Cyberattacks against industrial control systems (ICS) are growing in number and sophistication each year. The potential financial impacts from these attacks are growing in parallel. Major attacks, like the Colonial Pipeline and JBS meat plant incidents, have served as harsh reminders about the necessity of operational technology (OT) cybersecurity solutions. However, companies looking to increase their cyber defenses are often overwhelmed with the landscape of security solutions. There are many different vendors each providing various, and at times, overlapping functionality.
For this reason, matching individual needs with specific OT cybersecurity solutions can be a difficult task. The following seven questions provide a basic checklist to determine whether a solution will deliver adequate protection for an OT environment to better inform your search.
1. Can you monitor the use of removable media? Removable media is a common tool to expedite the movment of information within systems, with USB flash drives being the most popular type. These devices, however, pose significant security risks. Removable media was determined to be the second most common attack vector in cyberattacks against industrial control systems. Furthermore, research from the Ben-Gurion University of the Negev in Israel indexed 29 distinct ways in which USB flash drives can be weaponized to compromise digital systems. Given the prevalence and diversity of such attacks, an OT cybersecurity solution should be able to monitor the use of these devices. Without this functionality, it’s nearly impossible to robustly defend an industrial control system.
2. Can you monitor critical files on your endpoints? Within OT systems, certain file exchanges require heightened security awareness. The movement of build files between DCSs and PLCs pose specific cybersecurity risks, so assuring the integrity of these files is of paramount importance. As an example, the 2014 cyberattacks against Ukrainian utilities included malware that “wipes or overwrites data in essential system files, causing computers to crash. Because it also overwrites the master boot record, infected computers can’t reboot.”
In the case of Ukraine, damage was mitigated using manual controls. However, within many power plants now, there is no manual back up to the SCADA systems, or if there is, many engineers in today’s workforce are not trained on how to use it. If this is true of your environment, then the monitoring of critical files is of even greater importance.
3. Can you determine the exact version of the operating system (OS) and installed patches?
An old, unsupported OS is a major security risk. Unpatched systems are open targets for cyberattacks, and many contain known vulnerabilities that can be easily exploited – even by unsophisticated adversaries. However, these vulnerable and outdated systems can easily be lost within OT architecture – particularly larger ones. Furthermore, OT patch management presents specific challenges not seen in IT security. The severity of risks from outdated operating systems is reflected in a June 2021 report from the Cybersecurity & Infrastructure Security Agency (CISA). In the face of increasing ransomware attacks, they list updating operating systems as a first recommendation for mitigating risk. If you identify an old OS that you can’t update, then you need to figure out what mitigations you’ll put in place to manage that risk.
4. Can you monitor endpoints using multiple methods, including actively and/or passively using native device protocols?
Active and passive monitoring each have tradeoffs. Passive monitoring is unlikely to disrupt or interfere with network traffic and usual functions. Yet, limitations may exist as to what type of traffic can be tapped with passive tools. On the other hand, active monitoring can provide more robust network visibility while risking system malfunction if done incorrectly. Additionally, endpoint monitoring can be frustrated by disparate native device protocols. OT protocols are often based upon propriety design and may be unintelligible to less sophisticated cybersecurity solutions.
5. Can you detect authentication of users on endpoints?
Proper user authentication is a core requirement of OT cybersecurity. Multi-factor authentication (MFA) should be a basic component of cyber hygiene and is listed as a basic recommendation in the previously discussed CISA report. This is particularly important in OT environments where user authentication is often absent. As one security report has highlighted, “Modbus, one of the most commonly used industrial automation protocols, typically lacks any form of device authentication, leaving the integrity of communications in question.” As a result, an OT cybersecurity solution must be equipped to fill this gap.
6. Can you safely determine vulnerability posture on sensitive endpoints?
Industrial control systems operate continuously, so actively identifying vulnerabilities is rarely an option. As a result, OT cybersecurity solutions must find alternative ways of determining vulnerabilities on sensitive endpoints. One approach is to use specialized OT asset data collection methods, including passive, agentless or native agents, to collect all the software and patch data for a particular endpoint and then compare that against vulnerability feeds, such as NIST’s NVD or even private original equipment manufacturer (OEM) feeds. A solution like this will help you discern vulnerabilities in your OT assets without posing operational safety risks.
Most vulnerability management solutions that are IT-focused fail to incorporate these specialized requirements. As a result, it is important to verify that the cybersecurity solution you’re evaluating can handle the sensitivity of OT systems.
7. Do you provide out of the box reporting and dashboards that align with cybersecurity standards?
Security necessitates visibility. That is why all the questions above could be made meaningless if the security information is not communicated in a manner that is quickly discernable for OT cybersecurity teams. The most robust security solution is only as useful as it is actionable. Your chosen solution should be oriented towards particular regulations, standards, or audit requirements that your company anticipates. The importance of user-friendly dashboards and reporting mechanisms should not be discounted.
Cyberthreats facing OT/ICS environments are compounding daily, and these 7 questions should help you figure out where to start. While the above list is not exhaustive, it represents a foundation for some things you should look for in a cybersecurity solution. The modern OT environment is complex and requires intentional planning to provide strong cybersecurity.