Extending Effective Cybersecurity To Industrial and Operational Control System Environments

Information Technology organizations face a variety of constantly evolving cybersecurity threats. Those threat vectors are ever-changing and difficult, if not impossible, to prevent, including social engineering attacks (phishing),  IT misconfigurations, exploitation of known or unknown vulnerabilities, supply chain attacks, and even threats that rely on stolen or escalation of default credentials. However, ICS and OT environment operators are even more vulnerable to cybersecurity challenges and have potential consequences that can be much worse than simple financial loss.

Consider your traditional attack on an organization’s IT infrastructure; those attacks are typically financially motivated, and while financial consequences can be severe, life safety isn’t an issue in IT environments. The problem with control system environments is that threat actors carry out cyber warfare.  Sponsored by nation-states, they are bent on destruction and have unlimited resources and sophisticated tradecraft. Malware targeting industrial controls can cause explosions, poisoned water, releases of toxic gas, and cause great bodily injury or death. The cyber attack on Ukrainian power infrastructure demonstrates nation-state capability – power outages, disrupted communications, destroyed switch and phone gear, and remote access to Human Machine Interfaces.  Unlimited cyber warfare causes devastating consequences.

Why are ICS operations so vulnerable to cyber attacks?

Industrial control protocols are generally insecure and highly vulnerable. Traditional IT security priorities such as confidentiality, integrity, and availability don’t apply in OT / ICS environments, focused on life safety and availability. And tools such as encryption don’t make sense for real-time operating systems.

Proprietary protocols are largely unhelpful when trying to understand and defend against vulnerabilities. Many ICS systems have operating systems that are never updated. Keeping these systems patched and up-to-date is difficult when patches aren’t available.  ICS engineers generally hesitate to update as they are concerned that patches will adversely affect the downtime of life safety systems. And traditional vulnerability scans can actually destroy sensitive equipment, making vulnerability management even more challenging.

One approach to address the aforementioned vulnerabilities is to air-gap the network. However, this approach is impractical when people work remotely or require remote access to data due to regulatory requirements.  Further, remote access requirements create further problems relative to external attack services. Public-facing applications must be monitored and constantly updated to make bot attacks more challenging. Public-facing infrastructure may experience tens of thousands of exploit attempts per day. Conclusion: leave any externally-facing service vulnerable, and it will be breached.

Finally, weak credentials, even factory-default credentials, are all too common in ICS environments. This bad practice is often compounded by sharing these weak or default credentials, raising the risk of unauthorized administrative password access. Such access is all an attacker needs to launch a successful attack. Failure to protect passwords in ICS environments is frequent, with disastrous outcomes for these organizations.

How to thwart these attacks?

No magic box solves every cybersecurity woe; there is no silver bullet.   Effective cybersecurity requires multiple layers of cyber defense coupled with policy and cultural change where needed.  Effective cybersecurity is not just IT’s responsibility; it requires attention from the board level on down.  

To put adversaries back on the defensive, start by addressing the basics. That entails deploying anti-virus, EDR, or application whitelisting on PCs and servers, creating firm firewall rules, using encryption wherever possible, reducing the attack surface, implementing 2-factor authentication and strong password policy, properly segmenting the network, and restricting physical access to the ICS network. Skimp on these basics, and the most sophisticated protective solutions will be far less effective.

However, organizations that rely on the abovementioned prevention-only approaches to cybersecurity still have the cybersecurity odds stacked against them. Firewalls, EDR, VPNs, email security, and the like are all excellent preventative technologies. Nonetheless, every newsworthy cyber-attack of the last decade bypassed one or more of these protections: every single attack without exception. With a prevention-only approach, the attacker only needs to be correct once, while the defender must get everything right 100% of the time across the entire infrastructure.  Since perfection is unlikely, if not impossible, this explains why organizations relying on prevention-only approaches such as EDR and a firewall often end up on the losing end.

Use Dwell Time To Your Advantage

How do we tip the scales back in favor of the organization? The answer is to invest in defensive cybersecurity. Defensive cybersecurity, generally layered on top of the aforementioned preventative technologies, puts adversaries at a severe disadvantage. At the point of initial compromise, defensive cybersecurity gains an immediate tactical advantage over the attacker: they do not know what Indicators of Compromise (IOC) we are monitoring.  If an intruder trips an IOC or artifact monitored by automation or the SOC, we respond by raising the cost of the attack until they move on to another target. With remote attacks, attribution is a waste of money.  The optimal approach is to reduce an adversary’s dwell time, block them, kick them off the network, plug the hole, and move on. Just because something is vulnerable doesn’t guarantee an attacker’s success. Sometimes there is no choice but to operate vulnerable systems.  Using a defensive approach to cybersecurity allows vulnerable systems to run securely. 

Defensive cybersecurity is essentially a big data problem.   It is vital to understand that visibility is your friend; you can’t defend what you can’t see. Therefore, you must incorporate ways to log, monitor, and audit everything in your IT infrastructure,  including SIEM logs, violations of policy, cloud alerts, anomalies, remote workers, vulnerabilities, and more…events you won’t see with EDR and Firewalls.  The same approach holds with monitoring and deep inspection of network data packets.  Continuous network security allows you to monitor all devices, not just devices that can host an agent. Combined with SIEM & SOAR capabilities, you can see anomalies that Firewalls or EDR usually miss.  MNDR is also effective in detecting boundary crossings for protocols in a business network or vice versa, a major indicator of compromise in ICS environments.

In cybersecurity, capabilities, intent, and opportunities determine the level of threat that you have. You can only control opportunities given to an adversary to wreak havoc; that’s where you need to focus. Realize that automation can’t solve everything, but minimizing alert fatigue in the SOC is useful. Automation can map and alert to things like the Mitre Attack Framework for ICS networks so that the SOC can detect, investigate, and respond to advanced threats early on in the cyber kill chain. 

Good defenders think like attackers. The best defenders can flip their evil bit and think like a criminal. How would you exploit your own corporate network? What would happen if you got access to a specific machine on that network with ill intent? The best defense cybersecurity requires thinking like a bad guy, then planning defense accordingly.