Tailored OT Security

on 13 Mar 2018

Unless you’ve been off the grid the past few years, you’ve no doubt noticed an increase in cyber security risk for operational technology (OT)-based systems. Whether for factory control, connected cars, military weapons, smart energy systems, safety monitoring, or the like, the challenge of keeping malicious adversaries away is increasingly falling upon a functional protection component that barely existed just a few years ago: the IT/OT Security Gateway.

Now, if you will remember back to the Awesome Nineties, technology from a company called Novell powered most local area networks. Notably, LAN technology was not based on IP, but rather on a Novell protocol called IPX. The enterprise networking result was non-interoperability between LANs and the Internet, which aggravated IT administrators as much as it delighted security experts. Non-interoperability implied non-cascading of attacks.

A somewhat comparable situation exists today for OT environments. That is, industrial control systems (ICS) operate using networking technologies that are largely incompatible with conventional IT infrastructure over IP. Instead, hybrid arrangements of legacy and new network and processing systems are put in place to monitor (usually remotely) and control (usually locally) the safe operation of OT-based networks.

This topic was at the forefront of a conversation I had last week with Kevin Senator, CEO of Bayshore Networks. Bayshore is an industrial cyber security company headquartered in Bethesda that offers a comprehensive solution for real-time visibility and mitigation of ICS traffic, policy-based access controls, and remote access management using VPN. For industrial environments that demand bi-directional traffic across the OT gateway, Bayshore Networks is an excellent option.

What I found fascinating in my discussion with Senator was the approach Bayshore takes to the classic long-tail problem in OT security. Whereas a healthy percentage of present ICS environments will be using reasonably well-known network and system technologies such as MODBUS, an even healthier percentage will operate using non-standard technologies that are proprietary, legacy, and less understood – hence, the long tail.

“What we do in these familiar cases of highly proprietary and differing OT protocols,” Senator explained, “is start with our baseline Bayshore technology, one that we believe covers many practical cases. It was designed with this intent, namely to offer visibility, control, and access for many common systems. But then we tailor this baseline to match the specifics of a proprietary or unusual case. This allows us to cover a large range of engagements.”

This concept of providing a well-known technology core that can be tailored to specific cases is powerful in computing, and will be a requirement as more ICS environments become subjected to stringent cyber security controls. It is highly unlikely that an OT ecosystem will be completely redesigned to match the capabilities of existing IT security systems for the purposes of threat reduction or compliance. Instead, vendors will be asked to fine-tune from a common base.

“We understand the challenge that so many of our customers have,” Senator explained, “where the emerging cyber threat to industrial applications is growing, but the OT security team cannot deploy effective off-the-shelf tools. We’ve tried hard to create ICS security solutions that come as close to off-the-shelf as possible, but with our supporting efforts to tailor the base solution into the proprietary environment operating inside the OT gateway.”

My advice, if you are running industrial infrastructure, is to take a close look at what Kevin Senator and the Bayshore Networks team are doing. I’m familiar with the plethora of different systems, applications, controls, and networks that exist in modern OT infrastructure. The focus Bayshore offers on helping customers integrate cyber solutions consistent with local needs is long-needed in our industry.

So, give them a call or request a consultation, and please share your experiences and learnings with us.