#HowTo: Leverage Existing ICS Security Investments to Effectively Reduce Cyber Risk

Almost daily, we hear of a new cyber-related breach or ransomware attack, and new technologies promising to solve all the world’s cybersecurity ailments. Some of this is reality, some is the result of various decisions and some is fiction. The truth of the matter is most industrial organizations struggle to grasp their cyber risk exposure and improve their cybersecurity maturity. Cyber incidents often occur due to misconfigurations or credential compromise. And as new vulnerabilities are continuously disclosed, there needs to be some positive news.

Fortunately, most organizations possess many of the basic building blocks necessary to improve their resiliency and security. Further investment is unavoidable, but the hope is that many companies can utilize current capabilities to make an effective improvement to their ICS cybersecurity posture.

Nine Capability Areas of Investment to Leverage:

1. Detailed asset inventories – You cannot properly defend against the unknown nor make adequate risk management decisions without accurate information or complete asset visibility. This includes laptops, servers, routers, switches, protocol gateways, PLCs, relays, sensors, valves and logical assets like software and configurations.

Therefore, it’s important to record and track new assets across their entire lifecycle (including user accounts, firmware, logic and settings/configuration). It may be fair to assume that all assets have vulnerabilities, but asset visibility and informed touch are critical when managing risk exposure and making controlled changes.

2. Centralized system, user and policy management – Windows systems can be managed and hardened through many native OS features such as Active Directory (AD) and Group Policy Objects (GPO). Ad hoc user accounts and standalone systems may be feasible for small numbers of systems, but they fail to scale. Administrator accounts with default passwords, removable media allowed by default, and insecure SMB/RDP are unacceptable. Centralized management platforms should instead be treated as crown jewels.

3. Endpoint management – Using endpoint security strategies that include native OS security features, enforcing anti-malware, automating backup and recovery, implementing policy enforcement agents and leveraging application whitelisting can increase the odds in the defender’s favor and slow security degradation. Endpoint management technologies are usually centrally managed and aim to improve overall security management, compliance and administration. Transient laptops such as technician laptops, remote systems and contractor systems should also be among the managed systems. 

4. Virtualization and backups – Virtualizing systems and applications is a step towards managing legacy assets and improving backups, testing and recovery. Instead of having dedicated assets everywhere, systems can be centralized and recovered quickly, and hardware maintenance can be reduced.

5. Network segmentation and perimeter security – Properly implementing network segmentation for “zones” and “conduits,” limiting network access, and using modern networking infrastructure can significantly reduce network-borne attack vectors. Firewalls are not a cure-all (like patching or leveraging VPNs by themselves for that matter), but they are a critical component in a holistic security strategy. Passive anomaly detection and air gaps are generally red herring, feel-good security strategies, but connectivity is here to stay.

6. Converged reporting and log/alert management – All the aforementioned items require onboarding, connectivity, and incident/analysis playbooks, but they also need enablement. For example, anti-virus alerts cannot be generated without active, up-to-date software or without log forwarding to a system that digests them. Agents are needed to report risky software such as TeamViewer, VNC, and unauthorized wireless USB dongle software. You should also focus on the alerts and dashboards that highlight relevant areas requiring investigation and remediation.

7. Secure remote access – It is critical to limit network access between zones, conduits, devices, and even business units/functions to reduce intrusion. One approach for secure, remote access could be to create barriers, like implementing a VPN with two-factor authentication to gain initial access, then a secure remote access terminal server internally (also called a jump box) that uses a second set of credentials and deploys multiple firewalls for inter-zone access.

8. Policies and procedures – Cybersecurity must be adequately covered by governance, process, and procedure perspectives. Use these policies and combine them with technology to monitor and enforce user account hygiene, electronic asset management, patching, authorized applications, removable media and secure remote access. And above all, have recovery processes ready.

9. Training and preparedness – Processes for traditional IT, or even the physical aspects of OT, are usually well-defined, but not tested. You should ensure your organization and teams regularly validate end-to-end processes to identify gaps and guarantee effective escalation or recovery. Training for wholesale incident response and recovery can also go a long way.
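
To illustrate item 6, the following added example (not from the original article) audits constructed endpoint-agent reports for the remote-access tools the article names and for the conditions under which anti-virus alerts never arrive: inactive or stale anti-virus and disabled log forwarding. The host names, report field names and the seven-day signature threshold are assumptions.

```python
"""Added example: audit constructed endpoint-agent reports for the gaps in item 6."""
import re

# Remote-access tools the article names as risky; extend per site policy.
RISKY_SOFTWARE = re.compile(r"teamviewer|vnc", re.IGNORECASE)
MAX_SIGNATURE_AGE_DAYS = 7  # assumed threshold, not from the article

# Constructed sample agent reports (hypothetical hosts and field names).
INVENTORY = [
    {"host": "hmi-01", "software": ["Vendor HMI Runtime", "TightVNC Server"],
     "av_running": True, "av_signature_age_days": 2, "log_forwarding": True},
    {"host": "eng-ws-02", "software": ["TeamViewer 15", "PLC Programming Suite"],
     "av_running": True, "av_signature_age_days": 45, "log_forwarding": False},
    {"host": "hist-01", "software": ["Historian Server"],
     "av_running": True, "av_signature_age_days": 1, "log_forwarding": True},
    {"host": "tech-laptop-07", "software": ["Serial Terminal"],
     "av_running": False, "av_signature_age_days": None, "log_forwarding": True},
]


def audit_endpoint(report, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Return a list of findings for one endpoint report."""
    findings = []
    for name in report["software"]:
        if RISKY_SOFTWARE.search(name):
            findings.append(f"risky remote-access software: {name}")
    if not report["av_running"]:
        # No running engine means no detections, so nothing to forward.
        findings.append("anti-virus not running: no alerts can be generated")
    else:
        age = report["av_signature_age_days"]
        if age is None or age > max_age:
            findings.append(f"anti-virus signatures stale ({age} days)")
    if not report["log_forwarding"]:
        findings.append("log forwarding disabled: alerts never reach the collector")
    return findings


def audit(inventory):
    """Map each host that has at least one finding to its findings."""
    results = {}
    for report in inventory:
        findings = audit_endpoint(report)
        if findings:
            results[report["host"]] = findings
    return results


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"{host}: {finding}")
```
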

By pulling all these elements together into an integrated solution driven by a well-oiled security program, cybersecurity can be an enabler instead of a burden.
