If you’ve heard the statement, “A hacker only has to be right one time and a defender has to be right all the time,” you might find it trite, but it also holds some truth. What it means is that any security risk is a possible foothold into a full-blown exploitation of your environment.
In reality, the job of the operational technology (OT) security defender is to minimize disruptions in frequency, duration and impact, and the only way to do that is to minimize the attack surface across all your assets. Simply stated, you need to lock down your OT systems to least privilege, patch as often as possible, add best-in-class cyber security tools like anti-virus and whitelisting and, of course, include a backup plan.
These actions should be accompanied by other standard security processes such as user/account management, monitoring, and detection. Until these cumulative security measures are in place and maintained, all the perimeter detection or passive monitoring technology in the world won’t do much at all if or when someone or something gets inside your perimeter.
While this might seem like a no-brainer to some, many organizations have not taken this robust cyber security approach to managing endpoints in OT. Instead, they opt to focus on perimeter or network-based security tactics, which focus on transactions and completely neglect endpoint configuration.
The fixation on networking used to be called the M&M approach: your network is hard and crunchy on the outside but soft and chewy on the inside. This means that if an attack were to occur, there is little to no resistance in its way as it wreaks havoc. This exposes an operating environment to a lengthy, messy outage instead of containing an incident to the smallest, least impactful consequences possible.
Many rush to embrace passive anomaly detection tools as a silver bullet for OT security because of their ability to monitor inside the network by listening to the day-to-day traffic between operational assets, but this approach relies on seeing and hearing endpoint behaviors that are the result of risk already present. In other words, passive tools only alert, and by that time it’s usually too late because something dangerous is already happening on your network. Monitoring tools do not reduce risk on the endpoints where security needs the most improvement.
The good news is that there are OT-safe, endpoint management solutions that significantly reduce your attack surface and protect the very targets of malware, hackers and other cyber-related risks. But to benefit from them, we need to change our mindset.
Too many OT owners and operators shy away from using agents on endpoints, but by connecting directly to those endpoints to patch, tune (where patching can’t be done) and generally track and manage those endpoints, we significantly reduce our risk profile.
By adopting this type of robust endpoint management solution, OT security practitioners not only significantly reduce risk, but they save considerable time and money as well. In fact, a recent post-project analysis showed a large pharmaceutical corporation was on track to save over $600K in labor on their security efforts while doubling the efficacy of their security maturity.
The promise of this approach lies in the willingness to stretch our status quo to include agents and agentless profiling on the target assets. We need to embrace automation of asset inventory, creatively apply compensating controls in the absence of patching, and leverage corporate HQ or even leased cloud visibility to extend scarce skilled resources to a wider scope of industrial assets. By taking this asset-centric approach, OT context is driven into our day-to-day decisions and accurately directs our risk reduction efforts to those assets that need it most.
The proof of endpoint focus lies in very real success stories in a number of industries. One example is a large pharmaceutical company that brought an endpoint management focus to its OT security. They deployed a host of technology to connect directly to the endpoints and added OT context such as system criticality, location and owner. Then they overlaid the National Vulnerability Database on their inventory and appended antivirus, backup and whitelisting status to each asset record. It was this asset-specific view and interactive profiling that led to astonishing insights.
They quickly discovered:
While these discoveries were shocking, the story had a happy ending because they immediately worked on reducing these risks in a prioritized way. The team took a measured approach to which risks they wanted to reduce (patching where possible, applying compensating controls where they couldn’t) and within two weeks had cut their raw risk by half. Their real risk, the impact of critical risk on high-impact assets, was reduced by almost two thirds.
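The raw-versus-real risk calculation the case study describes, as an added illustration (not the company’s or any vendor’s tooling): constructed asset records carrying criticality and whitelisting status are joined to placeholder NVD-style findings, scored with and without OT context, and re-scored after patching where possible and applying whitelisting as a compensating control where not. The criticality weights, the whitelisting discount and the CVE ids are assumptions.

```python
from dataclasses import dataclass, field, replace

# Criticality tiers assigned by the asset owner; the weights are assumed.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
# Assumed discount for an asset protected by application whitelisting.
WHITELISTING_DISCOUNT = 0.5


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str
    whitelisting: bool
    cves: tuple = ()  # NVD-style findings as (cve_id, cvss, patched)


# Constructed inventory; the CVE ids are placeholders, not real identifiers.
INVENTORY = (
    Asset("HMI-01", "high", whitelisting=False,
          cves=(("CVE-XXXX-0001", 9.8, False), ("CVE-XXXX-0002", 5.3, False))),
    Asset("ENG-WS", "medium", whitelisting=True,
          cves=(("CVE-XXXX-0003", 7.5, False),)),
    Asset("HIST-DB", "low", whitelisting=False,
          cves=(("CVE-XXXX-0004", 8.1, True),)),
)


def raw_risk(assets):
    """Sum CVSS of every unpatched finding, with no asset context at all."""
    return sum(cvss for a in assets for _, cvss, patched in a.cves if not patched)


def real_risk(assets):
    """Weight unpatched findings by criticality; discount whitelisted assets."""
    total = 0.0
    for a in assets:
        factor = CRITICALITY_WEIGHT[a.criticality]
        if a.whitelisting:
            factor *= WHITELISTING_DISCOUNT
        total += sum(cvss for _, cvss, patched in a.cves if not patched) * factor
    return total


def prioritize(assets):
    """Order assets by their share of real risk, highest first."""
    return sorted(assets, key=lambda a: real_risk([a]), reverse=True)


def remediate(asset, patch_ids=(), whitelisting=None):
    """Patch what can be patched; where it cannot, turn on whitelisting as the
    compensating control. Returns a new record, leaving the original intact."""
    cves = tuple((c, s, p or c in patch_ids) for c, s, p in asset.cves)
    wl = asset.whitelisting if whitelisting is None else whitelisting
    return replace(asset, whitelisting=wl, cves=cves)
```

With the constructed data the HMI ranks first because a high-criticality, unwhitelisted asset dominates real risk even though raw CVSS alone would rank the findings differently.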
By performing both analysis and remediation, this pharma company significantly improved their cyber security maturity almost overnight. Once they adjusted their mindset from only securing the perimeter or monitoring to managing endpoints, they made the gains in security and risk reduction they had long sought.
Had they continued to neglect endpoint management, they would have been just one malware or phishing attempt away from a significant cyber event that would have immediately propagated far and wide within this environment.
New technology is exciting and intriguing, but we have to be realistic in knowing the OT cyber world has significant technical debt from many years of failing to patch and harden endpoints.
The only way to properly protect our assets is to address them directly. Managing endpoints directly provides the system-level details needed to lock them down to least privilege and remove unwanted or unnecessary software, so your weakest link gets considerably stronger. The more you protect OT assets this way, the less likely you are to suffer a significant outage or impact.
To learn more about our approach to endpoint management download the on-demand webinar: “Securing Industrial Environments with OT Endpoint Management”