Security Experts:

You Know You're at Risk, Now What?

Last month, in The War Few are Talking About, I described industrial cyberattacks as a form of “economic warfare” designed to advance geopolitical agendas. Just as the world came to recognize IT cyberattacks as a new form of profit-driven crime, we must now recognize our global industrial and critical infrastructures are potential targets (either intended or collateral) in a 21st-century war being waged by very motivated and capable adversaries.

The Storm is Building, What Are You Going to Do About It?

I and many others have previously discussed the state-sponsored Triton and NotPetya attacks, the Russian infiltration of U.S. energy facilities outlined in FBI/DHS Alert TA18-074A, and other such incidents, and evidence of the war is continuing to build. Last month, Symantec reported a sophisticated (and successful) infiltration of control systems at satellite operators, defense contractors, and telecommunications companies from computers in China. Based on the report, the attacks were a coordinated espionage campaign designed to intercept military and civilian communications. With control of the compromised systems, the actors could also change the position of orbiting satellites and disrupt data traffic.

I share this with you not to spread fear, but to illustrate the points that the world’s industrial apparatus is a target, its security has been neglected, and we must move more quickly in protecting it. Securing these complex environments is not as easy as ABC; it takes time, investment, and a commitment from executive management. So, this begs the question: what can you do immediately to reduce your risk?

Every Journey Begins with the First Step

I’ll outline 7 steps you can take starting today to put your organization on the path toward better situational awareness and risk reduction. 

1. Acknowledge the reality. You already understand that your OT environment is essential to your operations, but you must also recognize those networks carry strategic importance to the adversary – they are critical to your operation, their failure could create widespread disruption, and they are therefore an attractive target. With that recognition, you must make an honest assessment if the security posture of your ICS networks is proportionate to their value as a target. For decades, the security agenda and investment within most enterprises has been driven by protecting the data stored in IT systems, and OT environments have been comparatively neglected. IT cybersecurity solutions don’t work in OT networks, and those networks are likely invisible to your security team and more exposed than you realize.

2. Ask the tough questions. Driving change in your organization starts with asking some hard questions, and may very well lead to some uncomfortable answers. Who has the responsibility and accountability to monitor and protect the ICS networks? Are the right security and operational teams collaborating? Have those teams even met to discuss the ICS cyber strategy? Have you done a risk assessment of those networks to understand and prioritize your security gaps? Is the organization’s leadership aware of the exposure?

3. Identify your blind spots. The absence of evidence is not the same as evidence of absence of malicious actors in your networks. Don’t assume that because systems are operating, there are no underlying security issues. Any adversary trying to infiltrate your network will want to maintain the perception of normal operations. Be honest about what you know (not what you believe, but what you know) and what you don’t know about your OT environment. Discover where your blind spots are and quantify the implications.

4. Cover the basics, again. Start improving the organization's visibility and understanding of risks to the OT environment – even if you cannot address them all in the short term. Audit your network segmentation. I believe really solid segmentation is one of the most important things asset owners can do to protect their OT environment. And when I say segmentation, I’m speaking not just about segmentation between the IT and OT networks, but also segmentation within the OT network environment. The former can make it harder for attackers to get into the OT network and greatly reduces the chance of “spillover” damage from an attack on the IT network. The latter can make it much more difficult for an attacker to “move laterally” if they do happen to establish a footprint on the OT network. 

5. Make your OT networks visible. One of the most fundamental issues preventing many companies from effectively securing their OT environments is a lack of visibility into the structure of their ICS networks. As the handful of organizations that are at the forefront of providing visibility into those networks can attest, deploying purpose-built network monitoring routinely finds connected endpoints that nobody on the security team knew about, or they were not expected to be connected to a particular network, or they are communicating in unexpected ways, etc. Obviously, it’s impossible to protect what you can’t see. So, adopt technologies that provide visibility into all levels of your OT networks, down to serial / fieldbus connectivity, and incorporate that visibility and OT-specific threat detection into your IT SOC.

6. Expand your IR and governance. You must manage cyber risk holistically and that means applying the same monitoring, managing, and reporting rigor to both your OT and IT environments. The first priority is to ensure there is an individual accountable for the security of OT systems. It can’t be just anyone, it has to be someone who already has, or can engender the respect of the operations teams, and someone who can push things forward. Cybersecurity has always been “a journey, not a destination,” and having a strong leader that is accountable for moving the needle in the right direction is a must. Who this person reports to is a question that is often asked. I believe the reporting structure matters less than their leadership and ability to move the agenda forward. Thus, I’ve seen successful organizations with the OT security lead (whatever the title) reporting to the CISO and a dotted line to the operations executive, and vice versa. 

7. Educate your executives and board on the impact of a potential breach. Related to step 6, as the leaders of the company, your board and executive staff have a legal responsibility to manage risk to the business. But, while visibility of industrial cyber risk is increasing every day, many business leaders still don’t know what they don’t know. You understand the technical risk; by giving your leadership visibility into that risk and how it translates into business impact, you can help to drive change. Visibility drives understanding, understanding drives urgency, and urgency drives action.

It’s Okay If You Don’t Have All the Answers

Winston Churchill said, “perfection is the enemy of progress.” In assessing industrial cyber risk and prioritizing your remediation steps, it can be difficult to even determine where to begin. Starting with the immediate steps above will result in the best ratio of risk reduction to effort invested and get your organization moving on the path. Don’t wait for the complete or perfect solution; begin with this and iterate from there. The most important thing is to get started now.

view counter
Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.