Calls to raise standards for securing critical infrastructure have been increasing, emphasized as a priority by the Biden administration in the latest National Cybersecurity Strategy. We’ve also seen the U.S. Environmental Protection Agency (EPA) issue a memorandum to evaluate cybersecurity risks associated with drinking water systems, and efforts driven by the Department of Energy (DOE) to enhance cybersecurity for rural utilities.
Whether you are regulated under NERC-CIP, assessing other frameworks or developing your own policies, the following core practices are consistently found in leading OT cybersecurity standards. Cyber threats against industrial organizations, from ransomware campaigns to nation-state attacks, have never been greater. To protect your operations from these increasing threats, it is essential to implement the following controls.
A complete ICS asset inventory provides the necessary foundation to apply any security controls or best practices. And we’re not talking just hardware and software (although that’s important, obviously). You also need access to data like where a device is physically located, how important it is to an industrial process, and who to call if issues ever come up. Without knowing these details, you won’t be able to do much with security-related information. We all know by now that traditional IT inventory methods were not designed for ICS and could lead to unintended consequences, including impacting a critical process, Denial of Service, and in a worst-case scenario, bricking a device. Additionally, other non-scanning IT tools may require an agent to be installed that won’t have support for old versions of Windows/Linux and boutique operating systems, which are common in ICS environments.
So, what are your options? One inventory method that has recently gained a lot of traction in the ICS security community is passive network monitoring. There’s nothing wrong with using this method, and it should be used as one piece of the asset management puzzle. The challenge is that this method returns limited information about an asset (especially if it has a legacy operating system) and doesn’t include important things like software, patches, executables, registry entries, or open ports and services. Plus, if a device is not actively communicating over the network, it’s usually missed altogether. Using a mixture of agent, agentless, native ICS protocol polling and passive monitoring methods ensures you don’t miss any critical device information and creates the most complete picture of what’s actually in your systems.
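To make the "mixture of methods" concrete, here is an added example (not code from the original article) that merges passive, native-protocol polling, agent and manual observations of the same devices into one inventory record per IP and reports which required fields are still unknown. The observations, field names, source labels and precedence order are constructed assumptions for illustration; a quiet device that never talks on the network shows up only through the manual record, which is exactly the gap passive monitoring leaves.

```python
"""Merge ICS asset observations from several collection methods.

Added example, not code from the original article. The observations below
are constructed, and the field names, source labels and precedence order
are assumptions chosen for illustration.
"""
from collections import defaultdict

# Beyond hardware and software, the article wants location, importance to the
# process and a contact; these rarely come from any network-facing method.
REQUIRED_FIELDS = ("hostname", "vendor", "model", "firmware", "os", "software",
                   "open_ports", "location", "criticality", "contact")

# When two sources disagree on a field, prefer the one with the richer view.
SOURCE_PRIORITY = {"agent": 3, "ics_poll": 2, "passive": 1, "manual": 0}

# Constructed observations: (source, record). Every record carries the IP used
# to correlate sources. Note that 10.10.1.30 is never seen on the wire.
OBSERVATIONS = [
    ("passive", {"ip": "10.10.1.5", "mac": "00:00:5e:00:53:01",
                 "vendor": "ExampleVendor", "protocols": ["ENIP"]}),
    ("ics_poll", {"ip": "10.10.1.5", "vendor": "ExampleVendor",
                  "model": "PLC-X", "firmware": "2.3.0"}),
    ("manual", {"ip": "10.10.1.5", "location": "Line 2 control panel",
                "criticality": "high", "contact": "Line 2 shift supervisor"}),
    ("passive", {"ip": "10.10.1.20", "mac": "00:00:5e:00:53:02",
                 "protocols": ["ENIP", "SMB"]}),
    ("agent", {"ip": "10.10.1.20", "hostname": "HMI-02", "os": "Windows 7 SP1",
               "software": ["ExampleHMI 5.1.0"], "open_ports": [445, 3389],
               "vendor": "ExampleVendor", "model": "HMI-Y"}),
    ("manual", {"ip": "10.10.1.20", "location": "Line 2 operator station",
                "criticality": "medium", "contact": "Line 2 shift supervisor"}),
    ("manual", {"ip": "10.10.1.30", "location": "Pump house",
                "criticality": "high", "contact": "Utilities lead"}),
]


def merge_asset(records):
    """Combine observations of one device.

    Returns (merged_fields, provenance, missing): each field is taken from the
    highest-priority source that reported it, provenance says which source won,
    and missing lists required fields that no source supplied.
    """
    merged, provenance = {}, {}
    ordered = sorted(records, key=lambda r: SOURCE_PRIORITY[r[0]], reverse=True)
    for source, record in ordered:
        for key, value in record.items():
            if key not in merged:
                merged[key] = value
                provenance[key] = source
    missing = [f for f in REQUIRED_FIELDS if f not in merged]
    return merged, provenance, missing


def build_inventory(observations):
    """Group observations by IP and merge each group."""
    by_ip = defaultdict(list)
    for source, record in observations:
        by_ip[record["ip"]].append((source, record))
    return {ip: merge_asset(recs) for ip, recs in by_ip.items()}


def coverage_gaps(inventory):
    """Map each required field to the IPs that still lack it."""
    gaps = defaultdict(list)
    for ip, (_, _, missing) in inventory.items():
        for field in missing:
            gaps[field].append(ip)
    return dict(gaps)


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for ip, (fields, prov, missing) in sorted(inv.items()):
        print(ip, fields.get("model", "?"), "missing:", missing)
    print("gaps:", coverage_gaps(inv))
```

The `coverage_gaps` output is the useful part: it tells you which method to add next (an agent or a poll for the PLC's software and ports, a firmware query for the HMI, anything at all for the pump-house device) instead of assuming the passive view is the whole picture.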
Many ICS servers and workstations use a set of standard usernames and passwords and, by default, grant administrator privileges. These systems can include domain controllers, which, if compromised, could affect ICS integrity. To prevent this from happening, security teams should centralize the monitoring, management and reporting of access, authentication and account management to protect and validate user accounts.
Having a system that monitors account changes and access events, and that can share that information with IAM and SIEM tools, is critical. If security teams catch unusual account activity early, it will spare everybody a lot of headaches later. You should also create and enforce policies that help prevent the abuse of user accounts in the first place, including complex password requirements and limited access based on the need to know.
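As an added example of the kind of account monitoring described above (not code from the original article), the block below runs a small policy over constructed logon and account-change events from an HMI and an engineering station and produces SIEM-shaped alerts. The log format, the account list, the "shared or default" account set, the expected source prefix and the rule names are all assumptions chosen for illustration.

```python
"""Detect risky account activity on ICS endpoints from sample events.

Added example, not code from the original article. The log lines, policy
values and rule names are constructed for illustration.
"""

# Constructed events in a simple key=value format. 192.0.2.77 is a
# documentation address standing in for a host outside the plant network.
SAMPLE_LOG = [
    "2024-05-01T02:14:05Z host=HMI-02 event=logon user=administrator src=192.0.2.77 result=success",
    "2024-05-01T02:15:10Z host=HMI-02 event=account_created user=svc_temp by=administrator",
    "2024-05-01T02:15:12Z host=HMI-02 event=group_add user=svc_temp group=Administrators by=administrator",
    "2024-05-01T08:00:01Z host=ENG-01 event=logon user=eng_jdoe src=10.10.2.15 result=success",
    "2024-05-01T08:05:30Z host=HMI-02 event=logon user=operator src=10.10.1.20 result=success",
    "2024-05-01T09:41:00Z host=ENG-01 event=logon user=contractor src=10.10.1.50 result=success",
]

# Policy the SOC maintains centrally; in practice this would come from the IAM.
POLICY = {
    "approved_accounts": {"administrator", "operator", "eng_jdoe"},
    # Vendor-default or shared accounts: tolerated on the plant network only.
    "shared_or_default": {"administrator", "operator"},
    "expected_src_prefix": "10.10.",
    # Accounts allowed to hold local Administrators membership.
    "approved_admins": {"administrator"},
}


def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def make_alert(event, rule, severity):
    """Shape an alert so it can be forwarded to a SIEM or ticketing system."""
    return {"rule": rule, "severity": severity, "host": event["host"],
            "user": event.get("user"), "ts": event["ts"], "raw": event}


def evaluate(event, policy):
    """Apply the policy rules to one event; return an alert or None."""
    kind = event.get("event")
    user = event.get("user", "")
    if kind == "logon":
        if user not in policy["approved_accounts"]:
            return make_alert(event, "unknown_account_logon", "high")
        src = event.get("src", "")
        if user in policy["shared_or_default"] and not src.startswith(policy["expected_src_prefix"]):
            return make_alert(event, "shared_account_remote_logon", "high")
    elif kind == "account_created":
        # Any new local account must be reconciled with the IAM, so always raise it.
        return make_alert(event, "local_account_created", "medium")
    elif kind == "group_add":
        if event.get("group") == "Administrators" and user not in policy["approved_admins"]:
            return make_alert(event, "unapproved_admin_grant", "high")
    return None


def run_detection(lines, policy):
    """Parse every line and collect the alerts the policy produces."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line), policy)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG, POLICY):
        print(alert["severity"], alert["rule"], alert["host"], alert["user"])
```

The two approved logons on the plant network produce nothing, while the remote use of the shared administrator account, the new local account, its promotion to Administrators and the unknown account each become a separate alert with the host and user attached.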
As we’ve talked about previously, critical vulnerabilities are being discovered with increasing frequency. To minimize the window of opportunity for attackers to exploit new weak points, you need a vulnerability-first approach. CISA also recently released a new program to help critical infrastructure entities protect their information systems from ransomware attacks by notifying them of exposed system vulnerabilities. Not all vulnerabilities have a patch, especially in ICS environments, and it can often be impractical to patch these systems immediately. Therefore, you also want reliable information on mitigation and/or workarounds.
Passively identifying new vulnerabilities on demand is a huge advantage for asset owners. You can accomplish this with a tool that takes your ICS device data and compares it to NIST’s CVE database and ICS-CERT advisories to tell you which assets are affected and whether there is an available patch. You can then use this information to prioritize your patching efforts (for those assets that can actually be patched) and your mitigation efforts. An important caveat to remember here is that your vulnerability management tool is only as good as your asset inventory, so make sure you follow the advice from #1 first.
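The matching-and-prioritizing step, as an added example that is not code from the original article or from any vendor tool: a small inventory is compared against advisory records, each hit is labelled "patch" or "mitigate" depending on whether a fix exists and the asset can actually be patched, and the findings are ranked by CVSS weighted with the asset's criticality. The advisory IDs, products, versions and scores are constructed placeholders, and the version-range semantics are an assumption. An asset whose version the inventory does not know is reported as unknown rather than silently treated as unaffected, which is the caveat from the paragraph above.

```python
"""Match an ICS inventory against advisories and rank what to do first.

Added example, not code from the original article. Advisory IDs, products,
versions and CVSS values are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Weight a finding by how important the asset is to the process. The weight
# comes from the inventory, which is why the inventory must be complete.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # placeholder, not a real CVE or ICS-CERT id
    vendor: str
    product: str
    affected_below: str         # assumed semantics: versions below this are affected
    cvss: float
    patched_in: Optional[str]   # None when the vendor has published no fix
    mitigation: str


ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleVendor", "PLC-X", "2.4.0", 9.8, "2.4.0",
             "Restrict engineering-protocol access to the engineering subnet"),
    Advisory("ADV-EXAMPLE-002", "ExampleVendor", "HMI-Y", "5.2.0", 7.5, "5.2.0",
             "Disable the affected web service until patched"),
    Advisory("ADV-EXAMPLE-003", "ExampleVendor", "HMI-Y", "6.0.0", 6.0, None,
             "Allow-list HMI clients at the cell firewall"),
]

# Constructed inventory rows; SCADA-SRV has no version recorded on purpose.
INVENTORY = [
    {"name": "PLC-01", "vendor": "ExampleVendor", "product": "PLC-X",
     "version": "2.3.0", "criticality": "high", "patchable": False},
    {"name": "HMI-02", "vendor": "ExampleVendor", "product": "HMI-Y",
     "version": "5.1.0", "criticality": "medium", "patchable": True},
    {"name": "SCADA-SRV", "vendor": "ExampleVendor", "product": "HMI-Y",
     "version": None, "criticality": "high", "patchable": True},
]


def version_key(version):
    """Turn '2.3.0' into (2, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def matching_advisories(asset, advisories):
    """Advisories affecting the asset, or None when its version is unknown."""
    if not asset.get("version"):
        return None
    return [adv for adv in advisories
            if adv.vendor == asset["vendor"] and adv.product == asset["product"]
            and version_key(asset["version"]) < version_key(adv.affected_below)]


def prioritize(inventory, advisories):
    """Return (findings sorted by score, names of assets with unknown version)."""
    findings, unknown = [], []
    for asset in inventory:
        hits = matching_advisories(asset, advisories)
        if hits is None:
            unknown.append(asset["name"])
            continue
        for adv in hits:
            can_patch = adv.patched_in is not None and asset["patchable"]
            findings.append({
                "asset": asset["name"],
                "advisory": adv.advisory_id,
                "action": "patch" if can_patch else "mitigate",
                "detail": f"upgrade to {adv.patched_in}" if can_patch else adv.mitigation,
                "score": round(adv.cvss * CRITICALITY_WEIGHT[asset["criticality"]], 2),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = prioritize(INVENTORY, ADVISORIES)
    for f in findings:
        print(f["score"], f["asset"], f["advisory"], f["action"], "-", f["detail"])
    print("version unknown, cannot assess:", unknown)
```

The PLC lands at the top with a "mitigate" action even though a patch exists, because the inventory says it cannot be taken down for patching; the HMI gets one patch item and one mitigation item for the advisory with no fix.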
A misconfigured device can provide an easy entry point into your ICS for an attacker, so make sure you have a baseline of known good configurations for each endpoint that you’re continuously monitoring for changes. Removable media is another attack vector that has been gaining traction recently, so keep a close eye on that, as well. If any kind of change, including from removable media, is detected in an endpoint, ensure you are getting enough contextual data about the suspicious event to act quickly.
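Here is an added example (not code from the original article) of the baseline-and-drift check described above: a known-good endpoint configuration is stored as per-setting digests, a later snapshot is compared against it, and every difference is emitted with the contextual data the SOC needs (asset criticality, location, contact) plus a flag for changes tied to removable media. Both snapshots, the setting names and the asset context are constructed for illustration; a real collector would populate them from the endpoint.

```python
"""Detect drift from a known-good endpoint configuration and enrich the alert.

Added example, not code from the original article. Snapshots, setting names
and asset context are constructed for illustration.
"""
import hashlib
import json

# Who to call and how much it matters: pulled from the asset inventory.
ASSET_CONTEXT = {"hostname": "HMI-02", "criticality": "medium",
                 "location": "Line 2 operator station",
                 "contact": "Line 2 shift supervisor"}

# Constructed known-good configuration of the HMI.
KNOWN_GOOD = {
    "firewall_enabled": True,
    "autorun_disabled": True,
    "local_admins": ["Administrator"],
    "service.hmi_runtime": "running",
    "removable_media.mounted": [],
}

# Constructed later snapshot: a USB device was mounted, autorun was re-enabled,
# an extra local admin and a new service appeared.
CURRENT = {
    "firewall_enabled": True,
    "autorun_disabled": False,
    "local_admins": ["Administrator", "svc_temp"],
    "service.hmi_runtime": "running",
    "service.remote_helper": "running",
    "removable_media.mounted": [{"vendor_id": "0000", "serial": "CONSTRUCTED-0001"}],
}


def fingerprint(value):
    """Stable digest of a setting's value, so the baseline stores hashes only."""
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_baseline(snapshot):
    """Record a known-good configuration as {setting: digest}."""
    return {key: fingerprint(value) for key, value in snapshot.items()}


def removable_media_related(key):
    """Changes the article singles out: media mounts and the autorun setting."""
    return key.startswith("removable_media") or key == "autorun_disabled"


def detect_drift(baseline, current, context):
    """Compare a live snapshot with the baseline; return SIEM-ready change records."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            kind = "removed"
        elif key not in baseline:
            kind = "added"
        elif fingerprint(current[key]) != baseline[key]:
            kind = "changed"
        else:
            continue
        changes.append({
            "asset": context["hostname"],
            "setting": key,
            "change": kind,
            "current_value": current.get(key),
            "removable_media": removable_media_related(key),
            # Context the SOC needs to act quickly: importance, place, contact.
            "criticality": context["criticality"],
            "location": context["location"],
            "contact": context["contact"],
        })
    return changes


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for change in detect_drift(baseline, CURRENT, ASSET_CONTEXT):
        flag = " [removable media]" if change["removable_media"] else ""
        print(change["change"], change["setting"], "->", change["current_value"], flag)
```

Storing digests rather than raw values keeps the baseline free of anything sensitive, and sorting by setting name makes the output deterministic, which matters when the same records are deduplicated downstream in a SIEM.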
Using a network intrusion detection system, which is also sometimes referred to as passive network monitoring, offers an additional layer of threat detection because it identifies anomalies in the protocol communications on the network. If you have both endpoint and network monitoring in place, you’ll be able to detect suspicious activity in multiple ways. This can act as a type of fail-safe mechanism, so that if you somehow miss an anomaly with one technique, the other will catch it.
First, make sure you have security staff who are not only actively looking at ICS event data, but also have some level of knowledge about and training on how these environments work. Providing cross-training to your SOC teams will help them understand the differences between the IT networks they’ve traditionally monitored and the OT networks that have recently come into the picture, which are far more heterogeneous and complex.
Getting the right data to the right people is so critical for ICS security teams. Having a solution that is specialized enough for the complexity of OT systems, yet also scalable enough to fit into the broader corporate security ecosystem, is certainly a challenge. When considering an ICS cybersecurity solution, make sure it provides the actionable data that SOC teams need, like how important an industrial device is, where it’s located, and who to call at the plant if critical anomalies are detected in that asset. Additionally, you should ensure that this data can be shared in an intuitive way for them via API integrations with corporate SIEMs, CMDBs, and ticketing systems. Finally, in case the worst happens, you should always have a stored backup of known secure configurations for all your ICS devices in a place that can be accessed by both IT security and OT operations teams in an emergency situation.
To achieve and maintain critical security practices, it is essential to have reliable and comprehensive data. In order to gain a deeper understanding of their environments, it is highly advantageous to use automated approaches to identify, monitor, and manage every asset, regardless of its connected state, and to document appropriate changes. The alternative is manual walkdowns and security by spreadsheet, which is prone to human error and outdated information.
It is crucial to adopt an OT-specific approach that aligns with operational goals. While operators have been hesitant to embrace cybersecurity measures due to issues caused by IT processes, the maturation of OT technology now allows for a combination of data collection and monitoring methods that can be safely applied to understand the state of critical assets.
Still, it’s important to note that IT and OT are not one size fits all, and the existing IT security tech stack is likely not suitable for the unique security requirements of operational environments. To protect critical infrastructure, IT and OT security must work together under a common mission that addresses the unique requirements of each environment.