
Making Smarter Risk Management Decisions with OT Endpoint Data

September 25, 2020

Every day, a new slew of vulnerabilities and cyber threats emerges against critical infrastructure; CISA's latest weekly summary makes that apparent. Last week alone, CISA released 17 Industrial Control System (ICS) advisories covering ICS-specific security issues, vulnerabilities, and exploits. Concern about nation-state activity is heightened this year as we head towards the election, and CISA is urging the public and industry to strengthen their cybersecurity measures as part of its #Protect2024 campaign.

The Issue: Managing OT Risk

Remediating vulnerabilities is part of the job: stay informed, patch, and improve processes to prevent future risk. That's all well and good, but the challenge faced by a board of directors, executive management and operations staff is how to most effectively manage the risk of a given vulnerability being exploited.

This is what risk professionals are supposed to do, right? Take the limited resources of people, money and, in the case of industrial control systems (ICS), operational downtime, and balance them against the potential cybersecurity risk the vulnerability poses.

In OT environments, the risks have notably high stakes. There are real trade-offs and critical decisions impacting safety, productivity, and the bottom line. When an immediate patching directive is issued, it's not feasible to simply shut down the plant until all systems are patched. Operations must continue to deliver essential services and avoid production and revenue losses. It becomes essential to precisely identify how and where vulnerabilities impact your processes and to strategically prioritize patching and mitigation efforts.

OT Management with Zero Visibility: A Domino Effect Waiting to Fall

Let's imagine a large company that owns three major plants. One makes power and steam for the other two; one mixes volatile chemicals, using waste from the power plant as an ingredient to make a key input for the third; and the third makes glass marbles used as chaff in military planes.

They all have very different cost and profit structures, and each has its own unique operating characteristics: process cycle times, boilers that need time to ramp up and cool down, and pipes, tubs or filters that need to be flushed and cleaned at every shutdown and startup. Each has its own OEMs, support vendors, protocols, IT infrastructure and staff. In short, each plant, even within the same company, has a very different risk profile from the others.

So, when your board member, a former general from the armed services, wakes up and reads a dozen emails from peers about this directive, it starts a chain reaction.

We will give this company the benefit of the doubt and assume their CISO has a direct relationship with the board, especially the members of the Risk Committee, like the general. The CISO is woken by a text message with a link to the directive.

This is where our story diverges, between companies with holistic cyber risk programs whose visibility and analytics cover the entire enterprise, including OT, and those without.

We all know how the story goes for the company with no visibility into its OT endpoint risk. It doesn't go well: millions lost in downtime, contractual penalties, vendor callouts at double rates for emergencies, security consultants, and so on. But what if they had real visibility into their risk? What does that look like?

It looks a lot like this:

Example of a Lower Risk OT Environment

This is what happens when you combine complete visibility into your OT endpoints and networks with a flexible risk model grounded in monitored, measured and managed controls.

When you know what is really in your OT environments, you can begin to create real risk frameworks, built not around what a vendor thinks is risky, but tailored to the unique needs of your company.

When the call comes in, the CISO and their analysts can see not only which systems are missing the patch, but how that fits into the bigger picture. Not all OT systems are created equal, and they therefore carry very different risks.

The power plant, because it sells excess power to the grid, has contractual obligations with the local grid operator. It deployed Industrial Defender long ago and has been managing things with it for the better part of a decade.

Its patches are all up to date, especially compared to its peers. It is also completely in alignment with its baseline configuration, meaning account policies, installed software, interface configurations and firewall rules are all as they are supposed to be.

Example of Good Patch Management

The chemical plant saw legislation looming a couple of years ago and leveraged the benefits the power plant had seen from deploying Industrial Defender. It is second of the three sites in OT risk management maturity. Its annual maintenance outage is only a month away, which also means it hasn't seen a patch in months. A couple of devices that should be monitored haven't communicated in a while. Otherwise, it is largely in compliance with its design configuration.


Example of a Medium Risk OT Environment

The manufacturing plant is a mess. It has only recently come into scope. Compared to its peers, it not only has a plethora of vulnerabilities, but all of its firewalls have exceptions. The monitoring agents aren't reporting in, probably because of one of those recent unapproved firewall changes, so any events, including local malware and removable media events that could be used to head off a foothold in the environment, would be missed.

Example of a High Risk OT Environment

So, what does one do? Do you patch the manufacturing environment first because of its larger attack surface? Do you patch the power plant first because the other plants' operations depend on it? The truth is, I don't know. That's a call people within an organization have to make based on their unique needs, which is why we let you, as the risk owner, pick the data points that matter most to you, and their weights, to determine an asset's risk score.

A risk-based vulnerability management (RBVM) approach that incorporates additional information helps prioritize remediation. Integrating threat intelligence tells you whether a vulnerability is actively being exploited in the wild. It is equally important to tailor the approach to your business context, considering the purpose and operational role of each OT asset, so that you prioritize the vulnerabilities with the greatest potential impact on your operations. Industrial Defender's Risk Signal, for instance, is an RBVM solution that enriches generic vulnerability data, going beyond CVSS scores to identify the vulnerabilities most critical to your particular situation, so risk owners can make more informed decisions about which assets to patch first.

Our mission at Industrial Defender is to arm you with the best data possible to make a prudent decision based on your needs, not on a predefined formula. We allow you to account for intangibles like the criticality of the asset, which you can set, or whether that asset is subject to regulatory requirements like NERC CIP, and at what level.
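To make the weighting described above concrete, here is an added Python example that scores the three plants from the scenario under two different weight profiles. It is illustrative code written for this post, not Industrial Defender's Risk Signal implementation or its scoring formula; the signals, normalisation thresholds, weight profiles, regulatory scale and all plant data are constructed for the illustration.

```python
"""Weighted OT asset risk scoring for the three-plant scenario.

Illustrative only: the signals, thresholds, weights and plant data below are
constructed for this example and are not Industrial Defender's Risk Signal
algorithm. Scores are a weighted average of normalised data points (0..100).
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed scale for regulatory scope the risk owner can set per asset.
REGULATORY_LEVEL = {
    None: 0.0,
    "NERC CIP Low": 1 / 3,
    "NERC CIP Medium": 2 / 3,
    "NERC CIP High": 1.0,
}


@dataclass
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (high), set by the risk owner
    regulatory: Optional[str]   # key into REGULATORY_LEVEL, or None
    days_since_patch: int       # age of the last applied patch cycle
    baseline_deviations: int    # config items out of line with the approved baseline
    firewall_exceptions: int    # unapproved rule exceptions on the site firewalls
    agent_coverage: float       # fraction of monitored endpoints currently reporting
    open_cves: list = field(default_factory=list)  # dicts: {"id", "cvss", "exploited"}


def signals(a: Asset) -> dict:
    """Normalise every data point to 0..1 so that weights are comparable."""
    max_cvss = max((c["cvss"] for c in a.open_cves), default=0.0)
    return {
        "patch_staleness": min(a.days_since_patch / 180, 1.0),   # 6 months = fully stale
        "baseline_drift": min(a.baseline_deviations / 10, 1.0),
        "firewall_exceptions": min(a.firewall_exceptions / 5, 1.0),
        "monitoring_gap": 1.0 - a.agent_coverage,                # blind spots miss events
        "vuln_exposure": min(len(a.open_cves) / 10, 1.0),
        "active_exploit": 1.0 if any(c["exploited"] for c in a.open_cves) else 0.0,
        "cvss_severity": max_cvss / 10,                          # generic CVSS, for contrast
        "criticality": a.criticality / 5,
        "regulatory": REGULATORY_LEVEL[a.regulatory],
    }


def risk_score(a: Asset, weights: dict) -> float:
    """Weighted average of the normalised signals, scaled to 0..100."""
    s = signals(a)
    weighted = sum(w * s[k] for k, w in weights.items())
    return round(100 * weighted / sum(weights.values()), 1)


def patch_order(assets, weights) -> list:
    """Asset names ordered highest risk first under a given weight profile."""
    return [a.name for a in sorted(assets, key=lambda a: risk_score(a, weights), reverse=True)]


# Two constructed weight profiles a risk owner might choose.
EXPOSURE_FIRST = {"patch_staleness": 2, "baseline_drift": 2, "firewall_exceptions": 2,
                  "monitoring_gap": 2, "vuln_exposure": 2, "active_exploit": 2,
                  "cvss_severity": 1, "criticality": 1, "regulatory": 1}
MISSION_FIRST = {"patch_staleness": 1, "baseline_drift": 1, "firewall_exceptions": 1,
                 "monitoring_gap": 1, "vuln_exposure": 1, "active_exploit": 3,
                 "cvss_severity": 1, "criticality": 5, "regulatory": 3}

# Constructed data matching the narrative; "directive-vuln" is the flaw in the alert.
DIRECTIVE = {"id": "directive-vuln", "cvss": 9.8, "exploited": True}
PLANTS = [
    Asset("Power plant", 5, "NERC CIP High", 20, 0, 0, 1.0, [DIRECTIVE]),
    Asset("Chemical plant", 4, None, 150, 2, 0, 0.9,
          [DIRECTIVE, {"id": "legacy-hmi", "cvss": 7.5, "exploited": False}]),
    Asset("Manufacturing plant", 3, None, 400, 15, 6, 0.0,
          [DIRECTIVE] + [{"id": f"legacy-hmi-{i}", "cvss": 6.5, "exploited": False}
                         for i in range(7)]),
]

if __name__ == "__main__":
    for label, profile in (("exposure first", EXPOSURE_FIRST), ("mission first", MISSION_FIRST)):
        print(label, [(n, risk_score(next(p for p in PLANTS if p.name == n), profile))
                      for n in patch_order(PLANTS, profile)])
```

Note that the cvss_severity signal is identical for all three plants, because each carries the same headline vulnerability: CVSS alone cannot rank them. The attack-surface signals put the manufacturing plant first, while weighting criticality and regulatory scope puts the power plant first, which is exactly the judgement call the preceding paragraph leaves with the risk owner.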

To learn more about how we can help you make smarter cybersecurity and risk management decisions, schedule a time to chat with one of our ICS experts.