While some hackers are technically gifted individuals who can find their way into any plant OT and/or IT system using their knowledge of computers, networks and cybersecurity tools, in many cases, hackers take the easiest route to their destination — that being your data. And that easy route may actually be through your “front door,” not the proverbial “back door.”

For instance, Infosec reported that its OT Top Security Threat for 2024 is “inadequate authentication and authorization, inadequate or nonexistent authentication and authorization control measures that can allow unauthorized individuals to gain access to OT systems.”

In its 2024 X-Force Threat Intelligence Index, IBM reports cybercriminals are increasingly “logging in” with valid accounts, rather than hacking into networks. Valid accounts became the “most common entry point into victim environments” in 2023, representing 30% of all incidents IBM’s X-Force responded to. Additionally, IBM reports a 71% year-over-year increase in cyberattacks using valid credentials.

The Trouble with OT Systems and Connecting to IT

There are multiple issues with OT systems that prevent implementation of cybersecurity and integration with centralized authentication and authorization systems, says Steve Ward, director, application specialists, EMEA, Emerson Discrete Automation. OT control systems are commonly installed, used and amortized over a long period — often 10 years or more.

While cybersecurity has been an issue for many years, older OT control systems often have few or no cybersecurity capabilities. OT practitioners may not be aware of cybersecurity capabilities and even if these capabilities are present, they may not be implemented. If OT practitioners are aware of cybersecurity, they may consider that their machine or process is air-gapped from the internet, although in practice there often is a connection, and even if they are air-gapped, risks still exist. OT practitioners also must consider ease-of-use over the lifecycle of the machine or process: if cybersecurity protection is implemented, how will this affect the ability to maintain the machine in case of a failure? A password might provide some protection against some attacks, but if the password is lost then a simple failure could turn into days or weeks of downtime.

Early on when IT and OT systems became more “connected,” it was assumed that the IT system could serve as the gatekeeper for logons to the OT network, which added complexity and degraded overall network performance. According to Robert Dunlap, controls engineer for Atlas-OT, a CSIA (Control System Integrators Association) member, even if new systems are designed with enough bandwidth, the technology changes so fast that it’s very difficult to keep ahead of it and keep a plant running. “Having an IT component that grants OT access means IT/OT convergence, which is not necessarily a good idea,” Dunlap says. “Many operators use a common portal for IT and OT applications, which presents another attack vector. Each vendor has a different OT-environment provisioning method.”

“Food and beverage manufacturers must acknowledge that the core of inadequate authentication and authorization in OT systems stems from legacy infrastructure,” adds Brian Van Vleet, CSSE, Rockwell Automation. “These systems were built during an era when connectivity was limited to isolated environments, and robust security protocols were unnecessary. This outdated foundation leaves a significant gap in modern threat landscapes where cybercriminals exploit weak authentication to gain entry. To address this, we need multi-layered strategies. First, implementing role-based access control (RBAC) and multi-factor authentication (MFA) across OT environments is non-negotiable.”

While these solutions are standard in IT, their integration in OT is challenging due to system interdependencies and operational requirements. However, modern control systems increasingly support MFA tied to centralized identity systems.

Microsoft Active Directory a Solution, But Where Should It Run?

Could Microsoft Active Directory (AD) provide these logon and authentication services for the OT network, especially since many controllers and edge servers run Microsoft Windows?

“In many cases, Active Directory can consolidate control-level sign-ons, but this approach is not universal,” Van Vleet says. “Manufacturers in the food and beverage industry and beyond should consider hybrid models where IT grants access to OT systems under strict conditional policies. These policies ensure that access is limited, monitored and revocable in real-time. Emerging OT-specific identity management tools provide similar functionality tailored to industrial protocols and are worth exploring.”

Requiring IT-level resources to provide access to controls resources can have its advantages, however, the priorities and objectives of the controls user are often different from that of the traditional IT user, says Dan Ternes, controls engineer for Egan Company / Industrial Controls, a CSIA member. But when both teams understand each other’s perspectives, they can more readily benefit from each other’s experience and best practices.

Active Directory at the OT Level?

“Manufacturers can overcome the majority of the issues of inadequate authentication and authorization by deploying Active Directory in the OT environment and properly investing in OT security personnel or third-party vendors to deploy role-based security,” says Nar Vang, ICS cybersecurity engineer for TM Process and Controls, OT and ICS Cybersecurity, a CSIA member.

