The Case for Bolt-on Security Protections
Written by Paul Robertson
In the Information Security community, we have often treated add-on security as a bad idea. We would generally prefer that equipment came with built-in security features provided by savvy vendors with a history of security development. Yes, I’m laughing at myself for even hoping that is the case. New features mean new bugs. New technologies mean new vulnerabilities. Worse, new exploitation techniques mean new vulnerabilities in old products!
The reality in Operational Technology (OT) networks is that stability is a feature. Plant, process and field equipment operators won’t replace older units before they have to, for a variety of very good reasons, budget being only the most obvious one.
The question, therefore, is how do we add protections against new cyber threats in OT environments without replacing all the equipment or breaking the bank? The answer is bolt-on security layers built specifically for OT networks and equipment.
Many entities struggle with repurposing Information Technology-based protections like firewalls and intrusion detection systems for their OT networks. Unfortunately, these units are often expensive and not suited for the purpose.
Open OT systems typically benefit from purpose-built OT security layers. Let’s say you have a control center operator with a Human Machine Interface (HMI) view into a production process, but you want only your engineering workstation to be able to change certain process set points. Or you want certain shift personnel, such as supervisors, to be able to make changes, but not everyone. Adding security layers that bring authentication, protocol-specific permissions or role-based access control, without purchasing and installing new control systems, is a huge advantage in lowering overall risk in a mature operating environment.
The MSi Platform is designed to be retrofitted into existing OT environments, bringing a hardened security infrastructure to the soft, unprotected center of your operation.
Access control can be added for systems as well as users. Instead of allowing any system or user to connect to any particular controller, field equipment or device, you can erect a logical barrier for access control, or provide an encrypted tunnel for authorized equipment, quickly setting up micro-segmentation barriers around critical components.
Adding strong two-factor authentication (2FA) to a controller with no native access control at all significantly limits which attacks can be launched, and who can launch them.
With user access control, you can backfill Role Based Access Control (RBAC) for specific supported protocols: for example, allowing engineers change-level access and giving operations read-only monitoring capability.
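The protocol-specific permission layer described in the preceding paragraphs, written out as an added example that is not MSi's code and not from the original post. It assumes Modbus/TCP as the controller protocol (the post does not name one) and a constructed policy: a source-address allowlist standing in for the micro-segmentation barrier (only the engineering workstation and the HMI may reach the controller at all), a role mapping so that engineers get read and write function codes while operators get read-only ones, and an audit line for every decision, which is the forensic record the post mentions. All addresses, frames and role names are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP constants (real protocol values); the policy below is constructed.
MODBUS_PROTOCOL_ID = 0
READ_FUNCTIONS = {1, 2, 3, 4}          # read coils/inputs/holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}       # write single/multiple coils and registers

# Constructed RBAC policy: what each role may do at the protocol level.
ROLE_PERMISSIONS = {
    "engineer": {"read", "write"},     # change-level access to set points
    "operator": {"read"},              # monitoring only
}

# Constructed allowlist: which systems may talk to the controller, and as which role.
# Any source not listed is blocked outright (the micro-segmentation barrier).
SOURCE_ROLES = {
    "10.0.1.10": "engineer",           # hypothetical engineering workstation
    "10.0.1.20": "operator",           # hypothetical HMI
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(txid, unit, frame[7], frame[8:])


def classify(function_code: int) -> str:
    """Map a function code to the action the RBAC policy reasons about."""
    if function_code in READ_FUNCTIONS:
        return "read"
    if function_code in WRITE_FUNCTIONS:
        return "write"
    return "unknown"                   # unknown codes are never granted


def authorize(src_ip: str, frame: bytes) -> tuple[bool, str]:
    """Decide whether to forward a request; return (allowed, audit line)."""
    role = SOURCE_ROLES.get(src_ip)
    if role is None:
        return False, f"DENY src={src_ip} reason=source-not-allowlisted"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"DENY src={src_ip} role={role} reason=malformed ({err})"
    action = classify(req.function_code)
    allowed = action in ROLE_PERMISSIONS[role]
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, (f"{verdict} src={src_ip} role={role} unit={req.unit_id} "
                     f"fc={req.function_code} action={action} txid={req.transaction_id}")


# Constructed sample frames (hex): MBAP header, then function code and data.
WRITE_SINGLE_REGISTER = bytes.fromhex("000100000006" "01" "06" "000a" "0064")  # reg 10 := 100
READ_HOLDING_REGISTERS = bytes.fromhex("000200000006" "01" "03" "0000" "000a")  # 10 regs from 0
DIAGNOSTICS = bytes.fromhex("000400000006" "01" "08" "0000" "0000")             # fc 8, not in policy
BAD_LENGTH = bytes.fromhex("000300000099" "01" "03" "0000" "000a")              # length mismatch


def run_demo() -> list[str]:
    """Run the policy over the sample traffic and return the audit trail."""
    cases = [
        ("10.0.1.10", WRITE_SINGLE_REGISTER),   # engineer changes a set point
        ("10.0.1.20", WRITE_SINGLE_REGISTER),   # HMI tries the same write
        ("10.0.1.20", READ_HOLDING_REGISTERS),  # HMI reads process values
        ("10.0.1.10", DIAGNOSTICS),             # unknown function code
        ("10.0.1.10", BAD_LENGTH),              # malformed frame
        ("10.0.9.99", READ_HOLDING_REGISTERS),  # unknown system
    ]
    return [authorize(src, frame)[1] for src, frame in cases]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the design is that the role decision is made on the parsed function code, not on the TCP port alone: an HMI that is allowed to reach the controller for monitoring still cannot issue a write, and anything the parser does not recognise (unknown function codes, length mismatches) is denied and logged rather than forwarded.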
So, we can add new security controls without negatively impacting our current production networks, without spending on costly upgrades that may introduce new security vulnerabilities, and without serious production downtime. What else do we get for our new bolt-on security dollar?
We get new visibility into the status of, and issues with, our operational network. We get a strong forensic record of any issues, and the ability to see operational efficiencies change over time.
Less chance of security issues, more visibility into operations.
Schedule a demo today to learn more about the MSi Platform.
Originally published September 25, 2018, updated November 19, 2020.