As manufacturing relies more and more on remote access and automation, cyber hygiene continues to be one of the top challenges in securing manufacturers across the nation.
In light of several major supply chain disruptions across manufacturing sectors, the Biden Administration recently announced the creation of a Supply Chain Disruptions Task Force to strengthen critical supply chains and address cyber vulnerabilities. When a supply chain breaks down, the consequences can be devastating and far-reaching, as experienced with the Colonial Pipeline ransomware attack. Despite this, critical infrastructure systems often aren’t afforded cyber protection commensurate with their importance.
Industries like manufacturing are primary targets for these attacks due to their vital importance, including being embedded within the supply chains of multiple critical infrastructure sectors like healthcare, energy and transportation. As a result, manufacturers are an attractive target for bad actors motivated by a desire to cause harm, steal intellectual property and seek financial gain. The potential consequences of a manufacturing industrial control system being compromised are severe. They include damage to IT and OT systems, physical damage to plants, danger to employee health and safety, environmental impacts, downtime, harm to those downstream in the supply chain and loss of product reliability and integrity.
As manufacturing relies more and more on remote access and automation, cyber hygiene continues to be one of the top challenges in securing manufacturers across the nation. So, what should manufacturers consider when it comes to securing remote access in today’s world?
The expanded OT attack surface
Consolidating operational technology (OT) environments with information technology (IT) networks expand the OT attack surface and makes these integrated ecosystems considerably more challenging to secure. The rise of smart manufacturing, Industry 4.0 technologies and direct communication channels to cloud services has also exponentially accelerated the connectivity between IT and OT systems. Many factories are deploying IoT technologies that support production but are not immediately embedded within processes. These include building and facility management controls (such as smart lighting and thermostats) and worker health and safety monitoring systems. Many manufacturers are now challenged to maintain visibility into technology environments that include a heterogeneous mix of IT, OT and IoT systems. This large attack surface creates a more attractive target for cybercriminals.
The flawed use of IT security programs in OT environments
The OT ecosystem was previously thought of as a “walled garden” isolated from the rest of an organization’s computing systems and networks. This belief was really a fallacy, as the interconnection of OT systems to production management systems, maintenance systems and operations support have existed for over a decade. However, the convergence of IT and OT environments introduced new risks into the OT ecosystem. Many companies have been tempted to import their more mature IT cybersecurity infrastructures, processes and resources into OT environments as a solution rather than those built explicitly for OT use.
Unfortunately, the use of IT-based security infrastructures and processes in OT environments has proven less than ideal. IT technologies are often incompatible with OT hardware and equipment. OT system lifecycles may also be several times longer than those of IT hardware solutions, with industrial control systems (ICS) sometimes remaining in use within a production environment for 20-25 years. In addition, IT security strategies have tended to prioritize detection and rapid mitigation, but this approach is inappropriate in OT environments, where safety and reliability are of the utmost importance. Further, IT security strategies have focused on the ranked prioritization of confidentiality, integrity and availability of systems, whereas OT systems are prioritized around safety, integrity, and the availability of systems.
How to protect the unique OT environment
Traditionally, air gapping was considered the best security measure to protect OT environments, but the isolation of industrial networks is no longer proving to be an effective measure. Securing OT systems against modern threats requires well-planned and well-implemented strategies that will provide defense teams the chance to quickly and effectively detect, counter and expel adversaries.
Industrial organizations that are currently asking their existing IT security teams to protect their OT assets should consider supplementing these resources with additional dedicated OT specialists. Technologies such as IP ranges, virtual local area networks (VLANs), or micro-segmentation of IT and OT network traffic are becoming more popular to protect against OT-focused attacks.
Physically separate corporate IT and OT domains, logically segment networks, and isolate critical parts of the network from untrusted networks, especially the internet. Strategies such as establishing “industrial-demilitarized zones” (I-DMZs) and data warehousing can help facilitate a secure buffer zone where services and data can be shared and transferred between SCADA systems and business networks.
It’s also essential to deploy monitoring tools such as intrusion detection/prevention systems (IDS/IPS), network access controls and identity awareness systems and logging on all systems if possible. Locking down all unused ports and services on routers, switches, and network daemons while ensuring default configurations and passwords are not used will harden these devices against adversaries. Monitoring the peer-to-peer nature of communication of OT systems is vital in establishing baselines and detecting deviations.
