Cybersecurity Across OT/ICS Environments

September 8th, 2020 Cybersecurity Across OT/ICS Environments
Dave Santeramo
Security Architect

 

We have all read the headlines over the last few years. Energy grids, public utilities, transportation systems, and other critical infrastructure are increasingly being targeted for cyber threats by malicious actors. At the same time, today’s world is becoming increasingly interconnected. People have access to vast amounts of goods and services at their fingertips. Using any number of access methods, a person can order food, pay bills, purchase their next automobile; all from the comfort of their living room sofa. This level of access and connectivity has permeated throughout all aspects of industry. Today’s Operational Technology/Industrial Control Systems (OT/ICS) environments are vastly more interconnected than they have ever been. While connectivity has greatly improved efficiency and availability, it comes with a significant increase in cybersecurity risk.

 

Operational Technology/Industrial Control Systems:

 

The New Cybersecurity Attack Surface
Businesses have maintained two computer worlds. There was the traditional IT systems world which consisted of the typical office computers and servers that have become commonplace in today’s business. The other world consisted of shop floors, energy grids, transportation, and building systems. All these environments collectively came under the operational technology and industrial control systems umbrella, or OT/ICS. OT/ICS environments were traditionally self-contained, physically isolated environments. These industrial networks typically revolve around terms such as SCADA and PLCs. This meant that for personnel to work on the equipment they had to physically go to the location to make any changes or respond to alarms. However, as connectivity became more available, companies that had OT/ICS environments wanted to connect them to the outside world. This increased connectivity has led to cyber risks that OT/ICS environments did not have to mitigate in the past.

One of the concerns regarding securing OT/ICS environments is the risk to human life. While a security event in an IT environment may have a serious impact on the business, it is typically not life threatening. In an OT/ICS environment this is not the case. Take a critical asset such as a power grid compromise, for example. Unplanned downtime in such an environment creates a significant risk to human life. This same statement would be true regarding the various robotics that are utilized in a manufacturing setting. Transportation environments, most notably automobiles, could imperil human life if systems are compromised. In July 2020, the NSA and CISA issued an advisory for risk management, recommending immediate action to reduce exposure across Operational Technology environments and increase OT security awareness.

 

Protecting the OT/ICS Environment

 

So, what should organizations that have OT/ICS environments do to protect themselves?

1) Identify all methods of access and assets in the OT/ICS environment.

a. Gain a solid understanding of all the OT devices and OT networks and how they connect to the network. Identify all communications protocols and methods used. The communication between an IT and OT environment should be viewed along the lines of a DMZ. Most security teams do not have clear visibility into what is taking place inside of OT/ICS networks.

b. Perform a risk assessment that includes inbound as well as outbound access. It is critical to have visibility and traceability for connections going into as well as out of the OT environment. Earlier this year, a natural gas company had a disruption in service due to a ransomware attack that crossed from the IT network into the OT environment.

c. Develop a method for tracking all third-party access. Third parties typically maintain remote access for diagnostic purposes, however that diagnostic access needs to be monitored in the event that the third party is compromised. Assessing third party access is critical to maintaining a secure OT environment.

2) Develop an OT/ICS incident response plan.

Having an incident response plan and knowing when and how to use it is critical when it comes to OT/ICS networks. Minutes count when responding to an incident.

a. Know how to safely disconnect a system. As stated previously, having visibility into the communications of an OT environment is critical. Being able to isolate all forms of cyber-attacks ranging from malware to an account compromise to ransomware is critical to organizational survivability.

b. Put the plan into action via a series of tabletop exercises that involve not only the IT personnel, but the workers inside of the OT environment. The input from the personnel in the OT/ICS space is invaluable because they use the equipment on a daily basis and are aware of what is normal and not normal.

c.Incorporate and maintain OT into the organization’s security policies and programs.

3) Account Management

OT/ICS environments are typically difficult to say the least when it comes to account management.

a. Identify the accounts and implement a least privilege access model that isolates while at the same time permits operators to continue to do their jobs.

b. Utilize analytics to trend user behavior to determine if an account has been compromised. Identification and isolation of potential account compromises are critical to protecting an OT environment. Be able to respond to real-time events to close any potential security gaps as quickly as possible.

4) Implement physical access controls

Maintaining control over who has physical access to OT/ICS equipment is critical to security. History has shown that these types of environments are particularly susceptible to compromise. The demands on an OT/ICS environment make it very difficult to perform IT maintenance tasks such as patching. However, in an increasingly connected world it is critical that all aspects of a system, from applications to operating systems to firmware, be patched and incorporated into an ongoing vulnerability management security program.

These security improvements to protect your OT/ICS environment must be inclusive of the best practices that the organization has in the IT space. The good news is that many organizations are starting to take securing their OT assets seriously. Many have implemented architectural changes that segment and isolate their OT/ICS and IT environments in order to reduce risk exposure. Communications that cross the boundary between the two environments are filtered and scrutinized for risk and vulnerabilities. Patching, always a challenge in the IT systems space, is even more difficult for OT systems due to the risk of impacting production.

 

Security Offerings

 

Information Security companies are developing solutions in the OT/ICS network space that provide the same level of security control and visibility that organizations have become familiar with in the IT network space. IBM has security offerings that assist organizations in the identification of risks in an OT/ICS environment. As an IBM Platinum Business Partner, Mainline Information Systems has a deep-rooted, long-term relationship with IBM and together we help our customers solve security challenges and reduce the risk of crippling cyber-attacks to their critical infrastructure. Additionally, Mainline Information Systems has relationships with security providers that are focused on securing OT environments.

Mainline Information Systems has the security skills to help companies develop cybersecurity solutions to protect your OT/ICS space. From analyzing the current architecture to designing and implementing a new solution, Mainline Information Systems has the proficiencies necessary to put your industrial environment on secure footing, protecting it from cyber-attacks. For more information on security solutions, reach out to your Mainline representative directly, or click here to contact us with any questions.

You may be interested in:

BLOG: Cybersecurity in a Remote Work-From-Home World

BLOG: Security Challenges in a Multi-Cloud Environment

BLOG: Improving Resiliency in Cybersecurity

Submit a Comment

Your email address will not be published. Required fields are marked *