Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 4 (Secure Network Architecture)
FULL TRANSCRIPT
Hello, and welcome back. In this section we're going to talk about secure network architecture. So far, in the first three parts of the course, we've really been level-setting, trying to give everybody, whether you come from an IT background or an OT background, a basic understanding of the different components that can make up an ICS or OT environment, and looking at some of the basics of cyber security. Now we're going to look at how we bring all of that together. Moving forward, what we're really talking about, especially from a practical perspective, is: how do we secure our critical infrastructure environments, how do we secure our OT networks?

So let's jump into this section. You can see what we're going to look at: this idea of what secure network architecture brings us. This is where I always start when I talk about "if I could only do one thing to protect an OT network, what would it be?" It would be to put a firewall between IT and OT. That sounds very simple, even simplistic, to many people; some people think of it as a joke, and others realize the beauty in that simplicity. I know and understand it's not always possible, but we'll have those discussions. The idea is that we start with a firewall, and then we'll look at how we build additional layers of secure network architecture to help protect the environment.

A big part of what we're going to use to help us do that is the Purdue model, or what we really call the expanded Purdue model today in 2024. So we'll talk about the expanded Purdue model and how we can do additional network segmentation around zones and conduits based off of ISA 62443. We've started to talk about ISA 62443 as the gold standard for how we build a cyber security program in control system networks.

We'll also talk about how attackers get into the environment with the kill chain: the IT cyber kill chain from Lockheed Martin, which covers how attackers get into the IT network, versus, once they're in the IT network, how they get into the control system network and then how they spread, gain access and gain further control over the OT network, which is really what's described in the ICS cyber kill chain that we're going to talk about.

Then we'll wrap up with a brief introduction to the Industrial Internet of Things, or IIoT, where we're basically allowing the OT network to have internet access. Of course we want to do that as securely as possible, so we're going to introduce it here and come back to it in later sections. The same goes for secure remote access, which is, I guess, a necessary evil, if you want to describe it that way: allowing remote parties like vendors to come in and do things like maintenance. Maybe someone needs to come in and do a firmware upgrade on a PLC during a maintenance window. We want to allow them to do that, and especially if it's a dangerous environment, we don't necessarily want somebody standing in the plant doing the upgrade when they can do it safely from home. We just want to make sure that if we're allowing them to do an upgrade remotely, that network connection is as secure as possible. You just have to remember it's never 100%, so if we're going to have it, we have to be extremely careful and make sure we do secure remote access the right way. That's what we're going to talk about in this part.

We already previously started to talk about the five main ways that attackers get into OT networks, and the primary route we see is that they first get into the IT network, using a phishing attack, which is the most common way attackers get in. We'll come back and talk more about that; that's really the main example we're going to use in this section. We'll come back and talk about all of these as we go throughout the course, but the main focus in this part is: as attackers gain access to the IT network, what do they do then? How do they gain access to the OT network? And once they're in the OT network, it's our job to ideally detect them, find them and get them off the network. Unfortunately, we know that a lot of OT environments, at least half, don't have any type of network security monitoring capability to find attackers in the environment. So let's take a step back: where do we start? Taking that step back, let's
talk about the IT kill chain, or the IT cyber kill chain, that Lockheed Martin created. You can see it goes back to 2011, when they introduced this process for explaining how attackers get into the environment. This is not every attacker, and this is not every route they can use to get into a network, but in general this is the common scenario we're going to use for our conversation, for this part at least, when we talk about attackers breaking into the IT environment. The most common route they're going to use, still today, is phishing attacks, like we saw with Colonial Pipeline. Whether it's an advanced persistent threat trying to get into the environment for espionage, or it's a ransomware group like DarkSide and Colonial Pipeline that wants to infect your computers just to get a couple of bucks at the end of the day, they all realistically follow the same type of pattern in how they break into the environment.

So the first step is they perform reconnaissance. Sometimes you hear of things like OSINT, or open source intelligence gathering, but they perform reconnaissance: they want to find out information about your organization, information they need to help their attack be more successful. So if I'm an attacker and I want to break into your environment using a phishing attack, I want to send phishing emails, and I'm going to need to start with email addresses. We'll use the greatest open source resource in the world, the internet, typically Google, to find a list of email addresses for employees that work at your company. Maybe I don't have as many email addresses as I want, but if I understand the email structure, how your emails are created, meaning that when we have a new employee we create an email address for that employee with their first name, followed by a period, followed by their last name, followed by the at sign, followed by the company domain. So I might have michael.holcomb@microsoft.com. If I go into LinkedIn and see another Microsoft employee, even though I don't know their email address, if their name is, say, Jennifer Salvador, I know that more than likely her email address is jennifer.salvador@microsoft.com. So, understanding that naming convention or syntax, I can go through social media, especially sites like LinkedIn, gather the names of employees that work at the company and generate their email addresses. Now I have that list of targets. There's other information we can gather, but that's a lot of what we'll find in your general phishing attack reconnaissance.

If you want to make the phishing attacks more specific to the organization, you can look for different events that are happening with the organization, or maybe you want to tailor those phishing emails to specific individuals, so you might look them up on social media, not just LinkedIn but more like TikTok and Facebook and Instagram, to see more of their life so you can put more personalized information into an email just for them. This isn't necessarily a course on creating phishing attacks, but the idea is we get as much information as we need to make a realistic phishing attack to send to the email addresses we've gathered for the organization.

Now, the phishing email itself is pretty harmless. We need to couple that phishing email with one of two things: either it contains a link to a malicious website, and that malicious website hosts code that will infect the victim's computer, or we put a malicious or infected attachment in the phishing email, so when the victim receives the email and double-clicks or launches that attachment, it infects their computer. That's the idea of weaponization.

Now, the key with these two phases, reconnaissance and weaponization, is that these are almost always the two phases that we cannot detect with any type of network security monitoring process. We can't see if an attacker is using Google to look up information about our company, or if they're on LinkedIn looking up information about our employees. We have no idea what type of malware they're creating, whether it's an attachment or a malicious file or site, or what site that is. We have no visibility unless we're literally looking over their shoulders or we have access to their systems; otherwise we have no idea of, or visibility into, what they're doing.

So for these two phases of the kill chain, there's not much we can do other than assume that they're happening. We're going to assume that attackers are performing reconnaissance on our environments, and that's why you should be performing reconnaissance on your own environments, to see what the attackers are going to see. That's what we're going to come back and look at in Part 7, especially when we talk about using Shodan to find exposed OT assets on the internet. So we want to perform reconnaissance on ourselves; we do the reconnaissance on ourselves to see what the attackers are seeing, so if we can find an issue before they do, we can fix it before they can exploit it. So in those first two phases we don't necessarily know 100% that they're happening, but we're assuming they're happening
regardless.

Next, once the attacker has their phishing email created, and let's say in this case they've created a malicious attachment that's going to go with the phishing email, they're going to send that to their target employees. Whether it's every employee in the organization or just a select few, they're going to send those phishing emails; that's the delivery phase. Now, when an employee falls victim, so they get the email, they fall for it and they double-click that attachment, that's where exploitation starts. Then that malware installs on the machine during the installation phase, and once it's installed, almost always that system is configured by the malware to go out and make a connection to what we call a command and control server out on the internet, a host that the attackers have control over. So when, let's say, Jennifer Salvador at Microsoft falls victim (and I hope there's not a real Jennifer Salvador at Microsoft, but there could be), when she falls victim to that phishing email, it opens up that connection to the computer the attacker controls, and it gives the attacker access to her computer as her. The attacker now has access to all of her data, her applications, her email, and then potentially the attacker can take additional steps to gain full administrative control over that system, and then look at gaining full administrative control over other systems in the environment, especially if they're looking for sensitive information.

So those are the first six main phases. I'm jumping ahead a little bit, but the last phase is really once the attacker has that foothold in the environment, once that machine is infected and they have that connection to their command and control server, then they want to do what they came to do, depending on their objective. What is their mission? Is it industrial espionage, is it to plant ransomware? The list goes on and on, but it's going to depend. Again, that's the general IT cyber kill chain, explaining in general how attackers get into the environment most of the time.

So, building off of that,
let's go back to thinking of Colonial Pipeline, or the common ransomware compromise, and how that impacts an OT environment when it's connected to an IT network and there is no security, when we talk about a world without secure network architecture. Again using this example of a phishing attack, let's say we have an attacker that sends a phishing email to an employee. There's Jennifer: Jennifer gets the email, and she falls victim to it. She double-clicks, she opens up that attachment, and in this case that ransomware is designed not only to infect her computer but to also spread to all of the other assets in the environment, at least those running Windows. So anything running Windows is going to become compromised rather easily and rather quickly, and you pretty much have the entire IT network completely compromised; we talk about the entire environment burning down to the ground.

But if this IT environment is connected to an OT network, let's say our power plant, and this is the back office to our power plant, and there's no segmentation, no protection between IT and OT, then that infection is just going to move right into the power plant, and in fact into all the Windows assets we have there. As we've already started to talk about, most of the assets we see at the higher levels of the Purdue model, which we're going to talk about in this section, are just other computers running Microsoft Windows, so there's no additional protection. This is where we have the different types of compromise like Colonial Pipeline. Again, I don't know all the details; unless you work at the FBI or at Colonial Pipeline, nobody knows the complete details of what happened. But when the IT environment became infected with ransomware, did that infection start to move into the OT environment because of a lack of security controls? Again, I don't know. I believe so, but I don't know.

So how do we protect against this? This is where we were talking about firewalls earlier. Not to jump ahead, but to take a step to the side and talk about the Purdue model, which we started to mention: this idea that we have a structured, almost a framework that we can use to understand how IT and OT talk with each other, and then how the IT and OT networks are comprised of their own layers that talk amongst themselves, and that we can use this to start to have a conversation about security.

So, the Purdue
model. You can see it was created in the early 90s. I actually get to nerd out about this, because there was a Fluor engineer on the working group that created the Purdue model. What you see here is not the original Purdue model; this is what we call the expanded Purdue model. But the idea is that the Purdue model, and the expanded Purdue model, can be used to break up an IT/OT environment into these different levels or layers, and then we look at how we can secure the environment from a network perspective. This is where we start when we talk about secure network architecture in OT.

You can see at levels 4 and 5, those top layers, that's the IT environment, the back office. That's where our employees sit, and they read their emails, and they browse the internet, and they get infected. They're directly connected to the internet, so that's where we see the most danger. Now, at the lower levels, that's where we have the OT environment. You can see levels 0, 1 and 2 make up the lower levels of OT, and that's where we have things like our PLCs that bring in data from things like sensors and control different systems, like, in our power plant, the turbines and the combustion chambers and the generators. Then we use different systems like engineering workstations to update the programming on those PLCs or upgrade the firmware; we collect process data and store it on data historians; and we're able to see or visualize the process that's happening in the environment on those HMIs, and so on and so forth.

Then we still have more to the OT environment, because at level 3 we have a whole other layer, an upper layer, if you want to talk about it that way. They have it labeled here as site operations; this is based off of the SANS version of the expanded Purdue model. So we have an additional layer of engineering workstations and data historians, and we're going to come back later and talk about why we have multiple layers. We can have things like Active Directory for doing authentication for our Windows-based assets. We might have some other type of management system that's specific to that type of environment: a power plant versus a manufacturing facility versus a railway, where each is going to have its own management system or systems that are specific to that type of environment. We'll look at some more examples of that later on as well.

So really what we're saying is that levels 4 and 5, up top, are the IT environment, and levels 0, 1, 2 and 3 are the OT network. Now, between the two we create a DMZ, or what you see here as level 3.5. If you're familiar with an IT DMZ between the IT network and the internet, we put that DMZ there to add an extra layer of protection between the IT network and an untrusted network like the internet. Now from an OT perspective, we're not connected directly to the internet, ideally, but the one network we are going to be connected to is the IT network, and that's the untrusted network from the OT perspective. So we want to make sure we put a DMZ between us and the IT network. That's what level 3.5 is: we're going to create a DMZ, ideally with two different layers of firewalls, and when we have resources that need to talk with IT, we're going to place them in that DMZ.

Now remember, if we can get away with it, if it's technically possible, we don't want IT to be able to originate connections and talk with OT. We want OT to originate those connections and send data to IT. For example, let's say I do want to automate the installation of Windows patches on things like my domain controllers and my data historians and my engineering workstations; remember, those are just Windows servers and workstations and laptops. What we can do is put a patch management server in the DMZ. We configure the OT Windows servers to reach into the DMZ and get patches, and the patch management server in the DMZ reaches out to the IT patch server and pulls those in. So everything is being pulled into the OT network; all those connections originate from OT. OT is going to IT asking for that data, not the other way around. If it's the other way around, if we allow IT to reach into OT, then when an attacker gets into the IT network (and they will), they can find that route and use it to get into the OT network.
We'll talk more about that as we go on. So even just by simply placing a single firewall: this is what Rob Lee even highlights; he talked about it at the last Dragos summit. He mentioned this, and I've heard him say it before: most OT doesn't need zero trust, it doesn't need the latest shiny toy. I always say they just need a firewall. If there's one thing we can do to protect OT, it's to install a firewall. Now obviously there's a lot more we want to do on top of that, but if we could only do one thing, it would be to install a firewall, because of this exact example. So if that attacker sends that phishing email, and Jennifer falls for it, and that ransomware takes off and starts infecting all the Windows-based resources in the environment, and it goes to move to the OT environment, if that firewall is there and the firewall is configured correctly, the ransomware infection is stopped from spreading into the OT environment. We're done.

So yes, the IT environment has burned down to the ground. That's bad, obviously, but if we have a truly resilient OT environment, we're still up and running. Our power plant is still up and running and generating power. The business is running around scrambling to try to fix everything so they can get back up and running from a business perspective, but hey, we're still generating power, and that's ultimately what matters: that we're still generating power and doing it safely. You can take the couple of days or couple of weeks to rebuild the IT environment, but we still want to make sure the OT environment is up and running and doing things safely. So just by adding that one firewall, we've taken a huge step in protecting the OT environment.

So let's talk about firewalls for a few minutes. If you're not
familiar with a firewall, we typically think of a firewall as a hardware appliance. Yes, there are virtual firewalls, and we can talk about network-based and host-based, but right now we're talking about a physical network appliance, and that's what we want to focus on for now. We're going to put it in the network to filter traffic between two or more network segments. For now we're talking about what we were just looking at: having that firewall, that physical network appliance, between IT and OT, filtering traffic between IT and OT. By default that firewall says we're going to block all traffic between IT and OT, from IT to OT and from OT to IT, and then we only come back and open up the specific holes in the firewall that we need to allow the business to operate. So again, if we can, we don't want to allow any traffic directly from IT into OT. Remember, we want the connections to originate from OT and allow them to reach out to get that information.

There's also the idea of OT-specific firewalls, like mGuards, that can understand not only protocols like TCP/IP but other common OT protocols like Modbus, the most commonly used OT protocol. We're going to come back and talk about those later. Really, at this level, when we're talking about just protecting IT from OT, or OT from IT, or both, we're talking about the common old firewalls we see in IT environments: Cisco and Palo Alto and Fortinet.

Now there are a couple of main types of firewalls. The most basic, and where they originally started out, is simple packet filters. There's a lot to unpack here, but bear with me for a few minutes. The idea with packet filtering is that the firewall is going to filter traffic, either block it or allow it, based off of what we call the five-tuple, and a tuple just means a list of things. So we have this list of five pieces of information, and these are five pieces of information that are very important from a network intrusion detection perspective, so we're going to come back and talk about this in one of the last parts of the course. When we want to allow traffic, we want to allow it based off of these, and make it as specific as possible: where is it coming from, and not just the source IP address but the source port; where is it going to, so the destination IP address and, again, not just the IP address of the host but the destination port; and then what protocol are we using. In this case we're talking about the transport protocol, so is it TCP or UDP; ICMP is typically the only other protocol you'll see when you're talking about the five-tuple at this level. That was the most basic form of firewall, one doing packet filtering.

Now, you can even do packet filtering on switches, and we're going to come back and talk about that layer later. But for now, remember: a switch is not a firewall, and a switch does not replace a firewall. I remember going into one environment, a very large environment, where the gentleman in charge of the site was really proud of their new firewall that they had installed, and I had to break it to him that it wasn't a firewall, it was a switch. So switches can somewhat emulate firewalls, but they're not firewalls, and they're not designed or meant to replace firewalls. We'll come back and talk more about that as well.

Now, all firewalls over the last 20 years, probably at least, do packet filtering and stateful inspection. The idea with stateful inspection is that it acts as a kind of stop-gap to address an issue with older firewalls, where an attacker could try to pretend to be return traffic. Using a common example: in our IT environment we have that firewall between us and the internet, and we know the employees at that company go out and visit websites on the internet, and we almost always know they're going to Amazon and Google; there are a lot of common websites. So what if an attacker could spoof one of those IP addresses and send packets to the firewall pretending to be from, let's say, google.com, saying "hey, I'm just return traffic"? Now, it's all spoofed, and it's kind of hard to pull off these different attacks, but it's not impossible, so it was a way for attackers to slip through, because the firewall had no idea whether that was legitimate return traffic or not. That's what stateful inspection does: it watches when your employees go out to the internet, so it says, "okay, Mike just went out to google.com, and oh, there's the return traffic from google.com." If there's someone else saying "oh, I'm return traffic from google.com" trying to go to Mike, the firewall says, "I don't see where Mike went to see you at this point in time, so I'm just going to drop you." That's the idea of stateful inspection. So that's what all firewalls do these days; most all firewalls, at a bare minimum, do stateful inspection as well as packet filtering. We're going to talk a lot more about packet filtering.
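As an added example (not code from the course), here is a small Python model of the two ideas above together: the pull-only level 3.5 design, where OT may originate connections to a DMZ patch server and the DMZ may originate to IT but IT never originates into OT, and stateful inspection, where only replies to connections the firewall saw originate are let back through. The zone address ranges, the 10.10.35.10 and 10.10.1.10 patch servers and the use of port 443 are assumptions for this example.

```python
"""Stateful, direction-aware IT / DMZ / OT firewall model (added example)."""
from dataclasses import dataclass
import ipaddress

# Constructed topology: three zones of the expanded Purdue model.
# Address ranges are assumptions for this example, not from the course.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.1.0/24"),    # levels 4-5
    "DMZ": ipaddress.ip_network("10.10.35.0/24"),   # level 3.5
    "OT":  ipaddress.ip_network("10.10.50.0/24"),   # levels 0-3
}

# Which zone may ORIGINATE a connection into which zone, and on which ports.
# There is deliberately no ("IT", "OT") entry: IT never opens connections into OT.
# Patches are pulled hop by hop: OT -> DMZ patch server, DMZ -> IT patch server.
ORIGINATION_POLICY = {
    ("OT", "DMZ"): {443},
    ("DMZ", "IT"): {443},
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True only for the first packet of a new TCP connection

    def flow(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


class StatefulFirewall:
    """Packet filter that only admits replies to connections it saw originate."""

    def __init__(self):
        self.state = set()  # flows that were permitted to originate

    def process(self, pkt: Packet) -> str:
        # 1. Return traffic for a connection we recorded is allowed back in.
        if pkt.reverse_flow() in self.state:
            return "permit-established"
        # 2. A non-SYN packet with no matching state is exactly the spoofed
        #    "I'm just return traffic" case: drop it.
        if not pkt.syn:
            return "drop-no-state"
        # 3. A new connection is allowed only if the source zone may originate
        #    into the destination zone on that port; record it if so.
        src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
        if pkt.dst_port in ORIGINATION_POLICY.get((src_zone, dst_zone), set()):
            self.state.add(pkt.flow())
            return "permit-new"
        return "drop-policy"


def run_scenario():
    """Walk the patch-pull flow and two rejected packets through one firewall."""
    fw = StatefulFirewall()
    historian, dmz_patch = "10.10.50.160", "10.10.35.10"   # constructed hosts
    it_patch, it_pc = "10.10.1.10", "10.10.1.77"            # constructed hosts
    steps = [
        ("historian pulls from DMZ patch server", Packet(historian, 50001, dmz_patch, 443, True)),
        ("DMZ patch server replies",              Packet(dmz_patch, 443, historian, 50001, False)),
        ("DMZ patch server pulls from IT",        Packet(dmz_patch, 50002, it_patch, 443, True)),
        ("IT PC tries RDP into the historian",    Packet(it_pc, 50003, historian, 3389, True)),
        ("spoofed 'reply' with no state",         Packet(dmz_patch, 443, historian, 50999, False)),
    ]
    return [(label, fw.process(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{label:40s} -> {verdict}")
```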
Now there's also deep packet inspection. This is where we came up with next-gen firewalls, at this point 10 or 15 years ago: the idea of a firewall that not only allows traffic in and out, filters it and does stateful inspection, but essentially acts like an intrusion detection sensor. It looks at the traffic and can look for suspicious or malicious activity, whether it's at the TCP level or maybe at the application layer; maybe it's looking at HTTP traffic or FTP traffic to see if there's some type of attack there. A lot of times you can also use these to do things like URL filtering, so don't allow your employees to go to gambling websites and porn sites, those types of things. But deep packet inspection is really this idea of "I want to open up the packet and look to see if there's anything in there that looks suspicious or malicious." That's also what we'll see when we come back and talk about the OT-specific firewalls like an mGuard, where you can actually go in and determine what specific commands you want to allow, let's say between an HMI and a PLC. So if an attacker gained access to an HMI and tried to use it for anything other than a legitimate command, they would be stopped. Great, right? So it's another reason why we want to implement firewalls, and the more firewalls the better, almost always. I was in one environment where they literally wanted to implement hundreds of OT firewalls, which in a way I really appreciated, but even in that environment it was overkill, so we were able to scale them back a little bit.

Now this is the idea of an access
control list that we were
mentioning so if you've never seen one
and this is one from a standard Cisco
firewall looks the same on a firewall or
switch uh and these are very similar to
other firewalls so that's why I like use
using the Cisco
one now the Cisco ACL always starts with
at the very bottom even though you don't
see it actually has what we could talk
about as far as the the deny IP any any
so by default if you don't add any of
these additional Rules by default a
firewall right will block all traffic
insane block everything
but then we come back and we want to
open up individual
holes so we can talk about the ACLS here
but let's jump to the next slide so
hopefully this will
help give you a bit better idea of what
we're trying to accomplish with the ACL
so you can see the ACL that we were just
looking at in the upper right hand
corner and then that little line below
trying to show you how the the rules are
written how the acl's are are written
and then we have our example of our
power plant with the it and the OT
networks separated by a single firewall
so a simple example but it's a great one
to start
with so here you can see we have the it
environment and then down below we have
a number of control system assets with
IP
addresses so bear with me because in
this environment this is a let's say a
smaller power plant environment where
they started cyber security to have a
fireball and they want to allow certain
traffic from it into OT
so we're going to we're going to go with
the example right it's not ultimately
what we want to do but it's a it's a
good
start so you can see in this example
right they have the it environment if we
look at that first ACL
the ACL is written so that the first
thing you're going to see is permit or
deny right are we going to allow the
traffic or are we going to deny the
traffic the next thing we're going to
see is the protocol that we're going to
either allow or deny so you can either
see transport protocols like TCP or UDP
or mention
icmp which is what we use typically for
Ping even though it has other uses or if
you want to just block everything you
say block
IP so we can see TCP UDP icmp or IP
which means all of all of them and then
we're going to say where is the traffic
coming from that we either want to allow
or deny so where is it coming
from we want to specify the IP address
in the port and then we're going to say
where is it going to and then remember
we want to be as specific as possible we
want to specify the destination IP
address and the destination Port now in
this case the acl's are it's somebody
just starting off so they don't know to
make them as specific as possible so in
this case if I'm looking at that first
line is saying okay allow right permit
TCP traffic
from
any Source IP address and any port
basically on the it Network to
access the device at
101050 52 over Port
80 and if you're not familiar Port 80 is
used for H TP which is the unencrypted
web
browsing so more than likely if we
allowing somebody to talk with an OT
asset running a web interface is
probably going to be uh either some type
of management server where they're
running an application or an HMI so in
this case if I look at 101050 152 this
is my little icon for an
HMI so they're saying allow anybody in
it to talk with his HMI over 80 and you
can see the next line says oh permit TCP
any host to
101050 152 on Port 443 right the
encrypted version of web browsing so
we're allowing basically unencrypted and
encrypted web browsing to the HMI
interface now we can also see there's a
permit TCP any host 10.10 50150 same
host on Port 3389 which is used for
remote desktop which is for Windows host
so we know not only is this probably an
HMI but it's also an HMI that runs on
Windows and that you can remotely
connect to it with remote desktop so you
could log into it as if you could
remotely any other Windows
machine now the next line actually
references a different host, so you see
permit TCP, remember, coming from any host,
any source IP address, any source port,
and going to the specific host at 10.10.50.154 over port 502,
which is the port for Modbus. So this is almost always, just by
looking at it, we're allowing Modbus traffic, almost always going to be a PLC,
and that's the little icon down at 10.10.50.154 that represents a PLC.
And you can see we're going to allow ICMP to that host as well, so somebody
could ping it, even though we might not want to allow ping traffic, because
even ping could potentially bring down an older asset. Now we're talking 20-plus
years older, but it still could happen, you never know, but we'll come back and talk
more about that later.
And then the last thing you can see is we allow, permit, UDP traffic from
any host, from anywhere on the IT network, to that PLC at 10.10.50.154
on port 123, which is used for Network Time Protocol, NTP. Now
there's other ways we can do time synchronization in OT environments as
well, but NTP you'll see most commonly, usually in the Windows and Linux and the
traditional IT world, so a lot of that does creep into OT.
So this is an environment where
they're just starting with security and
they know they need a firewall which is
great and they block all the traffic by
default but a couple things they're
missing: one is they're allowing IT to
talk directly with OT, not the other way around, right, so that's a big
miss. And they're not being as specific as possible with those ACLs; they're
saying, oh, just allow anybody in IT to talk with those resources over those
ports. So again, the ACL is somewhat limited, right, it's saying which IP
addresses we're going to and which ports we're going to, but it doesn't say, well,
what IP addresses and what ports are we coming from?
So remember, we want to make it as specific as possible. So again, it's a
good start, there's just a bunch of misses, and this is very common when I
work with, you know, especially smaller environments that are just starting out
in securing their OT environments; this can be very similar to
what you might
see but we'll have the traffic now here
we have a slide that just lists some of
the common ports like we're just going
through that ACL list and so oh 80 and
443 and 3389 and 502 and like what what
do these mean right
so different ports are commonly
associated with different services or
protocols and that's not always the case
but there are some common ones so if you
see TCP 21, it's 99.999% of the time going to be used for FTP, for file transfer.
TCP 22 is almost always going to be used for SSH, right, to remotely log into that
host from a command line perspective and be able to make changes,
and you can see then the list goes on and on. So I tried to list
some of the common IT protocols on the left-hand side that you're going to see
in OT environments, because you'll see things like LDAP on Active Directory
domain controllers, or you'll see Microsoft SQL Server running on a Windows
Server that's acting as a data historian, because it's running SQL
Server, which is where it stores all the process data.
And then we have some common ICS or OT protocols as well. I put these in
numerical order, so things like S7, Modbus, I think those are always the
easy ones to remember because they're kind of similarly numbered, right, 102, 502,
and then you get into other ones like CODESYS, PCWorx, Omron, DNP3, BACnet
for our building management systems.
If you want a more thorough list, obviously Google is your friend, but I
also have some cheat sheets in my GitHub repository, so check out GitHub, go to
github.com
SEC, and you'll see, go to Quick Start guides, and there I have
Quick Start guides for Shodan as well as Nmap, and they're there for IT as
well as OT, so they have more comprehensive lists for IT and OT
separately
So, but it's a great reference to
have, so we can come and look at it. There's
also additional ways that we can
configure firewalls in the environment;
this again is where we're just talking
about
protect, I always keep saying it the wrong way, it makes me sound bad.
We'll say in this case we're implementing security between IT
and OT; we haven't even got into, well, how do we implement security within the OT
environment. For now, again, we're still focused on between IT and OT.
Now here's where we implement not just one physical firewall but two layers of
physical firewalls to form that IT/OT DMZ, or level 3.5 of the expanded Purdue
model, and so the idea then is we have that layer of communication
separating the two. And so as we need to get information
from the IT network into OT, we can pull it into the DMZ first and then pull it,
or move it, into the OT network, or vice versa: if we need to push data like
process data from the data historians, we can take it from the OT data historian,
push it to the data historian sitting in the DMZ, which can then forward it to the
data historian in the IT network, so the business gets the data it needs, but we
never allow the business to reach in and gather that information itself.
Now there's the idea of the triple-homed firewall. I want to talk
about this real quick and then we're going to go back to the last one.
So remember, well, we'll go back there already, so in the last one we talk
about what I consider the true DMZ, where we have
multiple layers of firewall, physical firewall, appliances.
You do see some environments, and this should only be an idea, and even
then this is just not a good idea, in order to usually save money,
right which is not a bad thing but this
is the one place where you don't want to
save money you can see they have an IT
OT DMZ they have an IT Network and an OT
network but they're only using a single
firewall to do this so you get a
firewall appliance that has three or
more
interfaces the problem with this is what
if the attacker can take control over
the firewall from any of these segments
especially it if I'm in the it Network
and I take control over the
firewall, then guess what, I have access
to the IT DMZ and I have access to the
OT network, done
deal whereas at least if I'm back in the
traditional dual homed DMZ
the whole point of having those two
layers of
firewalls is that if an attacker gets
into the
environment can they gain access to that
firewall and this is where we come back
and say well let's say if they're both
Cisco ASA
firewalls and the attacker gets in and
they have a zero day attack for Cisco
ASA and remember zero days are not just
for nation states anymore see ransomware
groups and other types of attackers have
zero days as
well but let's say they have a zero day
attack for Cisco ASA so then they can
use that and they can blow right into
the IT DMZ and then they can get right
into the OT
Network so the one caveat or the one
exception we want to make when we talk
about creating this dual homed DMZ not
only do we want two layers of physical
firewalls but we want those layers the
physical firewalls to be from different
vendors. So let's say I have a Cisco ASA layer up top between IT and the DMZ, and
then I have, let's say, Fortinet firewalls between the DMZ and OT
network. So even if an attacker has a zero-day for Cisco ASA and they can get
directly into the DMZ, they're not going to be able to bypass the Fortinet to get
into the OT network.
Now if the attacker has zero-days for both, they're more than likely
going to be nation state, and there's nothing you're going to do ever to
keep them out 100%. So this is where we get to a point where we can only do so much,
right, before we need to shift our priorities, right, and our resources to
focus on building up security elsewhere, like in network security monitoring, so
when the attackers do get into the environment, then we know about it.
But for now, remember, if we're going to have those two layers of firewalls, do it the
right way and have them from two different vendors. Companies don't like
to do that because well you have to have
people that understand how to manage and
administer two different types of
firewalls and they can be different but
there's a lot of similarities between
them as well, so it's not the end of
the
world but that's the best approach is to
have two different layers of firewalls
from two different vendors. I actually just got to work with a client, an outside
client from, you know, outside of my job, and they had two different layers of
firewalls from two different providers. Absolutely impressive, it's like that's
exactly the way you do it.
All right, so enough about that. All right, so let's move on. So this is what I
was alluding to earlier. Now network switches can, say, pretend to be
firewalls, because we can add access control lists to switches,
so that way as traffic comes into a port we can say what traffic to allow or not,
just like with a firewall, and the nice thing again is, especially like in the
Cisco world or others, is if you can write an ACL for the firewall you can
write an ACL for a
switch and you're just doing it on a
port by Port basis and this is what
we're going to want to come back and do
later on to
further limit the traffic that's flowing
between segments and devices within the
environment we want to do as much
segmentation as possible we want to do
as much filtering as possible because
that's going to limit what the attackers
can do when they get into the
environment because they will get into
the environment it's just a matter of
time. So we want to apply ACLs on switches, that's great, but again, as
mentioned earlier, we don't replace firewalls with switches.
So when we're talking about segmenting different networks completely,
one from the other, like IT and OT, we use physical firewalls.
If you use a switch to do this you're just increasing the chance that
an attacker can take control over that switch and then they can bypass the
security
features so just remember for now a
switch is not a firewall we're still
going to leverage all the security
capabilities of a switch, no doubt, but
switches are not meant to replace
firewalls so next let's talk about data
diodes and we can also mention
unidirectional gateways but data diodes
have been around forever I remember the
class I took with Rob Lee he kept you
know talking about data diodes and that
they're one of the single greatest
assets you have in protecting your
environment, and at the same time nobody uses them, and that was practically
10 years ago at this point, well, a little under, but yeah, and people
use them even less and less. Now they have an alternative called a
unidirectional gateway, or something like a unidirectional security gateway,
that essentially does the same thing, but let's talk about them and you'll see
what I mean. So the idea is a data diode is, it's an appliance, right, kind of like
a network firewall is an appliance, and you use it to connect
networks together, but with a data diode it's not
electronics that gap the two networks, that bridges that gap I
should say, between the two networks. What it does is, it uses physics,
right, it's a light system to be able to transmit data, and it only
goes in one direction, just like if you're sending data down fiber.
So it literally can only send data in one direction; there's no possibility
of return traffic,
zero so if we're going back to the
premise that we only want to allow OT to
send data to
IT, a data diode fulfills that
need. It's the perfect tool to be able to
do that job I think the problem is these
days is sometimes they're seeing just as
older systems that aren't that popular
right they typically now they tend to be
a lot more
expensive than unidirectional gateways
or firewalls, and so I think you just don't see
a lot of
people rushing out to buy data diodes
and implement them, even if they're sold
on the fact of we only want OT to send
data to IT and not the other way around.
so if you don't want to go down the data
diode route and invest in those then a
unidirectional gateway is, you know, I guess a reasonable alternative.
It's just not as physically secure, from a physics perspective, right, it's more of,
it's hardware, it's software too, and it's kind of emulating that, hey, we're only
going to allow the OT network to send to IT, not the other way around, right,
unidirectional, but it's not as secure because it's
hardware and software, and hardware and software can be hacked.
So unidirectional gateway vendors drive me crazy, because they all talk
about their appliance, they all talk about their appliances: this will make
your network unhackable. No, it does not make the network unhackable, right.
It allows me to send traffic from the OT network to IT and
not, hopefully, have it return traffic to OT, but I would not
consider your gateway unhackable and it
doesn't make the the network unhackable
there's lots of other ways to break into
the
environment you're addressing just one
of them one of the big ones sure but
just one of them so let's kind of calm
down the marketing rhetoric and be a
little bit more
realistic it's a piece to the puzzle
right it's a layer of security we're
going to implement so if we're not going
to do data diodes let's do a
unidirectional Gateway yes but we're not
going to assume that it's going to make
the network unhackable because it
doesn't, right? If anything, right, somebody brings in an infected USB drive and
plugs it into the network, the network was just hacked, the
network was just compromised. So saying a unidirectional
gateway makes your network unhackable is ridiculous. That's me, how I, so
I'll get off of it now.
And this was just going back to looking at that expanded Purdue model
and the idea that when we implement data diodes, let's say again we want to push
let's say process data from the data
historians in the IT DMZ, we want to push
that into the IT Network we want to make
sure it's that one-way communication so
we could do that with a data diode that
doesn't allow return traffic that's all
we're just trying to show there
remember, and then boom, it's blocked. Can you do that with a firewall? Sure. Can the
firewall be hacked? Yeah, just like a unidirectional gateway. Data diodes, the
chance of it being compromised, even if it's compromised, it's still physically, the
path will not allow traffic from IT to OT, period, the end. That's why it's that
much more
secure it's just going to be more
expensive so most of the rest of the
part of the section we're not going to
spend a ton of time on these but looking
at going back and looking at each of the
layers of the expanded Purdue model now
one thing I want you to keep in mind as
we're going through this and let's kind
of go back to this one just for a minute
is that there's a general rule when
we're talking about designing how
systems communicate within the Purdue
model or the expanded Purdue model I get
in trouble when I just say the Purdue model, all the older folks in
OT cyber security, they jump on you because, you know, there was no level 3.5, right,
there was no IT DMZ, so if I call this the Purdue model they literally will
jump on you: that's not the Purdue model, you don't know what you're talking about.
I've had people tell me that, you know, it's, I get it, okay, the
expanded Purdue model.
Right, with the expanded Purdue model we have kind of this general saying a
lot of people will use, saying only allow traffic to travel up one
layer and down one layer, meaning if I have an asset in, like, the OT/IT
DMZ, that data historian, that patch management server, the anti-malware server,
I only want to allow it to communicate with, or have assets communicate to it,
with it from level four or level three.
That's it, right, it should not be able to reach level five, it should not be able
to reach level two or one or zero, and vice versa, level 0, 1, 2 should not be able
to reach into level 3.5. Remember, one up, one down.
So if I'm at level two, right, those level two assets, they can talk with
level one assets and level three assets, but I don't want an engineering
workstation at level two to be able to reach into the DMZ, right, it's two levels
up. One level up, one level down, and that's a pretty good general rule of
thumb, I think, for most people to get started. All right, now I'm going all
the way crazy so those upper levels and
I just, for me, I just group them
all together right the idea that okay we
have level four. Level four, we have the
it back office or the Enterprise it
Network right again that's where
everybody does work they're sitting at
their desk they're browsing the internet
they're reading their emails they're
using their applications they're putting
data into
Excel. Again, the most danger there is, that's the internet connection, and
that's where we're receiving the emails and bringing in the phishing attacks that
our users are going to be, or our employees are going to be, clicking.
But at least we have that enforcement boundary, the
firewall, between IT and the rest of the OT network, including the DMZ.
And then we can still, it's, I just grouped four and five
together but if you get back into the
well one up and one down any resources
that are talking with the DMZ should be
in level
four so now the rest of the everything
else is the OT Network right the
DMZ and then the rest of the the OT
Network
itself and then we can break these down
one at a
time so again we have the the
DMZ, so that way if we do want to allow communication between OT and IT, and in
most environments there's some need for some type of communication, okay,
ideally we can push the data from OT into IT and we don't allow IT to talk,
excuse me, with the OT.
Manufacturing is the one environment where it's almost, you have IT talking
with OT, unfortunately, because of the way the manufacturing systems
work, but most others, thankfully, that I've been involved in, and I've been involved
in a lot of different projects, some very large environments, you can
configure it so only OT sends to IT. There are some small exceptions; we're
going to get to those in a little bit.
But we've talked about the DMZ, remember, we have those two layers of firewalls,
ideally from different vendors, to protect those resources that are sitting
in the DMZ, and that we use those as those kind of middle pivot
points or transfer points to get data in and out of the OT network. So if I want
those patches or anti-malware updates I go to the DMZ to pull them into the OT
network, and they got on those servers because they pulled them from the IT
network; the IT network never initiated any of those connections, they were all
initiated from the OT side. To get data historian, our process
data, to IT we push that, right, we push it into the DMZ from the OT data historians
and then we push it into the IT network, so the business gets its process data.
We give it, right, we pushed it there, we put it there, they didn't come get it, and
if we allow them to come get it, while they're legitimate, an attacker is
going to get into the environment and use that same process against us. So
that's why we don't want to allow IT to open up communication with us; we open up
communication with them. That's basically what we're saying here.
So now there's level three for site operations, and the Purdue model,
also the expanded Purdue model, talks about not only what if I have a single
site but managing multiple sites, how does that come into play. So in
this case we're just talking about a single site, so there's site
operations, so, right, we're doing what we do in OT, and when we say, like,
SCADA, right, supervisory control and data acquisition, the whole point is to be able
to acquire the data, so we're monitoring what's going on in the
environment and then we have the ability
to control to make changes to the
process if we ever see an alert or get
some other reason why we need to make a
make a change so we're monitoring and
control so ultimately a lot of what
we're talking about in security is
ensuring
visibility into the
process and the ability to control the
process fundamentally those are the two
things that we're trying to secure which
then gives us the ability to ensure
physical security environmental security
and operations or availability but we'll
come back and talk more about that
later. At these higher levels, and this is what we've already been talking about,
when I look at, yeah, the engineering workstation, hey, that's running Windows
10 or Windows 11; that data historian, it's Windows Server; Active Directory,
definitely running Windows Server; that operations management server, more than
likely going to be running on Windows Server. All Windows
servers, which is great from an ease of administration perspective, which is why
they're there. That's why we see Windows everywhere in OT, because we can transfer
IT skills to make it easier to manage. But if we're making it easier to
manage, we're also making it easier to hack into, right, to break into and
compromise, and if we don't have those boundaries, remember in our example
without secure network architecture, that ransomware infection went right in from
IT right into OT.
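As an added example (mine, not the course's), here is a Python check that applies two rules from this section to a constructed list of flows: the one up, one down rule from the expanded Purdue model discussion, here treating the level 3.5 DMZ as its own layer so that a direct level 3 to level 4 flow is also flagged, and the rule that any connection crossing the IT/OT boundary is initiated from the OT side, never from IT. The asset inventory, host names and ports are constructed; the IT-to-HMI RDP flow at the end is the kind of path the ransomware example above would take.

```python
"""Check initiator -> responder flows against the expanded Purdue model rules
discussed in this section. Added example, not course code; the inventory
and flows below are constructed.
"""
from typing import Dict, List, Tuple

# Layers in order. 3.5 (the IT/OT DMZ) sits between site operations and IT,
# so "one up, one down" is measured as adjacency in this list.
LAYERS = [0, 1, 2, 3, 3.5, 4, 5]

# Constructed inventory: asset name -> Purdue level.
ASSETS: Dict[str, float] = {
    "actuator-01": 0, "plc-01": 1, "hmi-01": 2, "eng-ws-01": 2,
    "site-historian": 3, "dmz-historian": 3.5, "dmz-patch-srv": 3.5,
    "it-historian": 4, "it-wsus": 4, "it-laptop-07": 4,
}

# Constructed flows: (initiator, responder, service).
FLOWS = [
    ("site-historian", "dmz-historian", "tcp/443"),  # OT pushes process data up
    ("dmz-historian", "it-historian", "tcp/443"),    # DMZ pushes on to IT
    ("dmz-patch-srv", "it-wsus", "tcp/443"),         # DMZ pulls patches from IT
    ("hmi-01", "plc-01", "tcp/502"),                 # Modbus, level 2 -> level 1
    ("eng-ws-01", "dmz-patch-srv", "tcp/443"),       # level 2 reaching into the DMZ
    ("it-laptop-07", "hmi-01", "tcp/3389"),          # RDP from IT straight into OT
    ("it-wsus", "dmz-patch-srv", "tcp/445"),         # IT pushing into the DMZ
]


def adjacent(a: float, b: float) -> bool:
    """One layer up or one layer down, with the DMZ counted as a layer."""
    return abs(LAYERS.index(a) - LAYERS.index(b)) <= 1


def check_flow(initiator: str, responder: str) -> List[str]:
    """Return the rule violations for one initiator -> responder flow."""
    a, b = ASSETS[initiator], ASSETS[responder]
    problems = []
    if not adjacent(a, b):
        problems.append(f"skips a layer: level {a} -> level {b}")
    # Crossing the IT/OT boundary: the OT-side asset must open the connection.
    if a >= 4 and b <= 3.5:
        problems.append("initiated from IT into OT; OT should initiate the connection")
    return problems


def violations(flows) -> Dict[Tuple[str, str, str], List[str]]:
    """Map each offending flow to its list of violations."""
    result = {}
    for initiator, responder, service in flows:
        problems = check_flow(initiator, responder)
        if problems:
            result[(initiator, responder, service)] = problems
    return result


if __name__ == "__main__":
    for flow, problems in violations(FLOWS).items():   # 3 offending flows
        print(f"{flow[0]} -> {flow[1]} ({flow[2]})")
        for p in problems:
            print(f"    {p}")
```

The three historian and patch-server flows pass because the DMZ asset or the OT asset initiates and each hop is one layer; the engineering workstation reaching into the DMZ skips a layer, the IT laptop's RDP session both skips layers and originates on the wrong side, and the IT patch server pushing into the DMZ is adjacent but still IT-initiated.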
and it happens like that because all of
those higher layer assets that are
directly exposed essentially to the it
Network they're all running Windows if
we go down another level guess
what almost everything there is running
Windows as
well. That engineering, another engineering workstation, whether it's a
laptop or a workstation, it's running Windows 10 or 11, or maybe
older. That data historian is running Windows Server with SQL
Server. That HMI, it's probably running Windows. The SCADA, now that might be some
type of proprietary system, like, I was just, you know, thinking back to
the Mandiant announcement about the latest Ukrainian power outage, where the
Russians had broken in and used living off the land techniques to move
through the Windows systems to then move to the one MicroSCADA server that they
used to turn the power off, to flip all the breakers.
So almost everything at level two, once again, it's almost always
Windows, so it's going to become
important for a number of reasons
especially when we talk about Network
intrusion detection and things like
vulnerability management and and asset
registers which we're going to get into
in the the next part of the
course. But again, think almost all
Windows, almost all
then when you get to level one, zero, this is where Windows drops off and it's
almost never going to be seen. So this is where we see our
PLCs that are running typically their own custom operating systems. Now some of
them, I have one over here from Phoenix Contact that runs
Linux, and it runs Linux just like any other Linux, so you can install all the
Linux-based attack tools on it if you wanted to, so you could turn that PLC
into quite the little attack platform, which I've done for the home lab, of
course. And then things like RTUs and IEDs in power environments, and
then the SIS, remember the safety systems are fail-safes, right, those controllers that we
use to create the fail-safe backup to be able to shut down the
environment if we ever detect that fault condition that's going to present any
risk to physical safety, environmental safety, or to people, or to the
operations of the plant. And then finally we, oops, sorry, we
have things like our sensors and
actuators right the things that we
moving out in the real world the things
we're
controlling with our controllers like
the
PLCs. But no Windows there, right, no Windows at level one.
But level two, mostly Windows; level three, all Windows typically; level 3.5,
almost all Windows, maybe you have a little Linux in there, but everyone, it's
almost all Windows.
So when we go back and look at this overview of the OT network, level
3.5, level three, level two, almost all of that is going to be all Windows-based,
and then when you get down to level one, two, the true, when we talk about control
systems, that's where Windows dramatically drops off,
not that we don't have Windows based
plcs but that's where some people I
think they draw the
line. But it becomes important because when we look at, think of from an
intrusion detection perspective, or the attacker perspective, it's Windows: I know
how to break into the IT environment and move from Windows to Windows machine, so
yeah, I can just do that just as easily in OT until I get down to things like
the PLCs; that's where the attackers slow down, and we'll talk about why that
happens coming up.
What about things like vulnerability scanning or penetration testing?
There's usually that general, well, we don't do those things in the OT
environment because we don't want to crash the systems. Like, well, we might
worry about level one and level zero, maybe that SCADA system at level two, but
if everything else is running Windows, at least maybe from a vulnerability
management perspective, scan away. Maybe, maybe; that's, again, that's a
conversation for the vulnerability management unit, so I'm jumping ahead
again, but just to kind of plant those seeds, so it's not just as cut and dry,
because now we have most of the environment is Windows.
And so that's where we get a lot of this crossover between IT and OT, or
we talk about IT and OT convergence, which is the most, you know, risk that we have
in OT is from IT/OT convergence. All right, but to get us back
on track let's kind of jump back ahead I
don't want to go too far down that
rabbit
hole. All right, so earlier we talked about, we kicked off the section talking
about the IT kill chain from Lockheed Martin. So
Michael Assante, which we, again, we really think of as the man who, and there
were others as well, but Michael Assante really was the spearhead of really
creating this idea of this field of OT cyber security. I think they didn't even
have the term probably OT back then, so, right, or industrial control systems
cyber security, and of course his right-hand man was Rob Lee, so
they created the idea of the ICS Cyber Kill Chain. So what they're trying
to demonstrate here, and you see the link in the paper is there if you tilt
your head and you can read it, but the idea is, you,
there's the normal process that the attackers use to get into the IT
environment, right, and then okay, they're in the IT environment,
but if their ultimate goal is the OT network, well then they
have to get into the OT network, so they basically have to start all over again.
Now remember, one thing we were just highlighting is that a lot of the OT
network is made up of those Windows systems, that, well, if an attacker got
into the IT network because it was Windows, and they moved probably pretty quickly
through the environment because it was Windows, they're probably going to do the
same thing with the Windows environment on the OT side if we haven't done secure
network architecture appropriately. So that's where we talk about having
multiple layers of firewalls for the DMZ, different providers, don't even allow
connections to originate from IT, right, only OT talks with IT, not the
other way around. If we can do that we vastly address the vast majority of the
risk in the environment; it's as easy as that. Again, not all environments can
implement that, like we mentioned manufacturing earlier, just the way those
manufacturing systems work, sadly, but a lot of other environments, I've
been in environments where they have IT talking with OT when there's no reason
to, and I see these large or huge holes in the firewalls, and it's like,
why? And it's just because we don't know better, and I completely understand;
that's a big part of why I'm here, right, so hopefully we can get that
education and awareness out there so people do know better.
But take the time to go back and read the ICS Cyber Kill Chain,
anything Rob writes, anything Michael had written, I definitely read. There's
some great videos if you go back to, that not only Rob but Michael have, you
know, out on YouTube, you know, a lot of the older stuff that Mike had done,
especially with his government work, there's a lot of his kind of lectures or
speeches, and like to different groups in government and military, that I find
really, really fascinating, because again, that's really, it's where it all started,
and when we talk about things like operation Aurora that he led to
demonstrate, right, how computer code could be used to blow things up in the
world, in that case it was just a generator out in the middle of nowhere,
but they used computer code to blow something up in the middle of nowhere. It
can be done. So definitely check that out.
All right, now we also talked about, in the very first section, our history, or at
least the annotated history, of events in ICS over the years, when we talk about
different incidents. So TRISIS was the one where the Russian nation state had come
in, into that petrochemical facility that was run by Saudi Aramco,
and they gained access to pretty much the entire environment, including they
had complete control over the DCS, and remember they had
99.99% control over the SIS, the safety system, right, the backup, so those
Triconex controllers, that's where the TRISIS comes from, right, Tri from Triconex
and then the safety instrumented systems, or the fail-safe backup.
So with TRISIS, one of the things that really sticks out, well, there
were a couple things there, a lot of lessons to be learned from TRISIS. One was
the SIS, those controllers, they were connected and exposed to the rest of the
network, so there was no network segmentation. Your SIS controllers
should never be exposed to the rest of the network; they need to be air-gapped
and they need to be islanded off. If you want to send their process data to
something like your SOC, that's great, put in a data diode and only allow it to
send traffic to your SOC. No one should remotely be able to connect to your SIS,
ever, period, the end, so that way if somebody was going to compromise it they
would physically have to be on site.
And then the other idea, and this is
where my thesis comes in, is where we talk about
that most controllers have a key switch, I think we've already talked about this,
right, and the idea is if the key switch was in run mode then it would
prevent a remote attacker from being able to make changes to code running on
the system. So the controller had its key switch left in program mode, which
allowed the attackers very easily to make changes. Now you'll see this is
getting into my master's thesis I've been talking about, where there's this general
statement where we say, oh, if you put the key, you know, key switch into run mode
then no changes can be made to the controller, whether it's SIS or PLC or
whatever type of controller, and that's not necessarily the case. In some, sure,
but in a lot, like the PLCs that I tested for my master's thesis, which are more
commonly used PLCs in environments, especially in the United States or North
America, there were a lot of bypasses that existed, so even though it was in
run mode, if you went to update the PLC programming code it would let you; it
would actually say, hey, do you want to bypass essentially the safety
feature of run mode to upload your new programming code, and you'd be like, yes,
sure. You had to know what the password was to log into the PLC, but that was it,
you say yes and your code's up and running.
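As an added example (my code, not the course's), this Python snippet implements the monitoring the speaker goes on to recommend: it reads constructed PLC event lines in a made-up format (real controllers and their syslog or historian feeds differ), and alerts on key-switch changes to PROGRAM and on logic downloads that fall outside an authorized change window, with a separate reason when a download was accepted while the controller still reported RUN, the bypass case just described. The PLC addresses reuse the slide's 10.10.50.0/24 range and the change-window ticket id is a placeholder.

```python
"""Flag PLC key-switch and logic-change events that fall outside an authorized
change window. Added example, not course code. The log format, PLC addresses
and change-window ticket are constructed for illustration; no vendor emits
exactly these lines.
"""
from datetime import datetime
from typing import Dict, List

# Constructed event lines: <utc timestamp> <plc ip> <event> key=value ...
EVENT_LOG = """\
2024-03-01T09:58:00Z 10.10.50.154 MODE_CHANGE from=RUN to=PROGRAM user=eng01
2024-03-01T10:02:10Z 10.10.50.154 PROGRAM_DOWNLOAD user=eng01 mode=PROGRAM
2024-03-01T10:05:00Z 10.10.50.154 MODE_CHANGE from=PROGRAM to=RUN user=eng01
2024-03-02T02:14:33Z 10.10.50.154 PROGRAM_DOWNLOAD user=svc_backup mode=RUN
2024-03-02T02:15:01Z 10.10.50.156 MODE_CHANGE from=RUN to=PROGRAM user=admin
"""

# Constructed change window: (plc ip, start, end, ticket id placeholder).
CHANGE_WINDOWS = [
    ("10.10.50.154", "2024-03-01T09:00:00Z", "2024-03-01T12:00:00Z", "CHG-PLACEHOLDER"),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split each line into timestamp, PLC, event type and key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, plc, kind, *kv = line.split()
        ev = {"ts": ts, "plc": plc, "event": kind}
        ev.update(pair.split("=", 1) for pair in kv)
        events.append(ev)
    return events


def in_change_window(plc: str, ts: str) -> bool:
    """True if an approved window covers this PLC at this time."""
    t = datetime.strptime(ts, TS_FMT)
    for ip, start, end, _ticket in CHANGE_WINDOWS:
        if ip == plc and datetime.strptime(start, TS_FMT) <= t <= datetime.strptime(end, TS_FMT):
            return True
    return False


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per suspicious event, with the reasons it fired."""
    alerts = []
    for ev in events:
        reasons = []
        authorized = in_change_window(ev["plc"], ev["ts"])
        if ev["event"] == "PROGRAM_DOWNLOAD":
            if not authorized:
                reasons.append("logic download outside any change window")
            if ev.get("mode") == "RUN":
                # The key switch did not stop the change: the bypass case.
                reasons.append("download accepted while key switch reported RUN")
        elif ev["event"] == "MODE_CHANGE" and ev.get("to") == "PROGRAM" and not authorized:
            reasons.append("key switch moved to PROGRAM outside any change window")
        if reasons:
            severity = "high" if ev["event"] == "PROGRAM_DOWNLOAD" else "medium"
            alerts.append({"ts": ev["ts"], "plc": ev["plc"], "user": ev.get("user"),
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(EVENT_LOG)):   # 2 alerts from the sample log
        print(f"[{alert['severity']}] {alert['ts']} {alert['plc']} user={alert['user']}")
        for reason in alert["reasons"]:
            print(f"    {reason}")
```

The daytime sequence on 10.10.50.154 (switch to PROGRAM, download, switch back) is inside its window and stays quiet; the 02:14 download on the same PLC fires as high with two reasons, and the unplanned PROGRAM switch on 10.10.50.156 fires as medium, which is the "investigate: authorized change or something malicious" decision the speaker describes.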
now for most if you want to upgrade the
firmware that's where you have to take
it out of run mode so that that's
definitely a positive step in the right
direction so it's still important to
monitor for when plc's come out of run
mode or even more importantly to monitor
for when code changes are made on PLC so
you can investigate to make sure was
this an authorized legitimate change or
is this something more susp suspicious
or malicious in
nature but but that was remember tcis so
If anything, with those controllers, right: a key switch is good, still not bulletproof, but still a step in the right direction. Monitor for those changes, investigate when you need to, and then also make sure to isolate the SIS from the rest of the network. Don't allow a remote attacker to be able to connect to it. If you're going to come for it, you have to be on site and you have to know where it is, so come for it, and hopefully we'll have guards with guns protecting it, and really big dogs.

All right, so the next part of the section
we're going to talk about is how do we further break down, or segment, or protect the OT network itself. So we've talked about the DMZ that we're going to put in between IT and OT, maybe even a data diode or unidirectional gateway, but now we're looking at, let's just focus on the OT network, and this is where we go to 62443.

62443 talks about the idea of zones and conduits, which for me, admittedly, were just kind of weird terms, but I completely see how engineers came up with this. The idea is a zone. If you're coming from the IT world, think of the zone for now, and it's not perfect, but for now, as a subnet, and in that subnet we're going to put all the assets that share a common function. Like we were just talking about the SIS: let's say I have these four different controllers that make up the SIS. I'm going to put them in this one zone, and actually we'll add some data diodes also, so they're in this zone. I'll have another zone for things like maybe my control systems for, how about fire suppression? That's also another very important zone to have. So we have these different zones that represent all these different processes in the environment, and then we can allow communication between those zones. Again, we might want to allow the SIS to send data to maybe a SOC, but that's it. So it can push data to the SOC, but that's the only communication, and that communication is what they call a conduit. So any communication between zones is called a conduit.

So with 62443, one of the things we do to implement security is conduct a risk assessment. Well, that risk assessment is based off of looking at the zones, seeing how the assets are grouped. And again, usually those are grouped within the same subnets, which makes it really easy to work with. If they're not, it's still not impossible, but it's just not as nice. And between those subnets, any communication, right? If, in this case, we're allowing this engineering workstation on the right-hand side, maybe this is like the operations zone, if we're allowing that engineering workstation to connect to the PLC in the second zone on the left-hand side, that communication from the engineering workstation to the PLC, that's a conduit.

So we do those risk assessments. We document all of the zones and all the assets in those zones, to understand everything that happens in each of those zones, and then also the conduits between them, which people always hate, because typically they might have the zones and the assets documented, but they probably don't have the conduits documented. But you need to get them down to be able to review them. So usually you can pull those out of your firewall configs, if you have firewalls between them. If it's maybe just switch connectivity, you might be able to pull that data out of the switches, and things like NetFlow data, which can show us what systems are talking with what other systems without having to go onto each of those systems and log in and try to see if they have something like an ARP table or another way to look at network communication, like netstat. A lot of these devices have something equivalent to netstat. Like, I was just playing with a Siemens PLC the other day and it even exposed netstat over SNMP, just like in the Windows world. It's like, oh, this is horrible, not secure. That's the idea of zones and conduits.
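The following is an added example, not code from the course or from any 62443 tooling, of pulling conduits out of flow data the way the passage describes: map each flow endpoint to a zone by subnet, keep only inter-zone flows, and compare the observed (source zone, destination zone, service) triples with the documented conduit list. The zone subnets, the documented conduits and the NetFlow-style records are all constructed for the example; a real run would load zones from the asset inventory and flows from the collector's export.

```python
"""Derive observed zone-to-zone conduits from NetFlow-style records and compare
them with the documented conduit list.

Added example, not from the course or any vendor tool. Zone subnets, the
documented conduits and the flow records below are all constructed.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed zone definitions: zone name -> subnets (the "zone as a subnet" view).
ZONES = {
    "SIS": ["10.10.1.0/24"],
    "Fire-Suppression": ["10.10.2.0/24"],
    "Process-Control": ["10.10.3.0/24"],
    "Operations": ["10.10.4.0/24"],
    "SOC": ["10.50.0.0/24"],
}
_ZONE_NETS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]

# Constructed documented conduits, directional: (source zone, destination zone, service).
DOCUMENTED = {
    ("SIS", "SOC", "udp/514"),                       # SIS pushes syslog to the SOC, nothing back
    ("Operations", "Process-Control", "tcp/502"),    # engineering workstation to PLCs
    ("Operations", "Process-Control", "tcp/44818"),  # documented but never seen below
}

# Constructed NetFlow-style export: five-tuple plus byte count, one flow per line.
FLOWS_CSV = """src_ip,dst_ip,proto,dst_port,bytes
10.10.1.5,10.50.0.20,udp,514,2048
10.10.4.10,10.10.3.21,tcp,502,9100
10.10.3.21,10.10.3.22,tcp,502,400
10.50.0.20,10.10.1.5,tcp,22,12000
10.10.4.10,10.10.2.7,tcp,102,3300
192.168.77.3,10.10.3.21,tcp,502,800
"""


def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if the address is unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _ZONE_NETS:
        if addr in net:
            return zone
    return None


def parse_flows(text):
    return list(csv.DictReader(io.StringIO(text)))


def observed_conduits(flows):
    """Map each inter-zone flow to a (src_zone, dst_zone, service) conduit.

    Returns (conduit -> total bytes, flows with an endpoint that is in no zone).
    """
    seen = Counter()
    unmapped = []
    for f in flows:
        src, dst = zone_of(f["src_ip"]), zone_of(f["dst_ip"])
        if src is None or dst is None:
            unmapped.append(f)          # an asset the inventory does not know about
            continue
        if src == dst:
            continue                    # intra-zone traffic is not a conduit
        seen[(src, dst, f"{f['proto']}/{f['dst_port']}")] += int(f["bytes"])
    return seen, unmapped


def review(flows, documented=DOCUMENTED):
    """Split conduits into documented, undocumented (observed only) and unobserved (documented only)."""
    seen, unmapped = observed_conduits(flows)
    observed = set(seen)
    return {
        "documented": sorted(observed & documented),
        "undocumented": sorted(observed - documented),
        "unobserved": sorted(documented - observed),
        "unmapped": unmapped,
        "bytes": dict(seen),
    }


if __name__ == "__main__":
    result = review(parse_flows(FLOWS_CSV))
    for key in ("documented", "undocumented", "unobserved"):
        print(key)
        for src, dst, svc in result[key]:
            print(f"   {src} -> {dst} {svc}")
    for f in result["unmapped"]:
        print("unmapped endpoint:", f["src_ip"], "->", f["dst_ip"])
```

Two caveats when running this against real exports. NetFlow records each direction of a TCP session separately, so the reply half of a documented conduit (source port equal to the service port) would show up as a reversed, undocumented conduit; fold replies into the initiating direction before comparing, otherwise every documented conduit gets an undocumented twin. And an undocumented conduit is a finding to investigate, not automatically a violation: it is often a real dependency nobody wrote down, which is exactly why the conduits have to be documented before the risk assessment.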
We're going to come back and talk about that more, because we have a later section talking more specifically to 62443, and my next class that I'm going to build is all dedicated to understanding 62443. Because it's one of those where, to me, and I think a lot of people, at least those from the IT background, the people I talk with, feel the same way: you get this great standard or framework, like, here's all the information you need to secure your OT environment, that's awesome, it's like this is what I've been looking for my entire life. But then you start reading it, and the way they've structured it and the parts, to me there's like no logical flow, and it's not explained from a practical perspective. It's like, I just want to know how to do it, and the way it's structured and laid out, again, for me, it just does not work. So the class I'm writing now is the practical approach to implementing a cyber security program based off of 62443. I'm really excited about that, because I think it's really key. I think it'll help a lot of people.

So again, we're going to come back, actually, I think this is the wrong unit number, so don't quote me on this, but it might actually be right. But we are going to come back and talk more about zones and conduits when we get into 62443, when we talk about the risk assessment piece, so we'll look at those.

So real quickly,
let's talk about the Industrial Internet of Things. We'll come back and talk about this later on as well, but I did want to introduce it here because we are talking about secure network architecture. With IIoT, this is a term that came from General Electric, and the way it was explained to me was, GE, and actually I live not too far from the plant here in Greenville, South Carolina, and one of the gentlemen that runs cyber security for GE for many of the product lines is here in Greenville. He knows everybody in the OT cyber security world. Hi Rob, oh, Gary actually, but anyways, long story there. The idea is that two of the things that GE built here in Greenville are the big turbines for wind farms, and locomotives. So if you have a train locomotive and, as they say, you wrap it in thousands of sensors to do things like predictive analytics, to understand when parts are going to break down and when they need to be replaced ahead of time so we don't cause any accidents, right? You can have predictive analytics even on understanding how fast the train is traveling. Is it traveling too fast? There's a curve coming up, does the train need to slow down? What if the conductor had a heart attack and they're lying on the floor of the train? So being able to take all of this data into consideration, the idea is you need a powerful computer to be able to crunch those numbers, and you're not going to be able to fit that computer on the train, but you can take that data and push it up to the cloud, crunch the numbers there, and make that information available in the cloud.

So it's awesome that we can have all these sensors and get all this data up to the cloud, but in that case we're connecting our OT environment, in this case the train, to the internet to get to those cloud-based servers. So it's another one of those where we don't want to tell the business, "No, you can't do this," because they're going to do it anyways, but we want to make sure we say, "Okay, let's do this as securely as possible." So that's where we started thinking of things like, well, data diodes or unidirectional gateways, or a firewall, to be able to allow the OT network to send to the cloud in a one-way fashion but not allow return traffic. That can make it as secure as possible, so it's a win-win for everybody. It's secure, right? We don't allow attackers coming in from the internet to talk directly to the OT environment, whether it's the train or a wind farm or a power plant, but we get that data out in the cloud, and then someone can pull up a dashboard and realize when they need to do maintenance and replace certain parts on the train, because we don't need any more derailments. We have way too many derailments as it is that could have been prevented by things like maintenance. So that's the quick introduction to the Industrial Internet of Things, which again we're going to come back and talk about later
on.

Oh, and this is just the idea, right: if we're sending data out to the cloud, we want to make sure that attackers aren't able to come back. So remember, we make sure that it's an outbound-only connection. We do not allow the data to come back, so we're just providing the data for read-only capabilities in most environments, and that's changing as well, so more to come.

And then the last thing to talk
about is secure remote access. Okay, we're going to come back and talk about this in more detail later on, but again, just to wrap up the secure network architecture, because it is part of that conversation: the idea that we want to allow remote parties to come in. Even before COVID, but when COVID hit it was, hey, everybody is doing everything remote almost always. So we want to be able to, I remember my first site, right, I was like, yeah, we want to allow remote connection because Sam's the only person that can come and do maintenance on these systems, and Sam lives on the other side of the country, and we don't want to spend $4,000 in travel costs every time we bring Sam out. We'd rather put in a VPN appliance and give him access remotely. Can we do that? Yes. Now we're going to add some more security features to that, things like jump boxes and on-demand access and multi-factor authentication, to make it more secure. Because again, you're not going to have a choice, the business is going to do it, so we want to take the opportunity to work with them and do it securely. The other reason why we like people doing work remotely is they don't have to be on site where they're potentially in danger, so it's much safer to be able to make those changes from the other side of the country.

Again, we just have to remember, and we have to always assume, no matter how secure we make it, it is going to be compromised and it is going to be used against us. So we have to prepare for that and understand how we are going to detect it and how we are going to jump into action to respond when it does happen, because it will happen, one way or another, one day.

And with that, that's the end of the section. I appreciate everybody for connecting in. If you like the video, if you can like it on YouTube, and if you haven't subscribed to the channel, if you subscribe, I appreciate that. And if you haven't already, find me on LinkedIn and reach out to me there. So again, thanks, and I'll see you soon for part five.