Back to basics: the top five technical issues to address in industrial cyber security

Jalal Bouhdada, founder and CEO, Applied Risk, offers up his top five technical issues to address in industrial cyber security
While industrial facilities are facing more cyber security challenges than they used to, the good news is that awareness around these challenges is increasing. That said, there’s still a marked difference between how well cyber security is understood in the consumer and corporate IT worlds, and how well it’s understood in industrial environments driven by OT.
In a sense that’s not surprising. After all, most well-publicised attacks have been in consumer and corporate IT. But with attacks on critical industrial environments now becoming more frequent, people are starting to wake up to the operational, financial, reputational and even human and environmental damage they can inflict.
Awareness is one thing. But the fundamentals of cyber security are still not being practised regularly. What are those fundamentals? In our cyber security work with organisations operating critical infrastructures around the world in sectors including power, oil and gas, water management, manufacturing and maritime, we’ve identified the top five technical issues that need addressing.
1. Software is outdated and vulnerable
In many industrial environments, the software behind control systems is obsolete. This is due to a failure to patch operating systems and applications, as well as to make essential upgrades to firmware when these become available.
All too often, we see poor patch management and the use of unsupported software. That makes it easy for attackers with off-the-shelf tools to exploit weaknesses – as we saw with the spread of the WannaCry ransomware that crippled many organisations. In 2018 and 2019, other ransomware campaigns also directly impacted industrial sectors. These systems should be upgraded, replaced or properly isolated to communicate with only what is explicitly necessary.
2. Networks are ineffectively segregated
It’s essential that IT/OT systems are segregated correctly, but this isn’t happening enough. Poor segregation of safety instrumented systems (SIS) from the rest of the OT network is also a major issue, as this leaves employees exposed to a higher level of risk.
And as OT becomes ever more closely integrated with enterprise and business systems, the boundaries between OT and IT environments are often weak, as are many firewalls. Attackers seeking to gain control of OT through the network are well versed in the technique of exploiting poorly configured gateways and other equipment to leverage weaknesses in the IT network, and that way enter the OT environment.
3. Poor systems hardening
Systems hardening is key to reducing vulnerability to attack: it eliminates possible attack vectors and shrinks the attack surface of the systems. Yet many device installations have either no or minimal hardening measures in place.
Vulnerabilities are created in systems when, for example, access credentials are left in their default state or organisations use insecure protocols or permissive services. If vendors don’t make patches and updates available, organisations may need to upgrade, migrate or isolate a system from the network.
4. Weak access control
Access control, in both the physical and logical sense, is often poorly managed and can undermine the security controls that have been put in place. Think of things like managing joiners and leavers, managing account permissions and the use of weak passwords.
These can be resolved by establishing and enforcing a strong password policy. Storage of passwords is also a key consideration: a strong password is useless if it’s stored on an unencrypted system that is accessible to other users.
Organisations should also apply the principle of ‘least privilege’ – only granting permissions to those user accounts that require them.
5. Insufficient logging and monitoring
Systems need to be monitored constantly and in real time, in order to detect any unusual behaviour. Careful monitoring also helps build up comprehensive system logs that are of great use in the forensic investigation of any attack that does occur.
Recent developments in the IT world have shown that one of the most effective ways to spot new and evolving threats is through host-based monitoring, such as with Endpoint Detection and Response tools. These tools can facilitate effective incident response processes. For OT systems that don’t allow host-based monitoring, there are passive and active monitoring tools that can monitor the network. They are improving hugely in quality.
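Points 2 and 5 come together in practice as a passive check that every observed network conversation is one that was explicitly permitted across the IT, OT and SIS zones. The script below is an added example, not code from the article or from Applied Risk; the zone address ranges, the allow-list and the flow records are constructed sample data.

```python
"""Zone allow-list check over passive flow records (added example).
Zones, ports and addresses below are hypothetical sample data."""
import ipaddress

# Constructed zone map: the IT, OT and SIS networks the article says must be segregated.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "OT": ipaddress.ip_network("10.2.0.0/16"),
    "SIS": ipaddress.ip_network("10.3.0.0/24"),
}

# Explicit allow-list of (src_zone, dst_zone, dst_port): the only conversations
# that are "explicitly necessary". Anything not listed is reported.
ALLOWED = {
    ("OT", "IT", 1433),  # historian replication into the IT database
    ("OT", "OT", 502),   # Modbus/TCP between OT hosts
    ("OT", "SIS", 502),  # engineering station to the SIS, one port only
}

def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flows(flows):
    """Return (src, dst, port, (src_zone, dst_zone)) for every flow outside ALLOWED."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, port) not in ALLOWED:
            findings.append((src, dst, port, (src_zone, dst_zone)))
    return findings

# Constructed sample flows as a passive network sensor might report them.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.50", 1433),  # allowed: historian to IT
    ("10.2.0.10", "10.2.0.20", 502),   # allowed: Modbus inside OT
    ("10.1.0.99", "10.2.0.20", 502),   # IT host reaching a PLC directly
    ("10.2.0.20", "10.3.0.5", 22),     # SSH into the SIS zone
    ("192.0.2.7", "10.2.0.20", 502),   # source outside every zone
]

if __name__ == "__main__":
    for src, dst, port, (sz, dz) in check_flows(SAMPLE_FLOWS):
        print(f"unexpected flow {src} -> {dst}:{port} ({sz} -> {dz})")
```

Each reported flow is either a segregation failure to fix at the boundary or a new allow-list entry to justify and document; the baseline grows only through explicit decisions.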
Fortunately, most of these issues are relatively easy to fix. It’s not a one-off job, however. Sustainable cyber security is a never-ending process, with many moving parts. To do it right, it’s vital to appoint people directly responsible for maintaining security in the OT domain, and to implement a ‘defence-in-depth’ strategy with multiple levels of protection such as layered networks, strong access control, system hardening and regular testing of all entry points.
Written by Jalal Bouhdada, founder and CEO, Applied Risk