it can be specified that employees may only access the networks from certain countries; regions where the company has neither branches nor customers can be excluded. Such rules raise the bar but are not a substitute for strong authentication, since an attacker can route connections through a permitted country.
5. Two-factor authentication (2FA)
Insecure passwords are a high security risk in the OT environment too. Companies should rely on two-factor authentication, especially given the continuing trend toward working from home. In addition to a password, users need a second factor to log on to a machine or network. The so-called “possession factor” is often used, for example a one-time password that is sent to or generated on the user’s smartphone.
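To show what the possession factor looks like in practice, here is an added example of the time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP) that authenticator apps on a smartphone implement; it is written for this article and is not Endian's code. The shared secret is the RFC 6238 test secret, used here as constructed input; the server-side `Verifier`, its one-step clock-skew window and its replay check are design choices of this example, not part of the standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238 on top of HOTP: the counter is the number of whole time
// steps since the Unix epoch, so phone and server agree without exchanging messages.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// Verifier is the server side (example design). It remembers the last counter it
// accepted, so a code that was already used (sniffed, shoulder-surfed, phished)
// is rejected even if it is still inside the time window.
type Verifier struct {
	Secret      []byte
	Step        time.Duration
	Digits      int
	Skew        int   // steps of clock drift tolerated on either side
	lastCounter int64 // highest counter already consumed; -1 if none
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{Secret: secret, Step: 30 * time.Second, Digits: 6, Skew: 1, lastCounter: -1}
}

// Check returns true if code matches a step within the skew window around now and
// has not been used before. Candidates are compared with hmac.Equal and the loop
// does not break early, to avoid leaking which step matched through timing.
func (v *Verifier) Check(code string, now time.Time) bool {
	current := now.Unix() / int64(v.Step/time.Second)
	matched := int64(-1)
	for d := -v.Skew; d <= v.Skew; d++ {
		c := current + int64(d)
		if c < 0 || c <= v.lastCounter {
			continue
		}
		if hmac.Equal([]byte(HOTP(v.Secret, uint64(c), v.Digits)), []byte(code)) {
			matched = c
		}
	}
	if matched < 0 {
		return false
	}
	v.lastCounter = matched
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, constructed demo input
	v := NewVerifier(secret)
	now := time.Unix(59, 0)
	code := TOTP(secret, now, v.Step, v.Digits) // what the phone would display
	fmt.Println("code:", code)
	fmt.Println("first use:", v.Check(code, now))
	fmt.Println("replay:", v.Check(code, now))
	fmt.Println("wrong code:", v.Check("000000", now))
}
```

Two properties matter for OT: the phone needs no network connection to produce the code, which suits plants with restricted connectivity, and the server's replay check means an attacker who captures a code while it is still valid gains nothing once the legitimate user has logged in. SMS delivery, as mentioned in the text, provides the same possession factor but depends on the mobile network and is exposed to SIM-swap attacks, which is why generated codes or hardware tokens are generally preferred.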
6. M2M communication with certificates
Machines are also increasingly communicating with each other. The same principle applies here as with human-machine communication: appropriate authorization is required for every access. Certificates give each device a unique identity with which it can authenticate itself to other machines, systems and people, and a device that cannot present a certificate signed by the company's own certificate authority is simply not talked to. This presupposes a PKI that issues, renews and revokes the device certificates.
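As an added example (written for this article, not Endian's code), the following shows the three pieces of such a machine identity: a plant certificate authority, a certificate issued to one device, and the check the receiving machine performs before it trusts the peer. The CA name, the device ID `plc-line3-01`, the serial numbers and the validity periods are assumptions for the demonstration. The rogue certificate at the end carries the same device name but is signed by a different CA, which is what an attacker's device would present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair. On a real machine the private key would be
// generated on the device itself (ideally in a TPM or secure element) and never exported.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// NewPlantCA creates a self-signed CA for the (hypothetical) plant PKI. Only this
// CA's signature makes a device identity trustworthy to the other machines.
func NewPlantCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueDeviceCert binds one machine's public key to its identity (the CommonName)
// with the CA's signature. ExtKeyUsage limits what the certificate may be used for.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	return mustCreate(tmpl, ca, pub, caKey)
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyPeer is the check a machine performs when another machine presents its
// certificate: the chain must end at the plant CA, the validity period must cover
// now, and the certificate must permit client authentication. On success it
// returns the authenticated device identity.
func VerifyPeer(ca *x509.Certificate, peer *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return peer.Subject.CommonName, nil
}

func main() {
	ca, caKey := NewPlantCA("Example Plant CA")
	plcKey := newKey()
	plc := IssueDeviceCert(ca, caKey, "plc-line3-01", 1001, &plcKey.PublicKey)

	// An attacker's device presenting the same name, but signed by its own CA.
	rogueCA, rogueKey := NewPlantCA("Rogue CA")
	rogue := IssueDeviceCert(rogueCA, rogueKey, "plc-line3-01", 1001, &newKey().PublicKey)

	for _, c := range []*x509.Certificate{plc, rogue} {
		if id, err := VerifyPeer(ca, c); err != nil {
			fmt.Println("REJECT", c.Subject.CommonName, "-", err)
		} else {
			fmt.Println("ACCEPT", id)
		}
	}
}
```

In a deployment, `VerifyPeer` is what the TLS stack runs on both sides of a mutually authenticated connection (in Go, by setting `ClientCAs` and `ClientAuth: tls.RequireAndVerifyClientCert` in the server's `tls.Config`), so the identity used for authorization decisions is the one bound by the CA, not a name the peer merely claims. What this example leaves out, and a real PKI must add, is revocation: a certificate for a decommissioned or stolen device has to be invalidated before its expiry date.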
7. Focus on Edge Computing
Before data is sent to a central cloud, it should first be evaluated where it was collected, i.e. in the respective machine or system. This approach saves bandwidth and ensures that less data is exposed to theft or tampering in transit, because only the results that are actually needed leave the plant.
8. Encrypt communication
As soon as data is exchanged between the edge and the cloud, it is exposed to additional risks. A VPN encrypts this traffic in a tunnel, so that anyone who intercepts or sniffs the communication sees only ciphertext. The protection holds only if both tunnel endpoints authenticate each other, for example with the device certificates from step 6, so that the tunnel cannot be set up by an impostor.
9. On-premises solutions
Companies should remain independent at all times and decide for themselves where their sensitive data is managed. On-premises solutions offer the most flexibility here because they can be operated in the cloud, in the company’s own data center or at a system integrator partner.
10. Raising employee awareness
Most malicious code enters a company via phishing emails. By misrepresenting facts or their identity, attackers try to trick an employee into opening an infected attachment or link. Regular training and tests help to actively involve employees in cyber defence.