If you work in a Life Sciences company, you’re probably hearing more and more about Operational Technology (OT) security. But what does this mean? An OT network consists of all of the systems that support operations, such as industrial control devices, lab processing equipment, and QC test instruments.
Often, automation engineers and IT system administrators suddenly find themselves in charge of an OT Network. Anyone in that position may be wondering where to start when it comes to securing the network or simply proving that it is, indeed, secure.
Here are 5 steps to get started:
Step 1: Segment Your OT Network from Your Enterprise Business Network
If your OT network is not segmented, plan to segregate it at the next opportunity. Some of the most publicized attacks on Life Sciences companies succeeded simply because the control systems were connected to the Enterprise Business Network and/or the Internet. We recommend treating the Enterprise Business Network as the “untrusted” network: since it is connected to the Internet, anything on it can be compromised by one bad download or a cleverly crafted email that installs ransomware. Some malware specifically looks for OT devices, so a segregated network keeps those assets out of its reach.
Step 2: Review Your OT Firewall Rules
If you can’t recall when you last reviewed the firewall rules, then now is the time. What we are looking for are rules that are too permissive. For instance, if the rule that allows files to be sent to an offsite storage location permits communication over all protocols and all ports, that rule is too permissive; it should allow only the protocol and port the transfer actually uses.
Sometimes, when troubleshooting a network problem, firewall rules are created to solve the problem. When the problem is fixed, these rules can easily be left behind.
Are there any overlapping firewall rules? Rules overlap when both allow the same traffic to pass to the same devices over the same protocols and ports. For instance, if rule #1 allows file sharing from the lab zone to the infrastructure zone and rule #2 allows file sharing from one particular server in the lab zone to the infrastructure zone, the two rules overlap: rule #1 already covers everything rule #2 permits, and rule #1 is the one that is too permissive.
Are there any ‘deadwood’ rules that can be removed? Any firewall rules that aren’t filtering traffic should be removed in the same way “dead code” is removed from a program.
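The three checks above (too permissive, overlapping, deadwood) can be run mechanically against an exported rulebase. The script below is an added example written for this article, not code from the original page or from any firewall vendor; it assumes a hypothetical rulebase exported as source CIDR, destination CIDR, protocol, destination port range and a per-rule hit counter, and the sample rules and addresses are constructed for illustration. A rule is "too permissive" when it allows any protocol or every port, rule A "overlaps" rule B when everything B allows is already allowed by A, and a rule is "deadwood" when its hit counter is zero for the review period.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)  # a destination port range that covers everything


@dataclass(frozen=True)
class Rule:
    """One allow rule from a hypothetical OT firewall rulebase export."""
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range
    hits: int     # hit counter for the review period


def is_too_permissive(rule):
    """A rule that allows every protocol or every port is too permissive."""
    return rule.proto == "any" or rule.ports == ANY_PORTS


def covers(broad, narrow):
    """True when everything `narrow` allows is also allowed by `broad`."""
    src_ok = ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(broad.src))
    dst_ok = ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(broad.dst))
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    ports_ok = broad.ports[0] <= narrow.ports[0] and narrow.ports[1] <= broad.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def audit(rules):
    """Return the names of rules that fail each of the three review checks."""
    findings = {"too_permissive": [], "overlapping": [], "deadwood": []}
    for rule in rules:
        if is_too_permissive(rule):
            findings["too_permissive"].append(rule.name)
        if rule.hits == 0:
            findings["deadwood"].append(rule.name)
    # Overlap is reported as (broader rule, narrower rule it makes redundant).
    for broad in rules:
        for narrow in rules:
            if broad is not narrow and covers(broad, narrow):
                findings["overlapping"].append((broad.name, narrow.name))
    return findings


# Constructed sample rulebase (lab zone 10.20.1.0/24, infrastructure zone 10.20.10.0/24).
SAMPLE_RULES = [
    # Offsite backup rule that was written as any protocol / any port.
    Rule("offsite-backup", "10.20.0.0/16", "203.0.113.10/32", "any", ANY_PORTS, 1500),
    # File sharing (SMB) from the whole lab zone to the infrastructure zone.
    Rule("lab-to-infra-smb", "10.20.1.0/24", "10.20.10.0/24", "tcp", (445, 445), 8000),
    # Same file sharing, but only from one historian server: already covered above.
    Rule("hist-server-smb", "10.20.1.50/32", "10.20.10.0/24", "tcp", (445, 445), 300),
    # RDP rule added during troubleshooting and never removed: no hits since.
    Rule("tshoot-rdp", "10.20.1.0/24", "10.20.10.5/32", "tcp", (3389, 3389), 0),
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_RULES).items():
        print(f"{category}: {names}")
```

Treat a zero hit count as a prompt to investigate rather than proof: a rule for a quarterly or annual process can legitimately show no hits in a short review window, so compare against a period that covers the full operating cycle before deleting it.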
Step 3: Use a Standard Network Design Approach
Make sure your OT Network is separated from the Business Network by a next-generation firewall. These firewalls support deep-packet inspection, which helps in hunting threats on your network. The OT Network should connect to the enterprise network only through the OT firewall, so that every flow in and out passes through a point where it can be controlled.
Step 4: Physical Security Should Not Be Overlooked
Physical security is generally not a significant challenge in the Life Sciences industry, since some form of perimeter security is already in place and an electronic badging system controls access to different areas of the building. Even so, all server rooms should have badge or key access, all OT network equipment should be secured in a lockable network rack, unused network ports should have port-locks installed, server enclosures should be locked, and the keys to these items should be controlled.
Step 5: Control Access Via Logical Security
Logical security should control access to the different areas or zones of the OT Network. Each user should have rights only to the information they need. We can achieve that by listing users and groups, mapping each user to their groups, and then verifying that each user actually needs the access granted by the groups to which they are assigned. Sometimes people move departments and retain access they shouldn’t have. This review is also a great way to find accounts belonging to users who have left the company.
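The review described above can be scripted by joining a directory export of group memberships against the HR roster. The script below is an added example for this article, not code from the original page; it assumes two hypothetical CSV exports (an HR roster with a department and status per user, and a group-membership export from the directory) plus a mapping of each OT group to the departments that legitimately need it. All names, groups and departments are constructed for illustration. It flags three findings: accounts of terminated users that still hold OT group membership, accounts that are not on the roster at all, and users whose department does not match the group they are in (the "moved departments" case).

```python
import csv
import io

# Constructed HR roster export (hypothetical).
HR_ROSTER_CSV = """\
user,department,status
alice,QC Lab,active
bob,Automation,active
carol,QC Lab,active
dave,Manufacturing,terminated
"""

# Constructed directory group-membership export (hypothetical).
GROUP_MEMBERSHIP_CSV = """\
group,user
OT-QC-Lab-Operators,alice
OT-QC-Lab-Operators,bob
OT-Automation-Engineers,bob
OT-Automation-Engineers,carol
OT-Automation-Engineers,eve
OT-Manufacturing-HMI,dave
"""

# Which departments are expected to need each OT group (assumed for the example).
GROUP_TO_DEPARTMENTS = {
    "OT-QC-Lab-Operators": {"QC Lab"},
    "OT-Automation-Engineers": {"Automation"},
    "OT-Manufacturing-HMI": {"Manufacturing"},
}


def load_roster(text):
    """HR roster: user -> (department, status)."""
    return {row["user"]: (row["department"], row["status"])
            for row in csv.DictReader(io.StringIO(text))}


def load_memberships(text):
    """Directory export: user -> set of OT group names."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        members.setdefault(row["user"], set()).add(row["group"])
    return members


def review_access(roster, memberships, group_to_departments):
    """Compare group membership with the roster and return the findings."""
    findings = {"terminated": [], "unknown": [], "wrong_department": []}
    for user in sorted(memberships):
        if user not in roster:
            # Account holds OT access but HR has no record of the person.
            findings["unknown"].append(user)
            continue
        department, status = roster[user]
        if status != "active":
            # Leaver whose access was never removed.
            findings["terminated"].append(user)
            continue
        for group in sorted(memberships[user]):
            if department not in group_to_departments.get(group, set()):
                # Access that does not match the user's current department.
                findings["wrong_department"].append((user, group))
    return findings


def run_review():
    roster = load_roster(HR_ROSTER_CSV)
    memberships = load_memberships(GROUP_MEMBERSHIP_CSV)
    return review_access(roster, memberships, GROUP_TO_DEPARTMENTS)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

Each "wrong_department" finding still needs a human decision: an automation engineer may legitimately sit in a lab operators group for a project, in which case the group-to-department mapping should be updated with the justification rather than the access silently kept.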
To see 10 additional steps to ensure operational security, view our whitepaper on Ensuring Operational Technology (OT) Cybersecurity in Life Sciences.