What's the benefit of Moving Target Defense in Zero Trust SRA?
Operational technology (OT) and critical infrastructure are becoming increasingly connected to the Internet, leaving them vulnerable to cyberattacks. As a result, there is a pressing need to improve OT security to safeguard the operations of critical infrastructure such as energy, manufacturing, and water systems. At the same time, these systems operate in strict performance environments with limited budgets. You have to keep the water flowing for pennies. Facing two competing challenges—spend more on cybersecurity, save more on efficiency—a new solution has gained traction in recent years: Moving Target Defense (MTD) networks.
MTD networks are a modern next-generation form of zero trust that protect OT systems by dynamically changing not only network configurations but also the underlying virtual infrastructure connecting the OT system to the public Internet. By destroying and replacing the bridging infrastructure on a regular basis, MTD networks make it harder for attackers to exploit vulnerabilities and gain access to sensitive information. More specifically, this additional layer of MTD protection prevents attackers from using intelligence about network node locations—something just changing a configuration cannot do because the attacker still targets the same box.
Making the Other Party Pay
Zero trust is a security concept that requires every user, device, and application to be authenticated and authorized before being granted access to a network. This means that remote access to critical systems is limited, and all activity is continuously monitored for any suspicious behavior. MTD networks are a modern next-generation form of zero trust because they use a similar approach to security, but with an added layer of dynamic infrastructure protection.
MTD networks significantly increase the cost of targeting and attacking OT systems by rendering reconnaissance intelligence obsolete and useless on an hourly or daily basis. In traditional networks, attackers spend significant amounts of time and resources gathering intelligence on the target's vulnerabilities, weaknesses, and entry points. However, with MTD networks, the constantly changing infrastructure makes it difficult for attackers to gather accurate intelligence, reducing their effectiveness and significantly increasing the cost of an attack.
Another advantage of MTD networks is the minimized attacker dwell time inside a network. When attackers gain access to a network, they aim to remain undetected for as long as possible to exfiltrate sensitive data or cause damage to the system. However, with MTD networks, the constantly changing infrastructure makes it difficult for attackers to remain undetected for extended periods, significantly reducing the damage they can cause.
Adoption by NIST
The National Institute of Standards and Technology (NIST) has developed several guidelines for OT security, including NIST SP 800-53, 800-82, and 800-160 Volume 2. These guidelines provide recommendations for securing OT systems and networks against cyberattacks. Additionally, the International Electrotechnical Commission (IEC) has developed standards such as IEC 62443 for securing industrial automation and control systems.
How to Implement MTD at Your Facilities
Step 1: Choose the factories you need to stream data (machine and human remote access) to and from.
Step 2: Using the Purdue Model, decide where in the factory you want to segment the IT and OT networks.
Step 3: Install an MTD egress node. MTD egress nodes are virtual appliances that provide uplinks from factories to the MTD network. Dispel's egress nodes are called Wicket ESIs.
Step 4: Assign which device IP addresses, ports, and protocols you want individual users to be able to connect to. With MTD zero trust, it's possible to assign specific IP addresses, ports, and protocols to individual users to limit access even in 30-year-old factories.
Step 5: Connect and collect activity for ongoing security monitoring: MTD networks provide ongoing security monitoring, allowing administrators to identify and respond to potential security threats in real-time. By collecting activity data, MTD solutions can provide valuable insights into network behavior, which can be used to improve security policies and protocols.
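Steps 4 and 5 together amount to a default-deny, per-user allow list whose every decision is recorded for later review. The following Python, added here as an illustration and not Dispel's or the Wicket ESI's code, sketches that logic: the user names, device addresses, ports, grants and audit-record format are all constructed assumptions, and the "users to review" rule is a deliberately simple stand-in for real monitoring.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One (device address or CIDR, port, protocol) tuple a user may reach."""
    network: str
    port: int
    protocol: str  # "tcp" or "udp"

    def matches(self, dst_ip: str, dst_port: int, protocol: str) -> bool:
        return (ip_address(dst_ip) in ip_network(self.network, strict=False)
                and dst_port == self.port
                and protocol.lower() == self.protocol)


@dataclass
class AccessPolicy:
    """Default-deny, per-user allow list with an audit trail of every decision."""
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def allow(self, user: str, network: str, port: int, protocol: str) -> None:
        self.grants.setdefault(user, []).append(Grant(network, port, protocol.lower()))

    def decide(self, user: str, dst_ip: str, dst_port: int, protocol: str,
               now: Optional[datetime] = None) -> bool:
        """Return True only if an explicit grant for this user matches the request.
        Every request, allowed or denied, is appended to the audit log (Step 5)."""
        matched = any(g.matches(dst_ip, dst_port, protocol)
                      for g in self.grants.get(user, []))
        self.audit_log.append({
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "dst": dst_ip,
            "port": dst_port,
            "proto": protocol.lower(),
            "verdict": "ALLOW" if matched else "DENY",
        })
        return matched

    def denials_by_user(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry["verdict"] == "DENY":
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts

    def users_to_review(self, threshold: int = 2) -> List[str]:
        """Users whose denied attempts reach the threshold: a simple feed for monitoring."""
        return sorted(u for u, n in self.denials_by_user().items() if n >= threshold)


def build_example_policy() -> AccessPolicy:
    # Constructed grants: users, roles and RFC 1918 addresses are illustrative only.
    policy = AccessPolicy()
    policy.allow("plc_tech", "10.20.1.15/32", 502, "tcp")    # Modbus/TCP to one PLC
    policy.allow("hmi_vendor", "10.20.1.0/24", 3389, "tcp")  # RDP to the HMI subnet
    return policy


def run_example() -> Tuple[List[bool], AccessPolicy]:
    """Evaluate a constructed batch of connection requests against the policy."""
    policy = build_example_policy()
    requests = [
        ("plc_tech", "10.20.1.15", 502, "tcp"),     # granted
        ("plc_tech", "10.20.1.15", 22, "tcp"),      # SSH to the PLC was never granted
        ("plc_tech", "10.20.1.16", 502, "tcp"),     # Modbus to a PLC outside the grant
        ("hmi_vendor", "10.20.1.40", 3389, "tcp"),  # RDP inside the granted subnet
        ("hmi_vendor", "10.20.1.15", 502, "tcp"),   # vendor holds no Modbus grant
        ("contractor", "10.20.1.15", 502, "tcp"),   # unknown user: no grants at all
    ]
    decisions = [policy.decide(*req) for req in requests]
    return decisions, policy


if __name__ == "__main__":
    decisions, policy = run_example()
    for entry, verdict in zip(policy.audit_log, decisions):
        print(f'{entry["ts"]} {entry["user"]:>10} -> {entry["dst"]}:{entry["port"]}/{entry["proto"]} {entry["verdict"]}')
    print("users to review:", policy.users_to_review())
```

The important property is the absence of any wildcard: a user with a grant for one PLC's Modbus port cannot reach that PLC's SSH port or a neighbouring PLC, and an identity with no grants gets nothing. The audit log is what Step 5 consumes; a user accumulating denials is the kind of signal worth surfacing to whoever reviews the facility's access policy.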
Outcomes & Measures
Adopted across energy, oil & gas, food & beverage, irrigation, water & wastewater, discrete manufacturing, and government since 2015, MTD networks with dynamic infrastructure protection are an effective solution for protecting OT systems and critical infrastructure against cyberattacks. By dynamically changing both network configurations and the underlying virtual infrastructure, MTD networks make it harder for attackers to exploit vulnerabilities, gain access to sensitive information, and use intelligence about network node locations. MTD networks are also a modern form of zero trust, constantly verifying the identities of users and devices and limiting the possibility of unauthorized access. As organizations continue to modernize their OT systems and networks, MTD networks with dynamic infrastructure protection will play an increasingly critical role in safeguarding critical infrastructure against cyber threats.