Introducing IT technologies in OT: Virtualisation
IoT Security Blog Series
Traditional Information Technology (IT) tooling in Industrial Control Systems can improve security and availability of industrial and production facilities. More knowledge exchange between office (IT) and production (OT) network administrators is required to fully use its potential.
By Dima van de Wouw
In the past few years we have seen Industrial Control Systems (ICS) mature gradually. Information Technology (IT) technologies such as virtualisation and the use of Active Directory are now also being used in Operational Technology (OT) or production networks.
In this first release of the blog we will discuss how organisations can profit from virtualisation and explain the security implications of the new virtualisation approaches for the OT environment, especially for the “site manufacturing and control” layer (L3) in the Purdue model.
Look out for the second release of the blog, about Active Directory (AD) in OT.
All major ICS vendors have now included virtualisation in their portfolio. Implemented correctly, virtualisation in an OT environment brings various benefits. Let’s take a look at the impact virtualisation has on the OT domain with regard to availability, physical access, redundancy, patching and malware mitigation.
First of all, virtualisation provides centralization of the physical hardware. Switching from physical to virtual machines requires some changes in the setup. The physical machines can be replaced by a few powerful servers in a server room that run the virtual machines. Computers in production areas and control rooms can be replaced by hardened thin clients that connect to the virtualised machines and serve only as an interface. The centralization will make it easier to secure physical access to the machines and thus decrease the risk of USB misuse, assuming server room access is restricted.
Importance of redundant hardware
However, there are not only advantages: if all virtual machines are running on the same physical hardware, the impact of a hardware failure or local power failure would be even larger. Therefore it is important to mitigate these risks by having redundant hardware, possibly in different locations with different power sources.
Once the virtual machines are running on redundant hardware, they provide a big advantage: the decoupling of hardware and software. This increases availability because hardware can be replaced independently of software/OS.
Virtualisation can also be used to improve redundancy and capacity management; by spinning up redundant virtual machines it is easier to create hot standby servers. If the main virtual machine were to crash, the hot standby (virtual) server can take over, so continuity is better guaranteed. Hardware failures can be mitigated by running the hot standby servers on an alternative hardware cluster. Backups of virtual machines can be made using snapshots (full disk backup), which makes it easier and faster to return to a previous trusted version.
A patch strategy
Using hot standby servers and backups, it becomes easier to roll out patches since availability can be better guaranteed using the hot standby servers, or “worst case”, snapshot restore. A possible patch strategy would be to:
- patch the hot standby servers;
- perform a failover to the hot standby servers;
- verify availability and functional compatibility with the applied patch over a predefined timeframe;
- patch primary servers, and finally;
- create new snapshots.
This procedure would have the additional benefit of also testing the failover process. Having a workable patch procedure will eventually create less patch level diversity and a more manageable and secure plant.
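The patch strategy above, modelled as an added Python example (not code from the original blog or from any ICS vendor): it walks a primary/hot-standby pair through the five steps and shows the failure path, where the still-unpatched primary takes back the load and the standby is restored from its snapshot. The `VM`, `Pair`, `rollout` and `verify` names, the machine names and the patch labels are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    patch_level: str
    snapshots: list = field(default_factory=list)  # patch levels of trusted snapshots

    def snapshot(self):
        self.snapshots.append(self.patch_level)

    def restore(self):
        # "Worst case" path: return to the last trusted snapshot.
        self.patch_level = self.snapshots[-1]

@dataclass
class Pair:
    primary: VM
    standby: VM
    active: str = "primary"  # which VM currently serves the operators

def rollout(pair, patch, verify):
    """Apply `patch` to the pair; `verify(vm)` is a hypothetical health check
    standing in for the predefined verification timeframe."""
    log = []
    for vm in (pair.primary, pair.standby):
        if not vm.snapshots:          # ensure a trusted restore point exists
            vm.snapshot()
    pair.standby.patch_level = patch  # 1. patch the hot standby
    log.append("standby patched")
    pair.active = "standby"           # 2. fail over
    log.append("failover to standby")
    if not verify(pair.standby):      # 3. verify availability and compatibility
        pair.active = "primary"       # the primary is still unpatched and trusted
        pair.standby.restore()
        log.append("verification failed: failed back, standby restored")
        return False, log
    pair.primary.patch_level = patch  # 4. patch the primary
    log.append("primary patched")
    for vm in (pair.primary, pair.standby):
        vm.snapshot()                 # 5. new trusted snapshots
    log.append("snapshots created")
    return True, log

def demo(verify_ok):
    # Constructed sample pair and patch labels.
    pair = Pair(VM("hist-a", "2024-01"), VM("hist-b", "2024-01"))
    ok, log = rollout(pair, "2024-02", lambda vm: verify_ok)
    return ok, pair, log
```

The ordering is what keeps a trusted machine available throughout: the primary is not touched until the patched standby has carried the load through verification.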
Something we might see in the future is the use of read-only virtual machines. A lot of control rooms only process real-time data and/or data available on the historian, which is a large database of current and previous production values. Since no data needs to be stored for future use, it would be possible to create read-only virtual machines for operators to work on. On these machines disk writes to the hard drive can be limited, which can make it harder for malware to infect a target. At the same time it will be easier to clean up malware by rebooting the machine, especially if a hot standby server can be used to maintain availability.
The use of virtualisation can lead to many benefits if implemented correctly. Your industrial sites can increase availability, improve redundancy, and ensure continuity in the event of a hardware or power failure. For more benefits, stay tuned for the next blog, which will highlight both benefits and the risks of using domains in OT environments.
For more information about IoT, please contact Dana Spataru or Dima van de Wouw via the contact details below.