Jul 08 2023

5 Things CISOs Need to Know About Securing OT Environments

Category: OT/ICSdisc7 @ 10:33 am

For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial enterprises had dedicated cybersecurity leaders. Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge.

In more recent years, an uptick in cyberattacks against industrial facilities and the trend of IT/OT convergence driven by Industry 4.0 have highlighted the vacuum of ownership around OT security. According to a new Fortinet report, most organizations are looking to Chief Information Security Officers (CISOs) to solve the problem.

Fortunately, CISOs are no strangers to change or difficult challenges. The position itself is less than 20 years old, yet in those two decades CISOs have navigated some of the most disruptive cybersecurity events that were truly watershed moments in technology.

Still, most CISOs have made their mark securing IT environments — and IT security strategies and tools rarely translate to an OT context. While the soft skills of collaboration and team-building will certainly help CISOs as they bring the factory floor into their realm of responsibility, they must also make a concentrated effort to understand the OT landscape’s unique topography and distinctive security challenges.

Safety over everything

The CIA triad — Confidentiality, Integrity & Availability — is a key concept in cybersecurity. Critically, IT and OT prioritize the elements of the triad differently — although safety is always the common denominator.

Image 1: The CIA triad of IT security is reversed in the OT world, where availability is the highest priority.
  • In IT, safety means that data is protected through confidentiality. People get hurt when their sensitive, private data is compromised. For the enterprise, securing data saves them from breaches, fines, and reputational damage.
  • In OT, safety means that cyber-physical systems are reliable and responsive. People get hurt when a blast furnace or an industrial boiler does not function properly. For the enterprise, availability keeps systems running on time down to the millisecond, which ensures productivity and profitability.

Somewhat ironically, the AIC triad of the OT world has resulted in systems and tools that prioritize physical safety but often come with few or no cybersecurity features at all. It will be the CISO’s responsibility to identify and implement security solutions that protect OT systems from cyberthreats without disrupting their operations.

Levels of segmentation 

In both OT and IT, segmentation limits the network’s attack surface. In OT, the Purdue Model serves as a framework for how and why systems can and should communicate with each other.

In a highly simplified nutshell, the Purdue Model comprises five layers.

  • Levels 4 and 5 are the outermost layers that include web and email servers, IT infrastructure, and users firewalling in remotely.
  • Levels 2 and 3 are the operational layers that operate the software and applications that run OT environments.
  • Levels 0 and 1 hold the devices, sensors, programmable logic controllers (PLCs), and distributed control systems (DCS) that do the actual work and must be protected from outside interference.

The purpose of these layers is to create both logical and physical separation between process levels. The closer you get to the cyber-physical operation of industrial systems like injectors, robotic arms, and industrial presses, the more checks and balances are in place to protect them.

While the concept of segmentation will not be new to CISOs, they will need to understand that the separation of zones is much stricter in OT environments and must be enforced at all times. Industrial enterprises adhere to the Purdue model or other similar frameworks to ensure safety and security and to meet many regulatory compliance mandates.

Downtime is not an option

In IT, downtime for upgrades and patches is no big deal, especially in a Software-as-a-Service (SaaS) world where new updates are released practically in real time.

Whether for safety or profit, OT systems are always up and running. They cannot be stopped or paused to download a new operating system or apply even a critical patch. Any process that requires downtime is simply a non-starter for the vast majority of OT systems. For this reason, CISOs should not be surprised to discover decades-old systems (likely running on software that reached its end-of-life date long ago) that still serve as a crucial piece of the operation.

The challenge facing CISOs will be to identify security controls that will not interrupt or interfere with delicate OT processes. The right solutions will “wrap” the existing OT infrastructure in a layer of security that protects critical processes without changing, complicating, or crowding them.

All access is “remote” access

Traditionally, OT systems have been protected through isolation. Now that organizations are connecting these environments to capitalize on Industry 4.0 or to allow easier access for contractors, all access must be monitored, controlled, and recorded.

  • The IT environment is a digital place where business happens. Business users conduct their work and systems exchange data all within this space, day in and day out. To put it another way, humans are intended to actively participate in and make changes to the IT environment.
  • OT systems and environments are built to run without human intervention — “set it and forget it.” Humans are meant to set them up and then let them run. Users do not remain logged into an OT environment all day the way business users would in an IT system.

In this context, anyone accessing the OT environment is effectively an outsider. Whether it is a vendor connecting remotely, a business user coming in through the IT network, or even an OT operator accessing the environment on-site, every connection comes from the outside. Recognizing this key point will help CISOs to understand that industrial secure remote access (I-SRA) tools should be used for all access scenarios, not only those that IT would consider to be “remote.”

