
Episode 28

Keeping OT Safe, Secure and Online


About This Episode

Podcast Episode 28
May 19, 2026 - 33 mins

Operational Technology is everywhere and yet it’s often misunderstood or overlooked in traditional security planning. We sat down with OT cybersecurity expert Todd Heflin to unpack the realities of securing systems that directly interact with the physical world, where uptime, safety, and reliability are non-negotiable. With concrete examples and engineering-minded insight, this episode lays out strategies for strengthening OT security without disrupting operations.

We explore:

  • How OT differs from IT and IoT.
  • Which frameworks actually help organizations establish a solid OT security posture.
  • Practical considerations that come with real-world OT environments.
  • How risk manifests when technology controls physical processes rather than just data.
  • How frameworks like NIST SP 800-82 and ISA/IEC 62443 shape everything from architecture to component security.
  • And more.


Episode Transcript

Cole French:

Operational technology is all around us. In our buildings, our utilities, even in the unseen systems quietly keeping critical infrastructure running. But securing OT isn’t as simple as applying traditional IT controls. In this episode, we explore the hidden world of OT, the unique challenges it brings, and what it really takes to protect systems where a single configuration change can mean millions of dollars or even human lives. Welcome to the Cyber Compliance & Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.

In today’s episode, recorded live at CUI-CON in Orlando, we dive into an in-depth discussion on the often misunderstood world of operational technology. We break down what OT is, how it differs from IT and IoT and why securing it requires a completely different mindset. The conversation covers leading OT cybersecurity frameworks like NIST Special Publication 800-82 and ISA/IEC 62443, the complexity of managing legacy systems and the realities of working hand in hand with OT engineers to prioritize safety and reliability. We also discuss practical approaches for risk management, asset inventory, remote access, and network architecture, including the Purdue model and OT-specific zoning concepts. Whether you’re new to OT or looking to deepen your expertise, this conversation provides a clear, energetic walkthrough of the frameworks and real-world considerations that shape secure OT environments. Joining us for today’s conversation is Todd Heflin. Todd is the senior cybersecurity engineer with PCX Engineering, specializing in OT penetration testing and security engineering. With more than a decade supporting the Department of Defense and critical infrastructure environments, Todd has assessed and engineered everything from enterprise IT networks to facility control systems, weapons platforms, and hardware-in-the-loop labs. Todd brings a red team mindset to real-world OT environments, helping organizations identify vulnerabilities, emulate adversaries, and strengthen defenses where cyber and physical systems converge. We hope you enjoy this episode.

Todd, I really appreciate you stopping by to join us here recording on site at CUI-CON here in Orlando. I know today you’re going to talk with us about operational technology, which is something we do see here. This conference obviously is related to CMMC and that’s a lot of what we’re talking about here and operational technology is something we look at from a scoping perspective, but I know really what we’re going to get into is a little bit more of the nitty-gritty of operational technology. So if you could just kick us off, get us started with what is operational technology, what kind of applications do you see out there? What kind of applications are there and what kind of applications are you working with specifically?

Todd Heflin:

Yeah. So thank you for having me. So when we talk about OT or operational technology, that’s any system or any device component that has a physical effect or physical impact to your environment. So think of nuclear power plants that generate electricity or water treatment plants or even gas and oil. Also too, you can lump in building automation systems. So think HVAC or your access badge type systems. So pretty much anything that interacts with your physical surroundings, that would be lumped in as OT.

Cole French:

Now I know there’s another term that you hear a lot of, maybe more in the mainstream, I guess, which is IoT. Is IoT the same as OT or do they overlap with each other? Are there differences between those two?

Todd Heflin:

So IoT, the Internet of Things, is a subset or a category of OT. So you can think of your TV or a fridge, a Samsung fridge that’s calling out to the internet and selling your data and whatever else is in your fridge to all these marketers; that would be a subset.