Designing an effective OT security architecture requires a risk model that maps precisely to the functional requirements of these complex systems and provides a holistic image of the potential real-world consequences of compromise. Look into adopting digital twins to assist in cybersecurity programs. A digital twin is a virtual model of a process, product or service. The pairing of the virtual and physical worlds allows simulation and analysis to head off problems before they occur, prevent downtime and plan for the future.
All manufacturers should also have a comprehensive cyber incident response plan in place that includes proactive and reactive measures to help prevent incidents and better allow the organization to respond when one does occur. This planning should include establishing a supply chain management program to ensure uniform cybersecurity policies and practices with contractors and third-party vendors. Internally, it’s crucial to have training and awareness programs that improve knowledge and vigilance by instilling an awareness of the current threat landscape among all employees. Perhaps even more critical is the establishment of a disaster recovery and business continuity plan, which includes testing backups of critical OT systems and desktop exercises that test your response plan. This can often lead to the best option to defending against ransomware attacks.
The challenge of securing the complex OT environment can seem overwhelming. Still, the good news is that among leaders of industrial organizations, awareness of the severity of OT cybersecurity risks is on the rise and a growing number are willing to commit increased resources to manage these risks. There’s also increased interest in industry-wide initiatives such as knowledge sharing and the use of risk-based frameworks. For these reasons, industrial companies are becoming more confident about their readiness to face an OT cybersecurity attack. Nonetheless, the threats remain far-reaching, and much work remains to be done to improve cyber resilience across the industry.
This article was originally featured in SDC Executive.
The recent cyber-attacks against Florida Water Plant and Colonial Pipeline are part of a growing trend. IT and OT are converging, rendering these environments more vulnerable than ever. As cyber-attacks increase against critical infrastructure and Scada systems, the focus on regulatory compliance grows. All well and good – we need to have standards to make sure our cybersecurity and data privacy system are built on a solid foundation. When organizations meet regulations, it can build a positive reputation with customers, vendors, and prospective clients. However, if regulatory compliance is not met and a data breach ensues, the organization can suffer a number of consequences ranging from financial penalties and reputational loss to sanctions and even potential jail time for executives.
Because regulatory compliance is always evolving and new standards introduced, implementation can be daunting. Managing compliance requires well-defined policies and action plans, which should include the following 5 steps.
Step 1: Designate a person or team to take charge of compliance.
Most organizations must comply with multiple yet disparate regulatory requirements pertaining to data security and privacy. The type of compliance may depend on the business function or it needs to be applied across the entire company. By designating a compliance administrator or team, there will be singular oversight of compliance management across the organization.
The administrator or team is responsible for coordinating the compliance program for business operations and each department, as well as handling any compliance issues as they arise. They are charged with on staying on top of any changes to current regulations and implementing any new laws. Having someone responsible for compliance management is a proactive measure that ensures the organization is able to address threats and risks in a timely and effective manner.
Step 2: Have departments work together on compliance and cybersecurity.
Meeting compliance requirements requires cooperation between the different departments across the organization. These departments often have competing priorities, so they operate in their silos, resulting in duplicated efforts and loss of productivity. The compliance administrator or team serves as bridge between the different departments and builds a unified front to handle compliance requirements. They can establish a communication channel that would enhance productivity and overall efficacy of the departments and the compliance program.
Step 3: Embed agility into your compliance program.
Organizations can enforce regulatory compliance mandates through a compliance program that ensures all requirements are continuously and comprehensively met. To be most effective, the compliance program must be built for agile and streamlined compliance. Flexibility can be embedded through a framework that help merge diverse and divergent regulatory requirements to common control groups. At the same time, the program must be robust enough to instill the enforce the same security regulations all third-party vendors and contractors.
Step 4: Ensure your employees understand the importance of compliance and security.
No matter their job function in the organization, every employee has a role to play in the organization’s regulatory compliance efforts. Project and product owners must accommodate regulatory changes and adapt requirements appropriately without impact to project timelines and cost. Security and compliance awareness training should be required for everyone in the organization. Training ensures all employees understand the importance of regulatory compliance and how it impacts their day-to-day jobs. Regular updates and trainings also prepare them to accept changes and adapt continuously to evolving risks.