IT tools do not (always) work for OT

Tools designed for IT hardly ever translate to OT.

  • Basic functions like vulnerability scanning can interrupt OT processes and knock systems completely offline, and most devices do not have enough CPU/RAM to support endpoint security, anti-virus, or other agents.
  • Most IT tools route traffic through the cloud. In OT, this can compromise availability and cannot support the numerous unconnected components common to OT environments.
  • The life cycles of IT tools are typically much shorter than the life cycles of OT devices. Due to the always-up nature of OT environments, any tool that needs frequent patching, updates, or downtime is not applicable.

Forcing IT-designed tools into OT environments only adds complexity without addressing the fundamental security requirements and priorities of these environments. The sooner a CISO realizes that OT systems deserve security solutions designed for their distinctive needs, the faster they will be on their way to implementing the best tools and policies.

Soft skills are the keys to CISO success

Given that most cybersecurity leaders currently tend to come from IT security roles, it makes sense that many CISOs will have a (perhaps unconscious) bias toward IT philosophies, tools, and practices. To effectively secure OT environments, CISOs will need to become students again and lean on others to learn what they do not yet know.

The good news is that CISOs generally have a propensity to ask the right questions and seek support from the right experts while still pushing the envelope and demanding positive outcomes. At the end of the day, a CISO’s job is to lead people and teams of experts to accomplish the greater goal of securing the enterprise and enabling the business. Those willing to bridge the OT security divide through strong leadership and a willingness to learn should quickly find themselves on the road to success.

https://thehackernews.com/2023/06/5-things-cisos-need-to-know-about.html

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: ICS, OT Environments, SCADA


Oct 15 2021

Three more ransomware attacks hit Water and Wastewater systems in 2021

Category: RansomwareDISC @ 9:17 am

A joint cybersecurity advisory published by US agencies revealed that three ransomware attacks on wastewater systems this year.

A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by Ransomware gangs against US water and wastewater treatment facilities (WWS) this year.

This is the first time that these attacks are publicly disclosed, they took place in March, July, and August respectively. The three facilities hit by ransomware operators are located in the states of Nevada, Maine, and California. In all the attacks the ransomware encrypting files on the infected systems and in one of the security incidents threat actors compromised a system used to control the SCADA industrial equipment.

The advisory reports common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks of WWS facilities, they include:

  • Spearphishing campaign aimed at the personnel to deliver malicious payloads such as ransomware and RAT;
  • Exploitation of services and applications exposed online that enable remote access to WWS networks (i.e. RDP accesses);
  • Exploitation of vulnerabilities affecting control systems running vulnerable firmware versions.

The three new incidents included in the advisory

What’s the Difference Between OT, ICS, SCADA and DCS?

Tags: ICS, OT, SCADA, wastewater system


Jan 14 2009

Cyber warfare and possibility of cybergeddon

Category: Information WarfareDISC @ 1:56 am

 

Background and Risks Associated with Various SCADA Systems | Envista  Forensics

Cyber warfare poses a serious threat to critical infrastructure of a country. It has been a major challenge for DoD officials, cyber attackers have already stolen tera byte of data from their infrastructure.

 

Most of the security expert and FBI agree that cyber attacks pose biggest threat to US vital infrastructure. “Cybergeddon” our daily economy which depend on inter connected vital network infrastructure is hacked by cyber attacker.

SCADA (Supervisory Control and Data Acquisition – control power grids in all the utilities) “systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable“. SCADA system is a connection between control systems and the switches.

Cyber attackers have already led to multicity power outage outside of US. Recent attacks show that cyber attackers are getting more knowledgeable about SCADA system. In the past SCADA use to be exclusive system but now slowly getting integrated with the rest of the infrastructure and utilizing IP addressing scheme. Both introduce new threats and raise the risk of cyber attack.

Utilities are the most critical infrastructure in a sense because of other vital infrastructure dependency on power supply. Cyber attack on SCADA system has a potential of cybergeddon and should be protected as a very critical asset by both public and private sectors. Security through obscurity is not the answer for SCADA anymore.

 

In SCADA system, reasonable security can be achieved by embracing ISO 27k standard as a policy and eventually acquiring ISO 27001 (ISMS) certification. Organizations may start the certification process with limited scope (of critical processes) in the beginning, and increment the scope in each recertification attempt based on the resources available and management risk appetite. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of SCADA. ISMS as a process in-place provides reasonable security safeguard to zero day attacks.

 

How do I prepare for a power outage?

 


 

“SCADA system has been poorly managed for decades”

Tags: Cyber-warfare, cybergeddon, Information Security Management System, Information Warfare, International Organization for Standardization, ira winkler, iso 27001, SCADA, Security