Blog

Prioritizing Risks to Create an Effective OT/ICS Cybersecurity Strategy

Bartosz Urban | August 19, 2019

The SANS 2019 State of OT/ICS Cybersecurity Survey explores the challenges involved with designing, operating, and managing risk to industrial control systems and their assets. Security professionals active in enterprise information technology (IT) and operational control fields from around the world took part in the survey to answer the question – how can we identify potential risk in time to avoid it?

Because most of today’s industrial control systems (ICS) run their daily operations through the internet, previously sealed and disconnected networks now have multiple newly created access points, broadening the scope of potential threats looming over businesses. Let’s take a look at what the survey respondents have pointed out as areas of concern when it comes to keeping their operations secure.

Getting the Same Treatment as Everybody Else

The survey respondents stated that the number one risk to ICS networks is the fact that most server assets inside these systems are running on a well-known, commercial operating system (OS). While keeping your servers on Windows, Unix, or Linux has many upsides, like ease of use for people who already have familiarity with the OS, it also means that the threats directed at them will be as widespread as they are for everyone else. Since those operating systems effectively run on a majority of machines in the world, attempts to find new vulnerabilities in them happen with increasing frequency.

Additionally, if these server assets are within the operational technology (OT) infrastructure and managed by OT resources, as opposed to IT, there may be a strong likelihood that these devices aren’t routinely patched since patching can hinder the continuity of the process that the OT system is designed to control. A strategically designed network and cybersecurity architecture can mitigate this risk by placing and protecting, server assets at or near the boundaries between the IT and OT domains.

A Building of Revolving Doors

This is especially true when you consider how many entry points there are in a network that’s connected to the internet. Almost a third of respondents claim to be aware of the risks stemming from countless network devices and gateways. Sure, they serve as security measures too, given how much of them do nothing but prevent access, but carelessness and mismanagement of those assets thanks to the ever-present human factor could result in a cybersecurity incident.

Imagine a building of revolving doors, hundreds of them, with only a few people controlling their movement – and, effectively, guarding the entrance – from a tower up above. Sure, you can only leave certain doors open and completely shut down others, but if a wrong button is pressed and one of those closed doors unexpectedly lets a bad guy in, this operation is toast. Firewalls, network switches, and various gateways are just revolving doors with a built-in lock and shouldn’t be the only security measure in place, because once a mistake is made and a malicious actor is in, you won’t know what will happen next.

If an Ant Colony Gets Flooded

What might really wreak havoc on your operations is the combination of the two elements mentioned above. ICS networks may be interwoven with an IT infrastructure to give system access to corporate users. This creates another potential entry point for a hacker to make their way into the OT network.

Many times, incidents happen in a corporate IT environment, not because of explicitly malicious intent, but thoughtless human error, like a successful phishing attack. Once a bad actor takes over a computer connected to the company network that also has access points to the OT network, it’s almost like an ant colony getting flooded. Rain will eventually make its way through the complicated system of corridors and drown the whole society.

How to Stay Afloat

An effective OT/ICS cybersecurity strategy begins with seeing the big picture. There are many blueprints that help companies to build a more comprehensive security strategy, like the NIST Cybersecurity Framework introduced by the US National Institute of Standards and Technology (NIST) in 2014. Over a third of survey respondents claimed to have implemented the NIST guidelines into their operation.

At its core, this and many other frameworks stress the need to understand what is happening inside your network at all times by creating a network baseline, and then implementing anomaly detection capabilities. This goes back to the revolving doors comparison – once you accidentally let someone unauthorized in, you need to closely follow their movements and document the damage. Today, network visibility solutions should not just be an optional add-on to your ICS cybersecurity strategy – they should form the basis of it. Picking up data from network traffic and analyzing it in real time provides valuable information for future reference and can also alert you to unusual activity quickly, so you can respond before it’s too late.

The SANS 2019 State of OT/ICS Cybersecurity Survey offers deep insight into many aspects of protecting your ICS network from the increasingly real risk of both accidents and attacks. For insight into the complete data set and recommendations for the challenges faced by OT cybersecurity stakeholders, download the full survey here.

 

2019 SANS State of OT/ICS Cybersecurity Survey Report