Ensuring the safety and security of grain elevator operations is of paramount importance. With advancements in technology, the role of a robust network has become increasingly crucial in maintaining the integrity and efficiency of grain facilites. David Smit, OT architect operational technology: Infrastructure and security for Interstates, delivered an educational session exploring the significance of Operational Technology (OT) networks and steps that can be taken to secure them at GEAPS Exchange 2024.
The importance of OT networks
Smit emphasized that OT networks are distinct from traditional Information Technology (IT) networks and play a major role in the functioning of grain elevators. While IT networks primarily deal with administrative tasks such as email communication and file sharing, OT networks are responsible for managing the operational aspects of the elevator, including manufacturing processes and controls.
The risks associated with OT networks are significantly different from those of IT networks. In an IT network, the loss of a printer or the inability to access email may cause inconvenience, but it does not pose a direct threat to life or safety.
However, in an OT network, a loss of control over crucial systems can have severe consequences. For instance, in a paper-making industry, the loss of control over a hydraulic press moving a 50-ton roll of paper can result in accidents or injuries. Similarly, in the automotive industry, losing control over systems testing a 10-ton axle spinning at 10,000 rpms can lead to catastrophic failures. In a grain elevator, a loss of control over the elevator leg or a lift can have life-threatening implications.
Traditionally, OT networks were directly wired, with PLCs (Programmable Logic Controllers) connected through physical cables. However, with the advent of IP-based technologies, most OT networks now rely on network protocols for communication. This transition has blurred the boundaries between OT and IT networks and increased connectivity.
Today, OT networks are no longer isolated or disconnected from the corporate zone. Organizations seek more visibility and data from their networks to enable predictive maintenance and performance metrics. OT networks are now connected or are planned to be connected, Smit said, either internally within the company or externally with vendors and support personnel.
While increased connectivity offers numerous benefits, it also introduces new risks. bridging connections between personal devices and company systems can create vulnerabilities that expose the entire network to external threats.
For example, the use of laptops and mobile devices by plant operators and vendors can potentially compromise the security of OT networks by unknowingly carrying malware or unauthorized software, making them potential entry points for cyberattacks.
Mitigating risks in OT networks
To mitigate the risks associated with OT networks, Smit said it is essential to implement appropriate security measures. The following strategies can help secure grain elevator networks:
1. Implement firewalls
Firewalls act as a first line of defense in network security. They regulate incoming and outgoing network traffic based on predefined security rules.
“I have a couple of nonnegotiables, and having an OT firewall is a nonnegotiable,” Smit said. “You won’t convince me otherwise — you absolutely need to have an OT firewall.”
Every OT network should have at least one firewall to control access and protect against unauthorized connections. By deploying firewalls at different levels, such as the first firewall on the network, a perimeter firewall for external connections and a firewall at the top of the corporate zone, organizations can strengthen their security position.
2. Establish network segmentation
Network segmentation is a fundamental step in securing OT networks. It involves creating separate zones within the network to isolate critical systems from less secure areas.
By implementing a demilitarized zone (DMZ), manufacturing zones can be isolated from corporate zones, preventing direct communication between IT and OT networks. Critical assets such as Active Directory (AD) servers and historians should be placed within the DMZ to ensure secure access.
3. Embrace software-defined networking (SDN)
Software-Defined Networking (SDN) offers a new approach to network management and security that utilizes software-based controllers to direct traffic and control network infrastructure.
SDN provides enhanced visibility into the network, allowing for a more comprehensive understanding of security threats. It also enables the creation of separate zones and the immediate quarantine of compromised devices, reducing the risk of widespread infections.
4. Educate employees on cybersecurity
One of the often-overlooked aspects of network security is employee education. Many cyber-attacks result from compromised accounts, often initiated through phishing campaigns.
Smit said this will become even more important as bad actors take advantage of advances in AI LLM (large language models).
“AI or ChatGPT is changing this threat landscape,” he said. “I envision three years from now, the percentage of compromised accounts will be much higher due to growing AI capabilities. Phishing emails are no longer from somebody crafting messages claiming the police must collect your overdue parking tickets. AI is now making language models that will look incredibly real and can act like an email from your supervisor. They can learn what tools and systems your company uses and expertly craft phishing emails with that information.”
Educating employees about the risks of phishing emails and suspicious activities can significantly reduce the likelihood of a successful attack. Training programs and regular phishing simulations can help employees recognize and report potential threats.
5. Monitor network traffic
Smit said continuous monitoring of network traffic is vital for detecting and responding to potential security incidents. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help identify suspicious activities and prevent unauthorized access.
By collecting and analyzing data on network traffic, organizations can proactively detect and mitigate potential threats.
“I encourage you to go Shodan.io and search for your company's IP ranges. This site shows all the devices and network infrastructure that are publicly exposed, including PLCs. If you have assets on Shodan.io, get rid of them immediately or unplug them until you have a migration plan to get them off the network. They are sitting ducks waiting for someone to find your information that’s available on the internet now.” – David Smit, senior systems analyst, Interstates.
External audits by independent security experts can also provide valuable insights and recommendations for enhancing network security.
Layering security is key
Securing OT networks in grain elevators is a critical task to ensure the safety and integrity of operations. By implementing network segmentation, firewalls, SDN, and educating employees about cybersecurity risks, organizations can significantly reduce the likelihood of breaches and cyber-attacks. Regular monitoring, patch management, and access controls further enhance the security posture of OT networks.
“Don’t just do one of them — do all of them,” Smit said. “Because if you just put SDN on your network, you just put a controls firewall on your network, just run antivirus on your system, or are just patching, it does not mean you will be all right. Defense in depth is about layering all those together.”
Conducting security audits and staying updated on emerging threats are also essential for maintaining a robust and secure network environment. By prioritizing network security, grain elevator operators can protect their assets, employees and overall integrity of their operations.
