Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/9/2018
10:30 AM
Michael Fabian
Michael Fabian
Commentary
100%
0%

Vulnerabilities in Our Infrastructure: 5 Ways to Mitigate the Risk

By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.

Excluding the financial services industry, there were 649 breaches reported on and analyzed for the 2018 Verizon Data Breach Investigations Report (DBIR) in industries that are considered part of infrastructure verticals. These include utilities, transportation, healthcare, and others that employ operational technology (OT) systems in addition to traditional IT for their main operations.

In total, that represents 29.2% of reported breaches (not incidents). So, what exactly does that mean?

It means that just because an incident hasn't happened in your infrastructure environment, that doesn't mean it won't happen or that you can postpone or underfund your cybersecurity efforts. No, I don't believe we are facing a "Cyber Pearl Harbor." But I do believe organizations operating both IT and, particularly, OT systems need to put a more conscious effort into securing these systems not only from a security perspective but in terms of quality, safety, and reliability.

Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That being said, there are best practices in key areas, both technical and organizational, that can help mitigate the risk to infrastructure environments, regardless of the vertical. Here are five.

Risk 1: Your Environment
An organization is at a serious disadvantage if it doesn't take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you are unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.

Best Practice: One of the best pieces of advice for organizations with a large installed base or many infrastructure environments is to pick a representative environment. Once you have selected an important or representative environment, move forward by cascading the lessons you've learned to the rest of your environments.

Risk 2: Patch Management
One of the prevailing issues in OT networks is the lack of technical solutions and organizational practices for patching. This is particularly relevant if the application sits on a commercial OS, as most do. In my experience, the average number of remote code execution vulnerabilities on the host operating system alone in OT environments is around 55! Consequently, developing and maintaining a strong patch management strategy is one of the most effective activities an organization can undertake. It's also a daunting undertaking.

Best Practice: To get started, interact with your system vendors. If your representative isn't familiar with the company's patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.

Risk 3: Network Segmentation
Many OT systems are deployed in a flat network topology or without any segmentation between systems that should not be able to interact. There are two reasons for this. First, due to a misunderstanding about which systems need to communicate with one another, and the second, as a result of deploying systems from multiple vendors or integrators over time.

Best Practice: After assessing the network topology and data flows, you will need to develop network segmentation policies, which are similar to various industry standards language describing the zones and conduits of controlling access. The goal of these policies is to mitigate the damage potential of breaches or issues related to anomalous network traffic. Bottom line: only required traffic should pass between systems, and restrictions on communication paths between various zones should be enforced.

Risk 4: Your Supply Chain
In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.

Best Practice: Your organizations should be sure to include security requirements for the procurement of new systems as well as ongoing maintenance efforts within their vendor management programs. Industry standards such as IEC 62443 can provide guidance in this effort.

Risk 5: IT vs. Process Control Teams
Over the past few years, at both the leadership and execution levels, IT security teams have become involved in OT network security efforts. In several cases, the differences in priorities and the understanding of technology has led to organizational stalemates and differing opinions on how to address security in operational environments.

Best Practice: Organizations need to bring these groups together with a common goal in order to foster a culture of cooperation between the two groups to address cyber threats. Training for both OT and IT security personnel should be part of that effort, including the development of a common understanding of objectives and solutions that work for your organization.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Michael Fabian is a principal consultant within the Synopsys Software Integrity Group. His primary area of specialization involves adapting and bringing systems-level security objectives, processes, and technical solutions into a variety of non-traditional cyber systems in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3350
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
CVE-2011-3352
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.