Industrial Operating Technology Faces An Urgent Challenge

Are industrial control systems the new battlefield in the rising geopolitical tensions between nations? In May, ten cybersecurity agencies including the FBI, the NSA and the UK National Cyber Security Centre issued a joint report warning of a wave of pro-Russian attacks against industrial control systems (ICS) that target sectors such as water and wastewater services, energy, dams and food and beverage.

As a result, those working in OT operations need to be a step ahead of the threats. 

This new report confirms a lingering trend: while they remain less common than attacks on the IT side, OT-specific attacks can no longer be ignored. According to a recent report by Palo Alto Networks, 76% of organisations reported cyberattacks against their OT environments in the past twelve months, and three-quarters of those said the attacks had become frequent.

Three Basic Actions To Take Today

The report offers three “actions to take today” for organisations looking to address the most common issues.

  • First, the agencies ask industrial organisations to ensure that the default passwords of all Operational Technology (OT) devices, including Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs), are changed to strong, unique passwords.
  • Third, and most importantly, organisations should get a clear picture of which OT devices are connected to the Internet and limit their exposure. In recent years, attackers have commonly exploited remote desktop tools, such as virtual network computing (VNC) software, which gives them access to insecure industrial control systems.

Lack Of OT Visibility As A Major Contributing Factor

While necessary, these three recommendations present one major challenge and one major limitation for organisations attempting to strengthen their OT cybersecurity.

Their main limitation is that they focus solely on preventing outside intrusion. OT cyberattacks, however, are not only the work of “hacktivists” or foreign cyber-criminals. Among attack vectors, insider threats, which originate from an employee, contractor or other person within the organisation, rank as a close third behind malware and ransomware. The challenge, therefore, is not only to prevent unauthorised access but also to prevent configuration changes by an individual with legitimate credentials, whether made maliciously or by mistake, including individuals working for the company’s vendors.

In addition, many organisations lack the needed levels of visibility into their OT environments to ensure that the agencies’ recommendations are uniformly followed and struggle to map connections between the OT environment and the public-facing Internet. 

In its 2023 “Year in Review,” cybersecurity company Dragos thus found unknown external connections—from OEMs, IT networks, or the Internet—to the OT network in 46% of its service engagements. In addition, 61% of organisations had very little or no visibility into their OT environment, which further complicated the detection and remediation of cyberattacks.

A Three-step Approach To OT Cybersecurity Maturity

Addressing this lack of visibility over entry points and inventory is therefore critical to strengthening a company’s cybersecurity maturity: as the cybersecurity adage goes, you cannot protect what you cannot see.

This first step must help organisations answer some fundamental questions: How do I know what OT assets I have? How are they connected? What are they communicating with? Answering these questions is a prerequisite to developing effective vulnerability and risk management and understanding potential attack vectors.

Crucially, this inventory should not stop at non-proprietary systems, such as Windows machines and routers, but aim to provide a full view of operations, including heterogeneous, proprietary control systems such as DCSs and PLCs. In addition, organisations should take steps to automate this inventory process to keep it evergreen, rather than following the common practice of manually maintaining a spreadsheet or database, which leads to stale, erroneous or missing data and leaves them vulnerable to OT threats.

With this inventory in place, organisations can take multiple steps listed in the report to “limit the adversarial use of common vulnerabilities”, such as reducing risk exposure by reviewing Internet-accessible assets, cross-referencing the company’s inventory with a database of vulnerabilities, such as the NIST’s National Vulnerability Database, and prioritising steps to mitigate vulnerabilities.

Lastly, once detailed and accurate OT asset inventory and operational vulnerability management processes are in place, the final stage of maturity is to enable capabilities for comprehensive OT security baselines, configuration management, policy management and workflows. These capabilities address both external attacks and insider threats and help with the detection, mitigation and remediation of the breach.
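The inventory, vulnerability cross-reference and prioritisation steps above, together with the report's three "actions to take today", in one toy script. This is an added example, not code from the article or from Hexagon; the vendors, products, versions and vulnerability records are constructed sample data, and the vulnerability IDs are placeholders rather than real CVE numbers.

```python
from collections import namedtuple

# One inventory row: vendor, product, running version, Internet reachability, exposed
# services and whether the vendor default password is still set. All constructed sample data.
Asset = namedtuple("Asset", "name vendor product version internet_exposed services default_creds",
                   defaults=((), False))

# Constructed stand-in for an NVD export; the IDs are placeholders, not real CVE numbers.
VULN_DB = [
    {"id": "CVE-0000-PLACEHOLDER-1", "vendor": "acme", "product": "plc-1000", "fixed_in": "2.4", "cvss": 9.8},
    {"id": "CVE-0000-PLACEHOLDER-2", "vendor": "acme", "product": "hmi-panel", "fixed_in": "1.1", "cvss": 7.5},
]

# Constructed inventory, as an automated discovery run might produce it.
INVENTORY = [
    Asset("plc-line3", "acme", "plc-1000", "2.3.1", True, ("vnc", "modbus"), True),
    Asset("plc-line4", "acme", "plc-1000", "2.4.0", False, ("modbus",)),
    Asset("hmi-pump", "acme", "hmi-panel", "1.0", False, ("vnc",), True),
    Asset("eng-ws", "contoso", "workstation", "10.0", False, ("rdp",)),
]

def version_tuple(v):
    """'2.3.1' -> (2, 3, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def match_vulns(asset, db=VULN_DB):
    """Records for the same vendor/product whose fix version is newer than what runs."""
    return [r for r in db if r["vendor"] == asset.vendor and r["product"] == asset.product
            and version_tuple(asset.version) < version_tuple(r["fixed_in"])]

def score_asset(asset, db=VULN_DB):
    """Worst matched CVSS, raised for the report's 'actions to take today':
    Internet exposure, remote-access tools such as VNC, and default credentials."""
    vulns = match_vulns(asset, db)
    score = max((r["cvss"] for r in vulns), default=0.0)
    reasons = [r["id"] for r in vulns]
    checks = [(asset.internet_exposed, 3.0, "internet-exposed"),
              (asset.internet_exposed and "vnc" in asset.services, 2.0, "vnc reachable from the internet"),
              (asset.default_creds, 2.0, "default credentials")]
    for hit, weight, label in checks:
        if hit:
            score += weight
            reasons.append(label)
    return round(score, 1), reasons

def prioritise(inventory=INVENTORY, db=VULN_DB):
    """Rank assets so scarce remediation effort goes to the worst exposures first."""
    ranked = [(a.name, *score_asset(a, db)) for a in inventory]
    return sorted(ranked, key=lambda t: t[1], reverse=True)
```

The weights are illustrative; the point is that an Internet-exposed PLC on an outdated firmware with VNC and default credentials rises to the top, while a patched, isolated PLC running a later version of the same product produces no finding.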

Automating & Prioritising To Make The Most Of Scarce Resources

This journey may seem daunting to many organisations, given their lack of resources and expertise in OT cybersecurity. 

Last year, a report by ENISA, the EU’s cybersecurity agency, found that 76% of the organisations running important and critical infrastructure did not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity, and less than half had an allocated budget for it. So, how can organisations square the OT cybersecurity circle with such limited resources?

The first step is sourcing the right expertise, internally or from partners, and leveraging the tools that cybersecurity agencies provide to help organisations develop their maturity. A second area of focus is adopting tools that support automation and prioritisation, to help organisations make the most of their limited resources and get a clear sense of where they should place their efforts.

These tools should help the organisation phase out manual approaches for risk identification, prioritisation and remediation. With cyberattacks growing in numbers and sophistication, relying on manual processes, often carried out by overstretched resources, puts industrial organisations at risk. 

Edgardo Moreno is Executive Industry Consultant, Asset Lifecycle Intelligence Division with Hexagon
