The White House issued a statement by President Biden urging the critical infrastructure community to immediately strengthen their defenses based on their evolving understanding of Russian intent to use cyber attacks.
Many of our customers are asking what they can reasonably do for their operational technology (OT) environments in a matter of weeks. What is practical to do in the next month and how do they get a jump on the next six months?
Our recently released 2021 ICS/OT Cybersecurity Year In Review is a great primer on where most organizations are, but it’s at a macro level. Start with a fundamental question to better understand where your facilities are today:
Do your facilities teams understand what an attack may look like and what to escalate? Are they partnered with the cybersecurity team?
Incident Response in OT is different. Cybersecurity teams are traditionally accustomed to being in the driver seat for responding to an attack. The security teams are still imperative in detecting and understanding the extent of the incident (scope) but the local engineering team is going to better understand what potential implications to the investigation. Essentially, the local team should be working in tandem with the incident response manager function and be fully briefed and making joint decisions with the cybersecurity team. Without that pairing, the response effort will not understand the implications of their own actions (make a situation worse) or miss key facts that are relevant to the industrial process.
The security teams likely do NOT have visibility into the OT environment. They are blind or extremely impaired and may only be able to focus on the corporate environment of a facility. In these cases the security teams should have:
- Focused monitoring of OT, engineering, operator staff’s email quarantine, and corporate endpoints for targeted malicious activity that is indicative of Stage 1 Industrial Control Systems (ICS) Cyber Kill Chain.
- Focused understanding and scrutiny of communication paths between corporate and OT systems, particularly around remote access solutions, native Windows protocols such as RDP, SMB, or any active directory authentication that may be indicative of Stage 2 ICS Cyber Kill Chain steps progressing from IT.
The OT and engineering teams should understand what the security teams can monitor and be armed with knowledge of what to look for. What should the local teams escalate to security?
- Unidentified configuration changes.
- Unusual activity (resets, reboots, etc) to a device/host repeatedly, or to multiple devices at once.
- Unexpected cursor movements on key engineering or operator stations.
- Downtime with no identified root cause.
Leadership teams play a vital role in coordination. Response teams should be briefing key facility staff of industrial specific threats, particularly those related to their industries. This includes activity groups and ransomware groups, such as Conti, and what their known behaviors are. Additionally, the facility should brief the security teams what key systems they have, key equipment relating to safety or process loss of view or loss of control. Finally, the executive team should understand limitations to what the security teams have visibility to and can or cannot detect within their industrial environments.
Finally, looking past the immediate urgency, what questions can inform your mid-term (2-8 months) strategy?
- Is your asset inventory up-to-date and accurate? Does it include model/make/serial/firmware (or operating system) details?
- Are your security zones based on the Purdue Enterprise Reference Architecture or ISA/IEC 62443-3-2 and which zones are actively monitored across east/west network traffic?
- Do you have an ICS/OT DMZ implemented between the business and OT networks and do you follow a “deny all; allow by exception” access policy across the IT/DMZ/OT trust boundaries?
- Do you segment any Safety Instrumented Systems?
- How do you internally monitor your east/west traffic to identify behaviors such as logic changes on controllers?
- How do you manage logging of network, device, and hosts and can your monitoring map to key behaviors as defined in MITRE ATT&CK for ICS?
Original content can be found at Dragos.