How a few basic principles can help protect critical IIoT systems
When it comes to making an industrial network as resistant as possible to malicious attacks, it’s vital to remember that you can’t protect what you don’t know about.
The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT (information technology/operational technology) environment. We’ve seen these growing pains come to light over the past several months in the form of the Solarwinds incident, and through continued attacks on critical infrastructure, including major pipeline operators, food distributors, water and power supply.
In the past, cyber security was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what’s in their environment. Bottom line – you can’t protect what you don’t know about. Not to mention, the increase in large-scale ransomware attacks has proven that IT events often impact OT systems, which can result in significant downtime and have grave financial implications for operators.
The attacks we’ve seen on both critical infrastructure and supply chains reinforce a need for more hardened Industrial Internet of Things (IIoT) environments that can defend against cyber attacks. Tripwire recently surveyed 312 security professionals in partnership with Dimensional Research, and found that 99 per cent of them report challenges with the security of their IoT and IIoT devices, and 95 per cent are concerned about risks associated with these connected devices.
In the industrial space specifically, more than half (53 per cent) said they are unable to fully monitor connected systems entering their controlled environment, and 61 per cent have limited visibility into changes in security vendors within their supply chain.
Properly securing your IIoT environment can feel like a major undertaking, which is valid, but creating a solid baseline is not as treacherous as you might think. Attackers are inclined to take the path of least resistance, so the majority of cyber attacks are not highly sophisticated. In most cases, implementing basic security controls, adapted for the environment, is the best way to protect against major cyber events.
There are a few basic principles that can help harden critical systems against an attack. In industrial environments, cyber events aren’t always visible, and increasing visibility into industrial networks becomes more important as attackers continue to target critical infrastructure. A complete and up-to-date inventory of all the devices in your environment is the most basic starting point for securing them.
Also important is having a secure configuration. Finding and addressing misconfigurations can dramatically reduce risk. Once you know what’s in your environment, you can work to make sure everything is configured securely from the start. A misconfiguration in your environment is like leaving the front door unlocked for an attacker.
Finally, there’s vulnerability management. Vulnerabilities are flaws in a system that an attacker can take advantage of to gain access or make changes. In control-system environments, vulnerabilities can be difficult to address because systems can’t always be patched as easily. Addressing vulnerabilities in control systems may require strategies other than applying a patch, such as network segmentation.
In light of recent incidents involving ransomware, it’s important to point out that these best practices are part of an effective ransomware prevention strategy. Detecting ransomware is important, but preventing your organisation from getting infected in the first place is the most effective way to deal with this particular threat.
No matter your level of preparedness, however, no organisation is immune to a cyber attack. Creating a contingency plan before you’re in the middle of a crisis is key. This includes determining who should be involved, what their roles should be, and how information will be communicated. It’s also important to have the correct technical tools in place to understand what happened and how to course correct.
Properly securing our IIoT environments and critical infrastructure will continue to be a pressing concern for both national and organisational security. Understanding what you have, making sure it’s configured securely, addressing vulnerabilities, and preparing to respond to incidents will go a long way towards defending against major cyber events.
Tim Erlin is vice-president of product management & strategy at Tripwire.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.