Endpoint

9/18/2018
02:30 PM
Barak Perelman
Barak Perelman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Top 5 Security Threats & Mitigations for Industrial Networks

While vastly different than their IT counterparts, operational technology environments share common risks and best practices.

Our nation's critical infrastructure and the industrial control networks that manage them are under constant threat from a host of malicious actors — including nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

Unfortunately, all industrial control system (ICS) networks share a common weakness: they were built before cyber threats existed and are not designed with built-in external security controls.

A breach of an ICS network can be disastrous and expensive. Consequences range from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk. In addition, a breach can bring heavy fines from regulators and lawsuits from parties claiming injury or damage, and it can also shake shareholder confidence.

Given these stakes, let's consider the five most common threats to ICS networks and how to reduce the risk associated with them.

Risk 1. Poor Network Configuration
The weaker the configuration, the greater the likelihood of a successful attack. For example, once a control device has been exposed to the Internet due to a poor configuration, both phases of a breach can occur — the attacker can gain a foothold in the network and exploit a sensitive asset.

Mitigation: ICS devices should never be directly connected to the Internet. Strict network segmentation should be implemented and the integrity of the network should never be sacrificed for the sake of convenience.

Risk 2: No Audit Trail
An audit trail is essential for understanding what's going on in any network. However, logging mechanisms in some ICS environments do not exist or are incomplete. In many cases, security teams lack the knowledge of operational technologies (OT) to know how to collect logs or where to look for them.

Mitigation: Basic record-keeping is crucial for both the incident response and the forensic investigation of an attack. It is also required for any type of regulatory compliance audit. This begins with understanding the limitations of the environment — what data is being monitored and collected, and what isn't. One hundred percent visibility, monitoring, and control should be the goal, including the collection and aggregation of all logs.

Most ICS networks have components that generate an audit trail, but too often these capabilities are underutilized. All incidents should be automatically reported to the security incident response team, logged, and correlated via a real-time audit mechanism.

Risk 3: Lack of Control
Many ICS environments do not have basic controls for managing assets that are considered table stakes in IT networks. As a result, security hygiene in OT networks is often an afterthought and lacking in the following ways:

  • Patches can't be easily deployed and usually aren't.
  • There's no centralized, up-to-date inventory of assets, configurations, software versions, patch levels, etc.
  • Internal security policies are not monitored or enforced.
  • The security model is based on a "if it works, better not mess with it" paradigm.

Mitigation: Implementing a centralized and automated asset management capability for OT networks is crucial. Without an up-to-date and accurate inventory of ICS assets, especially the controllers responsible for managing physical processes, it is virtually impossible to assess risks, apply patches, and detect unauthorized changes and activity.

Risk 4: Employee Ignorance
Just as in IT environments, employees pose a significant risk to OT network security. Phishing attacks, social engineering, and risky browsing behaviors all threaten to punch a hole that can be exploited by attackers to compromise the IT, OT or both networks via lateral movement.

Mitigation: Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

Risk 5: Insider Attacks
Insiders in OT environments pose the same security risk as in IT environments. The source can be malicious, such as a disgruntled employee, an insider who is paid to steal or sabotage assets, or an internal account compromise attack by an outsider. An insider threat can also be unintended, caused by human error.

Mitigation: Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don't need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats. Knowing and monitoring OT attack vectors, which are primarily the network and direct access to devices via serial ports, can also defeat these threats. Network activity anomaly detection and routine device integrity checks can identify malicious activity before it's too late. Finally, unifying IT and OT security, because both environments are often interconnected, can help protect against attacks that originate on one network and attempt to move laterally to the other.

Despite the cultural divide between IT and OT, both environments share a common set of threats and vulnerabilities. And while the consequences of an OT security breach are decidedly more physical in nature, many of the lessons learned and best practices from IT can help prevent them. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
6 CISO Resolutions for 2019
Ericka Chickowski, Contributing Writer, Dark Reading,  12/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When Harry Met Sally
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7690
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-7691
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-8033
PUBLISHED: 2018-12-13
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitati...
CVE-2018-20127
PUBLISHED: 2018-12-13
An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
CVE-2018-20128
PUBLISHED: 2018-12-13
An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring.