OT Personnel Need to be Proactive About Security
October is officially National Cyber Security Awareness month, and this year one of the program’s key messages is working together to secure critical infrastructure from cyber threats.
Clearly, security weaknesses in operational technology (OT) networks are becoming a mainstream concern.
For example, a recent study (PDF) from Kaspersky noted that 77 percent of security professionals in industrial environments believe their organizations are likely to become targets of a cybersecurity incident. At the same time, 48 percent of respondents said they do not have a specific OT/ICS incident response program while 31 percent revealed that their organizations experienced one or more incidents in 2017.
So what better time to discuss the top seven security gaps in industrial environments?
Malware Moves from IT to OT
WannaCry and Petya, the two biggest malware threats in the past few years, did not specifically target industrial networks but they did reach them. These threats proved that weak security defences in and between IT and OT networks make it inevitable that OT will be attacked.
The prime reason WannaCry was so destructive is that it targeted organizations running outdated versions of Windows, some as old as Windows XP, which no longer receive security updates and patches, leaving them completely vulnerable.
Best Practice: Protect both the IT and OT networks. That means updating all operating systems and applications, installing robust antivirus software, and monitoring all threats to IT and OT.
The ‘Air Gap’ Myth Persists
Until recently, industrial networks were separated from the rest of the world by air gaps. In theory, an air gap is a great security measure because it separates the industrial network from the business network — and, therefore, protects it. However, in today’s Internet-centric world, air gaps do not exist as IT and OT worlds are increasingly aligned and therefore more vulnerable to attack.
Best Practice: Implement security measures that focus on Internet-based threats, primarily those emanating from Industrial Internet of Things (IIoT) devices which span the IT and OT worlds.
Attacks on Popular OT Tools
In May of this year, Tenable Research issued a warning about vulnerabilities in two Schneider Electric applications widely used in the United States for managing industrial processes in oil and gas, and other industries.
The vulnerabilities shone a stark light on the weaknesses of cyber security vendors and internal security teams, both of which have devoted considerable resources to IT while neglecting industrial environments.
Best Practice: Patches must be made to OT operating systems and all software installed on them. In situations where critical devices cannot be patched, it is vital to deploy monitoring tools that can detect changes in behavior.
Insecure Controllers Are Prevalent
Today, many organizations with OT networks face a massive challenge to maintain operational efficiency and improve network security at the same time. The challenge stems from the fact that organizations have a mix of vulnerable legacy controllers and newer Internet-based ones.
Legacy controllers are vulnerable because they lack critical security functionality that is common in newer technologies. Organizations often choose not to update or patch older systems, preferring operational efficiency over network security.
Best Practice: Organizations need real-time visibility into every facet of the network and every action on every device — being able to see all activity performed by trusted insiders and unknown sources, and being able to determine whether actions are authorized or not.
The Insider Threat
When an accidental or negligent change is made to an OT network, it can have consequences that are just as devastating as an external attack. The source of the change is immaterial: it doesn’t matter whether it originates from an employee or a third-party contractor.
Best Practice: Maintain real-time visibility into network activity and device integrity supported by a detailed alert system — to detect changes as they happen. In addition, it is imperative to have comprehensive accident insurance.
Whether a disgruntled employee steals code, sabotages a production line, or poisons a recipe, the impact can be catastrophic.
Best Practice: Having real-time visibility into the network will not prevent a disgruntled person from performing malicious activity, but it will rapidly identify the threat. Ideally, visibility should combine an intrusion-detection system that analyzes network traffic with active device integrity checks.
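The monitoring best practices above (detecting behavioral changes on devices that cannot be patched, distinguishing authorized from unauthorized actions, and running active device integrity checks) can be reduced to a small piece of detection logic. The following is an added example written for this article, not code from the original or from any vendor product; the controller names, the list of approved engineering workstations, the program images and the event log are all constructed for illustration, and SHA-256 stands in for whatever fingerprint a real platform exposes.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- Baseline (constructed for this example) --------------------------------
# Which engineering workstations may change which controller.
AUTHORIZED_SOURCES: Dict[str, Set[str]] = {
    "PLC-Line1": {"EWS-01"},
    "PLC-Line2": {"EWS-01", "EWS-02"},
}
# Every host expected to talk to the controllers at all (HMI, historian, EWS).
KNOWN_HOSTS: Set[str] = set().union(*AUTHORIZED_SOURCES.values()) | {"HMI-01", "HISTORIAN"}


def program_hash(program: bytes) -> str:
    """Fingerprint of a controller program image (SHA-256 as a stand-in)."""
    return hashlib.sha256(program).hexdigest()


# Known-good program fingerprint per controller (constructed image contents).
BASELINE_PROGRAM_HASH: Dict[str, str] = {
    "PLC-Line1": program_hash(b"line1-ladder-logic-v7"),
    "PLC-Line2": program_hash(b"line2-ladder-logic-v3"),
}

# Actions that alter controller state, whoever performs them.
CHANGE_ACTIONS = {"PROGRAM_DOWNLOAD", "FIRMWARE_UPDATE", "MODE_CHANGE"}


@dataclass
class Event:
    ts: str
    source: str                          # host that initiated the action
    device: str                          # controller acted upon
    action: str
    program_hash: Optional[str] = None   # fingerprint reported after a download


@dataclass
class Alert:
    ts: str
    device: str
    severity: str   # "high" | "medium" | "low"
    reason: str


def evaluate(event: Event) -> List[Alert]:
    """Return the alerts one event should raise. An authorized change is still
    reported (at medium) so accidental or negligent insider changes stay visible."""
    alerts: List[Alert] = []
    if event.source not in KNOWN_HOSTS:
        alerts.append(Alert(event.ts, event.device, "low",
                            f"activity from unknown host {event.source}"))
    if event.action in CHANGE_ACTIONS:
        allowed = AUTHORIZED_SOURCES.get(event.device, set())
        if event.source in allowed:
            alerts.append(Alert(event.ts, event.device, "medium",
                                f"{event.action} by authorized host {event.source}"))
        else:
            alerts.append(Alert(event.ts, event.device, "high",
                                f"{event.action} from unauthorized host {event.source}"))
    if event.program_hash is not None:
        # A download from an approved host is still a problem if the resulting
        # program does not match what the baseline says should be running.
        if event.program_hash != BASELINE_PROGRAM_HASH.get(event.device):
            alerts.append(Alert(event.ts, event.device, "high",
                                "program fingerprint differs from baseline"))
    return alerts


def run_monitor(events: List[Event]) -> List[Alert]:
    """Evaluate an event stream in order and collect every alert."""
    return [alert for event in events for alert in evaluate(event)]


def check_program_integrity(device: str, current_program: bytes) -> bool:
    """Active integrity check: read the program image back from the controller
    (passed in here as bytes) and compare it with the baseline fingerprint.
    Unknown devices fail the check rather than passing silently."""
    expected = BASELINE_PROGRAM_HASH.get(device)
    return expected is not None and program_hash(current_program) == expected


# --- Constructed event log ---------------------------------------------------
SAMPLE_EVENTS = [
    Event("2018-10-01T08:00:00", "HMI-01", "PLC-Line1", "READ_TAGS"),
    Event("2018-10-01T08:05:12", "EWS-02", "PLC-Line1", "PROGRAM_DOWNLOAD",
          program_hash(b"line1-ladder-logic-v8")),   # wrong host, changed logic
    Event("2018-10-01T08:10:41", "EWS-01", "PLC-Line2", "MODE_CHANGE"),
    Event("2018-10-01T08:12:03", "LAPTOP-7F3", "PLC-Line2", "READ_TAGS"),
    Event("2018-10-01T08:15:30", "EWS-01", "PLC-Line3", "FIRMWARE_UPDATE"),  # device not baselined
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.ts} {alert.device}: {alert.reason}")
```

Two design choices matter here. Authorized changes are alerted at a lower severity rather than ignored, because the article's point about insiders is that a legitimate user can still make a damaging change; and a device missing from the baseline fails both the authorization lookup and the integrity check, so an unmanaged controller shows up as a finding rather than disappearing from view.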
Waiting for a Reason to Worry
One of the leading CISO concerns today is business risk. To minimize risk, organizations often adopt a top-down approach to securing all technologies as effectively as possible. This solid approach is rarely followed in the OT world because many people believe they should not worry until some event causes them to do so.
Best Practice: OT personnel need to change their thinking and be proactive about security. They should mitigate risk for all devices and applications across their networks.