The OSI Model Fundamentals and Cybersecurity Basics in the Context of OT and CPS

By Cherise Esparza, President & Co-Founder 

In the intertwined worlds of Operational Technology (OT) and Cyber-Physical Systems (CPS), a deep understanding of the OSI Model is not just beneficial; it’s a necessity. The seven-layer OSI Model provides a blueprint for understanding network functionality and identifying potential security vulnerabilities, particularly crucial in the OT and CPS environments where the convergence of IT and physical systems is a reality. Each layer of this model has unique vulnerabilities and requires specific controls to protect against cyberattacks. Here’s an overview of each layer with corresponding controls: 

  1. Physical Layer – The Bedrock of OT and CPS

In OT and CPS, the Physical Layer encompasses a wide array of devices, from sensors and actuators to PLCs (Programmable Logic Controllers) and RTUs (Remote Terminal Units). Securing this layer safeguards the physical infrastructure against tampering, unauthorized access, and physical damages. For instance, ensuring controlled access to a manufacturing floor’s PLCs or an electric grid’s RTUs is a fundamental security practice.  

  • Controls: Physical access control systems, surveillance cameras, and tamper-evident seals. For example, biometric access controls to sensitive areas like server rooms or areas housing critical OT equipment.


  2. Data Link Layer – Ensuring Secure Node Communication

In an OT environment, the Data Link Layer is where industrial control protocols like Modbus and Profibus operate. Security measures at this layer involve safeguarding data transmission between these devices, ensuring that communication within the network is secure and resilient against MAC spoofing or similar attacks. 

  • Controls: Network segmentation, MAC filtering, and use of secure industrial protocols. Implementing virtual LANs (VLANs) to separate different parts of an OT network can minimize the impact of a breach at this layer.
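One way to make the MAC-spoofing concern concrete from a monitoring point of view: keep a table of the IP-to-MAC bindings observed on an OT segment and raise an alert whenever a known address suddenly answers from a different hardware address, or from one that is not on the engineering allowlist. The following is an added example, not code from the original post or from SecurityGate; the ARP records, IP addresses and MACs are constructed, and the allowlist format is a hypothetical one chosen for the example.

```python
# Added example: passive IP-to-MAC binding monitor for an OT segment.
# Sample ARP replies are constructed for this example: (timestamp, ip, mac).
# The last record shows the PLC address 10.0.5.20 answering from a new MAC.
SAMPLE_ARP = [
    ("09:00:01", "10.0.5.10", "00:1a:2b:3c:4d:01"),
    ("09:00:02", "10.0.5.20", "00:1a:2b:3c:4d:02"),
    ("09:05:10", "10.0.5.10", "00:1a:2b:3c:4d:01"),
    ("09:07:44", "10.0.5.20", "00:1a:2b:3c:4d:02"),
    ("09:09:03", "10.0.5.20", "de:ad:be:ef:00:99"),
]

# Hypothetical engineering allowlist: IP -> expected MAC for fixed OT assets.
PLC_ALLOWLIST = {"10.0.5.20": "00:1A:2B:3C:4D:02"}


class ArpBindingMonitor:
    """Tracks the MAC each IP was last seen with and flags changes."""

    def __init__(self, allowlist=None):
        # Normalise allowlist MACs so case differences do not cause false alerts.
        self.allowlist = {ip: mac.lower() for ip, mac in (allowlist or {}).items()}
        self.seen = {}  # ip -> last observed mac

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return a list of alert strings (empty if benign)."""
        mac = mac.lower()
        alerts = []
        expected = self.allowlist.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ts} {ip} answered from {mac}, allowlist expects {expected}")
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} {ip} changed MAC {prev} -> {mac}")
        self.seen[ip] = mac
        return alerts


def scan(records, allowlist=None):
    """Run the monitor over a batch of (ts, ip, mac) records and collect alerts."""
    monitor = ArpBindingMonitor(allowlist)
    alerts = []
    for ts, ip, mac in records:
        alerts.extend(monitor.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_ARP, PLC_ALLOWLIST):
        print("ALERT:", line)
```

Run against the sample, the first four replies are silent and the fifth produces two alerts (allowlist mismatch and binding change). In practice this kind of check complements, rather than replaces, switch-side controls: MAC filtering alone is a weak barrier because a MAC is trivially reconfigurable, so pair it with port security and the VLAN segmentation the bullet describes.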


  3. Network Layer – Routing Data in OT Networks

In CPS, the Network Layer’s role in managing routing and forwarding becomes critical, especially in complex networks spanning multiple operational sites. Protecting against IP spoofing and routing attacks is essential to maintain data communication integrity across the network. Using industrial-grade firewalls and implementing secure routing protocols are vital practices. 

  • Controls: Firewalls, intrusion detection/prevention systems (IDS/IPS), and secure routing protocols. Employing advanced firewall technologies that understand industrial protocols can prevent malicious traffic from propagating through an OT network. 
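The bullet's point about firewalls that "understand industrial protocols" is easiest to see in code. Below is an added example, not part of the original post and not SecurityGate's software: a minimal Modbus/TCP-aware filter that validates the MBAP header and then applies a per-flow allowlist of function codes, so an HMI may read from a PLC but only the engineering workstation may write. The IP addresses, the policy table and the sample frames are constructed; the header layout and function codes follow the public Modbus specification.

```python
# Added example: protocol-aware allowlist for Modbus/TCP traffic.
import struct

# Modbus function codes from the public specification.
READ_FUNCS = {1, 2, 3, 4}       # read coils, discrete inputs, holding regs, input regs
WRITE_FUNCS = {5, 6, 15, 16}    # write single/multiple coils and registers


class ModbusParseError(ValueError):
    pass


def parse_modbus_tcp(frame: bytes):
    """Validate the 7-byte MBAP header and return (unit_id, function_code, data)."""
    if len(frame) < 8:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ModbusParseError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:   # length field counts unit id + PDU
        raise ModbusParseError(f"length field {length} does not match frame size")
    return unit, frame[7], frame[8:]


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Hypothetical policy for one OT cell: (source IP, destination IP) -> permitted function codes.
POLICY = {
    ("10.0.5.10", "10.0.5.20"): READ_FUNCS,                # HMI: read-only access to the PLC
    ("10.0.5.11", "10.0.5.20"): READ_FUNCS | WRITE_FUNCS,  # engineering workstation: may write
}


def decide(src: str, dst: str, frame: bytes):
    """Return ("ALLOW" | "DROP", reason). Malformed or unlisted traffic is dropped."""
    try:
        unit, fc, _data = parse_modbus_tcp(frame)
    except ModbusParseError as exc:
        return "DROP", f"malformed frame: {exc}"
    if fc in POLICY.get((src, dst), set()):
        return "ALLOW", f"fc={fc} unit={unit} permitted for {src}->{dst}"
    return "DROP", f"fc={fc} not permitted for {src}->{dst}"


# Constructed sample frames.
READ_10_REGS = build_request(1, 1, 3, struct.pack("!HH", 0, 10))  # read 10 holding registers
WRITE_REG_0 = build_request(2, 1, 6, struct.pack("!HH", 0, 1))    # write value 1 to register 0

if __name__ == "__main__":
    for src, frame in [("10.0.5.10", READ_10_REGS),
                       ("10.0.5.10", WRITE_REG_0),
                       ("10.0.5.11", WRITE_REG_0)]:
        print(src, decide(src, "10.0.5.20", frame))
```

The design choice worth noting is default deny: a source/destination pair that is absent from the policy gets no function codes at all, and a frame that fails header validation is dropped before any policy lookup, which also stops malformed input from reaching a fragile PLC stack.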


  4. Transport Layer – Reliable Communication in OT Systems

The Transport Layer in OT and CPS ensures reliable and secure data transfer between systems. For instance, a smart grid system might involve securing communication channels between substations and the central control system. Implementing TLS and ensuring the integrity of communication channels are vital security measures. 

  • Controls: TLS/SSL for encrypted communications, port security measures, and flow control mechanisms. Implementing TLS for sensitive data transmissions ensures that data in transit cannot be read or tampered with undetected.
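"Implementing TLS" protects a substation-to-control-centre link only if the client is configured to verify the peer; a context with verification switched off still encrypts but accepts any endpoint. The following added example (not from the original post or SecurityGate) shows, with Python's standard `ssl` module, a hardened client context beside the weak configuration commonly found in field tooling, plus a small audit function that reports the weak settings. The CA file path and the channel helper are hypothetical.

```python
# Added example: hardened vs. weak TLS client configuration and an audit of each.
import socket
import ssl


def hardened_client_context(ca_file=None):
    """Client context that requires a trusted certificate, checks the hostname
    and refuses anything below TLS 1.2. ca_file is the operator's own CA
    (hypothetical path); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The configuration to avoid: encrypts, but accepts any peer certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


def open_channel(host, port, ctx):
    """Hypothetical helper: open a verified TLS connection to a control-centre endpoint."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

Auditing contexts this way is cheap to add to a deployment checklist; the findings list for the weak context shows exactly which guarantee is lost, which is more useful than a bare "TLS enabled" checkbox.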


  5. Session Layer – Maintaining Secure Connections

In OT environments, the Session Layer manages connections between devices and control systems. Ensuring these sessions are securely established, maintained, and terminated is crucial. For example, this could involve securing the session management between SCADA systems and remote controllers in a water treatment plant. 

  • Controls: VPNs (Virtual Private Networks) for secure remote access and session encryption. In remote monitoring scenarios, VPNs can secure the communication between field devices and control centers. 


  6. Presentation Layer – Data Translation and Encryption in OT

This layer is where data encryption and decryption for secure communication take place. In OT and CPS, encrypting data transmitted between field devices and control systems is essential. For instance, encrypting data from sensors in a manufacturing plant to the control room is a critical security practice. 

  • Controls: Encryption and decryption protocols, data format transformations. Using strong encryption standards for data at rest and in transit, especially when it involves sensitive operational data, is critical. 


  7. Application Layer – User Interface Security in OT and CPS

The Application Layer is the interface through which users interact with the network and its devices. In OT and CPS, this involves securing applications that manage physical processes, like HMI (Human-Machine Interface) systems. Protecting these systems against threats like SQL injection and ensuring the secure operation of applications is paramount. 

  • Controls: Application firewalls, secure coding practices, regular patch management, and anti-malware solutions. For instance, patch management and anti-malware controls ensure that HMI (Human-Machine Interface) systems are regularly updated and protected against malware.
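The SQL injection risk mentioned above shows up in HMIs that build queries from tag names typed or selected in the interface. As an added example (not code from the original post or from SecurityGate), here is a vulnerable tag-history lookup beside its hardened form, using an in-memory SQLite table with constructed sample rows; the table layout and tag names are hypothetical.

```python
# Added example: HMI tag-history query, vulnerable form beside the parameterised form.
import re
import sqlite3


def setup_db():
    """Create a constructed in-memory tag_history table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_history (tag TEXT, value REAL)")
    conn.executemany(
        "INSERT INTO tag_history VALUES (?, ?)",
        [("pump1_pressure", 4.2), ("pump1_pressure", 4.4), ("valve7_state", 1.0)],
    )
    conn.commit()
    return conn


def history_vulnerable(conn, tag):
    """Vulnerable: the tag string is spliced into the SQL text, so it can alter the query."""
    sql = f"SELECT value FROM tag_history WHERE tag = '{tag}'"
    return [row[0] for row in conn.execute(sql)]


def history_safe(conn, tag):
    """Hardened: the driver binds the tag as a value; it can never become SQL syntax."""
    rows = conn.execute("SELECT value FROM tag_history WHERE tag = ?", (tag,))
    return [row[0] for row in rows]


# Defence in depth: tag names in this hypothetical plant are short identifiers,
# so reject anything else before it reaches the database at all.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def validate_tag(tag):
    """Return True only for tag names matching the plant's naming convention."""
    return TAG_PATTERN.fullmatch(tag) is not None


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"   # classic textbook input that turns the WHERE clause true
    print("vulnerable:", history_vulnerable(db, tautology))   # returns every row
    print("safe:      ", history_safe(db, tautology))         # returns nothing
    print("valid tag? ", validate_tag(tautology))             # False
```

The parameterised query is the fix; the regex allowlist is a second, independent layer that also gives the application firewall or logging pipeline a clean signal when someone submits a tag name that no real asset could have.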

Incorporating OT-specific considerations into each layer of the OSI Model highlights the unique challenges and requirements of securing OT and CPS environments. Understanding these layers helps cybersecurity professionals in OT sectors effectively identify, assess, and mitigate cybersecurity risks, enhancing the resilience and security of critical infrastructure and industrial operations. 

Applying these controls in the context of the OSI Model ensures a comprehensive and layered approach to cybersecurity in OT and CPS. This approach addresses specific vulnerabilities at each layer and contributes to critical infrastructure and industrial systems’ overall resilience and security posture. 

Cherise Esparza

Cherise is the Co-Founder and President of SecurityGate. A cybersecurity expert who has managed a number of CSOCs, Cherise led an implementation across a network of offshore drilling rigs to obtain the first Achilles Practice Certification for a global fleet.
