Defending Against Cyberattacks in the Increasingly Vulnerable Manufacturing Industry

As manufacturing relies more and more on remote access and automation, cyber hygiene continues to be one of the top challenges in securing manufacturers across the nation.

In light of several major supply chain disruptions across manufacturing sectors, the Biden Administration recently announced the creation of a Supply Chain Disruptions Task Force to strengthen critical supply chains and address cyber vulnerabilities. When a supply chain breaks down, the consequences can be devastating and far-reaching, as experienced with the Colonial Pipeline ransomware attack. Despite this, critical infrastructure systems often aren’t afforded cyber protection commensurate with their importance.

Industries like manufacturing are primary targets for these attacks due to their vital importance, including being embedded within the supply chains of multiple critical infrastructure sectors like healthcare, energy and transportation. As a result, manufacturers are an attractive target for bad actors motivated by a desire to cause harm, steal intellectual property and seek financial gain. The potential consequences of a manufacturing industrial control system being compromised are severe. They include damage to IT and OT systems, physical damage to plants, danger to employee health and safety, environmental impacts, downtime, harm to those downstream in the supply chain and loss of product reliability and integrity.

Given how much manufacturing now relies on remote access and automation, what should manufacturers consider when it comes to securing remote access in today’s world?

The expanded OT attack surface

Consolidating operational technology (OT) environments with information technology (IT) networks expands the OT attack surface and makes these integrated ecosystems considerably more challenging to secure. The rise of smart manufacturing, Industry 4.0 technologies and direct communication channels to cloud services has sharply accelerated connectivity between IT and OT systems. Many factories are also deploying IoT technologies that support production without being embedded in the process itself, such as building and facility management controls (smart lighting, thermostats) and worker health and safety monitoring systems. As a result, many manufacturers struggle to maintain visibility into technology environments that mix IT, OT and IoT systems, and this larger attack surface makes them a more attractive target for cybercriminals.

The flawed use of IT security programs in OT environments

The OT ecosystem was previously thought of as a “walled garden” isolated from the rest of an organization’s computing systems and networks. That was always more belief than reality: OT systems have been interconnected with production management, maintenance and operations support systems for well over a decade. The convergence of IT and OT environments nonetheless introduced new risks into the OT ecosystem, and many companies have been tempted to import their more mature IT cybersecurity infrastructure, processes and resources into OT environments rather than adopt controls built explicitly for OT use.

Unfortunately, the use of IT-based security infrastructures and processes in OT environments has proven less than ideal. IT tooling is often incompatible with OT hardware and equipment: an endpoint agent or a vulnerability scanner that is harmless on a laptop can crash a PLC or an HMI. OT system lifecycles are also several times longer than those of IT hardware, with industrial control systems (ICS) sometimes remaining in production for 20-25 years, long after their operating systems stop receiving patches. In addition, IT security strategies have tended to prioritize detection and rapid mitigation, and the reflexive responses that go with it (automatically isolating a host, pushing a patch, rebooting) can themselves stop a process; in OT, where safety and reliability come first, a response has to be planned around the process rather than imposed on it. Finally, IT security ranks its goals as confidentiality, then integrity, then availability, whereas OT ranks safety first, followed by availability and integrity, with confidentiality last.

How to protect the unique OT environment

Traditionally, air gapping was considered the best protection for OT environments, but a true air gap rarely survives contact with operations: remote vendor support, historian feeds, USB drives and maintenance laptops all bridge it sooner or later. Isolation alone is therefore no longer an effective measure. Securing OT systems against modern threats requires well-planned and well-implemented strategies that give defense teams the chance to quickly and effectively detect, counter and expel adversaries.

Industrial organizations that are currently asking their existing IT security teams to protect their OT assets should consider supplementing these resources with dedicated OT specialists. Network-level controls such as separate IP address ranges, virtual local area networks (VLANs), firewall-enforced zones and conduits, and micro-segmentation of IT and OT traffic are increasingly used to contain OT-focused attacks. Note that a VLAN by itself only separates broadcast domains; it becomes a security boundary only when a firewall or access control list enforces what may cross it.

Physically separate corporate IT and OT domains, logically segment networks, and isolate critical parts of the network from untrusted networks, especially the internet. Establishing an “industrial demilitarized zone” (I-DMZ) between the two, with replicated data stores such as a DMZ-side historian, provides a buffer in which services and data can be shared between SCADA systems and business networks without either side connecting directly to the other.

It’s also essential to deploy monitoring tools such as intrusion detection/prevention systems (IDS/IPS), network access control and identity-aware systems, and to enable logging on every system that can support it. Locking down unused ports and services on routers, switches and network daemons, and making sure default configurations and passwords are never left in place, hardens these devices against adversaries. OT traffic is mostly fixed, machine-to-machine communication between a small set of known hosts, which makes it unusually well suited to baselining: record who talks to whom, over which protocol and with which function codes, then alert on any deviation.
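The two controls described above, a zone-and-conduit policy with no direct IT-to-OT path, and a baseline of normal OT traffic that flags deviations, can be checked mechanically against flow records. The script below is an added example and is not code from the original article or any product; the zone address ranges, the allowed conduits and all flow records are constructed for illustration. It goes slightly beyond the text by classifying each deviation (new host, new peer, new Modbus write function code) so an analyst can triage it.

```python
"""Zone policy check and traffic baselining for a converged IT/OT network.

Added example, not code from the original article: the zone ranges,
the allowed conduits and the flow records are all constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed zone layout: corporate IT, an industrial DMZ (I-DMZ), and the OT cell.
ZONES = {
    "it": ip_network("10.0.0.0/16"),
    "idmz": ip_network("10.10.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),
}

# Allowed conduits as (source zone, destination zone, destination port).
# Anything not listed is a violation. Deliberately no direct it -> ot conduit:
# business systems reach OT data only through the I-DMZ historian.
ALLOWED_CONDUITS = {
    ("it", "idmz", 443),    # IT clients query the DMZ historian over TLS
    ("idmz", "ot", 502),    # DMZ historian polls PLCs with Modbus/TCP
    ("ot", "ot", 502),      # HMI/SCADA to PLC traffic inside the cell
}

# Modbus function codes that write to coils or registers (change process state).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: Optional[int] = None  # Modbus function code when dport == 502


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def policy_violations(flows):
    """Flows that cross zones on a conduit the policy does not allow."""
    return [f for f in flows
            if (zone_of(f.src), zone_of(f.dst), f.dport) not in ALLOWED_CONDUITS]


def learn_baseline(flows):
    """Baseline = the (src, dst, port, function) tuples seen in a clean learning window.
    OT traffic is mostly fixed machine-to-machine polling, so this set is small and stable."""
    return {(f.src, f.dst, f.dport, f.func) for f in flows}


def deviations(baseline, flows):
    """Everything outside the baseline, with a reason that tells an analyst what changed."""
    known_sources = {s for s, _, _, _ in baseline}
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport, f.func) in baseline:
            continue
        if f.src not in known_sources:
            reason = "new source host"
        elif (f.src, f.dst) not in known_pairs:
            reason = "known host talking to a new peer"
        elif f.func in MODBUS_WRITE_FUNCS:
            reason = "known pair issuing a new WRITE function code"
        else:
            reason = "known pair using a new port or function"
        alerts.append((reason, f))
    return alerts


# Constructed learning window: HMI polls two PLCs, DMZ historian polls one, IT reads the historian.
LEARNING = [
    Flow("192.168.100.10", "192.168.100.20", 502, 3),
    Flow("192.168.100.10", "192.168.100.21", 502, 3),
    Flow("10.10.0.5", "192.168.100.20", 502, 3),
    Flow("10.0.5.12", "10.10.0.5", 443),
]

# Constructed later window with three suspicious flows mixed into the normal ones.
OBSERVED = LEARNING + [
    Flow("10.0.7.33", "192.168.100.20", 502, 3),         # IT laptop reaching a PLC directly
    Flow("192.168.100.10", "192.168.100.20", 502, 16),   # HMI now writing registers it only read before
    Flow("192.168.100.55", "192.168.100.20", 502, 6),    # unknown host writing a single register
]


def run_example():
    violations = policy_violations(OBSERVED)
    alerts = deviations(learn_baseline(LEARNING), OBSERVED)
    return violations, alerts


if __name__ == "__main__":
    v, a = run_example()
    for f in v:
        print(f"POLICY   {zone_of(f.src)}->{zone_of(f.dst)}:{f.dport}  {f.src} -> {f.dst}")
    for reason, f in a:
        print(f"BASELINE {reason}: {f.src} -> {f.dst}:{f.dport} func={f.func}")
```

Note that the HMI writing registers is not a policy violation (HMI-to-PLC on port 502 is an allowed conduit) but is still a baseline deviation; the two checks catch different things, which is why both are needed.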

Designing an effective OT security architecture requires a risk model that maps precisely to the functional requirements of these complex systems and provides a holistic image of the potential real-world consequences of compromise. Look into adopting digital twins to assist in cybersecurity programs. A digital twin is a virtual model of a process, product or service. The pairing of the virtual and physical worlds allows simulation and analysis to head off problems before they occur, prevent downtime and plan for the future.

All manufacturers should also have a comprehensive cyber incident response plan in place that includes proactive and reactive measures to help prevent incidents and better allow the organization to respond when one does occur. This planning should include establishing a supply chain management program to ensure uniform cybersecurity policies and practices with contractors and third-party vendors. Internally, it’s crucial to have training and awareness programs that improve knowledge and vigilance by instilling an awareness of the current threat landscape among all employees. Perhaps even more critical is the establishment of a disaster recovery and business continuity plan, which includes tested backups of critical OT systems and tabletop exercises that test your response plan. Offline backups that have actually been restored in a test are frequently the single most effective defense against ransomware.

The challenge of securing the complex OT environment can seem overwhelming. Still, the good news is that among leaders of industrial organizations, awareness of the severity of OT cybersecurity risks is on the rise and a growing number are willing to commit increased resources to manage these risks. There’s also increased interest in industry-wide initiatives such as knowledge sharing and the use of risk-based frameworks. For these reasons, industrial companies are becoming more confident about their readiness to face an OT cybersecurity attack. Nonetheless, the threats remain far-reaching, and much work remains to be done to improve cyber resilience across the industry.

This article was originally published in SDC Executive.

OT: The Time for Remote Access Security is Now

Critical infrastructure systems are becoming increasingly connected to traditional IT systems, and as a result, are increasingly targeted.

Critical infrastructure systems are becoming increasingly connected to traditional IT systems, and as a result, are being increasingly targeted. A Siemens study found that 56 percent of the world’s gas, wind, water and solar utilities experienced at least one shutdown or operational data loss per year. The potential repercussions of a critical infrastructure breach within an industrial setting go far beyond financial loss or reputational damage.

Attacks in this space have already resulted in large-scale societal consequences. A cyber attack on Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., caused the company to suspend operations and left the East Coast with a temporary gas shortage. In this case, Colonial Pipeline shut down its fuel pipeline operations pre-emptively even though its operational technology (OT) systems were not directly impacted. Sources claimed that the shutdown was due to the invoicing and billing systems being encrypted and unavailable, leaving the business with no way to track or invoice clients for fuel.

The Colonial Pipeline hack is an important case study in how critically interdependent IT and OT systems are, even when they are technically segregated and appropriately air gapped: losing the business systems was enough to stop the pipeline. This incident highlighted the urgent need for cybersecurity and risk management programs covering an organization’s operational/industrial control system (ICS) environments, and for security to be at the forefront for all OT engineers and plant managers.

Remote access vulnerabilities

Within the past few years, the convergence of IT and OT systems has expedited the adoption of remote access technologies in critical infrastructure settings. More recently, the COVID-19 pandemic forced organizations to limit the number of people who were physically located within a plant or OT site. This drastically increased the number of ICS management and monitoring systems that are directly connected to the internet, potentially leaving them accessible to remote attackers.

These unprotected remote access systems essentially act as bait for threat actors wanting to compromise critical infrastructure. For example, a security researcher from the University of Tulsa demonstrated that an attacker could take control of entire networks of U.S. wind farm turbines. The researcher gained physical access to a turbine and installed a Raspberry Pi-based computer, through which the turbine network could then be reached remotely. This experiment showed how simply an unauthorized remote access device can be covertly installed to give easy access to OT systems that were thought to be fully air gapped from the internet, and the potential damage that can follow.

Understanding OT vulnerabilities to mitigate the risks

Despite these glaring vulnerabilities, there is a widespread lack of knowledge about asset protection across the manufacturing, energy, and oil and gas industries. Many OT operators and engineers, unfortunately, are not yet aware of the severity of the potential risks that insecure remote access points can bring. There is a significant disconnect between risk perception and actively implementing processes and procedures to mitigate those risks, with little incentive to replace or improve equipment that still functions but does not meet security requirements. Industry professionals must be educated on the risks of vulnerable remote access points.

The reality of OT systems is that plants and manufacturing sites are designed to last and to remain “stable” for decades. This often means there is no plan to keep software updated with security patches, to change configurations to make systems more secure, or to reduce risk by turning off unnecessary features on programmable logic controllers (PLCs). Consequently, the most common risks in critical infrastructure OT systems include: outdated operating systems; credentials sent in cleartext over unencrypted protocols and unsecured networks; devices that are reachable remotely; no passive network monitoring; weak access control; and antivirus signatures that are never updated to track new malware strains.

It’s not uncommon for security providers to deploy passive network monitoring in OT environments and immediately see years-old malware such as SQL Slammer or Conficker still propagating, with the OT engineers none the wiser. Attacks against these systems typically don’t require zero-day vulnerabilities in the software on engineering workstations or in PLCs; they rely instead on poor security hygiene and differing priorities.
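What passive monitoring actually sees in that situation is propagation behaviour, which is easy to detect without any endpoint agent. The script below is an added example, not code from the article or from any monitoring product; the packet summaries are constructed. It runs two independent checks over them: a payload check for SQL Slammer (a single UDP datagram to port 1434 with a 376-byte payload beginning 0x04, a simplified form of the classic IDS signature), and a fan-out check that flags any source contacting many distinct hosts on a propagation port within a short window, which catches Conficker-style SMB probing on TCP/445 with no payload signature at all.

```python
"""Passive detection of legacy worm propagation in OT network traffic.

Added example, not code from the original article; the traffic below is
constructed. Thresholds and port lists are assumptions for a small cell network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    payload: bytes = b""


SLAMMER_PAYLOAD_LEN = 376
PROPAGATION_PORTS = {445, 1434}     # SMB (Conficker / MS08-067), SQL Resolution (Slammer)
FANOUT_WINDOW_S = 10.0
FANOUT_THRESHOLD = 20               # distinct destinations per (source, port) inside the window


def is_slammer(p: Pkt) -> bool:
    """Slammer fits in one UDP datagram: 376 bytes to 1434, first byte 0x04."""
    return (p.proto == "udp" and p.dport == 1434
            and len(p.payload) == SLAMMER_PAYLOAD_LEN and p.payload[:1] == b"\x04")


def scan_fanout(pkts):
    """{(src, dport): peak distinct destinations} for sources exceeding the threshold."""
    events = defaultdict(list)
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.dport in PROPAGATION_PORTS:
            events[(p.src, p.dport)].append((p.ts, p.dst))
    scanners = {}
    for key, ev in events.items():
        peak, start = 0, 0
        for end in range(len(ev)):               # sliding window over time-ordered events
            while ev[end][0] - ev[start][0] > FANOUT_WINDOW_S:
                start += 1
            peak = max(peak, len({d for _, d in ev[start:end + 1]}))
        if peak >= FANOUT_THRESHOLD:
            scanners[key] = peak
    return scanners


def analyze(pkts):
    return {
        "slammer_sources": sorted({p.src for p in pkts if is_slammer(p)}),
        "scanners": scan_fanout(pkts),
    }


def _slammer_payload() -> bytes:
    # Real Slammer datagrams start with the SQL Resolution Service type byte 0x04
    # followed by a run of 0x01 filler that overflows the buffer; this is filler only.
    return b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)


# Constructed capture ---------------------------------------------------------
SAMPLE = []
# Normal HMI polling of a PLC over Modbus/TCP every 2 s.
SAMPLE += [Pkt(t * 2.0, "192.168.100.10", "192.168.100.20", "tcp", 502) for t in range(10)]
# A file server legitimately serving SMB to three workstations: low fan-out.
SAMPLE += [Pkt(1.0 + i, "192.168.100.5", f"192.168.100.{30 + i}", "tcp", 445) for i in range(3)]
# An unpatched SQL host spraying Slammer at 30 hosts within 2 s.
SAMPLE += [Pkt(5.0 + i * 0.05, "192.168.100.40", f"192.168.100.{100 + i}", "udp", 1434,
               _slammer_payload()) for i in range(30)]
# An engineering workstation probing 25 hosts on SMB within 5 s (Conficker-like behaviour).
SAMPLE += [Pkt(8.0 + i * 0.2, "192.168.100.50", f"192.168.100.{150 + i}", "tcp", 445)
           for i in range(25)]

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("Slammer sources:", r["slammer_sources"])
    for (src, port), n in r["scanners"].items():
        print(f"scan fan-out: {src} reached {n} hosts on port {port} within {FANOUT_WINDOW_S:.0f}s")
```

The fan-out check deliberately ignores port 502, because an HMI or historian polling dozens of PLCs is normal; the propagation port list is what keeps the heuristic from flagging legitimate OT polling.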

Preventing future hacks

Poor cyber hygiene remains the top challenge in securing these systems. Thankfully, some steps can be taken to reduce risk. One key priority is to focus on protecting IT / OT network boundaries. More specifically, focus on remote access systems and software that may allow direct access to critical OT networks to enable engineers to monitor systems remotely.

Perhaps most importantly, proper education and increased awareness remain the most effective way to prevent incidents. If detection and risk mitigation are to be priorities, education must come first. Site managers and OT engineers must be aware of these risks and work closely with corporate information security teams to defend these environments in a non-disruptive way.

One of the simplest risk mitigation measures is to deploy an approved set of remote access tools designed for OT environments and to configure them to record each user’s activity and limit access on a least-privilege basis: access brokered through a jump host in the I-DMZ rather than exposed directly to the internet, multi-factor authentication, grants scoped to specific assets and time windows, and session recordings that the OT team can review.
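As an added example of what “record a user’s activity and limit their access based on least privilege” looks like in logic, the broker below (not a product’s code and not the article’s own) authorizes each requested action against time-bounded, asset-scoped grants, requires verified MFA, requires a named approver before any action that changes process state, and writes every decision to an HMAC-chained session record so that an edited or deleted entry is detectable. The users, assets, actions and the approval rule are assumptions chosen for illustration.

```python
"""Brokered remote access to OT assets: least-privilege grants plus a
tamper-evident session record.

Added example, not a product's code or the article's own. Users, assets,
actions and the approval rule are assumptions chosen for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Actions that change process state; they require a named approver on the grant.
WRITE_ACTIONS = {"download_logic", "force_io", "change_setpoint"}


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    actions: FrozenSet[str]
    not_before: datetime
    not_after: datetime
    approved_by: Optional[str] = None


class SessionRecorder:
    """Append-only log; each entry's MAC covers the previous MAC, so editing or
    deleting an entry breaks verification of it and everything after it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []            # list of (json_bytes, mac)
        self._prev = b"\x00" * 32

    def record(self, **event) -> None:
        body = json.dumps(event, sort_keys=True).encode()
        mac = hmac.new(self._key, self._prev + body, hashlib.sha256).digest()
        self.entries.append((body, mac))
        self._prev = mac

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for body, mac in self.entries:
            expect = hmac.new(self._key, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expect):
                return False
            prev = mac
        return True


class AccessBroker:
    """Default deny: an action is allowed only by an active grant that names it."""

    def __init__(self, grants, recorder: SessionRecorder):
        self.grants = list(grants)
        self.recorder = recorder

    def authorize(self, user, asset, action, now, mfa_verified) -> bool:
        allowed, reason = self._decide(user, asset, action, now, mfa_verified)
        self.recorder.record(ts=now.isoformat(), user=user, asset=asset,
                             action=action, allowed=allowed, reason=reason)
        return allowed

    def _decide(self, user, asset, action, now, mfa_verified):
        if not mfa_verified:
            return False, "mfa not verified"
        for g in self.grants:
            if g.user != user or g.asset != asset:
                continue
            if not (g.not_before <= now <= g.not_after):
                return False, "grant outside its time window"
            if action not in g.actions:
                return False, "action not in grant"
            if action in WRITE_ACTIONS and not g.approved_by:
                return False, "write action needs a named approver"
            return True, f"grant approved by {g.approved_by or 'n/a'}"
        return False, "no grant for this asset"


def run_demo():
    """Constructed scenario: a vendor engineer with a 4-hour window on two PLCs."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    grants = [
        Grant("vendor-jsmith", "plc-7", frozenset({"view", "download_logic"}),
              t0, t0 + timedelta(hours=4), approved_by="shift-supervisor"),
        Grant("vendor-jsmith", "plc-8", frozenset({"view", "force_io"}),
              t0, t0 + timedelta(hours=4)),          # no approver recorded
    ]
    rec = SessionRecorder(key=b"constructed-demo-key")
    broker = AccessBroker(grants, rec)
    results = [
        broker.authorize("vendor-jsmith", "plc-7", "view", t0 + timedelta(minutes=5), True),
        broker.authorize("vendor-jsmith", "plc-7", "download_logic", t0 + timedelta(minutes=30), True),
        broker.authorize("vendor-jsmith", "plc-9", "view", t0 + timedelta(minutes=31), True),
        broker.authorize("vendor-jsmith", "plc-8", "force_io", t0 + timedelta(minutes=40), True),
        broker.authorize("vendor-jsmith", "plc-7", "view", t0 + timedelta(hours=5), True),
        broker.authorize("vendor-jsmith", "plc-7", "view", t0 + timedelta(minutes=50), False),
    ]
    intact = rec.verify()
    # Simulate someone editing the log to hide the denied force_io attempt.
    body, mac = rec.entries[3]
    rec.entries[3] = (body.replace(b'"allowed": false', b'"allowed": true'), mac)
    return results, intact, rec.verify()


if __name__ == "__main__":
    decisions, intact, after_tamper = run_demo()
    print("decisions:", decisions)
    print("log intact:", intact, "after tamper:", after_tamper)
```

The recorder key must live with the security team, not on the jump host the vendor logs into; otherwise whoever controls the host can re-chain the log after editing it.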

Implementing security practices and procedures is not optional for most business-critical OT systems. Security must be at the forefront of all new critical infrastructure systems to protect against a growing number of vulnerabilities due to the convergence of IT and OT systems and the increasing number of access points. Companies must mitigate the risk of OT breaches and ensure their risk management and information security programs also protect these environments.

This article was originally featured in Industry Today.

The Anatomy of an IT/OT Cyber Attack

The convergence of IT/OT is upon us, bringing new challenges for both the IT and OT units to navigate. Traditionally, operational technology has been managed by site engineers with a focus on reliability and safety. But now, as OT systems are becoming more connected, it’s imperative that these two worlds begin to operate as one.

Threats to the Combined IT/OT Environment

More and more, we’re seeing attackers begin to exploit vulnerabilities across the IT/OT infrastructures, often with devastating results. This combined cyber-physical world represents a high-risk, high-reward scenario for attackers, and their targets often have no choice but to comply with attacker demands to prevent a catastrophic hit to finances or worse, endangering the lives of plant workers and the communities they serve.

We saw this play out most recently with the Colonial Pipeline attack. The Colonial Pipeline provides nearly half of the fuel for the East Coast of the United States, transporting 100 million gallons of fuel a day. A ransomware attack in their IT environment put their OT security at risk. The company proactively shut down operations to prevent further spread, resulting in fuel shortages and disruption of fuel markets. The company ultimately paid a ransom of roughly $4.4 million in bitcoin to regain control of its systems, and we now know that the attackers stole about 100 gigabytes of company data while inside the network.

In the case of the Colonial Pipeline, the impacts were primarily financial. However, it’s important to understand the physical impacts that can occur when IT/OT systems are attacked. Take for example the attack on a German steel mill in 2014, where a spearphishing attack resulted in the compromise of industrial components that prevented a blast furnace from properly shutting down. These furnaces contain molten metal heated to thousands of degrees, and any malfunctions pose a serious risk to workers. Luckily, the only damage was to the mill itself. And while at the time the recommended prevention mechanism was to keep IT and OT networks completely separated, we know that given all the benefits of connected OT systems, that is just not practical. Therefore, it’s imperative to understand how IT and OT systems interact and how to balance secure operation of both.

Understanding the IT/OT Overlap

These IT/OT attacks are possible because IT and OT environments have begun to overlap as we trend toward OT hyperconnectivity. Hyperconnectivity comes with numerous benefits, especially when it comes to efficiency improvements and cost reductions. But the introduction of IT systems into the OT environment exposes once isolated systems and equipment to new threats. Now, a vulnerability in the IT environment could be exploited to attack an OT environment and vice versa.

Let’s take a closer look at where this overlap occurs. I like to think of the converged IT/OT environment in terms of four layers.

Layer 1 – The Control Level

Starting at the bottom, Layer 1, you have the Control Level for the OT environment. These are the in-the-field machines, the process sensors, engine controls, etc. Supported protocols at this level are extremely diverse and often proprietary making it difficult to standardize any kind of security.

Layer 2 – The Process Management Level

Layer 2 is where the IT/OT overlap begins. The Process Management Level is what allows OT engineers to manage productivity and operations in the OT environment, including supervisory control and data acquisition (SCADA) and HMI systems. This is the level that benefits most from OT hyperconnectivity, leveraging new software and applications for cost and efficiency improvements.

Layer 3 – The Operations Management Level

Layer 3 is responsible for how the company as a whole is managed through the manufacturing execution system. Typically, this system is owned by the IT department.

Layer 4 – The Enterprise Level

Finally, at Layer 4, the Enterprise Level, is where company software, like ERPs that handle shipping and invoicing, as well as employee devices, email access, and cloud apps and storage all live. The protocols at Layers 3 and 4 are much more standardized and are designed with both interoperability and security in mind.

Exploiting the IT/OT Overlap – Two Real-World Examples

There are numerous attacks that have successfully exploited vulnerabilities in IT/OT systems: the 2015 and 2016 attacks on Ukraine’s power grid, the 2020 ransomware attack on U.S. pipeline operations, and the repeated attacks on Israeli water facilities in 2020, just to name a few. Because of the nature of OT environments, these attacks can have severe impacts on productivity, revenue, and, in some cases, the safety of employees and the communities they serve.

To better understand how an attacker can exploit the IT/OT overlap, let’s take a closer look at two such attacks—one that moved from the top-down and one from the bottom-up.

Dragonfly 2.0 – IT to OT Attack on the Energy Sector

Between 2015 and 2017, the Dragonfly group conducted a series of attacks targeting the energy sector in the United States, Switzerland and Turkey. The campaign leveraged weaknesses across the layers of the IT and OT environments, beginning with spearphishing and watering hole attacks at Layer 4, the Enterprise Level. These are traditional IT attack vectors that could have been prevented with traditional IT security measures.

The attackers then introduced trojanized software posing as legitimate OT applications at Layer 2, the Process Management Level, which provided access to the OT environment. From there Dragonfly was able to gather intelligence in the OT environment in preparation for sabotage at Layer 1, the Control Level.

Stuxnet – OT to IT Attack on Iran’s Uranium Enrichment Program

In this second example, the attack entered through the OT environment. Stuxnet, a malicious computer worm discovered in 2010, began as a pure OT attack with an infected USB device plugged into a computer at the Process Management Level (Layer 2). The worm spread from that computer to a handful, and ultimately thousands, of other Windows machines (Layer 4) until it reached the engineering workstations that programmed the centrifuge controllers; there it modified the PLC code to damage the centrifuges at the uranium enrichment facility (Layer 1).

Overcoming the Challenges of IT/OT Security

As demonstrated in the examples above, the convergence of IT/OT security has lagged behind the convergence of IT/OT infrastructures. This lag can be attributed to key differences in how OT systems operate compared to IT systems, including:

  • Legacy assets and processes are difficult to update to account for today’s connectivity.
  • Prioritization of availability and safety over security keeps maintenance windows small or non-existent.
  • Geographically dispersed environments make it difficult to centrally manage security.

These differences mean closing the IT/OT security gap is not as simple as porting over IT security principles into the OT environment. Instead, CISOs must create a holistic security program that addresses IT and OT needs. To begin this journey, we recommend, at a high level, these four important steps.

  1. Define the OT security strategy and governance. Who will be responsible for which parts of the security program? IT or OT?
  2. Assess OT security risks. What is the impact of a ransomware attack? Data theft? Threats to process integrity?
  3. Enable communication between OT and IT units. Hold a joint workshop or offsite to share experiences, get to know each other, and understand each other’s terminology and priorities.
  4. Turn it into a win-win for IT and OT. How will OT benefit from the security program? What will the impact be to reliability, control, and visibility?

This article summarizes material from a presentation, “Overcoming Industrial Security Challenges,” held during Kudelski Security’s European Cyber Summit held in February 2021. For more information about how you can secure your IT/OT environment, visit https://www.kudelskisecurity.com/secure-ot-ics-networks/.

5 Steps – Regulatory Compliance and Operational Technology

The recent cyber-attacks against the Oldsmar, Florida water treatment plant and Colonial Pipeline are part of a growing trend. IT and OT are converging, rendering these environments more vulnerable than ever. As cyber-attacks against critical infrastructure and SCADA systems increase, so does the focus on regulatory compliance. All well and good: we need standards to make sure our cybersecurity and data privacy systems are built on a solid foundation. When organizations meet regulations, it builds a positive reputation with customers, vendors and prospective clients. However, if regulatory compliance is not met and a data breach ensues, the organization can suffer consequences ranging from financial penalties and reputational loss to sanctions and even potential jail time for executives.

Because regulatory compliance is always evolving and new standards are continually introduced, implementation can be daunting. Managing compliance requires well-defined policies and action plans, which should include the following 5 steps.

Step 1: Designate a person or team to take charge of compliance.

Most organizations must comply with multiple yet disparate regulatory requirements pertaining to data security and privacy. The applicable requirements may depend on the business function, or they may need to be applied across the entire company. By designating a compliance administrator or team, there will be singular oversight of compliance management across the organization.

The administrator or team is responsible for coordinating the compliance program for business operations and each department, as well as handling any compliance issues as they arise. They are charged with staying on top of any changes to current regulations and implementing any new laws. Having someone responsible for compliance management is a proactive measure that ensures the organization is able to address threats and risks in a timely and effective manner.

Step 2: Have departments work together on compliance and cybersecurity.

Meeting compliance requirements requires cooperation between the different departments across the organization. These departments often have competing priorities, so they operate in silos, resulting in duplicated efforts and loss of productivity. The compliance administrator or team serves as a bridge between the different departments and builds a unified front to handle compliance requirements. They can establish a communication channel that enhances the productivity and overall efficacy of the departments and the compliance program.

Step 3: Embed agility into your compliance program.

Organizations can enforce regulatory compliance mandates through a compliance program that ensures all requirements are continuously and comprehensively met. To be most effective, the compliance program must be built for agile and streamlined compliance. Flexibility can be embedded through a framework that helps map diverse and divergent regulatory requirements to common control groups. At the same time, the program must be robust enough to enforce the same security requirements on all third-party vendors and contractors.

Step 4: Ensure your employees understand the importance of compliance and security.

No matter their job function in the organization, every employee has a role to play in the organization’s regulatory compliance efforts. Project and product owners must accommodate regulatory changes and adapt requirements appropriately without impact to project timelines and cost. Security and compliance awareness training should be required for everyone in the organization. Training ensures all employees understand the importance of regulatory compliance and how it impacts their day-to-day jobs. Regular updates and trainings also prepare them to accept changes and adapt continuously to evolving risks.

Step 5: Automate regulatory compliance monitoring.

Without an integrated view of activities, tracking compliance across multiple business departments, functions and locations is nearly impossible. The compliance program should include automation designed to monitor for security and compliance across a variety of network infrastructures, devices and applications. Monitoring should be under the purview of the compliance administrator or team.

Conclusion

Implementing and managing regulatory compliance is a challenge. As organizations continue to pursue digital transformation, meeting compliance regulations becomes both more difficult and more urgent. Putting together a solid compliance program, led by a designated administrator or team, goes a long way toward improving the organization’s security posture. You can find out more about how Kudelski Security helps leaders protect their OT/ICS environments on our website.

The Critical Infrastructure Cybersecurity Dilemma

Colonial Pipeline, Oldsmar incidents highlight the challenge of securing older operational technology systems

Critical infrastructure is vital to the functioning of modern societies and economies, yet often these systems are not properly protected or are easily accessed and exploited, and thus remain a key target for threat actors. Although awareness around the severity of operational technology (OT) cyber risks is on the rise, the fact is, OT environments remain vulnerable.

In the first few months of the year, we’ve already seen news of several exploited vulnerabilities in the sector, such as the Florida water plant breach and, most recently, the ransomware attack on Colonial Pipeline, one of the United States’ most critical fuel pipelines.

Given the longevity of the systems and technology implemented in industrial settings, security has historically been relegated to a second tier of priorities compared to uptime, reliability and stability. It comes as no surprise that 56 percent of the world’s gas, wind, water and solar utilities experience at least one shutdown or operational data loss per year, according to a Ponemon Institute report. That number has likely grown because of the pandemic, as many organizations weren’t prepared for remote management of critical systems. In fact, although leaders agree on the importance of remote access, Claroty reported last year that 26 percent of organizations struggled with the newly dispersed workforce and 22 percent did not have a pre-existing remote access solution that was secure enough for OT.

As OT environments continue to evolve in the face of new potential disruptions, it is time for leaders to prioritize security and understand the implications so they can act to protect their organizations and their nations’ critical infrastructure.


Understanding the New OT Landscape

In the past few years, we have seen a convergence between OT and IT-based security infrastructures and processes. However, as we saw in the Colonial Pipeline attack, these integrated ecosystems have become considerably more difficult to secure, from misconfiguration, vulnerable hardware/software components and poor cybersecurity practices to the lack of visibility into connected assets and poor network segmentation.

Beyond the OT-IT environment convergence, the pandemic pushed many organizations to alter their cybersecurity processes to accommodate the new needs of remote work. However, adversaries quickly realized that targeting workers at home provided a viable path into OT networks, and turned to exploiting work-from-home setups, leveraging unpatched virtual private network (VPN) systems, interconnected IT and OT environments and vulnerabilities in legacy Windows and OT systems.

OT has fast become a prime target for motivated and well-resourced threat actors who continue to redesign their tactics to penetrate new and enhanced security measures. In fact, 2020 saw a significant increase in exploitable vulnerabilities in OT. ICS-CERT advisories increased by more than 32 percent last year compared to 2019, and more than 75 percent of advisories were about “high” or “critical” severity vulnerabilities. Threat actors are also using ransomware campaigns to target OT environments because they understand how mission-critical these environments are. For example, if a pipeline carrying 45 percent of the United States’ East Coast’s fuel is shut down, it costs the pipeline operator millions of dollars per day.

The specialized and mission-critical nature of OT infrastructure technologies means that most security and threat intelligence solutions don’t have visibility into potential vulnerabilities, let alone the ability to defend against attacks.

Preventing and Mitigating Risks

So, what can be done to enhance security in today’s OT landscape? To protect, prevent and mitigate risks, there are several important steps organizations can take to improve their security posture.

  • Implement a risk management program: OT is built around complex systems that oftentimes are not properly tracked in traditional asset management systems. Designing an effective OT security program requires a risk model that specifically maps the functional requirements of these systems while providing a holistic image of the potential real-world consequences of compromise. As part of the program, organizations that leverage the Purdue Model should ensure they’re documenting the number of traffic flows between levels, especially if the flow is across more than one Purdue level.
  • Build a cyber incident response plan: If there was something we should have learned from the COVID-19 pandemic, it is that we need to be ready for anything. A comprehensive cyber incident response plan that includes both proactive and reactive measures is required to help prevent incidents and better allow the organization to respond if one does occur. Make sure to print the response plan and have it handy. What happens if the systems that store your incident response plan are encrypted or unavailable due to an attack?
  • Protect third-party remote access: Organizations regularly rely on third-party vendors to complement their business; however, many do not have uniform cybersecurity policies and practices. Many OT sites even have third party vendors regularly conduct maintenance via remote access technology, which creates exploitable weaknesses in the operations chain. Establishing a supply chain management program that vets external vendors’ security standards and provides better control of third-party access is critical to reducing the risks third parties introduce.
  • Enhance system monitoring procedures: It is no longer enough to simply build a network with a hardened perimeter. Securing OT systems against modern threats requires well-planned and well-implemented strategies that will allow defense teams to quickly and effectively detect, counter and respond to adversaries. At a minimum, corporate IT and OT domains should be physically and logically separated, networks must be segmented, and critical parts of the network isolated from untrusted networks, especially the internet. It is also important to deploy monitoring tools such as passive intrusion detection systems (IDS) specifically designed for OT environments. Passive systems are key because active, inline systems can block legitimate traffic on a false positive detection and cause downtime of critical systems.
  • Develop informed security controls: To establish the required controls, we have to start with an asset inventory. Once the assets have been identified, organizations at a minimum need to implement the security features provided by device and system vendors. However, to deal with some critical vulnerabilities, we recommend turning on security features that apply Common Industrial Protocol (CIP) security controls, a fairly universal standard. Many PLC vendors also have physical switches on their appliances that prevent changes to the PLC configuration, which should be used appropriately. We see many plants and OT sites with these switches always set to “config mode,” which allows the PLC configuration to be changed (potentially by an attacker). These should be complemented with secure and hardened configurations (read/write protections, memory protection, etc.). Managing controls over time can be daunting, and time intervals between OT system upgrades can be years long, so organizations need an effective change management program. The program should be able to identify compensatory controls that can be applied to remediate critical vulnerabilities that cannot be patched immediately. These controls can include a host monitoring system that detects and alerts when unauthorized changes are made to Human Machine Interfaces (HMIs), engineering workstations or PLCs.
  • Establish audits and security assessments: Finally, numerous factors affect the security of a system throughout its life cycle, so periodic testing and verification of the system are essential. Timely audits and assessments help eliminate the “path of least resistance” that an attacker could exploit.
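The Purdue-level flow documentation recommended under the risk management program, and the segmentation check under system monitoring, can be turned into a repeatable audit. The script below is an added example, not code from the article or from Kudelski Security; the subnet-to-level map, the port numbers and the flow records are all constructed placeholders for a hypothetical site. It counts flows per level pair and flags any flow that spans more than one Purdue level (including traffic from a controller straight to an external address).

```python
"""Audit constructed OT flow records against a Purdue-level map (added example)."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed asset inventory: subnet -> Purdue level. Level 5 is used here
# for anything outside the inventory (enterprise DMZ / internet).
PURDUE_SUBNETS = {
    "10.0.1.0/24": 1,   # field controllers (PLCs)
    "10.0.2.0/24": 2,   # HMIs / supervisory control
    "10.0.3.0/24": 3,   # site operations (historian, MES)
    "10.10.0.0/16": 4,  # enterprise IT
}
EXTERNAL_LEVEL = 5


def purdue_level(ip: str) -> int:
    """Map an address to its Purdue level; unknown addresses are external."""
    addr = ipaddress.ip_address(ip)
    for net, level in PURDUE_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return level
    return EXTERNAL_LEVEL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def audit_flows(flows):
    """Return (flow counts per (src_level, dst_level), flows spanning >1 level)."""
    pair_counts = Counter()
    violations = []
    for f in flows:
        s, d = purdue_level(f.src), purdue_level(f.dst)
        pair_counts[(s, d)] += 1
        if abs(s - d) > 1:          # skipped a level: document and investigate
            violations.append((f, s, d))
    return pair_counts, violations


# Constructed sample flows (hypothetical addresses; 203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    Flow("10.0.2.15", "10.0.1.20", 44818),   # HMI -> PLC, adjacent levels
    Flow("10.0.3.5", "10.0.2.15", 1433),     # historian -> HMI, adjacent levels
    Flow("10.10.4.9", "10.0.1.20", 44818),   # enterprise host -> PLC, skips levels 3 and 2
    Flow("10.0.1.21", "203.0.113.7", 443),   # PLC -> external address, level 1 to 5
]
```

Run `audit_flows(SAMPLE_FLOWS)` against an export from a passive OT IDS or firewall logs; the per-pair counts are the documentation the risk program asks for, and the violations list is the segmentation exception list to review.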

This article was originally featured in Security Infowatch.