UTC Journal Q2 2014 : Page 19

TECHNOLOGY SPOTLIGHT

IT/OT Integration Done Right and Done Wrong

By Andrew Ginter
By Lior Frenkel

Information technology/operations technology (IT/OT) integration is a trend that has been long predicted and long followed by the Gartner Group and other industry analysts. The term is generally defined as the integration of people and business processes but in common usage is synonymous with thorough network and technology integration, as well. The problem is that indiscriminate integration of IT and OT networks results in safety and reliability risks due to cybersecurity vulnerabilities. These risks are often poorly understood.

IT/OT Integration Done Wrong

The fundamental premise of IT/OT integration is sound; as IT and OT technologies continue to converge, it makes sense that IT and OT practitioner skill sets are also converging and that IT and OT business practices should, as well. For example, if a business purchases an enterprise-wide license to deploy a particular vendor's relational database products, it makes little sense for control system sites to purchase, deploy, and maintain any other relational database vendor's products. Similarly, if the business deploys technologies and business processes to efficiently and comprehensively manage software licenses, it makes little sense for each operations site to track its software purchases and license usage any other way.

The problem with IT/OT integration is not with people, technology, or process standardization; it is with network technology integration. If a business deploys a software license management system, does it make sense for OT equipment to communicate with the IT license management servers? Or should a parallel set of servers for OT licenses be deployed instead?

The Problem with Active Directory Integration

Perhaps the biggest problem with indiscriminate IT/OT network and systems integration is active directory (AD) integration. Security best practices and standards, including NERC CIP requirements, demand that secure businesses revoke all access companywide within 24 to 48 hours for any employee terminated with cause and within two to 10 days for normal terminations. Windows AD servers provide an attractive value proposition for this very common requirement; with one mouse-click, access can be revoked companywide for a terminated employee, even from all OT systems that are connected to and trust the corporate AD system.

The problem is that well-documented and extremely effective attack patterns target AD controllers specifically. An attacker with remote control of malware on any corporate computer can harvest password hashes from recently used accounts and use pass-the-hash technology to make use of any domain administrator credentials found on a machine. These attacks are well-known and defeat even advanced two-factor authentication schemes. When no sufficiently powerful credentials are found on a compromised machine, the usual attack pattern is to introduce some cryptic problem on the affected computer and wait. The computer's user logs a support request, and a domain administrator from the corporate helpdesk logs into the compromised computer to diagnose and repair the problem. The attacker uses this opportunity to capture the domain administrator's password hash credentials, use them to log into the AD controller, and create new accounts for him or herself. These accounts have permission to log into any computer companywide, including VPN servers, OT servers, and interactive remote access servers. In this way, the compromise of the AD controller leads directly to the compromise of critical control systems and operations assets. Anecdotal reports have penetration testers using this attack technique to breach otherwise NERC CIP-compliant security perimeters at electric utilities in mere minutes.

NERC CIP Implications

IT/OT network integration issues are in fact addressed by all versions of the NERC CIP standards, from V1 through

Continued on page 20
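The Active Directory attack chain described above (a domain administrator logging on to a compromised workstation, the stolen credentials then being used on the domain controller to create a new privileged account) leaves a recognisable trail in Windows security logs. The following correlation is an added example, not from the article or its authors; the event records are constructed, and the field names, the event IDs (4624 logon, 4720 account created, 4728 member added to a global group), and the lists of domain-admin accounts and domain controllers are assumptions for the sake of the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# Windows Security log loosely; in practice these come from a SIEM export.
EVENTS = [
    {"ts": "2014-04-01T09:00:00", "host": "WS-0417", "id": 4624,
     "user": "helpdesk-da", "logon_type": 10},                  # RDP to workstation
    {"ts": "2014-04-01T09:03:00", "host": "DC01", "id": 4624,
     "user": "helpdesk-da", "logon_type": 3},                   # network logon to DC
    {"ts": "2014-04-01T09:04:00", "host": "DC01", "id": 4720,
     "user": "helpdesk-da", "target": "svc-backup2"},           # new account created
    {"ts": "2014-04-01T09:05:00", "host": "DC01", "id": 4728,
     "user": "helpdesk-da", "target": "svc-backup2", "group": "Domain Admins"},
]
DOMAIN_ADMINS = {"helpdesk-da"}      # assumed: accounts holding domain-admin rights
DOMAIN_CONTROLLERS = {"DC01"}        # assumed: domain controller hostnames
INTERACTIVE = {2, 10, 11}            # console, RemoteInteractive, cached logons


def find_chain(events, window=timedelta(hours=1)):
    """Return (admin, workstation, new_account, group) tuples for each
    admin-logon-to-workstation followed, within `window`, by that same
    admin creating an account on a DC and adding it to a group."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        # Step 1: a domain-admin account logs on interactively to a non-DC host.
        if not (e["id"] == 4624 and e["user"] in DOMAIN_ADMINS
                and e["logon_type"] in INTERACTIVE
                and e["host"] not in DOMAIN_CONTROLLERS):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        created = set()
        for f in events[i + 1:]:
            if datetime.fromisoformat(f["ts"]) - t0 > window:
                break
            if f["host"] not in DOMAIN_CONTROLLERS or f["user"] != e["user"]:
                continue
            # Step 2: the same admin account creates a new account on a DC.
            if f["id"] == 4720:
                created.add(f["target"])
            # Step 3: that new account is added to a privileged group.
            elif f["id"] == 4728 and f["target"] in created:
                alerts.append((e["user"], e["host"], f["target"], f["group"]))
    return alerts
```

Step 1 on its own (a domain-admin interactive logon to an ordinary workstation) is the exposure the article warns about and is worth alerting on by itself; the full chain is what distinguishes a helpdesk visit from a helpdesk visit that was used to take over the directory.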


