The increase in threats to OT environments has pushed the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings about cyber-actors’ willingness to conduct malicious cyber-activity against critical infrastructure by exploiting internet-accessible OT assets.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess that, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.
While there has been a string of alerts and buzz around naming the various threats, the recommendations remain the same: Manage your OT systems through core security fundamentals. The recommendations all play the same fundamental tune around CISA’s ICS Best Practices.
They center around areas such as:
Maintain an ICS asset inventory of all hardware and software
Update software using a risk-based assessment approach to determine which assets should participate in the patch management program
Implement application allow-listing (whitelisting) on HMIs and workstations
Isolate ICS/SCADA systems from corporate and internet networks using perimeter controls
Disable unused ports and services on devices
Enforce multi-factor authentication for remote access
Change all passwords on a regular basis and monitor password status
Maintain known-good backups
Protect systems with strong anti-virus and other endpoint detection capabilities
Implement log collection and retention
Leverage OT monitoring solutions to alert on malicious behaviors
In summary, these are all about what we call “OT Systems Management”. This phrase encompasses these fundamental elements of OT security – from asset inventory, to endpoint management of vulnerabilities, patches, configurations, etc., to managed network segmentation as well as controlled access, and eventually monitoring and recovery.
While these alerts are absolutely valuable in raising the community’s awareness, they can cause confusion if they are not read thoroughly and understood for the recommendations being made. We often receive calls about the latest alert because an organization is chasing down a specific threat, or a particular threat actor or malware, that has recently been seen in an ICS system somewhere. To be clear, it is critical that we as an industry know about these emerging threats, and CISA has contributed greatly to the awareness of these threats.
However, it is key that organizations read down to the bottom of these releases to that section that includes recommended mitigations or actions. That section is what really matters – what can you do as an organization to address these threats. And in that, the message is consistent – OT systems management. The consistent application of fundamental security controls.
While it would be great if every OT operator had advanced beyond these fundamentals, the truth is that most are still working on these core elements. It is there where we believe we must focus as an industry.
As one example, many industrial organizations do not actively manage their OT endpoints. In many cases, they do not have accurate inventories of what those endpoints are. If the inventory exists, there often is a lack of actively managing those devices whether that be patching, hardening configurations, updating passwords, updating firmware, etc.
Some may have OEM vendors that come on some basis to apply OS patches and application patches for that particular OEM application set. But all too often, when we come in after that patching process and look at the output of the Verve Endpoint Management platform, we find that those patches left many critical vulnerabilities behind: either the patches did not cover other application software on that device, or OS patches that solve critical vulnerabilities had not been approved by the OEM and so were never applied.
In our 2002 ICS Advisory Report, we found a 47% increase in CVEs in ICS-CERT advisories between 2019 and 2020. In our 2021 summary report, about to be released, we found another 59% increase in the number of ICS vulnerabilities, yet most organizations still do not have a comprehensive, vendor-agnostic patch management program.
OT systems management includes the development of an ICS-specific patch management effort.
We are not naïve, however. We have been designing and securing ICS systems for almost 30 years. Patching OT is hard.
The key challenges with patch management:
Tracking what patches are relevant for a specific device
Knowing if the patch is approved by the vendor – as well as end-of-life software or systems no longer supported by the vendor
Challenges of required re-boots to apply patches in ongoing process environments
Operational risks from patches that may disrupt operations if not tested appropriately
Devices requiring firmware updates that have knock-on effects on other parts of the system, so that an overall system upgrade is needed to apply them
Lack of staff/resources to manage the process
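The patch-management challenges listed above (matching advisories to the right devices, OEM approval, end-of-life platforms, reboot risk on running processes) and the earlier recommendation to patch using a risk-based assessment can be made concrete with a small triage routine. The following is an added example written for this article; it is not Verve’s code and does not represent the Verve Endpoint Management platform. The asset inventory, the advisories (with placeholder identifiers such as "ADV-0001", not real CVEs), the OEM-approved list, and the scoring weights are all constructed assumptions.

```python
"""Risk-based patch triage over an OT asset inventory (added example, constructed data).

Each advisory is matched to assets by product and affected-version range, then the
finding is scored and assigned an action that respects the constraints the article
lists: OEM approval, end-of-life platforms, and reboots on process-critical devices.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.0' -> (4, 1, 0); tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    name: str
    zone: str                    # "control" (isolated) or "dmz" (reachable from IT / remote access)
    process_critical: bool       # a reboot here means an outage of a running process
    oem: str                     # OEM whose approved-patch list governs this device
    software: Dict[str, str]     # installed product -> version
    eol: bool = False            # platform no longer supported by its vendor


@dataclass
class Advisory:
    id: str                      # placeholder identifier, not a real CVE number
    product: str
    fixed_in: str                # installed versions below this are affected
    cvss: float
    reboot_required: bool


def affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's product at a version below the fix."""
    installed = asset.software.get(adv.product)
    return installed is not None and parse_version(installed) < parse_version(adv.fixed_in)


def triage(assets: List[Asset], advisories: List[Advisory],
           oem_approved: Dict[str, Set[str]]) -> List[Tuple[float, str, str, str]]:
    """Return (score, asset, advisory, action) findings, highest risk first.

    Score = CVSS base, multiplied by 1.5 (assumed weight) when the device sits in a
    zone reachable from less-trusted networks. The action encodes the constraints
    rather than hiding them: an unapproved or EOL case is still a finding.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if not affected(asset, adv):
                continue
            score = adv.cvss * (1.5 if asset.zone == "dmz" else 1.0)
            if asset.eol:
                action = "no patch available: isolate, allow-list, and plan replacement"
            elif adv.id not in oem_approved.get(asset.oem, set()):
                action = "not OEM-approved: request approval or apply compensating controls"
            elif adv.reboot_required and asset.process_critical:
                action = "patch at next planned outage"
            else:
                action = "patch in next maintenance window"
            findings.append((round(score, 1), asset.name, adv.id, action))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample inventory and advisories (not real devices or CVEs).
INVENTORY = [
    Asset("HMI-01", "control", True, "VendorA",
          {"VendorA HMI Runtime": "4.0.9", "PDF Reader": "9.0.2"}),
    Asset("ENG-WS-02", "dmz", False, "VendorA",
          {"VendorA HMI Runtime": "4.0.3", "PDF Reader": "9.1.0"}),
    Asset("HIST-03", "control", True, "VendorB", {"Historian": "2.5.0"}, eol=True),
]
ADVISORIES = [
    Advisory("ADV-0001", "VendorA HMI Runtime", "4.1.0", 8.8, reboot_required=True),
    Advisory("ADV-0002", "PDF Reader", "9.1.0", 7.8, reboot_required=False),
    Advisory("ADV-0003", "Historian", "2.6.0", 9.1, reboot_required=True),
]
# The OEM's approved list typically covers only its own application set, which is
# exactly the gap the article describes for third-party software on the same box.
OEM_APPROVED = {"VendorA": {"ADV-0001"}}

if __name__ == "__main__":
    for score, asset, adv, action in triage(INVENTORY, ADVISORIES, OEM_APPROVED):
        print(f"{score:5.1f}  {asset:10}  {adv}  {action}")
```

Run as a script it prints the prioritized list; the point of the structure is that "patch everything" is never the output. Each finding carries the constraint that actually decides what the plant can do, which is what a controls engineer needs in order to operationalize the work rather than chase the headline.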
It’s no surprise organizations are always a step (or two or three) behind on software patching and spend valuable time in the weeds manually tracking and managing the patching program.
But just that one example demonstrates the challenges in achieving those fundamental mitigations that CISA lays out.
OT Systems Management requires the “operationalization” of security. The great news for ICS practitioners is that if we can “operationalize” security, operators understand how to execute. Controls engineers and production personnel live every day by improving the operations of their plants. They have metrics, targets, specific quality improvement plans, 6-sigma or other lean principles, balanced scorecards, etc. The world’s base of industrial operators continually improves productivity each and every year through operations improvement programs.
If, instead of treating cyber security as a domain only for people with advanced cyber expertise, we operationalized it into a series of fundamental tasks that can be improved each and every day, we could start to apply lean and other principles to improve performance.
But if we let the latest headline and new threat name distract us from those fundamentals at the bottom of those CISA alerts, we can lose the thread of the overall mission.
Each of these alerts should be seen not as “new news”, but as a reminder of what CISA and others have been saying for years – execute on fundamental OT security practices. If we do that we will be addressing old and new security risks at the same time.
OT Systems Management Whitepaper
Achieving a mature level of OTSM is critical to improve overall ROI from increasingly connected industrial systems and to ensure foundational elements of OT cyber security are in place to protect critical infrastructure from targeted and untargeted attacks.