11/9/2018 10:30 AM
Michael Fabian
Commentary

Vulnerabilities in Our Infrastructure: 5 Ways to Mitigate the Risk

By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.

Of the breaches analyzed for the 2018 Verizon Data Breach Investigations Report (DBIR), 649 came from industries that can be considered infrastructure verticals, excluding financial services. These include utilities, transportation, healthcare, and others that run operational technology (OT) systems alongside traditional IT for their core operations.

In total, that represents 29.2% of reported breaches (confirmed data disclosure, not merely incidents). So, what exactly does that mean?

It means that just because an incident hasn't happened in your infrastructure environment, you cannot assume it won't happen, and you cannot use that as a reason to postpone or underfund your cybersecurity efforts. No, I don't believe we are facing a "Cyber Pearl Harbor." But I do believe organizations operating both IT and, particularly, OT systems need to put a more conscious effort into securing these systems, not only from a security perspective but in terms of quality, safety, and reliability.

Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That being said, there are best practices in key areas, both technical and organizational, that can help mitigate the risk to infrastructure environments, regardless of the vertical. Here are five.

Risk 1: Your Environment
An organization is at a serious disadvantage if it doesn't take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you are unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.

Best Practice: For organizations with a large installed base or many infrastructure environments, start by picking one environment that is either business-critical or representative of the rest. Inventory its assets, map how they are connected and what data they use or generate, assess its security posture, and then cascade the lessons learned to your remaining environments rather than trying to assess everything at once.

Risk 2: Patch Management
One of the prevailing issues in OT networks is the lack of technical solutions and organizational practices for patching. This is particularly relevant when the control application sits on a commercial operating system, as most do: the OS accumulates vulnerabilities independently of the vendor's application. In my experience, the average number of remote code execution vulnerabilities on the host operating system alone in OT environments is around 55! Consequently, developing and maintaining a strong patch management strategy is one of the most effective activities an organization can undertake. It's also a daunting one, because patches to a control system must be validated against the vendor's supported configuration before they can be applied.

Best Practice: To get started, interact with your system vendors. If your representative isn't familiar with the company's patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.

Risk 3: Network Segmentation
Many OT systems are deployed on a flat network, or without any segmentation between systems that should not be able to interact. There are two common reasons for this: first, a misunderstanding about which systems actually need to communicate with one another, and second, the accumulation of systems from multiple vendors or integrators deployed over time, each with its own connectivity requirements.

Best Practice: After assessing the network topology and data flows, develop network segmentation policies modeled on the zones-and-conduits language used by industry standards such as IEC 62443: a zone is a group of assets that share the same security requirements, and a conduit is the controlled communication path between two zones. The goal of these policies is to limit the damage a breach can do and to make anomalous traffic visible. Bottom line: only required traffic should pass between systems, every communication path between zones should be explicitly defined and enforced, and anything not defined should be denied by default.
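As an added illustration of the zones-and-conduits approach (example code written for this page, not the author's code and not taken from IEC 62443): the asset inventory from Risk 1 is expressed as zone-to-subnet assignments, the segmentation policy from Risk 3 as a directional allow-list of conduits, and a constructed set of flow records is audited against it. All addresses, zone names, ports and flows are made-up assumptions; a real audit would feed the parser from a NetFlow or firewall-log export.

```python
"""Audit observed network flows against a zones-and-conduits segmentation policy.

Added example (not the article author's code): the inventory, conduit policy
and flow records below are constructed for illustration. Zone names borrow
the IEC 62443 zone/conduit vocabulary but are not taken from the standard.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Risk 1 -- inventory: which subnets belong to which security zone (assumed).
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "dmz":        [ip_network("172.16.10.0/24")],     # historian / jump hosts
    "control":    [ip_network("192.168.10.0/24")],    # PLCs, HMIs
    "safety":     [ip_network("192.168.20.0/24")],    # safety instrumented system
}

# Risk 3 -- conduit policy: (src_zone, dst_zone) -> allowed (protocol, dst_port).
# Anything not listed is denied by default; conduits are directional.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},                   # historian web UI
    ("dmz", "control"):    {("tcp", 102), ("tcp", 502)},     # S7comm, Modbus/TCP
    ("control", "safety"): {("tcp", 502)},                   # Modbus/TCP reads only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None means the asset is not in the inventory."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None

def classify(flow: Flow) -> str:
    """Verdict for one flow: allowed, intra-zone, violation or unknown-asset."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"          # inventory gap: investigate before blocking
    if src_zone == dst_zone:
        return "intra-zone"             # not governed by conduits
    if (flow.proto, flow.dport) in CONDUITS.get((src_zone, dst_zone), set()):
        return "allowed"
    return "violation"                  # crosses a zone boundary with no conduit

def parse_flows(csv_text: str) -> List[Flow]:
    """Parse 'src,dst,proto,dport' lines (header row skipped)."""
    rows = csv_text.strip().splitlines()[1:]
    return [Flow(s, d, p.lower(), int(port))
            for s, d, p, port in (row.split(",") for row in rows)]

def audit(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group flows by verdict so violations and inventory gaps surface first."""
    report: Dict[str, List[Flow]] = {
        "violation": [], "unknown-asset": [], "allowed": [], "intra-zone": []}
    for flow in flows:
        report[classify(flow)].append(flow)
    return report

# Constructed flow export (a NetFlow or firewall-log extract would look like this).
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.0.5.20,172.16.10.5,tcp,443
172.16.10.5,192.168.10.11,tcp,502
10.0.5.20,192.168.10.11,tcp,502
192.168.10.11,192.168.20.3,tcp,502
192.168.20.3,192.168.10.11,tcp,502
10.0.5.20,192.168.10.11,tcp,3389
203.0.113.9,192.168.10.11,tcp,502
192.168.10.11,192.168.10.12,udp,161
"""

if __name__ == "__main__":
    for verdict, flows in audit(parse_flows(SAMPLE_FLOWS)).items():
        for f in flows:
            print(f"{verdict:14} {f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport}")
```

Three things in the sample output are worth noticing. The enterprise workstation talking Modbus and RDP directly to a PLC is the flat-network symptom described above: it is a violation even though the same Modbus traffic from the DMZ broker is allowed. The safety system initiating a connection back into the control zone is also a violation, because conduits are directional; the policy only permits control-to-safety. And the flow from an address in no zone is reported as an inventory gap rather than silently dropped or allowed, which is exactly the case Risk 1 is about.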

Risk 4: Your Supply Chain
In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.

Best Practice: Your organization should include security requirements in its vendor management program both for the procurement of new systems and for ongoing maintenance and support contracts, so that patching, remote access, and change validation are addressed before a system is installed rather than negotiated afterward. Industry standards such as IEC 62443 can provide guidance in this effort.

Risk 5: IT vs. Process Control Teams
Over the past few years, at both the leadership and execution levels, IT security teams have become involved in OT network security efforts. In several cases, differences in priorities (confidentiality for IT, availability and safety for OT) and in the understanding of each other's technology have led to organizational stalemates and differing opinions on how to address security in operational environments.

Best Practice: Organizations need to bring these groups together with a common goal in order to foster a culture of cooperation between the two groups to address cyber threats. Training for both OT and IT security personnel should be part of that effort, including the development of a common understanding of objectives and solutions that work for your organization.


Michael Fabian is a principal consultant within the Synopsys Software Integrity Group. His primary area of specialization involves adapting and bringing systems-level security objectives, processes, and technical solutions into a variety of non-traditional cyber systems in ...