Cole French:

Got it. I think that’s helpful. So I can imagine operational technology, ton of different applications. You just listed a bunch of them and really ingrained or embedded in a lot of things that maybe we don’t see and are behind the scenes. And I think it can be easy for us to not … Because they’re behind the scenes, maybe we don’t see them or from a security perspective, we don’t think of them. They’re not an end user device necessarily, right? They’re not something that somebody’s using all the time. So when we talk about security and operational technology, what frameworks, guidance, what kind of stuff is out there if you want to dive into some of those things that sort of guide how do we secure OT?

Todd Heflin:

So coming from the federal, from the DOD world, I first got introduced to NIST 800, so NIST 800-82, which is now on revision three. And what that does is it provides a standard or a nice framework to ensure that OT cybersecurity is being implemented within a federal system. And it also helps with RMF, which is the acronym for risk management framework, which I’m sure a lot of people listening to this podcast may be aware of and may be a cuss word as well, but it’s just one of those things where with 800-82, NIST and the federal government actually said, “Hey, wait a minute. OT is a specialized case. It’s a specialized category. We really cannot fit an IT circle into a square peg hole.” And so that’s why 800-82 was created to help with the overall risk management for OT systems within the federal space, and it also provides a tailoring, a control tailoring, based on the 800-53 control set.

The one that I really like, and I think a lot of the OT engineers will cheer this on, is ISA. It’s 62443. ISA is the International Society of Automation and 62443 is the global best practice for OT cybersecurity. Not only does ISA 62443 look at the system level and the architecture for cyber best practices, but they look at the component as well. So you can look at the system, you look at the component-level cybersecurity posture, and you also look at the processes or the policies that are governing the risk management for the OT.

Cole French:

It’s beyond just an evaluation of that particular operational technology, but also the process documentation, things like that, that go along with it?

Todd Heflin:

Mm-hmm. Yeah. Don’t get me wrong, I’ll give NIST some flowers because they say, “Hey, we need to overlay tailoring.” But 62443 is to say more, I guess, deep dive. A deep dive into saying, “Hey, if you have a gas plant with a historian application server, safety systems, here’s the cyber security controls and the risk management that we recommend from our experience.” Or if you have a building automation system, it’s totally different.

Cole French:

So NIST is more … And I think this is generally true with most things. NIST sits up here and it’s across the board, right? It’s a control set and you said that 800-82 has controls involved, but they’re a subset of 800-53 basically, but that’s high level and that applies across the board, whereas the ISA publication you’re referring to sounds like it’s tailored. Well, first of all, it comes from an automation … An organization that specializes in automation is closer to the ground with these types of solutions, but it also sounds like it’s tailored to the specific type of operational technology. Is that accurate?

Todd Heflin:

I think I said a key word about engineering. ISA, they get with the OT engineers. I’m not saying this doesn’t, but they’re more high level, whereas ISA, they sit with OT engineers and they get the feedback. And that’s one thing about cybersecurity within OT: we cannot say no to everything. We have to work with OT engineers. We have to work with the asset owners and figure out, okay, what the problem is, what are they trying to solve and how can we help instead of just trying to be an overall impediment. And really, with the ISA 62443 policies and controls that they list out, they do a really good job of helping the cyber engineer to work with the OT engineer to help solve those complex issues while ensuring the reliability, safety and availability of the system is not adversely impacted.

Cole French:

So that’s a good segue to, I think, the question of … And I’ve worked with OT, like our SCADA systems in the past, and it’s always this kid gloves approach, I guess, where it’s like, “Oh, we can’t do anything to those. We can’t touch them, we can’t scan them, we can’t configure them. They need to stay the way that they are.” So in your experience, have you worked with OT that you could? Like let’s say a STIG or some type of configuration settings that do address security, can you use those with OT or are there other tools out there that work with OT devices specifically to lock them down or to harden them at least so that they’re not just wide open?

Todd Heflin:

Yeah. So that’s a really good question, and that’s where a lot of the asset owners and OT engineers get nervous, is when you try to say, “Hey, so we did a gap assessment, we did a risk management assessment of your system and this is what we recommend.” And they’re like, “Well, you’re saying that you want to lock down the operating system, you want to take away the shared engineer accounts and things like that.” And so that’s where you have to come in, especially with the legacy systems. So anything that’s running like a really outdated Windows operating system, let’s just say Windows 2000, there’s still Windows XP out there. I know that probably makes some people shake and have tremors because it does me. But at the same time, those systems haven’t been touched in 10, 15, 20 years and they haven’t been patched, and if you try to patch, then guess what? The application that’s been running just fine all of a sudden has issues and then you’re to blame for millions of dollars or maybe a life safety issue, and you don’t want to be that person.

