Promoted by Claroty
3 questions to guide the evaluation of your industrial network.
For years now, the U.S. government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. However, in the months following the COVID-19 crisis, threat activity surged and the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert stating: “We are in a state of heightened tensions and additional risk and exposure.” The broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors included lengthy, detailed sets of recommendations for how to protect operational technology (OT) environments, beginning with “create an accurate, as operated, OT network map immediately.”
For security professionals, this recommended first step should come as no surprise. We’re all familiar with the adage “you can’t protect what you can’t see.” That’s why reveal is the first pillar of industrial cybersecurity. With a centralized and always-current inventory of all OT, Internet of Things (IoT), and Industrial IoT (IIoT) assets, processes, connectivity paths, and user activity, as well as an understanding of what normal looks like, you know what needs to be secured.
Unfortunately, when it comes to OT networks, security teams are often in the dark for the following reasons:
- Lack of standardization. OT networks typically consist of OT assets that have been in place for decades, working alongside a mix of modern assets. Adding to the complexity, it isn’t unusual for operations to be geographically dispersed across multiple sites, some in remote locations as in energy or mining sectors.
- Low tolerance for downtime. The teams that run these networks prioritize availability over confidentiality. The risk of disruption and downtime that traditional, IT-centric asset discovery tools introduce by trying to communicate with OT assets, sending traffic they were not designed to be able to handle, is a non-starter.
- Proprietary protocols. OT assets use a wide array of proprietary, vendor-specific protocols to communicate. Given the sheer number, compatibility and coverage across OT protocols, asset discovery requires significant investment and effort.
- Remote user activity. Well before the pandemic, companies in critical infrastructure and manufacturing sectors had some type of remote access solution in place so that third parties could conduct maintenance. However, remote access has accelerated and become much more widespread over the last year. Many traditional solutions for remote access, such as VPNs, offer limited visibility into the actions of remote users, which makes them ill-suited for dealing with industrial environments.
To effectively manage, monitor, and protect your environment, you need to shine a light on these areas so you can establish a behavioral baseline against which to measure and understand the vulnerabilities, threats, and risks that may be present. Whether your company is assessing your existing capability to gain the industrial visibility you need, or considering new solutions, these three questions can help guide your evaluation:
- What breadth and depth of asset visibility is possible?
The ability to capture granular attributes such as model, firmware version, and configuration information is a prerequisite for determining which vulnerabilities are present within your industrial environment. Given the challenges described above, you’ll need a solution that supports a large library of industrial protocols and employs different asset-discovery techniques to create and maintain a comprehensive and enriched asset database. For example, passive monitoring provides a safe and simple way to copy and analyze traffic in a one-way data transfer that has little to no impact on operations. Active discovery targets parts of the network that are ill-suited to passive monitoring and queries the asset directly, using the protocols the asset was designed to accept. Additional techniques are available to gain visibility into disconnected or air-gapped assets.
- Can you monitor network activity, including user activity whether on-site or remote?
Full visibility into your OT network, including user activity, allows you to understand what normal looks like so you can identify misconfigurations, traffic overloads, and other issues that pose risks to reliability, availability, and safety. This must include visibility into third-party and employee remote access activity in real time so you can terminate the session if needed, as well as view recordings in retrospect for auditing and forensic purposes.
- Do you have process visibility?
Visibility into process values such as temperatures, chemical composition, and product formulas can help ensure the quality and consistency of outputs. This type of visibility can also help teams quickly identify anomalies that may indicate an early-stage attack, reliability issues, or other potential risks so you can take pre-emptive action.
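The first two questions above describe two things a passive monitoring solution does with a copy of network traffic: it builds an asset inventory (which hosts speak which industrial protocols, and in which role) and it learns a behavioral baseline so that new conversations, including ones from remote-access hosts, stand out. The following is an added example, not Claroty's code or any product's implementation, that shows both steps on constructed flow summaries. The flow lines, IP addresses, the `10.200.0.0/16` remote-access address pool, and all function names are assumptions chosen for illustration; only the port-to-protocol mapping uses real IANA-registered values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known TCP ports for common industrial protocols (IANA-registered).
OT_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Constructed flow summaries in the form "src_ip:src_port -> dst_ip:dst_port",
# standing in for what a SPAN/TAP feed would yield after flow aggregation.
BASELINE_FLOWS = [
    "10.0.1.5:51234 -> 10.0.2.10:502",   # HMI polling a PLC over Modbus/TCP
    "10.0.1.5:51235 -> 10.0.2.11:102",   # same HMI talking S7comm to a second PLC
    "10.0.1.6:40001 -> 10.0.2.10:502",   # historian polling the first PLC
]
NEW_FLOWS = [
    "10.0.1.5:51300 -> 10.0.2.10:502",   # already in baseline: no finding
    "10.200.3.7:49152 -> 10.0.2.11:102", # host in the remote-access pool reaching a PLC
    "10.0.2.10:50000 -> 10.0.1.6:4840",  # PLC opening a conversation never seen before
]


@dataclass
class Asset:
    """Inventory record for one IP observed passively on the wire."""
    ip: str
    server_ports: set = field(default_factory=set)  # OT ports it accepts traffic on
    protocols: set = field(default_factory=set)     # OT protocols it is involved in
    peers: set = field(default_factory=set)         # every IP it has exchanged traffic with


def parse_flow(line):
    """Split 'src_ip:src_port -> dst_ip:dst_port' into (sip, sport, dip, dport)."""
    src, dst = line.split(" -> ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport)


def conversation_key(flow):
    """Identify a conversation by who talks to whom on which service port."""
    sip, _, dip, dport = flow
    return (sip, dip, dport)


def build_inventory(flows):
    """Passive asset discovery: derive assets, roles and protocols from flows only."""
    inventory = {}
    for line in flows:
        sip, _, dip, dport = parse_flow(line)
        for ip in (sip, dip):
            inventory.setdefault(ip, Asset(ip))
        inventory[sip].peers.add(dip)
        inventory[dip].peers.add(sip)
        if dport in OT_PORTS:
            # The destination accepts an industrial protocol, so it acts as a server
            # (PLC/RTU); the source is a client such as an HMI or historian.
            inventory[dip].server_ports.add(dport)
            inventory[dip].protocols.add(OT_PORTS[dport])
            inventory[sip].protocols.add(OT_PORTS[dport])
    return inventory


def learn_baseline(flows):
    """Learning phase: the set of conversations that represent 'normal'."""
    return {conversation_key(parse_flow(line)) for line in flows}


def detect_deviations(flows, baseline, remote_pool="10.200.0.0/16"):
    """Detection phase: report conversations absent from the baseline.

    Conversations initiated from the (assumed) remote-access address pool toward
    an OT service port are labelled separately because the text calls out remote
    user activity as something that must be visible in real time.
    """
    pool = ip_network(remote_pool)
    findings = []
    for line in flows:
        flow = parse_flow(line)
        key = conversation_key(flow)
        if key in baseline:
            continue
        sip, _, _, dport = flow
        if ip_address(sip) in pool and dport in OT_PORTS:
            reason = "remote-access host reaching OT asset"
        else:
            reason = "new conversation"
        findings.append((key, reason))
    return findings


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for asset in inv.values():
        print(asset.ip, sorted(asset.server_ports), sorted(asset.protocols))
    for key, reason in detect_deviations(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(reason, key)
```

Two design points worth noting: the inventory is built without sending a single packet toward the PLCs, which is the property the text credits to passive monitoring, and the baseline is keyed on destination port rather than ephemeral source port so that a legitimate HMI reconnecting from a new source port does not raise a finding. Attributes such as model and firmware version would need protocol-level parsing of the captured payloads, or an active query, which this flow-level example does not attempt.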
Companies in the industrial space face unique challenges when it comes to revealing what needs to be secured. Fortunately, by knowing what questions to ask and what’s possible, you can gain the full visibility you need for effective industrial cybersecurity.
Reveal is the first of four essential pillars of industrial cybersecurity. In subsequent articles, I’ll discuss the other pillars – protect, detect, and connect.