Step 5: Automating regulatory compliance monitoring.
Without an integrated view of activities, tracking compliance across multiple business departments, functions and locations is nearly impossible. The compliance program should include automation designed to monitor for security and compliance across a variety of network infrastructures, devices and applications. Monitoring should be under the purview of the compliance administrator or team.
Implementing and managing regulatory compliance is a challenge. As organizations continue to adopt a digital transformation, meeting compliance regulations becomes both more difficult and more urgent. Putting together a solid compliance program, led by a designated administrator or team, goes a long way to improve the organization’s security posture. You can find out more about how Kudelski Security helps leaders protect their OT/ICS environments on our website.
Colonial Pipeline, Oldsmar incidents highlight the challenge of securing older operational technology systems
Critical infrastructure is vital to the functioning of modern societies and economies, yet often these systems are not properly protected or are easily accessed and exploited, and thus remain a key target for threat actors. Although awareness around the severity of operational technology (OT) cyber risks is on the rise, the fact is, OT environments remain vulnerable.
In the first few months of the year, we’ve already seen news of several vulnerabilities in the sector exploited, such as the Florida water plant breach and most recently, the ransomware attack on Colonial Pipeline, one of the United States’ most critical fuel pipelines.
Given the longevity of the systems and technology implemented in industrial settings, security has historically been relegated to a second tier of priorities compared to uptime, reliability and stability. It comes as no surprise that 56 percent of the world’s gas, wind, water and solar utilities experience at least one shutdown or operational data loss per year, according to a Ponemon Institute report. That number has likely grown because of the pandemic, as many organizations weren’t prepared for remote management of critical systems. In fact, although leaders agree on the importance of remote access, Claroty reported last year that 26 percent of organizations struggled with the newly dispersed workforce and 22 percent did not have a pre-existing secure remote access solution that is secure enough for OT.
As OT environments continue to evolve in the face of new potential disruptions, it is time for leaders to prioritize security and understand implications so they can act to protect their organizations and nations’ critical infrastructure.
Learn more about the importance for OT cybersecurity in the Energy, Oil and Gas Industry by downloading our eBook
Understanding the New OT landscape
In the past few years, we have seen a convergence between OT and IT-based security infrastructures and processes. However, as we saw in the Colonial Pipeline attack, these integrated ecosystems have become considerably more difficult to secure, from misconfiguration, vulnerable hardware/software components and poor cybersecurity practices to the lack of visibility into connected assets and poor network segmentation.
Beyond the OT-IT environment convergence, the pandemic pushed many organizations to alter their cybersecurity processes to accommodate the new needs of remote work. However, adversaries quickly realized that targeting workers at home provided a viable path into OT networks, and turned to exploiting work from home, leveraging unpatched virtual private network (VPN) systems, interconnected IT and OT environments, and exploiting vulnerabilities in legacy Windows and OT systems.
OT has fast become a prime target for motivated and well-resourced threat actors who continue to redesign their tactics to penetrate new and enhanced security measures. In fact, 2020 saw a significant increase in exploitable vulnerabilities in OT. ICS-CERT advisories increased by more than 32 percent last year compared to 2019, and more than 75 percent of advisories were about “high” or “critical” severity vulnerabilities. Threat actors are also using ransomware campaigns to target OT environments because they understand how mission-critical these environments are. For example, if a pipeline carrying 45 percent of the United States’ East Coast’s fuel is shut down, it costs the pipeline operator millions of dollars per day.
The specialized and mission-critical nature of OT infrastructure technologies means that most security and threat intelligence solutions don’t have visibility into potential vulnerabilities, let alone the ability to defend against attacks.
Preventing and Mitigating Risks
So, what can be done to enhance security in today’s OT landscape? To protect, prevent and mitigate risks, there are several important steps organizations can take to improve their security posture.
- Implement a risk management program: OT is built around complex systems that oftentimes are not properly tracked in traditional asset management systems. Designing an effective OT security program requires a risk model that specifically maps the functional requirements of these systems while providing a holistic image of the potential real-world consequences of compromise. As part of the program, organizations that leverage the Purdue Model should ensure they’re documenting the number of traffic flows between levels, especially if the flow is across more than one Purdue level.
