Published on November 10th, 2022
5 security musts for industrial control systems
Information technology and operational technology differ in many ways, but the biggest difference stems from their purpose, not their design, Robert M. Lee, CEO and co-founder at Dragos, said Tuesday at Forrester's Security & Risk 2022 conference.
"It's not about the convergence of technologies, it's the fact that an operations environment has to deal with physics at the end of the day," he said.
Industrial control systems can treat wastewater, generate electrical power or run a manufacturing plant, and this creates distinct requirements for each from a security perspective.
While IT security is largely focused on data and systems, OT security involves systems of systems and physics, Lee said. "When you have different impact, different risks, different threats, and different manifestations of that risk, then your security answer is probably going to be a little bit different."
He and his colleagues studied previous industrial control system attacks, and here is what they found.
While each industrial sector is unique and control systems for that infrastructure have specialized security requirements, there are five critical controls that, broadly applied, create the best value for organizations to confront threats that are common throughout OT, Lee said.
These are the five security musts for every OT operator, according to Dragos.
1. Establish an OT incident response plan
Start with the end in mind. Too many organizations don't think about response until an incident has already occurred, leaving architecture, logs and detections misaligned, according to Lee.
Consider the details that need to be disclosed in Securities and Exchange Commission filings or shared with members of the operations team. This will inform how the architecture should be built, the type of data that needs to be collected and what's required of your organization's security tools.
2. Maintain defensible architecture
Organizations must ensure critical control systems can be defended. "There is no such thing as a secure product, there's no such thing as a secure architecture, but I like stuff that's defensible," Lee said.
"You're not going to be defended until you add a human operator or human defender into that environment," he said. "Tech isn't going to be the answer … I need good humans to go against human adversaries."
3. Use network security visibility monitoring
Architecture that was good at one point can atrophy, so organizations should continually validate their architecture by using security visibility monitoring and identifying the tactics that need to be detected.
A collection of dedicated systems requires cybersecurity professionals to understand what's occurring in industrial control system protocols. This insight, Lee said, can help an organization determine whether an insider or adversary used one system to manipulate another.
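The kind of protocol-level visibility described above, shown as an added example that is not part of the original article and not Dragos's own tooling: a small Modbus/TCP request parser run over constructed capture records, flagging write operations that originate from a host outside an assumed allowlist of authorized writers (an engineering workstation or HMI). Modbus/TCP, the allowlist, the IP addresses and the sample frames are all assumptions made for the example; the point is that monitoring which system issues writes to which controller is what lets a defender spot one system being used to manipulate another.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Public Modbus function codes handled by this example (a subset; assumption for illustration)
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16})


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # starting coil/register address
    count: int     # number of items addressed (1 for single-item writes)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request (7-byte MBAP header + PDU); raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("truncated frame (%d bytes)" % len(frame))
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = frame[7]
    pdu_data = frame[8:]
    if len(pdu_data) < 4:
        raise ValueError("PDU too short for function code %d" % function_code)
    if function_code in (1, 2, 3, 4, 15, 16):
        address, count = struct.unpack(">HH", pdu_data[:4])   # start address, quantity
    elif function_code in (5, 6):
        address = struct.unpack(">H", pdu_data[:2])[0]        # address, then the value
        count = 1
    else:
        raise ValueError("unsupported function code %d" % function_code)
    return ModbusRequest(transaction_id, unit_id, function_code, address, count)


Record = Tuple[str, str, bytes]  # (source ip, destination ip, raw Modbus/TCP frame)


def audit_writes(records: List[Record], authorized_writers: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return one alert per record that is a write from an unauthorized source or that cannot be parsed."""
    alerts = []
    for src, dst, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(("malformed", src, dst, str(exc)))
            continue
        if req.function_code in WRITE_FUNCTIONS and src not in authorized_writers:
            detail = "%s addr=%d count=%d unit=%d" % (
                FUNCTION_NAMES[req.function_code], req.address, req.count, req.unit_id)
            alerts.append(("unauthorized_write", src, dst, detail))
    return alerts


# Constructed sample capture: hypothetical HMI 10.0.0.10, PLCs 10.0.0.50 and 10.0.0.55
AUTHORIZED_WRITERS = {"10.0.0.10"}
SAMPLE_RECORDS: List[Record] = [
    # HMI reads 10 holding registers from unit 1: benign
    ("10.0.0.10", "10.0.0.50", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # HMI writes register 16 on unit 1: a write, but from an authorized host
    ("10.0.0.10", "10.0.0.50", struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 16, 0x1234)),
    # one PLC writes two registers on another PLC: lateral manipulation, should alert
    ("10.0.0.55", "10.0.0.50",
     struct.pack(">HHHBBHHB", 3, 0, 11, 1, 16, 100, 2, 4) + struct.pack(">HH", 1, 2)),
    # length field (32) disagrees with the 8-byte frame: malformed, should alert
    ("10.0.0.99", "10.0.0.50", b"\x00\x04\x00\x00\x00\x20\x01\x03"),
]


def sample_alerts() -> List[Tuple[str, str, str, str]]:
    return audit_writes(SAMPLE_RECORDS, AUTHORIZED_WRITERS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

In a real deployment the records would come from a network tap or span port and the allowlist from the asset inventory; the design choice worth keeping is that the monitor alerts on the source of a write, not merely on the write itself, because writes from the engineering station are normal and writes from a peer controller are not.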
4. Secure remote access
Multifactor authentication is the most common way to secure remote access today, but not every system supports it and MFA might eventually be replaced with something better.
Secure remote access is critical, Lee said.
"Most of the compromises we see in operations come from that third-party access, whether it's the third party themselves getting compromised or just the access that was set up is now facilitating access to that environment," Lee said.
5. Implement a key vulnerability management program
"You as a CISO cannot get away with saying 'I don't care about vulnerabilities,' even if it's true," Lee said.
"There are some vulnerabilities that matter, but less than you think. In the world of industrial, all we care about is those vulnerabilities that can actually add net new functionality into the environment or help us get access into the environment," Lee said.
That amounts to 4% of all known vulnerabilities per year, according to Lee.
Through its work tracking vulnerabilities, Dragos found the percentage that could impact industrial control systems holds steady on an annual basis at 4%.
Put another way, operations staff can ignore 96% of all known vulnerabilities.