To Encrypt or not to Encrypt in OT Networks

When I transitioned from cybersecurity in IT to Operational Technology (OT), I was initially surprised to discover that encrypting network traffic is not as common as it is in IT. Even more surprising was learning that many cybersecurity software vendors in OT rely on open network communication to monitor risks and threats. This approach seemed akin to suggesting that police can only be effective if everyone leaves their front doors unlocked.

However, after spending more time in the field and engaging with industry experts, I began to understand the rationale behind leaving OT networks unencrypted. But the question remains: do the benefits truly outweigh the risks? Let’s explore this topic further in the article.

History of OT Networks

OT networks have a rich history, evolving significantly over time. Initially, OT was all about mechanical systems and analog devices, such as steam engines and telegraph systems, where control over machines was mostly manual or involved simple mechanical contraptions.

As technology advanced through the 20th century, OT shifted from purely mechanical systems to electronic and digital ones. The introduction of electronic components like transistors and microprocessors revolutionized OT, allowing for more precise and reliable control over industrial processes.

The real transformation began with the integration of computer technology. In the late 20th century, computer-based control systems like Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems became prevalent. These systems enabled more sophisticated automation and control of industrial processes.

Historically, OT networks utilized proprietary protocols optimized for specific functions. Some of these protocols, such as Modbus, Profibus, and DNP3, have become standard industrial communication protocols. These protocols facilitated communication between various hardware components and software systems, often through wired connections like Ethernet.

Availability over Confidentiality

In OT networks, the priorities are indeed different from those in IT networks. The typical priority list in OT networks is:

In the IT realm, the confidentiality, integrity, and availability of data are paramount. While data theft is a concern in OT, the primary focus is on ensuring continuous production uptime. Consider the consequences of shutting down a power grid, turning off traffic lights, or closing a pipeline. Actions like rebooting a computer or disconnecting a suspicious device, which are routine in IT, can pose significant risks to the physical world and lead to substantial revenue losses in OT environments.

OT protocols often lack built-in encryption for several reasons:

1. Historical Context: Many OT protocols, like Modbus and DNP3, were developed decades ago when cybersecurity threats were not as prevalent. These protocols were designed for reliability and simplicity in isolated environments, often referred to as "air-gapped" systems, where security was not a primary concern.
2. Performance and Latency: OT systems prioritize real-time performance and low latency. Adding encryption can introduce delays and computational overhead, which might disrupt the timing and reliability of critical control processes.
3. Compatibility and Interoperability: OT environments often consist of a mix of legacy and modern devices. Implementing encryption across all devices can be challenging due to compatibility issues. Many older devices lack the processing power or capability to support encryption.
4. Resource Constraints: Many OT devices, such as sensors and controllers, have limited processing power and memory. These constraints make it difficult to implement and manage encryption effectively.
5. Perceived Security: Historically, OT networks were considered secure due to their physical isolation from IT networks and the internet. This perception led to less emphasis on built-in security features like encryption.

As the convergence of IT and OT networks continues and cyber threats evolve, there is a growing recognition of the need to enhance security measures, including encryption, in OT environments. However, implementing these changes requires careful consideration to avoid disrupting critical operations.

To Encrypt or Not To Encrypt

While encryption enhances security, it is not a silver bullet. It should be part of a comprehensive security strategy that includes network segmentation, access controls, and continuous monitoring. Below are certain points to consider whether to encrypt or not to encrypt:

Encrypting OT Traffic:

• Enhanced Security: Encryption protects data in transit from being intercepted or tampered with, reducing the risk of man-in-the-middle attacks.
• Compliance and Standards: Helps meet regulatory requirements and industry standards (such as IEC 62443 & NIS2) that mandate encryption for sensitive dat1.
• Data Integrity: Ensures that the data remains unchanged during transmission, maintaining its accuracy and reliability.
• Confidentiality: Protects sensitive information from unauthorized access, ensuring that only intended recipients can read the data.

Not Encrypting OT Traffic::

• Performance Impact: Encryption can introduce latency and require additional processing power, potentially affecting the real-time performance of OT systems.
• Operational Complexity: Managing encryption keys and ensuring consistent implementation across diverse devices and protocols can add operational complexity.
• Challenges with Legacy Systems: Many legacy OT devices may not support modern encryption standards, making it challenging to implement encryption across all systems.
• Simplicity: Easier to implement and manage, especially in environments with legacy systems.

While network encryption can make OT environments more secure by protecting data integrity and confidentiality, it must be carefully implemented to avoid disrupting critical operations. Balancing security with performance and operational requirements is key.

Conclusion

As we advance into Industry 4.0, the integration of OT systems with cloud-based services becomes increasingly prevalent. This shift underscores the critical importance of securing encrypted traffic between OT systems. By leveraging passive monitoring techniques such as Intrusion Detection Systems (IDS), Network Traffic Analysis Tools, and Deep Packet Inspection (DPI), organizations can effectively identify and mitigate potential security threats. Additionally, implementing best practices like strong access controls, data encryption, network segmentation, and regular security audits ensures the protection of sensitive data and critical infrastructure.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.