It’s been a tough year for cybersecurity teams. Critical infrastructure has faced an onslaught of cyberattacks, including high profile incidents like the Colonial Pipeline and JBS ransomware attacks and the Florida water treatment plant hack, and the situation doesn’t look to be improving anytime soon. With the increasing geo-political tensions in Eastern Europe, CISA has issued a “Shields Up” alert, encouraging every organization to adopt a heightened cybersecurity posture. If Western countries do decide to launch cyberattacks designed to disrupt Russia’s ability to sustain its military operations in Ukraine, private companies in the US and Europe must ensure they have robust defenses in place now to prevent or detect any potential retaliatory attack.
When it comes to operational technology (OT), there are frequently missed elements of a strong security program that could leave companies exposed. These six actions can be taken now to strengthen a company’s OT security posture.
1. Audit user account management and access control
Many companies are not periodically auditing their user account base or access control settings. This can cause them to overlook things such as unnecessary administrative permissions, weak or old password credentials and open accounts for employees who have left the company. For example, we recently identified active login accounts for employees who had left over one year ago, as well as excessive failed logins from service accounts that should have been eliminated due to sunsetted applications. We recommend auditing all user accounts for industrial control systems (ICSs) to ensure hygiene, password strength and appropriate levels of access for each account.
2. Audit software inventory
An often-overlooked issue in ICSs is software installed that is not relevant to a company’s operations. Security teams should also check for open vulnerabilities in their software and create a prioritized patching list for anything critical. If a company has an old, unsupported OS that can’t be updated, the company needs to figure out what mitigations will be put in place to manage the risk vector. Not having a complete picture of what software is in the operating environment makes companies vulnerable to potential cyberattacks.
3. Audit firewall rules
Ensure all firewall rules are up to date to reflect any recent changes such as the removal of operational sub-system devices or software. Also be vigilant about “Any/Any” rules that would allow wide open access to anyone inside the system. This can potentially result in unauthorized communication attempts to the internet from an attacker who has made it into a company’s network. For example, Industrial Defender discovered a server trying to phone “home” that was reaching out to a vendor for updates which were not approved by the security team. We recommend auditing and continuously monitoring your firewall rules now to ensure they are properly segmenting your OT networks.
4. Update anti-virus/anti-malware signatures
We often see customers overlooking or deprioritizing signature updates in endpoint and/or network intrusion detection systems. Having outdated AV and malware protection may leave companies open to the latest cyberthreats. It’s a good idea to monitor these applications and ensuring all the latest signatures have been installed.
5. Monitor removable media
Removable media is the second-most common attack vector in cyberattacks against ICSs. Not regularly monitoring things like USB ports for suspicious activity is a very common mistake we see. For example, one of our engineers recently ran into an employee attempting to use a USB port in a control room to charge their cell phone. While convenient, this should be an unacceptable practice since it opens the system up to whatever threats may be hiding in those devices. Another potential issue could happen if the phone is setup as a new network interface to the system. This could open up the workstation to the internet from what used to be a completely air-gapped environment.
6. Monitor logs
Device configurations can change daily, so it’s important for security teams to keep a close on this and analyze whether these changes are legitimate or not. This isn’t as sexy as AI or ML, but most attacks are logged and were never reviewed/noticed. Unfortunately, in OT environments, daily log reviews are not a common practice. Visibility is critical in times like these, and we recommend these and other important actions during this challenging period.
– This originally appeared on Industrial Defender’s website. Industrial Defender is a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.