So once again, that’s where it comes down to communication, saying, okay, if you have a more modern system like running Windows 10 or Windows 11, at that point you’re a little bit more easily able to implement STIG or a CIS benchmark. Can’t say the word for some reason, but the CIS or STIG, you can easily roll those out and back off any settings within the Windows or Linux or the network settings that may break functionality. And if you’re able to have the capability of having a test bench, then that’s even better, because at that point you can just test the settings in there with a PLC or RTU or whatever and go from there.

Cole French:

Yeah. I was going to say that’s one of the things in my limited experience with OT is very … It’s like a live system, you don’t have a test bed typically, or at least that’s been my experience. It’s like, well, it’s already been deployed, it’s there, can’t touch it. It isn’t like other systems where it’s like we have a test environment where with software we deploy all this and we can patch the systems and if something breaks, then it’s a test environment we roll it back and we know, okay, we’re not going to push that to production. But with OT, it’s physical technology that’s attached to some function, the ones that you described, building automation, things like that. So testing it is a lot more difficult because you really need the live system, I would think. But you’re saying there is a way to test these things before you actually deploy them or to have maybe them in a different environment where you can … A different set of OT that you can push patches to, push settings to and see what happens.

Todd Heflin:

It varies case by case depending on the customer and what their resources are. Just think of some of the big Fortune 250 gas, talking about Chevron and BP and some of those, they may have the resources available to you for a very small test bench while others think you’re a manufacturer that’s not developing or building a widget, more likely they won’t have a test bench. And so at that point you have to slowly roll out changes and see and also coordinate with the asset owner or the business owner or the OT engineer to make sure that whatever that you’re rolling out, you can quickly back off if needed.

Cole French:

Gotcha. So we’ve talked about the concept of risk, I think, or at least that’s what’s coming through in you talking about like talk to your system owners and really understanding what the application of the particular OT is. So in your experience, how do you work with organizations deploying OT to make sure that they’re adequately documenting risks or at least understanding the risk associated with these OT systems?

Todd Heflin:

I think anyone that’s ever worked with an Army Corps of Engineers or any manufacturer or gas plant, wherever that OT system is physically located. I think one of the main issues is what’s out there? What’s actually there from an inventory standpoint? Because I think you stated earlier about scanning. Well, for the longest you couldn’t scan. Well, you can safely scan. It’s called very slow scans or doing passive Wireshark captures, things like that. And there’s some really good vendors out there now that help with that. Of course, it’s going to cost you some money to play with nice toys, but they do help with capturing the overall inventory within the system. So once you … And usually this is my methodology and other people may differ a little bit, but I always try to capture the inventory, see what’s out there, what software version is being used, what’s the operating system, firmware on the PLCs, or RTUs, whatever devices are out there, and then from there you can build out your overall attack deck and risk management based on the hardware and software.

And then most importantly, besides asset inventory, is the network architecture. So are you allowing remote access to the network? How’s that being handled? Do you have multifactor authentication for that external access? Do you have a firewall between your IT corporate network and OT network? These are a lot of different questions that have to be answered in order for you to then say, “Okay, this is where our gaps are really at. Here’s what we need to prioritize.” And then at that point you can create a really solid risk register or what we call a POAM, but we call it … So risk register, POAM, whatever terminology you want to use, and then submit that to the customer and say, “Okay, here’s what I recommend that we hit. This brings the most value for your money and time and also has the least impact to your operations.”

Cole French:

Yeah. We talk a lot about on this podcast about the concept of risk and actually we recorded an episode earlier today where we really delved into risk, not as it relates to OT, but just risk in general. That risk is … And you’ve touched on this, I feel like. Each organization, each implementation is different and introduces different risks, right? So it’s important that you do all of the stuff you just mentioned, but also be able to work with the particular organization you’re working with to understand what’s important to them, what are the things that we need to be worried about? What type of information are they working with? What type of system? Is it one like you mentioned earlier where if something happens we could be talking about like health and safety or is it not that? And that changes like your risk profile, that changes what’s going to be important to what you do and that’s beyond security.