- Build a cyber incident response plan: If there was something we should have learned from the COVID-19 pandemic, it is that we need to be ready for anything. A comprehensive cyber incident response plan that includes both proactive and reactive measures is required to help prevent incidents and better allow the organization to respond if one does occur. Make sure to print the response plan and have it handy. What happens if the systems that store your incident response plan are encrypted or unavailable due to an attack?
- Protect third-party remote access: Organizations regularly rely on third-party vendors to complement their business; however, many do not have uniform cybersecurity policies and practices. Many OT sites even have third party vendors regularly conduct maintenance via remote access technology, which creates exploitable weaknesses in the operations chain. Establishing a supply chain management program that vets external vendors’ security standards and provides better control of third-party access is critical to reducing the risks third parties introduce.
- Enhance system monitoring procedures: It is no longer enough to simply build a network with a hardened perimeter. Securing OT systems against modern threats requires well-planned and well-implemented strategies that will allow defense teams to quickly and effectively detect, counter and respond to adversaries. At a minimum, corporate IT and OT domains should be physically and logically separated, networks must be segmented, and critical parts of the network isolated from untrusted networks, especially the internet. It is also important to deploy monitoring tools such as passive intrusion detection systems (IDS) specifically designed for OT environments. Passive systems are key because proactive systems may present false positive detection that could lead to downtime of critical systems.
- Develop informed security controls: To establish the required controls, we have to start with an asset inventory. Once the assets have been identified, organizations at a minimum need to implement the security features provided by device and system vendors. However, to deal with some critical vulnerabilities, we recommend turning on security features that apply Common Industrial Protocol (CIP) security controls, a fairly universal standard. Many PLC vendors also have physical switches on their appliances that prevent the changing of the PLC’ configurations, which should be used appropriately. We see many plants and OT sites with these switches always set to “config mode,” which allows for the PLC configuration to be changed (potentially by an attacker). These should be complemented with secure and hardened configurations (read/write protections, memory protection, etc.). Managing controls over time can be daunting and time intervals between OT system upgrades can be years long, so organizations need an effective change management program. The program should be able to identify compensatory controls that can be applied to remediate critical vulnerabilities that cannot be patched immediately. These controls can include a host monitoring system that detects and alerts when unauthorized changes are made to Human Machine Interfaces (HMIs), engineering workstations or to PLCs.
- Establish audits and security assessments: Finally, numerous factors affect the security of a system throughout its life cycle, so periodic testing and verification of the system are essential. Timely audits and assessments help eliminate the “path of least resistance” that an attacker could exploit.
This article was originally featured in Security Infowatch.
Hyperconnectivity of OT, ICS and SCADA environments has created an overlap between IT and OT environments, exposing formerly segmented systems to much wider attack surfaces. CISOs operating in newly or soon-to-be converged IT/OT environments, therefore, have a new charge — to integrate OT security into their existing security programs.
It’s critical, however, that security leaders think of this as one, holistic security program. Attackers have already begun to exploit the overlap between IT and OT systems , leveraging vulnerabilities in IT systems to reach critical OT systems and OT vulnerabilities to reach IT systems. The impact of such an attack has significant ramifications beyond exposure of sensitive information and customer data. It could result in financial losses due to production stopping and, even more damaging, could put the public at risk if, for example, water or energy supplies are compromised.
This post, which summarizes the session “Overcoming Industrial Security Challenges” from the 2021 European Cyber Summit , will provide CISOs with a roadmap for developing a holistic IT/OT security strategy that addresses the needs of each environment without negatively impacting processes and productivity.
The Impact of IT/OT Convergence on the Security Strategy
In the IT world, we’re already very familiar with the idea of hyperconnectivity and the protections required to enable business processes without compromising security. Because of this, it may be tempting to simply port these IT security practices into OT environments . This would be misguided, however, because OT environments are fundamentally different than IT environments and therefore require a much different approach to security.
OT environments are complex and specific. In other words, no two power plants, manufacturing plants, water treatment facilities, etc. are going to be the same. These environments will use proprietary hardware and software that is designed to enable very specific functions. This is somewhat of a double-edged sword when it comes to security. The more complex and specific the environment, the harder it is to attack. But it also makes it more difficult to secure. There will not be a one-size-fits all approach to OT security.