Using tools familiar to most IT organizations, an engineering workstation running Windows server could be used as the primary method for interacting with and managing OT devices, Ternes says. “This workstation would have controlled network access to OT devices and the requisite applications and licensing installed. Technicians access this server via Remote Desktop using Active Directory credentials. While this method can be effective in limiting access and enabling monitoring of activity to an extent, it requires well-developed Active Directory policies and management. It also still relies on the assumption that the user authenticating with an account is who they say they are.”

Van Vleet isn’t the only one suggesting role-based access control. “Role-based security practices the principle of least privilege, meaning a role is only provided just enough access to the system to complete their job duty,” Vang adds. “For example, a controls engineer is only assigned user access to an engineering workstation with programming software, but they are not allowed to modify Active Directory objects. An OT Active Directory deployment will cover a majority of authentication and authorization issues but may not cover device level (VFDs, transmitters, etc.) management and configuration access. For device level, default usernames and passwords must be updated and stored in a password vault where only the appropriate personnel can have access based on job roles.”

“Manufacturers can overcome inadequate authentication and authorization in OT systems by implementing the Zero Trust Architecture (ZTA) framework outlined in the CISA guide,” says Matt Smith, security engineer for E Tech Group, a CSIA certified member. ZTA emphasizes building security around devices and networks, including device authentication mechanisms. Manufacturers can start by identifying and categorizing their OT devices and networks to determine the appropriate level of access control and authentication. For centralized authentication and authorization, manufacturers can use Identity and Access Management (IAM) or Privileged Access Management (PAM) solutions. While many existing OT systems were not designed with security in mind, implementing ZTA and using IAM or PAM solutions can help manufacturers build robust authentication and authorization mechanisms into their OT networks.

The “Cloud” and Safe Operation

IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards (ISA, May 2024) points out four example use cases for IIoT-based cloud services and industrial control:

1. Cloud-based data analytics – non-operational (view data only)
2. Cloud-based data analytics – operational (operator could make a change influenced by data and trends stored in the cloud
3. Cloud-based operator view and manipulation (operator can view and manually manipulate the physical state of the equipment under control from the cloud zone)
4. Cloud-based non-essential control (cloud can automatically send a setpoint to a controller in the edge zone, which can change/relay the setpoint to a controller, asking a physical change to equipment under control.

While ISA doesn’t make the case for or against the cloud/control applications cases 1-4 shown above, based on bad actors obtaining valid logins/passwords for cloud or plant-based equipment, what practical methods can be applied to keep these bad actors out of control loops and systems without causing negative consequences to those (e.g., staff engineers, system integrator) who should be connected?

Organizations should adopt and observe OT and manufacturing IT philosophies analogous to asset plans, says Jason Pennington, Endress+Hauser USA director of digital solutions. “Our most mature digital customers are promoting the idea that digital assets require a maintenance plan and set of policies that are regularly reviewed, included in onboarding/offboarding procedures, and administered via central services rather than ad hoc at a departmental or divisional level.”

Regarding cloud-based services, which are run by experts, a user can generally be confident that the cybersecurity provided by the cloud vendor is better than the cybersecurity that processors could implement themselves, says Emerson’s Ward. Cloud vendors implement secure protocols that protect information in transit, including user details and passwords. However, user account management remains the responsibility of the user, and they must ensure that user accounts are maintained along with a suitable password policy—and that departing users are deleted.

While ISA does not make cases for or against cloud-based integrations in industrial environments, individual enterprises and OT departments should consider the inherent risks associated with cloud-based deployments and evaluate the impact on the business if there were a breach, says TM Process and Controls’ Vang. In general, proper architecture and network segmentation can allow inherently low-risk, cloud-based platform integrations that reside mainly in the data analytics or data feeding up into the cloud category.

For cloud-based operator viewing and manipulation, an organization should question the need since there should already be onsite viewing and manipulation on the plant floor or operator room, Vang adds. If there is a valid justification, the next question should be what data must be viewed and manipulated from the cloud platform. The data sets should be reviewed along with how a cloud data breach could impact operations.

Once vetted, Vang says, intermediary industrial software/hardware must be put in place to act as a middleman to get the data from OT to the cloud platform and vice-versa. One key component of the intermediary software/hardware is that there must be manual data mapping to ensure the entire OT dataset is not exposed to the cloud. Lastly, there must be code put in place at the PLC/DCS level to disregard manipulations exceeding the system’s safe and allowable range.

Cloud or Not: It’s All About User Access Control

Atlas-OT’s Dunlap points to the basics — once a system has gone through FAT and is up and running in production, all those who had a role in setting up the system no longer need to be kept on a logon list. “Remove back doors, and that means removing all back doors,” Dunlap says. “Hacks have occurred as third-party suppliers are compromised and the attacker gains access to new parts of the supply chain. I have seen control systems for which the process licensor, the licensor’s partners, the systems integrator, terminated employees and various service providers were still provisioned. Set up configurations and/administrative actions to remove these accounts quickly.”