A lot of times in security, especially in compliance, we think of security controls and implementing multifactor authentication and some stuff we’ve mentioned here, but it also goes beyond that as well, too. What type of data are these tools or environments working with? What type of applications are in play, and using that to develop a POAM or develop a risk register that says, “Hey, I’m aware that this particular risk or risks exist in my environment and here’s what I’m doing to either mitigate them, remediate them, or it could even be a case where I’m accepting that risk.” It’s within a reasonable amount that I’m willing to accept that and it just be as it is based on a full understanding of my environment, the systems, the information, people, all that. So briefly, you touched on remote access, or you mentioned that as an example. And I know in today’s world where more and more work is done remotely and not onsite, how do you handle remote access to OT? Because that’s one that even as a security practitioner myself, the alarm bells go off and I’m going to look at, wait a minute … What I’m used to seeing is, oh, I’m sitting at a laptop, I’m logged into a VPN and that’s just like almost like I’m on the inside, right? Yeah.

Todd Heflin:

But

Cole French:

An OT device, that’s different and I’ve got to look at that differently. So just talk to me a little bit about what are some good approaches to external access as it relates to OT?

Todd Heflin:

Yeah. So this could be a touchy topic. I know there’s a lot of back and forth, but if you look at 62443 and even 800-82, there’s ways where you can have really good secure remote access methods. And so what I’ve seen is some people would like to use like a cell modem or a Starlink, and that cell modem or Starlink allows for that public IP to be used for remote access either through VPN or you can implement a cyber secure gateway. So think like a Keeper Connection Manager as a gateway that can be used by the operator sitting at his home in his PJs; he can go to Keeper, to the Keeper application, log into the browser using multifactor and only have access to that HMI, or the human machine interface. HMI is what is used to help control and manage the PLCs or other devices within the OT network.

So I’ve seen that; also there’s VPN. Some people don’t like VPN. I’m indifferent. VPN can be used in a secure manner as long as it’s using multifactor, the device is authorized, using some conditional access policies to authorize the user, authorize the device. But once again, we go back to risk management and what the customer desires. And as the OT cyber engineer, it’s your job to work with the OT engineer and the owner, the asset owner, to ensure that you are communicating properly to them, “Hey, here’s the risk. Is the risk worth the trade-off? Is it worth allowing the external remote access to the HMI or to that server?” And there’s other methods: you can use a DMZ, firewall to DMZ, have a jump box, whatever, to one machine, and that one machine, the jump box, is not connected to the domain, et cetera. So there’s ways, but once again, it goes back to the organization, to their risk appetite and also what that system is doing, because you may not want to allow remote access to certain OT environments.

Cole French:

And conversely, I can think that there might be OT environments where you would definitely want to have at least some level of remote access. I’m thinking health and safety systems, if there’s an emergency or there’s something where something needs to be done really quickly, having remote access could allow you to take action much more quickly than if somebody’s got to like go out to a particular location. There could be time in between. Now you mentioned VPN and like some people … What’s the hesitation with VPN and OT?

Todd Heflin:

So with the VPN, you have a firewall or you have a VPN gateway and you connect to that device. Well, most of the time when VPN access is first configured, it’s just allowed to everything on your network. So unlike the Keeper example where you log into Keeper and you only have access to that one device, or whichever devices are assigned to you, VPN is usually just wide open and that’s where you have to go in and lock it down and say, “Hey, you only get access to this piece of the pie, you don’t get access to the whole pie.” And back to your point about remote access, it could be a life safety issue. For example, a gas plant. So if everyone is home over the weekend and they get notified on their notification app that, “Hey, something’s about to blow up and the nearest person is one hour away,” well, having someone able to remote into that OT system to close the valve or whatever or to flush that gas out will save not only potential lives around that gas plant, but also the company from having their hardware or equipment blowing up.