OT environments prioritize productivity and availability. Everything in the OT environment has been done in a way to enable process and assure productivity. Plants will run 24×7, which results in small and infrequent maintenance windows and limits the ability to apply updates or patch vulnerabilities. The security strategy will therefore have to account for the change-averse nature of the OT environment.
Devices in the OT environment have weak intrinsic protection levels. Until recently, devices in the OT environment were completely isolated and segmented from the outside world. Therefore, they had no need to be designed with network security in mind, and in many cases they cannot be updated without re-validating the entire system. Replacing OT infrastructure with IT systems or implementing IIoT connectivity and remote vendor access have broadened the attack surface, and because the platforms are not well protected, an attacker could take advantage of those intrinsic vulnerabilities.
How to Start the IT/OT Security Journey
Define the strategy.
During this initial step, the goal is to define how to run this joint effort between IT and OT. You will want to work with your OT stakeholders to establish what assets the security program will need to protect and who will be responsible for each aspect of the program.
It’s important to note that there is no one single strategy that will work for every IT/OT environment. It will depend on the business you are in, the current level of security maturity for processes and personnel, your risk appetite, your governance model, and your available resources (e.g. budget, staffing, 3rd party vendors).
Some of the ways we have seen customers implement their OT security strategies include:
- Delegate – Centrally define the OT security policy and goals and then delegate to the plants, including resource delegation.
- Improve Onwards – Define the OT security policy and choose a site for a proof of concept to test out security controls. Then apply that standard to every new site rather than retrofitting existing sites right away. That could perhaps be a second step.
- Big Plan – Define the OT security policy and develop a migration program for all sites. This is a huge undertaking, and the plan may need to be adapted for each site depending on the current maturity of the site.
The next step is performing an assessment of OT security risks. Run through scenarios to understand what the impact of certain risks to the OT environment might be. What would happen if your systems were hit by a ransomware attack? If an attacker steals data from your OT systems or if they were able to modify your OT processes in some way?
Identifying the real threats to your business will help you narrow in on what you need to protect against as well as inform your threat monitoring, detection, and hunting activities.
Establish communication channels between OT/IT.
Traditionally IT and OT teams have not worked together because they have different objectives, reporting structures, and operational models. OT prioritizes productivity and availability where IT prioritizes the secure transmission of data. OT will report into the CTO where IT will typically report into the CIO. IT often operates using a service desk model with frequent hardware and software updates. OT is resistant to system changes because of the potential impacts to validated processes.
All of this can make it difficult to translate the importance of managing IT security risks, but there are ways to establish a common language between the two teams. Host a joint workshop or offsite for stakeholders to share their experiences and get to know each other. Facilitate knowledge sharing around the OT terminology and priorities, and find ways to connect risks such as malware — which may not inherently mean much to an OT leader — to their operational impact (e.g. interruption of a process).
Turn it into a win-win.
Finally, express the IT/OT security strategy in a way that demonstrates how OT will benefit. This is not dissimilar to early conversations security leaders had to have (and still have) with their C-suite. Better security often results in higher reliability and availability of systems. It can improve control and visibility for the environment, and it can enable OT processes.
For CISOs impacted by Industry 4.0 and the digitization of OT environments, the time to embark on the OT security journey is now. OT environments are actively targeted by direct and indirect attacks, but the good news is there are many OT security solution providers out there, including Kudelski Security, who can help you protect your converged IT/OT environment.
Learn more about the increasing importance for OT cybersecurity across all industries in our e-Book. Click here.
Recent high-profile ransomware attacks on hospitals have once again demonstrated the vital importance of securing healthcare IT infrastructures. When cyberattacks have the potential to cause morbidity and even loss of life, it’s absolutely imperative to understand and mitigate vulnerabilities in the technology environment and cultivate the strongest cybersecurity posture possible.
Medical campus environments present a complex set of challenges and rapid digital transformation is pushing the boundaries. IT infrastructure is converging with operational technology (OT), which supports building management and operations, and also with IoT, which supports cameras, thermal cameras, biomedical engineering clinical devices and much more. With the expansion of the digital landscape, a rise in BYOD, and a growth in the number of workers moving outside the corporate network, the security perimeter has dissolved and the attack surface rapidly increased.
