Organizations Must Understand Their Environments and React Immediately When Something is Amiss
The risk created by the proliferation of industrial IoT (IIoT) is rising, thanks to the continued mismanagement of third-party involvement in sensitive industrial environments. New third-party smart sensors and devices, not to mention the services that accompany them, are not always under the purview of the hosting organization — opening the door for intentional and unintentional threats.
So how do we address some of the security problems a third-party ecosystem presents?
The Third-Party Risk
To better understand the risks posed by third-party vendors, consider something basic like maintenance and support. Maintaining and supporting operational technology (OT) implies regular software updates and maintenance. This means that third-party service providers may have access to your company’s network diagrams, asset lists, personnel information and more. They likely even have admin credentials, sometimes with remote access, in order to do their job.
But none of this ensures oversight.
Your third-party maintenance and support service provider may sign in remotely, come in and out after hours, and bring in devices like thumb drives — to name just a few security headaches waiting to happen. If you or your service provider don’t have a clear risk management policy, these seemingly innocuous events can quickly turn into operational and business nightmares.
If this sounds hypothetical, it’s not. Target was breached via its HVAC system during routine maintenance, Equifax was compromised after using third-party software. And in terms of critical infrastructures, the control rooms of U.S. electric utilities were breached via third-party credentials.
As the Wall Street Journal reported last summer, “The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, ‘air-gapped’ or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.”
It took just one careless third-party vendor to compromise a critical utility that could have caused widespread chaos if it were taken down. Fortunately, all it takes is some due diligence to mitigate this risk.
Mitigating the Third-Party Ecosystem Risk
Start by understanding your exposure. What makes your company or organization an attractive target? Do all assets fall under the right standards, governance and monitoring processes? Do you have a view of all your third-party dependencies? If you can’t answer these questions, you already have a problem. If you can, you can move on to taking the right security steps.
When you know the potential risks, you can prioritize which systems to protect based on the potential impact they could incur if compromised. This will also help you map out a plan for how to reach a more secure state down the road.
Beyond asset control and management, focus on permissions and credentials. In OT environments, credentials are often set up without much security protection. There is often an intention to review these permissions, but it almost never happens. Sometimes those credentials remain valid months or years after they’re no longer in use, or even if the vendor is no longer in use.
Also, consider the devices and applications vendors could bring onto your network, and develop a control policy or deny them access entirely. Vendors often need to install applications for testing, or to handle specific problems. In some cases, vendors may perform job functions using unapproved applications and devices, which may call on insecure protocols, or use inadequate security controls.
Ultimately, it all comes down to clear oversight and control. OT assets, particularly in critical infrastructure, can lead to a lot of damage if compromised. No system or process is entirely secure, but you can make sure to understand your environment and react immediately when something is amiss.