As cyberattacks on critical infrastructure continue to rise, it is important for operators who manage such infrastructure to adopt measures that improve their overall cybersecurity posture and plug gaps.
Presented below are some of the interventions that Sectrio recommends. (We are referencing NIST OT/ICS, the Singapore Cybersecurity Act, and IEC 62443 for this exercise.)
- Segregate devices and networks: Segregate OT/IoT and IT networks from each other. Discover all devices and their communication patterns. While firewalls can be used to segregate the networks, firewalls themselves can be vulnerable. Hence it is suggested to use physical segregation (air gapping). If there is a need to transfer data between the networks, restrict the data IN/OUT points to a minimum, monitor them continuously, and ensure the data transfer is one-way, preferably using data diodes. Continuous monitoring of the payload in east-west traffic within network segments is equally important, as it minimizes the spread of internal attacks.
- Vulnerability and Patch Management: Identify all assets on the network (discover rogue and unauthorized devices). Cross-reference the device details and the services running on the devices with known vulnerabilities and the patches available for those vulnerabilities. Proactively patch the systems and assets. If patching is not possible, create mitigation plans and a monitoring framework for these vulnerabilities. Create and implement a Vulnerability Assessment plan in a continual and iterative mode. Even when systems/assets are patched, they may be susceptible to cyberattacks that exploit new attack surfaces that were previously not present.
- Threat detection: The OT and IoT networks should be monitored with systems capable of monitoring Layer 7 (OSI stack) protocol information. OT environments typically have numerous proprietary protocols with associated vulnerabilities, so the ability to decode the protocol and look for exploitation of those vulnerabilities is a critical function of the OT threat detection system. As new threats are identified regularly, the vendor of such a system must have rich threat intelligence related to OT and IoT (preferably sourced through local honeypots to provide geopolitical context). The threat detection system should be able to integrate with SOCs so that information is not siloed and threat evolution and lateral movement across the different networks can be tracked. Threats should ideally map to MITRE's ICS ATT&CK framework to depict real-world scenarios and, in the long run, minimize false positives. The threat detection process should be real-time, even when there are limited options to do so within OT networks. Relying on logs and post facto analysis may create latency in the system's effectiveness in identifying threats as they appear.
- Data modification restrictions: Security systems should be able to restrict certain OT and IoT commands (relative to the protocol) that modify the state or data within key infrastructure. These restrictions should be applicable at the user, asset, and network level. A zero trust framework using micro segmentation must be implemented to restrict communication between assets and services, reducing the attack surface and the possibility of lateral movement of threats. It must start at the segregation level between IoT/OT and IT networks and drill down inside OT/IoT as far as is feasible from an implementation standpoint.
- Logging: A centralized repository of system logs and network traffic must be maintained for at least one month, with events and alerts being maintained for a period of a year. OT and IoT attacks have very protracted kill chains, and this information will be critical for any forensic investigation.
- Redundancy and Business continuity: All systems should be evaluated for their criticality and the need for redundancy should be assessed. If the systems need redundancy, fallbacks must be triggered not just for operational issues but also for cybersecurity issues. It must be possible for OT and IoT cybersecurity systems to automatically trigger fallback if a threat is identified and must be contained.
- Local and Remote Access management: With the advent of the pandemic, OT and IoT systems are increasingly being managed remotely. MFA must be established for all remote workers and technicians. Secure VPNs must be established, and restrictions placed on the assets the technician can connect to. If feasible, this should be done through a jump host or VDI to restrict threats arising from unsecured remote endpoints. The least-privilege access principle must be enforced by default. The default access to OT systems and underlying assets must always be denied. Access for remote technicians, engineers and analysts is granted only through a proper approval process and revoked when no longer needed.
- Response and Containment: OT and IoT specific responses tend to differ substantially from IT responses. Playbooks must be devised for threat responses and automated as much as possible. Playbooks must be customizable to cater to the specific OT/IoT deployment. All OT and IoT networks must be further segmented into zones and each zone segregated using industrial firewalls (capable of discerning OT/IoT layer 7 traffic).
- Training: OT and IoT security are quite different from IT security. IT security is focused on data breaches (Confidentiality-Integrity-Availability), whereas in OT networks the emphasis is on control breaches (Availability-Integrity-Confidentiality). The difference in paradigm is typically difficult for traditional IT security personnel to comprehend, hence it is of the utmost importance that specific OT/IoT security training is imparted to folks who are monitoring the OT/IoT network. The existing risk management framework used in IT systems may not be feasible for OT networks. Training stakeholders to perform OT-specific risk and threat assessments must be incorporated.
- Intelligence Sharing: Most governments have CERTs that share IT specific threat intelligence. The mandates of these CERTs must be expanded to OT and IoT and a TIPS platform be implemented for agencies, organizations, and sectors to share OT/IoT threat intelligence.
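
One way to express the command restriction from the "Data modification restrictions" item, using the Layer 7 decoding called for under "Threat detection". This is an added example, not Sectrio's code: Modbus/TCP is chosen as an illustrative protocol (the article names none), and the IP addresses, allowlist and sample frames are constructed.

```python
import struct

READ_CODES = {1, 2, 3, 4}             # read coils / inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 22, 23}  # codes that modify device state (Modbus spec)
# Hypothetical policy: (source IP, unit id) pairs permitted to issue writes.
WRITE_ALLOWLIST = {("10.10.1.5", 1)}  # constructed: engineering workstation -> unit 1


def parse_mbap(frame: bytes):
    """Decode the Modbus/TCP header; return (unit_id, function_code) or None."""
    if len(frame) < 8:                # 7-byte MBAP header + function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU that follows.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7]


def decide(src_ip: str, frame: bytes):
    """Default-deny verdict for one request frame: (verdict, reason)."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return ("deny", "malformed frame")
    unit, fc = parsed
    if fc in READ_CODES:
        return ("allow", "read-only request")
    if fc in WRITE_CODES:
        if (src_ip, unit) in WRITE_ALLOWLIST:
            return ("allow", "write from approved source")
        return ("deny", "write from unapproved source")
    return ("deny", "function code not in policy")


def build_request(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Build a constructed sample request with a 4-byte body (address + value/count)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, value)


if __name__ == "__main__":
    samples = [("10.10.2.77", build_request(1, 1, 3, 0, 2)),       # read registers
               ("10.10.2.77", build_request(2, 1, 6, 0x10, 0xFF)),  # write, unlisted
               ("10.10.1.5", build_request(3, 1, 6, 0x10, 0xFF)),   # write, approved
               ("10.10.1.5", build_request(4, 1, 6, 0x10, 0xFF)[:9])]  # truncated
    for src, frm in samples:
        print(src, frm.hex(), decide(src, frm))
```

Each denied frame is also an event worth forwarding to the central log store, since a write attempt from an unlisted source is the kind of signal the monitoring items above ask for.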
Originally published at https://sectrio.com on October 11, 2021.