Learn more about the increasing importance for OT cybersecurity in the Healthcare Industry by downloading the ebook
Given the complexity of the cybersecurity challenges that hospitals and healthcare organizations face as IT and OT infrastructures converge, this is no easy task. Rapid digital transformation is collapsing the boundaries between IT networks and devices and technologies that were formerly separated by air gaps. These include OT underpinning building management and operations, Internet of Things (IoT) devices including thermal cameras, patient monitors and equipment trackers, as well as biomedical engineering systems supporting clinical devices. The global COVID-19 pandemic has further complicated the situation, coupling the recent expansion of the digital landscape with a great increase in work-from-home for non-essential workers and corresponding uptick in BYOD. The end result has been a swift expansion of the attack surface.
The convergence of IT and OT infrastructures is exposing healthcare IT infrastructures to the inherent vulnerabilities in these devices, some of which have little to no integrated security, and many of which are incapable of receiving firmware updates. In these environments, uptime and reliability are critical to patient care delivery models, which can make altering the clinical operational procedures to deal with potential cyberattacks a very disruptive proposition. Not all healthcare cybersecurity programs function at optimal levels of maturity, and not all have access to as many resources –budget and staffing – as they’d like.
Even as digital transformation amplifies the difficulties of securing healthcare IT systems, however, it’s still possible to make meaningful improvements that will reduce real-world risks. The key is to begin with a holistic view of your environment, balance compliance needs with actual operational readiness, and adopt a strategic approach. We’ve put together a list of the five most important tactics to pursue.
Best Practices for Securing Healthcare IT Infrastructures
Tip #1: Inventory Your Assets
Gain visibility into what’s connected to your network, including devices that aren’t considered part of traditional IT.
Understanding the security vulnerabilities that impact medical devices and networks supporting biomedical systems is difficult in and of itself. Healthcare CISOs must also consider the myriad of systems that support hospital operations outside of the clinical environment. These include everything from digital signage to heating, air conditioning and ventilation controls. They also incorporate physical security controls like badge readers and door locks. Ancillary support equipment designed to enhance patient experience, such as smart TVs, noise regulation systems and guest Wi-Fi networks, are usually present as well. Any of these connected devices might potentially have a vulnerability that an attacker could exploit.
A critical first step in improving your hospital cybersecurity posture is gaining visibility into all of these assets. How many systems and devices are connected to your network? Are any misconfigured? Is every device’s firmware up to date? Do any of them have vulnerabilities that appear on MITRE’s Common Vulnerabilities and Exposures (CVEs) list? Taking inventory allows you to recognize what might become a pivot point or threat vector exposing your broader environment.
Tip #2: Ensure Proper Network Segmentation
Operate mission-critical systems in separate network zones from those that are less essential.
Many healthcare organizations still operate relatively flat networks, leaving them vulnerable to attacks that move laterally across the environment after exploiting a vulnerability in a medical device or other operational technology (OT) system that’s inherently insecure. Medical device lifespans are typically much longer than those of IT hardware, so most older devices in use are likely to have been built before current FDA cybersecurity guidance came into force. These systems remain difficult if not impossible to secure with post-market modifications.
Putting network-level controls in place to build segmentation and enforce distinct zones for different device types should be an especially high priority for organizations lacking the budget to replace these types of devices.
Tip #3: Increase Governance
Make sure you have proper policies and procedures in place to deal with the changing threats across the cybersecurity landscape.
Increasing a healthcare organization’s cybersecurity maturity goes beyond implementing best-of-breed tools. It must also take into consideration operational and clinical processes are in line with cybersecurity best practices. It’s also paramount to identify the areas where you face the greatest risks and begin by making changes there first.
Key components of strong cybersecurity governance include:
- Developing incident response procedures. These should include detailed playbooks explaining what stakeholders will do in case of an incident or breach. Conducting tabletop exercises enhances preparedness.
- Employee education. Changes to clinical procedures are far more likely to be successful if employees understand their purpose and importance.
- Integrating compliance with broader risk management strategies. Though regulatory requirements such as GDPR, HIPAA and PCI cannot be ignored, compliance is only one facet of an overall security strategy.
Tip #4: Allocate appropriate resources for security
Without an adequate budget, you’ll encounter endless and near-insurmountable challenges.
