SecurityWeek

ICS/OT

Protect: The Second Pillar in Your Journey to Improve Industrial Cybersecurity Posture

In the last year, the National Security Agency (NSA) has ramped up its warnings on the risks of connecting industrial networks to IT networks, issuing two cybersecurity advisories, the most recent just 10 days prior to the Colonial Pipeline disruption. Now, with the stakes raised and proof that our critical infrastructure is an easy target, the U.S. government is taking immediate action. The White House issued an Executive Order specifically focused on protecting IT and operational technology (OT) networks. And the Transportation Security Administration (TSA) is mandating incident-reporting procedures and hardened cybersecurity practices from pipeline owners and operators, many of whom operate privately within this critical infrastructure sector.

The disruptions to critical infrastructure in the last few months – including Colonial Pipeline, JBS, and others – further solidify that the risk of ransomware is real for everyone. No industrial operation is immune. Wherever you are on your industrial cybersecurity journey, the important thing is to start strengthening cyber defenses and resilience now.

Previously, I wrote about visibility into industrial environments as the starting point – what it encompasses, why it is often challenging, and how you can overcome these challenges. With visibility you have a springboard to comprehensive security, beginning with protection. With an always up-to-date asset inventory, you can tackle inherent critical risk factors, from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote access mechanisms. This requires understanding risk so you can prioritize and reduce it. 

Understanding risk

Some risks are more straightforward to deal with, such as providing remote workers with access to your organization’s industrial environment for asset maintenance or process management and optimization. Without OT-specific remote access controls in place, you’re exposing your organization to risk unnecessarily. But other risks need to be analyzed within the context of your unique environment to determine the right actions to take to reduce industrial cyber risk. 

Actions: Every industrial environment has more vulnerabilities than could ever be mitigated, which is why you need to map your asset inventory against a comprehensive database of security flaws present in specific asset models. Next, you need to assess how feasible it is for an adversary to exploit that flaw and further infiltrate your network to damage or disrupt operations. With asset risk scoring capabilities that provide nuanced risk assessments for individual assets, zones, and even across industrial sites, you can gain a deep understanding of risk and the tradeoffs involved as you determine your risk mitigation strategy.

Prioritizing risk

No organization has the resources, bandwidth or permissible downtime required to fully mitigate every risk it faces. And even if they did, it wouldn’t be a wise way to spend these precious resources. This is especially true for industrial environments, where availability or uptime is directly tied to the bottom line. The risk of disruption and downtime to implement a new security control, patch or system upgrade is often a non-starter. Not to mention that making changes to the multimillion-dollar systems that run production environments usually voids warranties. 

Actions: You need to be able to prioritize the vulnerabilities and other security weaknesses that need to be addressed immediately, as well as those that can be managed using a compensating control, either indefinitely or until a maintenance window allows for patching. With the ability to map how a potential attack could play out against your industrial environment, including every possible type of communication and pathway, you can prioritize and identify best next steps for remediation.
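The two "Actions" above (map the inventory against a flaw database and score by exploit feasibility; then prioritize using the communication pathways an attacker would have to traverse) can be made concrete in a few dozen lines. The following Python is an added illustration, not code from this column or from any product it alludes to: the asset inventory, the flaw records (placeholder ids, not real advisories), the zone-to-zone flows and the scoring weights are all constructed. It ranks assets by severity, exploitability and how many permitted zone hops separate them from the enterprise side, rolls the result up per zone, and then re-scores after a compensating control (blocking one flow until a maintenance window allows patching) is applied.

```python
"""Mapping an OT asset inventory to known flaws and scoring risk by reachability.

Added illustration, not code from the column. Inventory, flaw records
(placeholder ids), zone flows and weights are all constructed.
"""
from collections import deque

# Constructed asset inventory: vendor/model/firmware per discovered device.
ASSETS = [
    {"id": "plc-01", "vendor": "VendorA", "model": "PLC-1000", "fw": "2.1", "zone": "cell-1"},
    {"id": "plc-02", "vendor": "VendorA", "model": "PLC-1000", "fw": "2.4", "zone": "cell-2"},
    {"id": "hmi-01", "vendor": "VendorB", "model": "HMI-Panel", "fw": "5.0", "zone": "supervisory"},
    {"id": "hist-01", "vendor": "VendorC", "model": "Historian", "fw": "9.2", "zone": "dmz"},
]

# Constructed flaw database keyed by (vendor, model). "fixed_in" is the first
# firmware without the flaw; "exploitability" is a 0..1 estimate of how
# feasible remote exploitation is (placeholder values, not real advisories).
VULN_DB = {
    ("VendorA", "PLC-1000"): [
        {"id": "FLAW-PLACEHOLDER-1", "fixed_in": "2.3", "severity": 9.8, "exploitability": 0.9}],
    ("VendorB", "HMI-Panel"): [
        {"id": "FLAW-PLACEHOLDER-2", "fixed_in": "5.1", "severity": 7.5, "exploitability": 0.6}],
}

# Constructed zone topology: zone -> list of zones it is permitted to talk to.
FLOWS = {"it": ["dmz"], "dmz": ["supervisory"],
         "supervisory": ["cell-1", "cell-2"], "cell-1": [], "cell-2": []}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def hops_from(source, flows):
    """Breadth-first search over permitted flows: zone -> shortest hop count."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, []):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist


def asset_findings(asset, vuln_db):
    """Flaws present on this asset given its model and firmware version."""
    return [f for f in vuln_db.get((asset["vendor"], asset["model"]), [])
            if version_tuple(asset["fw"]) < version_tuple(f["fixed_in"])]


def score_assets(assets, vuln_db, flows, entry_zone="it"):
    """Score = max over findings of severity * exploitability * reach, where
    reach = 1/(1+hops) from the entry zone and an unreachable zone scores 0.
    Returns assets sorted from highest to lowest score."""
    dist = hops_from(entry_zone, flows)
    rows = []
    for a in assets:
        hops = dist.get(a["zone"])
        reach = 0.0 if hops is None else 1.0 / (1 + hops)
        findings = asset_findings(a, vuln_db)
        score = max((f["severity"] * f["exploitability"] * reach for f in findings), default=0.0)
        rows.append({"id": a["id"], "zone": a["zone"], "hops": hops,
                     "findings": [f["id"] for f in findings], "score": score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def zone_scores(rows):
    """Worst asset score per zone, for a zone-level view of risk."""
    zones = {}
    for r in rows:
        zones[r["zone"]] = max(zones.get(r["zone"], 0.0), r["score"])
    return zones


def without_flow(flows, src, dst):
    """Model a compensating control: the flow src->dst is blocked (e.g. by a
    firewall rule) until a maintenance window allows patching."""
    return {z: [n for n in nxt if not (z == src and n == dst)] for z, nxt in flows.items()}


if __name__ == "__main__":
    ranked = score_assets(ASSETS, VULN_DB, FLOWS)
    for row in ranked:
        print(row)
    print(zone_scores(ranked))
    # Re-score after blocking supervisory -> cell-1 as a compensating control.
    print(score_assets(ASSETS, VULN_DB, without_flow(FLOWS, "supervisory", "cell-1"))[0])
```

With the constructed data, the unpatched PLC in cell-1 ranks first despite being three hops from the enterprise zone, the HMI one hop closer ranks second, and the PLC on fixed firmware and the historian with no known flaws score zero. Blocking the supervisory-to-cell-1 flow drops the PLC's score to zero without touching the device, which is the kind of tradeoff the text describes when a patch must wait for a maintenance window.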

Reducing risk

The Executive Order unequivocally states that now is the time for bold changes – not incremental improvements – to defend the institutions that underpin our way of life. Once you have understood and prioritized risks, you are ready to take the appropriate actions to protect your industrial operations.

Actions: Until a patch can be administered, focus on vulnerable communication flows and apply additional verification or other compensating controls to network traffic. A growing number of industrial cybersecurity professionals are applying the Zero Trust model in an OT context. This entails continuously verifying and authenticating all users, internal or external, their location, and other data to determine whether to trust the user, machine, or application seeking access. The ability to implement and enforce authentication policies along these lines can drastically reduce the risk of actions, unintentional or malicious, that could threaten the safety, reliability, and/or availability of industrial environments. Additionally, secure remote access solutions with strict controls over sessions provide offsite access to OT environments while minimizing the substantial risks introduced by remote workers. 
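The Zero Trust remote access policy described above (continuously verifying the user, the device, where the session comes from and what it is allowed to do before granting access) can be written as an explicit decision function. The following Python is an added illustration, not code from this column or from any secure remote access product: the roles, zones, maintenance window, session caps and the sample requests are all constructed. Every check has to pass, a state-changing action on the process is confined to an approved maintenance window, and the granted session is capped both by the role and by the remaining window time.

```python
"""Zero Trust style decision for a remote session into an OT zone.

Added illustration, not the column's code nor any vendor's product.
Roles, zones, maintenance windows and the requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed role policy: reachable zones, permitted actions, session cap.
ROLE_POLICY = {
    "vendor-maintenance": {"zones": {"cell-1"}, "actions": {"read", "firmware-update"},
                           "max_minutes": 60},
    "process-engineer": {"zones": {"supervisory", "cell-1", "cell-2"},
                         "actions": {"read", "setpoint-change"}, "max_minutes": 240},
    "auditor": {"zones": {"supervisory"}, "actions": {"read"}, "max_minutes": 120},
}
# Constructed approved maintenance windows per zone (UTC start, end).
MAINTENANCE_WINDOWS = {"cell-1": (datetime(2021, 6, 12, 2, 0), datetime(2021, 6, 12, 6, 0))}
# Actions that alter the process and are therefore confined to a window.
CHANGE_ACTIONS = {"firmware-update", "setpoint-change"}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    via_gateway: bool      # brokered through the secure remote access gateway
    target_zone: str
    action: str
    requested_minutes: int
    at: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    granted_minutes: int = 0


def evaluate(req, role_policy=ROLE_POLICY, windows=MAINTENANCE_WINDOWS):
    """Every check must pass. All failing checks are reported together so the
    operator sees what to fix; the session is capped by role and by window."""
    reasons = []
    policy = role_policy.get(req.role)
    if policy is None:
        reasons.append(f"unknown role {req.role}")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if not req.via_gateway:
        reasons.append("direct connection bypasses the remote access gateway")
    if policy is not None:
        if req.target_zone not in policy["zones"]:
            reasons.append(f"role {req.role} not permitted in zone {req.target_zone}")
        if req.action not in policy["actions"]:
            reasons.append(f"action {req.action} not permitted for role {req.role}")
    window = windows.get(req.target_zone)
    in_window = window is not None and window[0] <= req.at <= window[1]
    if req.action in CHANGE_ACTIONS and not in_window:
        reasons.append(f"{req.action} in {req.target_zone} outside an approved maintenance window")
    if reasons:
        return Decision(False, reasons)
    granted = min(req.requested_minutes, policy["max_minutes"])
    if req.action in CHANGE_ACTIONS:  # the session may not run past the window
        granted = min(granted, int((window[1] - req.at).total_seconds() // 60))
    return Decision(True, ["all checks passed"], granted)


def sample_requests():
    """Constructed requests used for the demonstration."""
    base = dict(user="vendor-tech", role="vendor-maintenance", mfa_verified=True,
                device_compliant=True, via_gateway=True, target_zone="cell-1",
                action="firmware-update", requested_minutes=90)
    return {
        "vendor-in-window": AccessRequest(**base, at=datetime(2021, 6, 12, 3, 0)),
        "vendor-late-window": AccessRequest(**base, at=datetime(2021, 6, 12, 5, 30)),
        "vendor-off-hours": AccessRequest(**base, at=datetime(2021, 6, 12, 10, 0)),
        "vendor-no-mfa": AccessRequest(**{**base, "mfa_verified": False},
                                       at=datetime(2021, 6, 12, 3, 0)),
        "engineer-read": AccessRequest("eng-01", "process-engineer", True, True, True,
                                       "cell-2", "read", 300, datetime(2021, 6, 12, 10, 0)),
        "auditor-setpoint": AccessRequest("aud-01", "auditor", True, True, True, "supervisory",
                                          "setpoint-change", 30, datetime(2021, 6, 12, 10, 0)),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The point of returning every failing reason rather than the first one is operational: a vendor whose session is refused at 3 a.m. should be told at once that MFA was missing and that the action is outside the window, instead of fixing one and being refused again. Deny-by-default with explicit reasons is also what makes the decision auditable after the fact.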

The NSA acknowledges, “While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems.” Fortunately, with the ability to create and maintain a current asset inventory, and to understand and prioritize the risks to those assets, you can proactively take steps to protect your industrial environment.

Protect is the second of four essential pillars of industrial cybersecurity. In subsequent articles, I’ll discuss the two remaining pillars – detect and connect.
