Years back people loved the idea of getting Operational Technology (OT) equipment with a web interface on the network. More data seen is a GREAT idea. Turns out, not a great idea. If an ethernet cable connects to it, it’s seen as an issue by IT/Cybersecurity. Risk Management will always be an organic process with field devices, as they are not the same as IT devices.
Ways to reduce your cyber security threats with Operational Technology (OT) devices
I have listed below steps to how to reduce cyber risks with Operational Technology devices. Firmware is the common way OT devices work and pose less risk than IT devices.
Change the default username and password
- Whenever they can see a devices webpage, they can search for the default credentials used
- When using uppercase, lowercase, add a number or two, and the AWESOME non-standard character
- With this in mind, the longer the password, the safer you are
Keep the information secured for OT devices
- Keep the username and passwords secured, and un-common knowledge with your vendors
- Changing the password regularly helps keep the equipment safe
- Use a secured vault program for your password repository
Ports to disable
- A large number of field devices use firmware, so there are fewer ports susceptible
- FTP (port 21,22), telnet (port 23), HTTP (Port 80), and even HTTPS (port 443) can be a target
- In the event that SNMP V1 (port 161) needs to stay, change the public and private community strings (If defaulted)
- Likewise, SNMPv3 uses encryption and is the safest method, for SNMP data
Limit the TCP connections allowed
- Modbus (502), BACnet (47808), and SNMP (161) are the common ethernet protocols used for field devices
- Whenever possible, add an IP filter for allowed connections to these devices
- Change the known port number, to an uncommon port number
Keep the firmware up-to-date
- Given that most manufacturers realize times are changing, they are updating when they can
- Firmware was released to help harden the device with new security measures
- Always consult the manufacturer on the process involved when updating
- Such as downtime, config changes, effects on data being polled during the effort
Reduce the # of threats on your network (Plan B)
- If there is no ethernet cable, the device is not a prime target for bad actors
- Modbus and BACnet hardware, stop using the ethernet side and use the serial port
- Great approach for new construction if the devices web interface is weak
- Fewer devices on the network become one less concern for the IT Department
Where to start to reduce OT Cybersecurity risks on IT networks? Risk Management with IoT devices may seem tricky but does not have to be.
In summary, do your devices reside on a common network monitored by IT? If not, you are not a scanned threat. If yes, continue.
Next, get the list of devices from IT and see what changes you can make organically to help reduce the issues.
Otherwise, if the device has too many issues, firmware and configuration changes will not correct the issue, it is time to cut the cord (Ethernet Cable), Plan B.
If you have questions about your application, we are glad to talk to you, email and phone calls are free.