Cole French:

Yeah. That’s a great real-life example and yeah, I can see what you’re saying about the VPN is … Yeah, it is. VPN is kind of an on/off solution, if you will, and I think if I put like my compliance hat on and I’m evaluating or assessing a system that’s using OT, I can see how having a gateway like Keeper or something that’s dedicated to your OT systems is a good look for compliance and being able to … Because one of the things with compliance isn’t just, oh, is it behind a VPN, but it’s also, do you have like conditional access policies? Do you have stuff that’s like, yeah, people can get in, but is it further access restricted once people are in, right? So it’s like if I have multiple OT devices and I have these users, but user one only needs access to two of these, user two needs access to all of them, right? You don’t want to have everybody having access to everything. So a dedicated system to facilitate that remote access from a compliance standpoint, I think puts you in a good position when you’re working, like if you’re going through an assessment or you’re trying to achieve compliance with a particular framework, I think when an assessor evaluates that …

I think to your point, I can see how a dedicated system or a system that’s more tailored to manage the remote access of OT versus just a VPN, I can see how that’s a wise choice. Todd, as we wrap up our conversation here this afternoon, just wanted to give you an opportunity. Was there anything else you wanted to mention as it relates to security and OT?

Todd Heflin:

I guess the last thing, just talking about the OT network architecture. I failed to mention the Purdue model. So there’s an architecture called the Purdue model and it’s based on different layers. So you have the, I think it’s five layers. So layer five is the enterprise IT DMZ, layer four is the IT corporate network and then layer three is where the transition point is between IT and OT, and then that’s where you can get into the OT DMZ where you’re allowing VPN or the gateway access. So you’re bypassing the IT corporate network and allowing the DMZ to be at layer three, and then either layer three or layer two, you can have the application server, the historian, the engineering workstations and HMIs, and then layer one is where your PLCs and RTUs, your non-IP devices, are, and then layer zero is your sensors or just what we call dumb devices, but on and off, close, open, whatever.

Cole French:

So do you find that most people use the Purdue model when they’re deploying OT at least like in a … What’s the line, I guess? Do most people use that? Is that relatively new? Is it something that it’s growing in awareness? Where is it at, would you say?

Todd Heflin:

Yeah. So people that are working with the Army Corps of Engineers or other federal agencies, they may call the Purdue model the five-layer cake, because it looks like a Neapolitan ice cream, because you have a lot of different colors for the layers. But the Purdue model is just really like a defense in depth. If you look at it from that viewpoint, it’s like, okay, if I look at the Purdue model as a defense in depth, then I can say, okay, this is where I want to allow external assets. This is where I want to put my firewall, here at layer three and layer two, whatever, to help with that network segmentation. Going back to 62443, instead of calling them layers, they have what they call zones, zones and conduits. So the zone is just the physical or logical grouping of those devices, and they all have a shared cybersecurity standard that they have to meet within that zone, and then the conduit is just the network of communication between one zone and the other. And that’s how it all meshes up from a 62443 Purdue model, or five-layer cake if you want to call it that.

Cole French:

Okay. Okay. That’s really interesting. I’ve enjoyed this conversation because we’ve delved into something that is an area that I’m familiar with. I know what these things are and stuff like that, but haven’t gotten into what you just described with some of the framework standards, guidance and things like that that are out there that really help with deploying these solutions and deploying them with security and obviously operational things. Operational considerations are top of mind, but also security goes along with that. So it’s good to see that there are standards, there are frameworks, there’s documentation, there’s processes for good and strong ways to deploy OT within your environment.

Well, Todd, again, I really appreciate you taking some time this afternoon to stop by and chat with us about operational technology as I mentioned at the beginning. I work primarily and here at Kratos, we work with cloud systems, but also we work in the CMMC space with a lot of different types of systems that also include operational technologies. And so this was a great educational conversation for me and so I really appreciate you taking the time to share your insights on this important topic.

Todd Heflin:

Yeah. Definitely. It’s been fun. If you want to reach back out for part two, feel free.

Cole French:

All right. Sounds good. Thank you again.

Todd Heflin:

All right. Thank you.

Cole French:

Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then keep building security into the fabric of what you do.
