A new year has arrived, and with it comes the opportunity to make all kinds of transformations to help your business. No matter how you navigated the dangerous threat landscape during the past years, it’s time for all of us in operational technology (OT) security to make firm decisions to do or not do something for the safety of our business and environment.
This year, we will see more breaches where bad actors target OT due to the rise of Internet of Things (IoT) devices being deployed in industrial environments and critical infrastructures. That’s because many OT networks were either designed without any security or without adequate protections in place. Plus, the overall attack surface is getting broader each day as organizations continue to converge their IT and OT environments.
I spend a lot of time on factory floors and in Security Operation Centers (SOCs), and you’d be surprised how many shared challenges these practitioners have in common. Here is what they should focus on in 2019:
1. Understand that Operational Technology Security Risks Are Business Risks. Understand and communicate risks. They can damage an organization’s reputation and can cause significant operational problems, such as production downtime, compliance penalties and environment safety. Business-level oversight and executive leadership can help to establish a culture of collaboration between IT and OT for the common good of the business. Improving an organization’s security posture depends on how effectively both sides can work with each other to improve mutual understanding and increase reliability and security of critical infrastructure.
2. Monitor User Activities. It’s important to detect both successful and unsuccessful authentication attempts to the Industrial Control System (ICS) network from users or systems in the corporate IT network. If an attacker gains access to your network through a compromised system, they will attempt to cross over to the ICS network to target the critical infrastructure. By monitoring both successful and unsuccessful login attempts, you can identity anomalies, taking things such as time of day, frequency and other suspicious behaviors into account.
It’s also important to monitor remote connections from users, vendors, or system integrators. Anyone using Remote Desktop Protocol (RDP) has access to all the capabilities a device allows. Likewise, VPNs provide remote access to ICS networks. If remote access capabilities are not adequately monitored and controlled, unauthorized users can gain access to a system or the entire ICS network.
Lastly, look for credentials stored in logs and configuration files. Unprotected passwords and other credentials means giving hackers complete control of your systems and allowing them to move through the interconnected networks and expose more systems to the attack. To protect against this, files should either be modified to store credentials securely, or when not possible, access should be restricted (least privilege) and/or monitored.
3. Check for Changes in Firewalls, Routers and Switches. Properly configured firewalls can be used to protect control systems from unauthorized access, but rule sets need to be monitored and reviewed to provide continuous, adequate protection. Protecting control systems from unwanted access and possible attacks requires real-time monitoring of firewalls to rapidly detect and initiate response to cyber incidents.
Network devices such as routers and switches on the ICS network should not be overlooked. These devices serve as the first line of defense because they permit or deny communications between the ICS network and the corporate network. With proper and accurate logs from routers and switches, unwanted network access can be detected quickly in order to mitigate a security incident.
Look at new devices to understand their role and impact on the entire environment. Having visibility into each device or equipment in your environment will help you understand if a system is infected with malware and using the network to propagate from system to system. Flag unsecure protocols used for exchanging critical information.
4. Flag Unsecure Protocols Used for Exchanging Critical Information. Protocols such as Telnet, HTTP, FTP or Windows File Sharing are not secure by default, meaning they don’t protect corporate data and can have damaging business consequences that are difficult and expensive to amend. For example, content often lives on FTP servers for years, making it relatively easy for unauthorized individuals to access sensitive information undetected.
5. Consider Adopting Machine Learning. There’s a growing concern among security professionals that bad actors could use machine learning technologies to cause unprecedented security challenges. Given the growing amount of data, an increase in the number of cyber threats and the rapid pace of technological change, security analysts could benefit from using machine learning to work through the overwhelming amount of data they need to sort through. The future of cybersecurity will require human and machine collaboration – fusing proper human judgement with machine learning capabilities.
With the new year underway, it’s time for CISOs to see their security resolutions through from the factory floor, SOCs and across the entire enterprise.