Predictive maintenance, efficiency studies and controls, security monitoring, and other cloud services can offer real benefits to asset owners. This trend of vendors offering, and asset owners using, cloud services is almost certain to increase. The challenge is to use these services in a way that doesn’t introduce unnecessary or unacceptable risk.

The most common OT cloud service security approach is: 

We (cloud services vendor) will create a secure VPN to your site to offer these services. We will use MFA, keep everything patched, perform background checks on our people, have physical security on our side, and take other measures so our connection to your site is secured. 

This is a fundamentally flawed approach. It typically allows the OT cloud service provider unrestricted access to your OT networks. The only thing preventing them from attacking your system is their good word and a perfect security program. If they are hacked or have an employee go rogue, the attacker has unrestricted access to your OT networks. 

Cloud service providers are a leveraged point of attack. Gain control of a cloud service provider and you could have unrestricted access to all their customers’ OT networks. This is much easier than attacking asset owners one by one.

This common cloud service provider approach violates the least privilege security principle. The OT cloud service provider should only have the access that is required to provide the service the asset owner wants. 

Consider OT cloud services as a control loop.

One-Way Communication (Open Loop)

If you, the asset owner, are sending data for analysis to the cloud service provider, they do not need access to OT. They will provide the analytical results to you in the cloud or in reports or notifications sent to cyber assets on IT. Open loop cloud services are an ideal place to deploy a one-way / data diode device. You can send the cloud service provider the data without introducing any risk to your ICS or Operations. 

Many cloud service providers will fight the deployment of one-way / data diode devices because it limits the future services they could provide, or they actually are doing something on your system they have not disclosed. Any resistance to deploying this one-way technology for data export or other open loop cloud services should raise a yellow flag.

Two-Way Communication (Closed Loop)

Here the cloud service provider is getting data, analyzing the data, and sending information or a control command to the ICS in OT. In some cases, the information or recommended control command is sent to an HMI for Operator consideration. In other cases, the control command is sent directly to the applicable PLC / controller.

Example: Boiler Efficiency Analysis and Control

An asset owner is paying the vendor that manufactured, installed, and maintains a boiler to monitor its performance and make changes on specific points within a specific range if it will improve boiler performance. The asset owner understands and approves the cloud service provider making this limited set of changes directly to the boiler.

Most cloud service providers will suggest or demand the asset owner allow them to securely connect to OT to provide these services. However, the connection will not restrict the cloud service provider to these services. They will be able to perform any type of control on the boiler and likely anything else in OT.

A least privilege solution will require an industrial firewall with deep packet inspection (DPI) such as Belden’s Tofino or Phoenix Contact’s mGuard. Industrial firewalls with DPI allow you to restrict access by function code, point/tag, and value range, so the rules can be as granular as the agreed service requires.

In the boiler example, the industrial firewall would restrict the write function code to a set of tags on specific PLCs and with a value in an approved range. 

Note: An industrial firewall is also a high-fidelity detection source for cyber attacks coming from your cloud service providers. The cloud service provider should only be sending agreed-upon packets, so any packets rejected by the industrial firewall warrant investigation by the incident response team.
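As an added illustration (not code from the post or from either firewall vendor), here is the policy check such a boiler rule encodes, in Python, assuming Modbus/TCP and a constructed PLC address, tag numbers and value range: reads pass, the one write function code passes only to approved tags within range, and every rejection is collected as an incident response lead, as the note above describes.

```python
import struct

# Added example, not code from the original post. Modbus/TCP, the PLC address,
# tag numbers and ranges are all assumed; a real DPI firewall expresses the
# same rule in its own policy language.
# Allowlist for the boiler case: (PLC address, tag) -> approved value range.
ALLOWED_WRITES = {("10.1.1.10", 40001): (150, 220)}  # boiler setpoint (assumed)
READ_FCS = {3, 4}      # read holding / input registers: data export, allowed
WRITE_SINGLE_REG = 6   # the only write function code the provider may use

def parse_modbus_tcp(frame: bytes):
    """Validate the MBAP header; return (unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return unit, frame[7], frame[8:]

def evaluate(dst_plc: str, frame: bytes):
    """Least-privilege decision for one request: (allowed, reason)."""
    try:
        _unit, fc, data = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed frame: {exc}"
    if fc in READ_FCS:
        return True, "read"
    if fc == WRITE_SINGLE_REG and len(data) == 4:
        offset, value = struct.unpack(">HH", data)
        tag = 40001 + offset  # holding register offset -> 4xxxx tag number
        rng = ALLOWED_WRITES.get((dst_plc, tag))
        if rng is None:
            return False, f"write to unapproved tag {tag} on {dst_plc}"
        if not rng[0] <= value <= rng[1]:
            return False, f"value {value} outside range {rng} for tag {tag}"
        return True, f"approved write tag {tag}={value}"
    return False, f"function code {fc} not permitted"

# Constructed sample requests, as the provider might send them over its VPN.
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010300000001"),  # FC3: read one register
    bytes.fromhex("0002000000060106000000b4"),  # FC6: write 40001 = 180
    bytes.fromhex("0003000000060106000001f4"),  # FC6: write 40001 = 500
    bytes.fromhex("00040000000601060005000a"),  # FC6: write 40006 = 10
    bytes.fromhex("000500000009011000000001020064"),  # FC16: write multiple
]

def triage(dst_plc: str, frames):
    """Collect reject reasons: each one is an incident response lead."""
    return [r for f in frames for ok, r in [evaluate(dst_plc, f)] if not ok]
```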

_________

Identify all OT cloud services your company is using. For each cloud service:

  • identify whether it requires one-way (open loop) communication or two-way (closed loop) communication.
  • if it is closed loop, identify what specific actions the cloud service provider is approved to take.
  • verify that security controls, under your control, are in place to restrict the cloud service provider to the agreed-upon communication and actions.

Cloud Service | Open or Closed Loop | Allowed Communications