Dunlap suggests other steps that can be taken to keep unneeded people out of the system:

• Set up implicit deny to all users and services, including non-human users.
• There are still control systems being built that use insecure protocols. One popular vendor has systems that use a potentially compromised hash algorithm.
• Understand how network and session keys are generated and update the algorithms if possible.
• Find bad certificates and update them.
• Update older equipment to ensure that the newer is not forced into using older standards to maintain compatibility.
• If a device has a hard-coded, unchanging network key, upgrade as soon as possible.

Manufacturers can use access controls, network segmentation, behavioral analytics and multi-factor authentication (MFA) to keep bad actors out of control loops and systems with legitimate logins and passwords, says E Tech’s Smith. MFA gives the login process an additional layer of security, and network segmentation reduces the harm that a malicious actor could do if they were to get access to the system. Access controls restrict who can access the system and what they can do, while behavioral analytics identify anomalous network activity.

MFA is recommended, but this may be complicated to implement in OT situations, says Emerson’s Ward. For example, operators may not be allowed to take their mobile phones into the production environment and so MFA apps will not be accessible, and other techniques such as keyfobs and access cards may not be available to contractors and temporary workers. A disaffected user could also interfere with operations by “losing” a physical device so that they can’t work until it is replaced.

“One area of concern that is quite pervasive in our industry is the use of common patterns in system and device credentials,” says Egan’s Ternes. This is usually seen on devices that are networked but are not able to utilize systems like Active Directory to manage access. Assuming a default login is changed at all during commissioning of a device, it is often set to a common login used around the plant. Or, if not identical, it is very similar, not complex, and easy to guess. As a result, if one such account is compromised, an attacker might easily access other devices and systems once this pattern is recognized.

ISA/IEC 62443 Standards Define Roles in Cybersecurity

ISA/IEC 62443 differs from other information security and data security standards, focusing on cyber-physical systems that are often found in industrial environments, says Endress+Hauser’s Pennington. This standard is not a mandatory requirement in industry, but it is frequently discussed, highly regarded and regularly observed. Historically, best practices entailed simply isolating plant control networks. However, today’s connected plant environments typically preclude this option. As a result, many manufacturers have reworked products to implement secure-by-design principles, adopted firmware maintenance and patch policies and are protecting bidirectional data transfer between edge devices and central systems.

Achieving compatibility with ISA/IEC 62443 standards requires a holistic approach across hardware and software design, says Rockwell’s Van Vleet. For a controls company, this involves:

Robust product design: Controllers, sensors, and network devices must include secure boot mechanisms, signed firmware, and encrypted communication protocols.

Comprehensive testing: Products undergo rigorous vulnerability assessments to ensure resilience against known exploits.

Lifecycle support: Regular patching and updates must be guaranteed to maintain compliance over time.

OT control system vendors in following the ISA/IEC 62443 standard take several approaches in implementing secure devices, says Emerson’s Ward. Typical approaches include:

• A built-in firewall
• Trusted Platform Module (TPM) to store certificates and security details
• Signed boot (only applications signed by the installed certificates will be run)
• Timed boot (measuring how long it takes to load from boot in case a malicious payload has been added)
• Security logs to store log in attempts and download details
• Implementation of secure protocols
• Capabilities to only enable ports and protocols that are used (i.e. disabled by default)
• Techniques to prevent remote access (by ensuring local presence for certain activities like configuration or firmware updates)
• Access levels restricted by passwords

“Manufacturers can use the Zero Trust Architecture framework to get around insufficient authentication and authorization in OT systems,” says E Tech’s Smith. ZTA places a strong emphasis on securing networks and devices, including device authentication systems.

HMI/SCADA vendors running on Windows or Linux operating systems have a slightly easier life since many of the cybersecurity provisions come from the operating system or hardware layer, but they still have to implement user management and integration with Microsoft’s Active Directory or equivalents, says Ward. HMI/SCADA vendors also have to regularly update their software to deal with any new vulnerabilities, often by updating the underlying components they use (for example Microsoft’s .NET and open-source software), Ward says.

The advantages of ISA/IEC 62443 compliance are clear: improved security posture, regulatory alignment, and customer trust. However, challenges include higher development costs and the complexity of certifying diverse product lines. Ultimately, these standards provide a framework that aligns the food industry with a security-first mindset, Van Vleet says.