Take a systematic approach to cybersecurity spending, prioritizing those investments that are likely to yield the best return in terms of risk reduction. Nonetheless, the operating costs involved in keeping your devices and network secure aren’t negligible. A certain minimum outlay — of money as well as effort — is required to make meaningful progress against the major cybersecurity issues in healthcare.
Tip #5: Maintain awareness of supply chains and the security posture of partners and vendors
Every connected device you bring into your environment has the potential to increase vulnerability, as does every vendor who handles your data or network.
Many medical devices, especially legacy systems, simply weren’t designed with security in mind. In addition, firmware updates intended to add features or functionality may inadvertently introduce security flaws. Keeping track of software, embedded microcontrollers and communication protocols can be challenging even for the device manufacturers themselves. For a hospital tasked with managing tens of thousands of devices, it’s a colossal undertaking.
That’s why choosing hardware that’s secure by design can result in a significant cost savings, even if device costs are initially higher. Ensuring that there’s a secure method of firmware update delivery is also important aspect when evaluating a vendor’s products. Cybersecurity needs to be engaged in vetting vendors at the procurement process.
A similar principle holds true if you’ve outsourced the management of a portion or the whole of your network to a third-party provider. If your hospital makes use of managed services, be certain you’re dealing with a quality vendor who relies on best-of-breed tooling and has a strong record for cybersecurity. It’s a good idea to include a security validation check within decision-making processes when ranking prospective providers. Be sure your MSP has the capability to effectively monitor your network in order to detect anomalous behavior quickly.
The convergence of IT/OT means OT environments are no longer “walled off” from the rest of the organization or even the rest of the world. Exposure to cybersecurity threats in these systems is growing, and a successful attack could be extremely damaging to production, safety, and system availability.
Managing security and risk in OT environments isn’t as simple as porting over IT security best practices into the OT system. In IT, we’ve had decades to mature our security practices and minimize exposure. But the need to manage risk is universal, and we must adapt our strategies for the OT environments that we’re charged with securing.
The following article is based on a webinar with Mark Mattei, Director of Kudelski Security’s U.S. MSS Operations and Eric Johansen, Security Operations Practice Lead and guests from Claroty, Grant Geyer, Chief Product Officer, and Justin Woody, Director Alliances.
Common Challenges in OT Security
When thinking about OT security strategies, it’s important to understand some of the fundamental differences between IT and OT systems. There are three key areas that call for a more nuanced approach to OT security.
- Risk management should include security risk, but recognize safety and availability are usually top of mind for the OT side of organizations. This leads to information security oftentimes becoming an afterthought – many simply do not have cybersecurity expertise in-house. Indeed, risk to an OT organization typically refers to business risk — e.g. disruption of production, safety issues, inefficient resource utilization, loss of revenue, etc. In order for security strategies to have traction and widespread adoption therefore, they must include the extra step of connecting security risk to business risk factors. Speak OT when you discuss cybersecurity – how you can increase visibility in a non-disruptive way via passive monitoring, for instance – to help evangelize change.
- OT technology obsolescence periods are much longer than IT. Legacy systems that have sometimes been in place for 20-25 years proliferate in OT environments. Compare that to the IT world where equipment rarely lasts more than five years. This results in outdated, diverse endpoints where patches aren’t available, or updates can’t be made due to low compute power. This results in cybersecurity controls becoming that much more critical for OT.
- Production environments run 24x7x365 – In IT security, maintenance windows are frequent, and systems can be updated with regularity. However, the 24×7 nature of OT environments leaves a very small window available for patching and reboots. Even then, there is hesitancy around making changes to a system that is critical to production.
These factors do not constitute insurmountable problems. If you are responsible for security in OT environments, below are six strategies that you can employ to mitigate risk.
Strategies for Managing Security in OT Environments
Strategy #1 – End User Awareness
Frame end user training in terms of business risk, rather than cybersecurity risk.
The same end user security threats in IT environments exist in OT environments — phishing attacks, weak passwords, lack of physical device security. However, the primary focus for an OT engineer is to keep the system running, which means they are often unaware or possibly unconcerned about cybersecurity threats.
To adapt this strategy, it’s important to frame the conversation in terms of business and operational risk, rather than in terms of cybersecurity. It may also be helpful to give OT engineers and plant managers access to the security tools, so they can visualize all their assets and how a vulnerability in one could impact production of the whole.
