
Protect: The Second Pillar in Your Journey to Improve Industrial Cybersecurity Posture

Over the last year, the National Security Agency (NSA) ramped up its warnings about the risks of connecting industrial networks to IT networks, issuing two cybersecurity advisories, the most recent just 10 days prior to the Colonial Pipeline disruption. Now, with the stakes raised and proof that our critical infrastructure is an easy target, the U.S. government is taking immediate action. The White House issued an Executive Order specifically focused on protecting IT and operational technology (OT) networks. And the Transportation Security Administration (TSA) is mandating incident-reporting procedures and hardened cybersecurity practices from pipeline owners and operators, many of whom operate privately within this critical infrastructure sector.

The disruptions to critical infrastructure in the last few months – including Colonial Pipeline, JBS, and others – further solidify that the risk of ransomware is real for everyone. No industrial operation is immune. Wherever you are on your industrial cybersecurity journey, the important thing is to start strengthening cyber defenses and resilience now.

Previously, I wrote about visibility into industrial environments as the starting point – what it encompasses, why it is often challenging, and how you can overcome these challenges. With visibility you have a springboard to comprehensive security, beginning with protection. With an always up-to-date asset inventory, you can tackle inherent critical risk factors, from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote access mechanisms. This requires understanding risk so you can prioritize and reduce it. 

Understanding risk

Some risks are more straightforward to deal with, such as providing remote workers with access to your organization’s industrial environment for asset maintenance or process management and optimization. Without OT-specific remote access controls in place, you’re exposing your organization to risk unnecessarily. But other risks need to be analyzed within the context of your unique environment to determine the right actions to take to reduce industrial cyber risk. 

Actions: Every industrial environment has more vulnerabilities than could ever be mitigated, which is why you need to map your asset inventory against a comprehensive database of security flaws present in specific asset models. Next, you need to assess how feasible it is for an adversary to exploit that flaw and further infiltrate your network to damage or disrupt operations. With asset risk scoring capabilities that provide nuanced risk assessments for individual assets, zones, and even across industrial sites, you can gain a deep understanding of risk and the tradeoffs involved as you determine your risk mitigation strategy.

Prioritizing risk

No organization has the resources, bandwidth or permissible downtime required to fully mitigate every risk it faces. And even if it did, it wouldn’t be a wise way to spend these precious resources. This is especially true for industrial environments, where availability or uptime is directly tied to the bottom line. The risk of disruption and downtime to implement a new security control, patch or system upgrade is often a non-starter. Not to mention that making changes to the multimillion-dollar systems that run production environments usually voids warranties.

Actions: You need to be able to prioritize the vulnerabilities and other security weaknesses that need to be addressed immediately, as well as those that can be managed using a compensating control, either indefinitely or until a maintenance window allows for patching. With the ability to map how a potential attack could play out against your industrial environment, including every possible type of communication and pathway, you can prioritize and identify best next steps for remediation.
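The two "Actions" steps above (match the inventory against known flaws, then prioritize by whether a permitted communication path reaches the asset and whether it can be patched now) can be sketched as follows. This is an added example, not code from the author or any vendor; the asset names, models, advisory IDs, zones and the triage rule are all constructed assumptions.

```python
from collections import deque

# Constructed sample data; names, models and advisory IDs are placeholders.
ASSETS = [
    {"name": "hmi-01", "model": "HMI-X", "fw": "2.1", "zone": "dmz", "patchable_now": True},
    {"name": "plc-07", "model": "PLC-A", "fw": "1.4", "zone": "control", "patchable_now": False},
    {"name": "plc-09", "model": "PLC-A", "fw": "1.6", "zone": "control", "patchable_now": False},
    {"name": "sis-02", "model": "SIS-Q", "fw": "3.0", "zone": "safety", "patchable_now": False},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "model": "PLC-A", "affected_fw": {"1.3", "1.4"}},
    {"id": "ADV-EXAMPLE-2", "model": "HMI-X", "affected_fw": {"2.0", "2.1"}},
    {"id": "ADV-EXAMPLE-3", "model": "SIS-Q", "affected_fw": {"3.0"}},
]
# Permitted zone-to-zone communication flows (directed), also constructed.
FLOWS = {"enterprise-it": ["dmz"], "dmz": ["control"], "control": [], "safety": []}

def hops_from(start, flows):
    """Breadth-first search: fewest permitted flows from start to each zone."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, []):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist

def triage(assets, advisories, flows, entry="enterprise-it"):
    """Return (asset, advisory, hops, action) rows, most exposed first."""
    dist = hops_from(entry, flows)
    rows = []
    for a in assets:
        for adv in advisories:
            if adv["model"] != a["model"] or a["fw"] not in adv["affected_fw"]:
                continue  # this advisory does not apply to this asset
            hops = dist.get(a["zone"])  # None: no permitted path from entry
            if hops is None:
                action = "schedule for maintenance window"
            elif a["patchable_now"]:
                action = "patch now"
            else:
                action = "compensating control until maintenance window"
            rows.append((a["name"], adv["id"], hops, action))
    # Reachable findings first, closest to the entry zone at the top.
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0))

if __name__ == "__main__":
    for row in triage(ASSETS, ADVISORIES, FLOWS):
        print(row)
```

A real deployment would replace the hop count with the richer per-asset risk score the article describes; the structure of the decision stays the same.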

Reducing risk

The Executive Order unequivocally states that now is the time for bold changes – not incremental improvements – to defend the institutions that underpin our way of life. Once you have understood and prioritized risks, you are ready to take the appropriate actions to protect your industrial operations.

Actions: Until a patch can be administered, focus on vulnerable communication flows and apply additional verification or other compensating controls to network traffic. A growing number of industrial cybersecurity professionals are applying the Zero Trust model in an OT context. This entails continuously verifying and authenticating all users, internal or external, their location, and other data to determine whether to trust the user, machine, or application seeking access. The ability to implement and enforce authentication policies along these lines can drastically reduce the risk of actions, unintentional or malicious, that could threaten the safety, reliability, and/or availability of industrial environments. Additionally, secure remote access solutions with strict controls over sessions provide offsite access to OT environments while minimizing the substantial risks introduced by remote workers. 

The NSA acknowledges, “While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems.” Fortunately, with the ability to create and maintain a current asset inventory, and to understand and prioritize the risks to those assets, you can proactively take steps to protect your industrial environment.

Protect is the second of four essential pillars of industrial cybersecurity. In subsequent articles, I’ll discuss the two remaining pillars – detect and connect.

Yaniv Vardi is CEO of Claroty, an operational technology (OT) security company. Prior to Claroty, he served as the Global Managing Director of Centrica Business Solutions, International, managing eight countries and expanding the company’s proposition mainly in Europe, South America, and Asia Pacific into a significant business. Before Centrica, he was CEO of Panoramic Power, a global pioneer in energy management solutions for global C&I customers, which was acquired by Centrica. Previously, he was Co-founder and Managing Director of Sparta Systems EMEA, where he successfully drove its operations to be the leading provider of QMS in the Life Science industry, resulting in a successful acquisition. Based on his wealth of experience, Vardi brings vital knowledge of operational direction and strategies as a board director and chairman in different companies in Israel, Europe, and the United States. He graduated Magna Cum Laude from the New Jersey Institute of Technology, majoring in Industrial and Management Engineering and Management of Information Systems, and served in the Israeli Air Force for five years.