ICS/OT Cybersecurity: Common Mistakes Organizations Make
American infrastructure is under attack. Foreign adversaries are using malware to cripple their targets’ operational technologies, disrupt industrial control systems and inflict significant economic damage.
That’s not hyperbole or alarmist. Just look at the evidence.
The Russian cybercriminal group REvil hit JBS, the world’s largest meat processor, with a ransomware attack on June 1, forcing the company to shut down nine of its U.S.-based plants and scale back production at others. JBS paid an $11 million ransom to end the assault.
A month before that, the Russia-based criminal hacking group DarkSide launched a ransomware attack against Colonial Pipeline, which had to shut down operations and freeze its IT systems until paying a $4.4 million ransom.
In February hackers hit a Florida plant and attempted to boost the amount of sodium hydroxide scheduled to go into the water supply to 100 times the normal level. A plant operator caught the change in real time and adjusted the chemical levels before any harm was done.
And then there was the 2020 SolarWinds attack. Here, hackers tied to Russia’s foreign intelligence service added malicious code to the company’s Orion IT monitoring platform – code that allowed hackers to lurk inside the networks of anyone using the Orion software. Thousands of organizations were impacted by the hack, as most Fortune 500 companies, the biggest U.S. telecommunication companies and hundreds of educational institutions as well as the U.S. military, the Pentagon and the State Department use the affected SolarWinds platform. Analysts are still tallying the costs but say the total damages could be upwards of $100 million.
The astronomical costs of such events are just part of the story, as these attacks highlight the hackers’ increasingly sinister goal: to disrupt normal business operations and everyday life by going after the critical infrastructure that runs them.
Worse still, these attacks are expected to become more frequent, more sophisticated and potentially more destructive. Consider the warning FBI director Christopher Wray gave Congress in June: “We think the cyberthreat is increasing almost exponentially.”
Despite such dire predictions, many organizations remain unprepared. They’re failing to adequately address the vulnerabilities and risks within their industrial control systems and operational technology – vulnerabilities and risks that heighten the chances of them becoming cyberattack victims.
Could you be one of these organizations?
Consider this before you respond: There are a multitude of areas that could leave you exposed to cyberthreats. Those vulnerabilities include legacy software, a lack of network segmentation, the use of default configurations, a lack of encryption, weak remote-access procedures, and no threat detection capabilities.
Even more problematic is the fact that you could actually be introducing more risks as you digitally transform. For example, we’re finding that organizations are creating new attack vectors as they collect and use data from production ICS networks to facilitate real-time decision-making and improve business optimization.
In fact, we see many organizations fall short when it comes to their ICS/OT cybersecurity posture in nearly a dozen ways. The most common mistakes involve:
- A nonexistent or incomplete inventory of the assets and applications that need protection.
- A lack of visibility into the assets and applications communicating within networks.
- No network segmentation.
- No integration between and among systems.
- A failure to identify or fully understand the vulnerabilities and attack vectors that exist within the enterprise.
- Security technologies deployed to meet compliance requirements – to check boxes, so to speak – rather than to actually reduce risks.
- No risk strategy or framework to prioritize security-related tasks.
- underestimating the scope of work and resources required to realize returns on security investments.
- ICS/OT vendors through mergers, acquisitions, rebranding, and going out of business create a continuity issue for long term ICS/OT project support for clients.
- Failure to create the integration between IT systems and operational technology needed for robust situational awareness and incident response.
- No or limited details on how an attack could impact operations, how much that would cost the organization, and the likelihood of each scenario. (Risk Management Framework)
As enterprise leaders, you must take action to address the weak spots within your security plans; you must move the risk needle in a positive direction to better protect your critical infrastructure.
Start by developing or reviewing your security strategy. Clearly identify your risks and vulnerabilities as well as the technologies, policies and procedures needed to mitigate them; create a roadmap to implement missing mitigation components and the metrics you’ll use to determine how well they’re working.
As you do this, keep in mind that your security ecosystem should have multidirectional information-sharing between and among your intrusion prevention and intrusion detection systems, the security information and event management system, the asset management system, your privileged access management system as well as any other security technology deployed within your environment.
Your strategic plan should also address staffing requirements to ensure internal resources are properly trained and available to implement security measures and rapidly respond to threats.
And it should identify which external resources, such as benchmarking standards, can be leveraged to allow for continuously reduced risk and improved efficiency so that your security program delivers robust protection to your industrial control systems and operational technology as well as your IT systems.