Threat Detection for Infrastructure Providers
April 13, 2022
By Mark Cristiano, Global Commercial Director, Lifecycle Services, Rockwell Automation
How do you know that a perfect storm is brewing? If your team is tasked with securing your organization’s operational technology and industrial control systems (OT/ICS), you may have a pretty good idea by now.
In critical infrastructure industries, the warning signs have been hard to miss lately. They include the convergence of business IT and OT systems, now accelerated in the cloud; the proliferation of database-driven Ransomware-as-a-Service (RaaS) and phishing campaigns; and the large-scale targeting of remote workers and remote access vulnerabilities in critical industries since the beginning of the COVID-19 pandemic.
These signs were there before the DarkSide ransomware attack that shut down Colonial Pipeline in May 2021. Yet it took this incident to reinvigorate industry and government efforts to start strengthening the nation’s critical infrastructure protections. Among other things, the TSA now requires pipeline owners and operators to report cybersecurity incidents.
The heat is on for other critical infrastructure areas, too, such as public utilities (oil & gas, water/wastewater, electric) the healthcare sector, chemical manufacturing, or food processing plants. How can your OT security mission benefit from this new momentum?
Where to start with your OT/ICS security initiative?
After all, it’s the IT/OT team that’s now expected to have a plan ready. You’re not alone in this. Many Rockwell Automation® customers have the same question: Where do we start?
Most experts agree: any critical infrastructure protection strategy depends on a robust cyber threat detection program. Here are five prioritized steps that will help expose hidden threats and help prevent cybersecurity incidents from impacting your OT/ICS environment.
1. Assess the physical security and asset inventory of your OT/ICS infrastructure
From malware-spiked USB thumb drives dropped in the parking lot for gullible employees to find and plug into one of your OT endpoints – 48% don’t resist the temptation, research found – to IP-network cameras on the factory floor or in entrance areas, physical devices are a frequent security gap and can be an easy entry point for threat actors. Attackers who scan the internet for webcam ports unintentionally left open may be watching, too.
What’s more, criminal cartels and online saboteurs are serious about automation. RaaS and phishing campaigns zero in on their targets leveraging complex data-driven tools and exploit kits.
You may already be host to unauthorized assets or devices today. It’s very important to perform installed-base asset inventories regularly. In fact, some critical infrastructure organizations run asset inventory scans as often as hourly.
However, many IT/OT teams in critical areas are understaffed, overworked, and delay critical OS and application updates and patches, as well as inventory assessments – or miss them altogether. What’s more, there are non-clear lines of demarcation in roles and responsibilities of IT and OT teams, leaving ambiguity to who owns the ever present workforce skills gap problem. Patches on the OT side of the business can also be especially complex and are often neglected.
Time to automate your defenses. Artificial Intelligence-backed IT/OT tools that perform asset inventories and automated threat detection let you stay on top of additions to your network, including Industrial Internet of Things (IIoT) devices. Modern cybersecurity tools and services offer a great deal of automation, protecting critical operations better and freeing up teams for critical tasks.
2. Strengthen access policies
Deploying modern identity and access approaches is often a relatively quick win in terms of improving cybersecurity. It’s also a cornerstone of the Zero Trust approach, in which identity is never assumed but is attached to specific access rights and policies, time of use and more.
Many OT organizations in critical infrastructure industries do not have the latest standards applied, such as multi-factor authentication (MFA). Other breach-friendly security gaps include password sharing and remote access without the right controls – a problem clearly exacerbated by the pandemic.
Efficient plant floor operations can co-exist with stronger identity and access controls, so don’t let this question slow down your march toward a stronger program. Get the information you need and take action. As experts often say, most serious attacks are not from some great new hacking invention, though hackers are always innovating. Attacks are usually caused by security flaws with known remedies available.
3. Monitor 24/7/365
Continuous monitoring is key to detecting threats to your industrial network. Threat detection, compute infrastructure, firewall, network and even software application real-time monitoring services optimized for IT/OT environments first identify baseline network behavior, and then alert you to anomalous activities that don’t conform to expected patterns – supporting application restoration upon resolving threat alerts.
Industrial cybersecurity monitoring tools allow visibility across all levels of the OT environment in real-time. Your security team can correlate alarms and events for deeper insight into the detected suspicious behavior to mount adequate responses.
Not enough staff or expertise to run cybersecurity operations in-house? Turn to an established managed services provider. The right partner here can deploy quickly on a global scale; leverage security insights from many client engagements to keep ahead of threat actors and new exploits; and bring much needed hands-on experience in detecting, blocking and when needed, recovering from threat incidents.
4. Leverage Cyber Threat Intelligence (CTI)
Let’s face it. Most IT/OT security teams aren’t ready to pick up the early warning signs of a possible attack. A sudden increase in chatter mentioning your plant on a darknet forum comes to mind, or an underground market auction for a zero-day exploit that affects parts of your industrial control system.
CTI enables OT security professionals to stay ahead of the curve and be prepared. Luckily, you don’t need to build expensive internal threat hunting capabilities to get there. Rockwell Automation customers benefit from threat intelligence services backed by its global network of Cybersecurity Operation Centers, threat hunters, and Open Source Intelligence (OSINT) researchers and analysts.
CISA alerts, Information Sharing and Analysis Centers (ISACs), and CISO networks share additional insights and perspectives from fellow ICS/OT security practitioners and leaders.
5. Develop a security state of mind
People, process and technology play a critical role in cyber hygiene. During a podcast series on Manufacturing Happy Hour, when speaking about the NIST framework and cyber maturity, Rockwell Automation’s Global Cybersecurity Commercial Manager Kamil Karmali shared his thoughts on teams and people:
“In an enterprise or your facility, it’s all about people, process and technology and you have to balance those priorities against cost and risk. Cybersecurity is a team sport, it’s an operational group of stakeholders from engineering to IT to our OT stakeholders, also finance and health and safety, because all of these people – all of these functions can be impacted by any threat vector.”
Karmali stressed the importance of a security-first culture to executives, while providing the guidance that clients should “get together as a team and make sure that the roles and responsibilities are clear. Everyone knows what role they play when it comes to security. Even the lines of demarcation between the enterprise IT teams and our OT teams must be clear. There’s no one size fits all, there’s no single solution.”
Ensuring lines of demarcation, with defined ownership of roles and responsibilities, is imperative. Tactics such as tabletop exercises or IR (Incident Response) planning can be executed to determine which critical steps, and what sequence of human decision-making, will be executed in the event of a ransomware attack, for example.
These types of exercises can be trained. It’s incumbent upon IT/OT teams to plan for and prioritize incident response training regularly and frequently for adequate defense. Many services exist to support security awareness and implementation training, which are also frequently part of a managed services program.
Any step is a good step
After the Colonial Pipeline attack, TV and social media clips showed gas stations overrun by long lines of irate motorists in panic-buying mode. Talk about the power of images.
With this fallout on public display, as well as the potential for serious operational damage and even litigation, the threat is taken seriously in the C-Suite. The cyber threat detection steps on this shortlist can make the hidden threats to your OT visible before they can harm your organization.