How do you know when a perfect storm is brewing? If your team is tasked with securing your organization’s operational technology and industrial control systems (OT/ICS), you may have a pretty good idea by now.
In critical infrastructure industries, the warning signs have been hard to miss lately. They include the convergence of business IT and OT systems, now accelerated in the cloud; proliferation of database-driven ransomware-as-a-service (RaaS) and phishing campaigns; and large-scale targeting of remote workers and remote access vulnerabilities in critical industries since the beginning of the COVID-19 pandemic.
These signs were there before the DarkSide ransomware attack that shut down the Colonial Pipeline in May 2021. Yet, it took this incident to reinvigorate industry and government efforts to strengthen the nation’s critical infrastructure protections. Among other things, the Transportation Security Administration (TSA) now requires pipeline owners and operators to report cybersecurity incidents.
The heat is on for other critical infrastructure areas, too, such as public utilities (oil and gas, water/wastewater, and electric), health care, chemical manufacturing facilities, and food processing plants. How can your OT security mission benefit from this new momentum?
Where to start with your OT/ICS security initiative?
After all, it’s the IT/OT team that’s now expected to have a plan ready. You’re not alone in this.
Most experts agree that critical infrastructure protection strategies depend on a robust cyberthreat detection program. Here are five prioritized steps that will help expose hidden threats and help prevent cybersecurity incidents from impacting your OT/ICS environment.
1. Assess the physical security and asset inventory of your OT/ICS infrastructure
Physical devices are a frequent security gap and can be an easy entry point for threat actors: think of malware-spiked USB thumb drives dropped in the parking lot for employees to find and plug into one of your OT endpoints, or IP network cameras on the factory floor and in entrance areas. Attackers who scan the internet for open webcam ports may be watching too.
What’s more, criminal cartels and online saboteurs are serious about automation. RaaS and phishing campaigns zero in on their targets, leveraging complex data-driven tools and exploit kits.
You may already be hosting unauthorized assets or devices today. It’s very important to perform installed-base asset inventories regularly. In fact, some critical infrastructure organizations run asset inventory scans as often as hourly.
However, many IT/OT teams in critical areas are understaffed, overworked, and either delay or miss critical OS/application updates and patches as well as inventory assessments. What’s more, there's often ambiguity when it comes to roles and responsibilities of IT and OT teams.
Time to automate your defenses. AI-backed IT/OT tools that perform asset inventories and automated threat detection let you stay on top of additions to your network, including industrial IoT (IIoT) devices. Modern cybersecurity tools and services offer a great deal of automation, protecting critical operations better and freeing up teams for critical tasks.
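The following is an added example, not code from the article or from any vendor it mentions. It shows the core check an automated inventory run should perform: compare today's scan against the approved baseline and flag unknown devices, approved devices that went silent, and identity attributes (MAC, vendor, role, firmware) that changed without a change ticket. All addresses, vendor names and firmware strings are constructed sample data.

```python
"""Detect drift between an approved OT asset inventory and a fresh scan.

Added example, not the article's code. All addresses, vendors and firmware
strings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    vendor: str
    role: str
    firmware: str


# Constructed baseline: the last approved inventory, keyed by static IP
# (OT assets are normally statically addressed, so IP is a stable handle).
APPROVED = {
    "10.10.1.10": Asset("10.10.1.10", "00:1d:9c:aa:bb:01", "VendorA", "PLC", "32.011"),
    "10.10.1.11": Asset("10.10.1.11", "00:1d:9c:aa:bb:02", "VendorA", "HMI", "12.00"),
    "10.10.1.12": Asset("10.10.1.12", "00:80:f4:cc:dd:03", "VendorB", "RTU", "4.2.1"),
    "10.10.1.20": Asset("10.10.1.20", "00:0c:29:ee:ff:04", "VendorC", "Historian", "9.1"),
}

# Constructed result of today's scan.
SCANNED = [
    Asset("10.10.1.10", "00:1d:9c:aa:bb:01", "VendorA", "PLC", "32.011"),
    Asset("10.10.1.11", "00:50:56:11:22:33", "VendorA", "HMI", "12.00"),      # MAC differs
    Asset("10.10.1.20", "00:0c:29:ee:ff:04", "VendorC", "Historian", "9.1"),
    Asset("10.10.1.77", "ac:cf:23:44:55:66", "UnknownCam", "IP camera", "n/a"),  # not in baseline
]
# Note: 10.10.1.12 (the RTU) did not answer the scan at all.

# Identity attributes that must not change without a change ticket.
TRACKED_FIELDS = ("mac", "vendor", "role", "firmware")


def diff_inventory(approved, scanned):
    """Return unknown devices, missing devices and per-device changed fields."""
    seen = {a.ip: a for a in scanned}
    unknown = [a for ip, a in seen.items() if ip not in approved]
    missing = [a for ip, a in approved.items() if ip not in seen]
    changed = {}
    for ip, now in seen.items():
        base = approved.get(ip)
        if base is None:
            continue
        diffs = [f for f in TRACKED_FIELDS if getattr(base, f) != getattr(now, f)]
        if diffs:
            changed[ip] = diffs
    return {"unknown": unknown, "missing": missing, "changed": changed}


def report(findings):
    """Render findings as one line per issue, suitable for a ticket or SIEM event."""
    lines = [f"UNKNOWN  {a.ip} {a.mac} {a.vendor} ({a.role})" for a in findings["unknown"]]
    lines += [f"MISSING  {a.ip} {a.mac} {a.vendor} ({a.role})" for a in findings["missing"]]
    lines += [f"CHANGED  {ip} fields={','.join(fields)}"
              for ip, fields in findings["changed"].items()]
    return lines


if __name__ == "__main__":
    for line in report(diff_inventory(APPROVED, SCANNED)):
        print(line)
```

Keying on the static IP is a deliberate choice for OT networks, where addresses rarely move; a new MAC behind a known IP deserves a ticket whether it is a replaced unit or something impersonating one. In practice the scanner's output replaces SCANNED, and the baseline is updated only from an approved change.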
2. Strengthen access policies
Deploying modern identity and access approaches is often a relatively quick win in terms of improving cybersecurity. It’s also a cornerstone of the "zero trust" approach in which identity is never assumed but is attached to specific access rights, policies, time of use, and more.
Many OT organizations in critical infrastructure industries do not support the latest standards, such as multifactor authentication (MFA). Other breach-friendly security gaps include password sharing and remote access without the right controls — a problem exacerbated by the pandemic.
Efficient plant floor operations can coexist with stronger identity and access controls, so don’t let this slow down your march toward a stronger program. Get the information you need and take action. As experts often say, most serious attacks are not from some great new hacking invention, though hackers are always innovating. Attacks are usually caused by security flaws with known remedies available.
3. Monitor 24/7/365
Continuous monitoring is key to detecting threats to your industrial network. Real-time monitoring services optimized for IT/OT environments, covering threat detection, compute infrastructure, firewalls, networks, and even software applications, first establish a baseline of normal network behavior. They then alert you to anomalous activity that does not conform to expected patterns, and support restoring applications once threat alerts are resolved.
Industrial cybersecurity monitoring tools allow visibility across all levels of the OT environment in real time. Your security team can correlate alarms and events for deeper insight into the detected suspicious behavior to mount adequate responses.
Not enough staff or expertise to run cybersecurity operations in-house? Turn to an established managed services provider. The right partner can deploy quickly on a global scale; leverage security insights from many client engagements to keep ahead of threat actors and new exploits; and bring much needed hands-on experience in detecting, blocking, and recovering from threat incidents.
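As an added example (not the article's code, and not any specific monitoring product), the following Python shows the two phases described above over constructed flow log lines: learn the set of normal communication pairs during a baseline window, then alert on live flows that fall outside it, with an extra check for OT assets talking to addresses outside the plant range. The log line format, addresses, ports and the OT address range are all assumptions made for the example.

```python
"""Baseline-then-alert detection over constructed OT flow log lines.

Added example, not the article's or any vendor's code. Log format,
addresses, ports and the OT address range are assumed/constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed log line format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\S+)$")

# Constructed learning-window traffic: HMI and historian polling PLCs and an RTU.
BASELINE_LOG = """\
2021-05-01T08:00:01Z src=10.10.1.11 dst=10.10.1.10 dport=502 proto=tcp
2021-05-01T08:00:02Z src=10.10.1.11 dst=10.10.1.12 dport=502 proto=tcp
2021-05-01T08:00:05Z src=10.10.1.20 dst=10.10.1.10 dport=44818 proto=tcp
2021-05-01T08:00:06Z src=10.10.1.20 dst=10.10.1.12 dport=502 proto=tcp
2021-05-01T08:01:01Z src=10.10.1.11 dst=10.10.1.10 dport=502 proto=tcp
"""

# Constructed live traffic captured after the baseline was fixed.
LIVE_LOG = """\
2021-05-08T02:15:01Z src=10.10.1.11 dst=10.10.1.10 dport=502 proto=tcp
2021-05-08T02:15:03Z src=10.10.1.20 dst=10.10.1.10 dport=44818 proto=tcp
2021-05-08T02:15:07Z src=10.10.1.77 dst=10.10.1.10 dport=502 proto=tcp
2021-05-08T02:15:09Z src=10.10.1.11 dst=10.10.1.20 dport=3389 proto=tcp
2021-05-08T02:15:12Z src=10.10.1.10 dst=203.0.113.50 dport=443 proto=tcp
"""

# Address space in which OT-to-OT traffic is expected (assumed for the example).
OT_NETS = [ip_network("10.10.1.0/24")]


def parse(log):
    """Yield (timestamp, src, dst, dport, proto) tuples; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, src, dst, dport, proto = m.groups()
            yield ts, src, dst, int(dport), proto


def learn_baseline(log):
    """Record every (src, dst, dport, proto) pair observed in the learning window."""
    return {(src, dst, dport, proto) for _, src, dst, dport, proto in parse(log)}


def detect(log, baseline):
    """Alert on live flows that leave the baseline, one reason per failed check."""
    alerts = []
    for ts, src, dst, dport, proto in parse(log):
        reasons = []
        if (src, dst, dport, proto) not in baseline:
            reasons.append("new communication pair")
        if not any(ip_address(dst) in net for net in OT_NETS):
            reasons.append("destination outside OT address space")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(LIVE_LOG, learn_baseline(BASELINE_LOG)):
        print(a["ts"], f"{a['src']} -> {a['dst']}:{a['dport']}", "; ".join(a["reasons"]))
```

The baseline must be learned from a window you are confident was clean and then frozen; a baseline that keeps learning will quietly absorb the attacker's traffic as "normal". Real deployments add per-pair volume and timing statistics on top of the pair set, but the pair set alone already surfaces the three cases in the live log: an unknown host polling the PLC, the HMI opening a remote-desktop session to the historian, and the PLC reaching out to the internet.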
4. Leverage cyberthreat intelligence (CTI)
Let’s face it — most IT/OT security teams aren’t ready to pick up the early warning signs of a possible attack. A sudden increase in chatter mentioning your plant on a darknet forum comes to mind, or an underground market auction for a zero-day exploit that affects parts of your industrial control system.
CTI enables OT security professionals to stay ahead of the curve and be prepared. Luckily, you don’t need to build expensive internal threat-hunting capabilities to get there.
Cybersecurity and Infrastructure Security Agency (CISA) alerts, information sharing and analysis centers (ISACs), and CISO networks share additional insights and perspectives from fellow ICS/OT security practitioners and leaders.
5. Develop a security state of mind
People, processes, and technology play a critical role in cyber hygiene. Ensuring lines of demarcation, with defined ownership of roles and responsibilities, is imperative. Tactics such as tabletop exercises or incident response planning can be used to determine which critical steps will be taken, and in what sequence of human decision-making, in the event of a ransomware attack, for example.
These types of exercises can be rehearsed. It’s incumbent upon IT/OT teams to plan for and prioritize incident response training regularly and frequently for adequate defense. Many services exist to support security awareness and implementation training, which are also frequently part of a managed services program.
Any step is a good step
After the Colonial Pipeline attack, TV and social media clips showed gas stations overrun by long lines of irate motorists in panic-buying mode. Talk about the power of images.
With this fallout on public display, as well as the potential for serious operational damage and even litigation, the threat is taken seriously in the C-suite. The cyberthreat detection steps on this short list can make hidden threats to your OT visible before they harm your organization.