Industrial control systems (ICS) are essential for managing critical infrastructure. Knowing that control systems are operational is paramount for keeping critical functions running. However, with the growing threat landscape, ease of access and use of malicious cyber capabilities, sophistication of cyberthreats, and ease of crypto payments for ransom, protecting ICS from malicious actors has become of top concern.
The burden of this protection or resiliency has been placed on many different roles in organizations. For instance, some instrumentation and control engineers (I&C) are now the operational technology (OT) cyber defenders, some information technology (IT) focused chief information security officers (CISOs) have been saddled with creating resilient critical functions for an organization.
An OT or industrial critical infrastructure cyber defense program must address multiple key areas. Some key areas that form the foundation of an effective ICS resiliency program are multi-type mitigation vulnerability management, OT network asset visibility, OT/ICS-specific threat detection, proactive consequence driven cyber-informed engineering tabletop exercises, and OT/ICS-specific incident response plans.
Let’s dive into a few of these topics.
Multi-Type Mitigation Vulnerability Management
Do not patch everything!
It is a waste of resources to try and keep up with just patching and it never fully covers what an organization needs. Instead, building a multi-type mitigation vulnerability management program is the answer — for example, mitigating some vulnerabilities by patching while mitigating other vulnerabilities with network-based mitigation blocks, mitigating with identity and access controls, segmentation and so on.
If you base your decisions on risk, sometimes you will accept the risk and not utilize resources to patch for a certain amount of time.
A multi-type mitigation vulnerability management approach is crucial for identifying, prioritizing and mitigating vulnerabilities rather than hoping that the attacker doesn’t get to the vulnerability first. By focusing on the most critical vulnerabilities, organizations — such as 1898 & Co. — can allocate resources efficiently. This allows for mitigating vulnerabilities differently before they can be exploited.
Asset Management and Network Connectivity
Not only is a comprehensive understanding of the assets within an ICS environment essential for effective cyber defense, but understanding how the assets are network connected is key for mitigation strategies.
Asset management is valuable in a critical infrastructure environment for multiple reasons, including operational planning, capability planning and disaster recovery. This means that it is crucial to understand the current functions and understand the limitations and risks of this function. This involves creating an inventory of all connected devices, including controllers, sensors and other network components with physical, logical and functional network connectivity. By maintaining an up-to-date system, organizations allow for better asset management, control, planning and protection.
Organizations must know the assets, the connectivity and the value of the critical functions. Once known, monitoring changes, detecting any unauthorized or suspicious devices within the system, and detecting changes to the network connectivity allow for enhanced visibility for proactive defense measures and rapid incident responses.
Threat Detection
Threat detection mechanisms are pivotal in identifying and mitigating cyberthreats in real time. Implementing advanced threat detection technologies in OT and ICS environments, such as intrusion detection systems — specifically designed to detect threats in OT protocol traffic and possible malicious device changes — helps an organization detect and quickly respond to potential attacks.
The goal is to identify and rule out possible threat activity as early as possible to reduce the impact of a breach. Once attackers achieve initial access and gain a foothold, they can quickly move laterally across network segments to compromise and control entire environments. Finding a system that provides asset and network visibility, continuous monitoring, anomaly detection and alerting capabilities allows security teams to investigate and respond to security incidents swiftly. 1898 & Co. has partnered with industrial network security appliance providers Claroty, Dragos, Nozomi, and Armis to provide deployment and integration as well as 24x7x365 managed threat protection and response.
Proactive Consequence-Driven Cyber-Informed Engineering Tabletop Exercises
Proactive cyber consequence engineering tabletop exercises simulate various cyberattack scenarios to assess an organization's preparedness and response capabilities. These exercises bring together stakeholders from different departments, including IT, OT, security and management, to evaluate incident response plans, communication protocols and team coordination.
An engineering discipline-based approach developed by INL, consequence-driven cyber-informed engineering provides a basis for conducting exercises to test out the critical functions required by an organization and then engineers out connections or risks created by cyber means.
By regularly conducting tabletop exercises, organizations can identify their high-consequence events and refine incident response plans and protections of the systems associated with high-consequence events, thereby enhancing their ability to mitigate cyberthreats effectively.
OT-Specific Incident Response Plans
Industrial control systems require specialized incident response plans tailored to the unique characteristics and needs of an OT environment. These plans should consider the operational constraints, safety implications and potential impact on critical processes.
OT-specific incident response plans outline predefined steps for detecting, containing and eradicating threat strategies for system recovery and business continuity. Regular drills and exercises, alongside continuous improvement based on lessons learned, are vital to seeing the effectiveness of these plans.
Securing industrial control systems is of utmost importance in today's interconnected world. A well-rounded program for OT/ICS should encompass risk-based vulnerability management, assets visibility, threat detection, proactive cyber consequence engineering tabletop exercises and OT-specific incident response plans.
By adopting a comprehensive approach that addresses these core areas, organizations can significantly enhance their ability to safeguard critical infrastructure, minimize disruptions and protect against cyberthreats that target industrial control systems. Investing in these foundational pillars lays the groundwork for a resilient operation. 1898 & Co. can help devise a plan to establish a process that covers multi-type mitigation strategy and aid in asset management and network connectivity and visibility from an assessment and technological perspective. For more information on 1898 & Co. capabilities, click here.