Strategy #2 – Asset Discovery
Get visibility into processes, assets, sessions, and understand their associated risk.
Asset discovery is a critical security component for IT and OT environments, and yet it is one of the most difficult. OT systems notoriously lack visibility. Many organizations simply don’t know the assets that exist in their environment.
The first step, therefore, is quite simple: Get a detailed understanding of the assets that exist on the OT network. That means documenting the operating systems, the firmware levels, the software installed, the libraries that exist, how each asset communicates with another, and, perhaps most importantly, the criticality of the asset to the overall OT system.
Strategy #3 – Network Segmentation
IT/OT convergence will force OT environments to evolve beyond air-gapped networks.
As more IT elements are introduced into the OT environment, the air-gapped model, which so many OT networks have depended on as a primary security element, is eroding. For example, an OT engineer may want to check his or her email on an HMI on the plant floor, so they add a second NIC. Or, perhaps a vendor wants access to a device to do health and performance metric checks. In an OT environment, operations will trump security every time.
To enable the secure convergence of IT/OT, it’s important to think through network segmentation requirements well before access is requested. Don’t create new connections in an emergency, but rather, take the time to establish system-to-system connectivity through the Purdue Model and set up firewalls and firewall controls to create hierarchy in the network. The Purdue Model of Control of Hierarchy is a framework commonly used by manufacturers across industries and will be helpful to understand how data typically flows through these networks and, correspondingly, how to secure each of the network zones and their various respective elements.
Strategy #4 Threat Monitoring/Hunting and Incident Management
Clearly identify incident management roles and responsibilities throughout the OT organization. Threat monitoring and hunting is useless without it.
Take a crawl, walk, and run approach – knowing that there’s no “easy button” or “switch” you can use to get to stage. Recognize that visibility is the key first step – which leads to knowing what assets are in your environment, how assets connect to each other, how network segmentation is setup (or isn’t setup), and what vulnerabilities exist. Once you’ve established visibility – how will you monitor the network 24x7x365? What will you do when there is an alert? How will you validate it, triage it? What will you do when you have a security incident?
With the security challenges an OT environment presents, an incident can be extremely damaging in a short amount of time. IT security strategies such as threat monitoring, threat hunting, and incident management can help, but they require real-time collaboration and coordination between security and OT teams.
From the SOC or third-party MSSP to the plant manager to the OT engineer, roles and responsibilities must be clearly defined. Who will monitor for threats? Who will sift through the noise? What conditions are you looking for? Who do you notify when they are met?
Strategy #5 – Connectivity and Access Controls
For modern OT organizations, connectivity equals productivity. But many lack the proper access controls to securely connect.
Where well-established identity and access management practices are in place for IT environments, the same cannot be said for OT. Credentials are often shared internally and externally, and access is not limited to specific network devices or segments.
It’s important to assume and plan for “hyperconnectivity” in advance in order to securely enable productivity and operations. The same basic IT IAM principles apply here — identity management, password requirements, multi-factor authentication, syncing access to active directory. Having remote access capabilities can help as well (though avoid having the same remote access solution for both IT and OT in order to reduce attack surface and avoid downtime). In the event of an incident, you can see who had access to the impacted system and terminate connectivity if needed.
Strategy #6 – Vulnerability and Patch Management
Adapt vulnerability and patch management to the systems and maintenance windows of OT and leverage compensating controls in between.
The legacy systems, business criticality, and limited patch windows of OT environments complicate typical vulnerability and patch management strategies. Instead of patching your way through hundreds of vulnerabilities, you need to understand which vulnerable systems are most important to production. Ensure there is a plan in place to remediate during the next scheduled maintenance window – understanding that many OT vulnerabilities don’t have a patch or firmware update fix available at all. This is where leveraging compensating control mechanisms come into their own to limit the impact of the vulnerability of incident. Such mechanisms include the principle of least privilege, network segmentation and isolation (only allowing required traffic for control system operation), password management, and continuous threat monitoring with hunting (deep packet inspection).. Ultimately, it’s all about the balance of revenue and security.
For more information about how you can secure operational technology environments, visit https://www.kudelskisecurity.com/secure-ot-ics-networks/