Commentary, 11/9/2018 10:30 AM
Michael Fabian
Vulnerabilities in Our Infrastructure: 5 Ways to Mitigate the Risk

By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.

Excluding the financial services industry, there were 649 breaches reported on and analyzed for the 2018 Verizon Data Breach Investigations Report (DBIR) in industries that are considered part of infrastructure verticals. These include utilities, transportation, healthcare, and others that employ operational technology (OT) systems in addition to traditional IT for their main operations.

In total, that represents 29.2% of reported breaches (not incidents). So, what exactly does that mean?

It means that just because an incident hasn't happened in your infrastructure environment, that doesn't mean it won't happen or that you can postpone or underfund your cybersecurity efforts. No, I don't believe we are facing a "Cyber Pearl Harbor." But I do believe organizations operating both IT and, particularly, OT systems need to put a more conscious effort into securing these systems not only from a security perspective but in terms of quality, safety, and reliability.

Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That being said, there are best practices in key areas, both technical and organizational, that can help mitigate the risk to infrastructure environments, regardless of the vertical. Here are five.

Risk 1: Your Environment
An organization is at a serious disadvantage if it doesn't take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you are unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.

Best Practice: One of the best pieces of advice for organizations with a large installed base or many infrastructure environments is to pick a representative environment. Once you have selected an important or representative environment, move forward by cascading the lessons you've learned to the rest of your environments.

Risk 2: Patch Management
One of the prevailing issues in OT networks is the lack of technical solutions and organizational practices for patching. This is particularly relevant if the application sits on a commercial OS, as most do. In my experience, the average number of remote code execution vulnerabilities on the host operating system alone in OT environments is around 55! Consequently, developing and maintaining a strong patch management strategy is one of the most effective activities an organization can undertake. It's also a daunting undertaking.

Best Practice: To get started, interact with your system vendors. If your representative isn't familiar with the company's patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.

Risk 3: Network Segmentation
Many OT systems are deployed in a flat network topology, or without any segmentation between systems that should not be able to interact. There are two common reasons for this: first, a misunderstanding about which systems actually need to communicate with one another, and second, the accumulation of systems deployed by multiple vendors or integrators over time.

Best Practice: After assessing the network topology and data flows, you will need to develop network segmentation policies, similar to the "zones and conduits" language that industry standards use to describe where access is controlled. The goal of these policies is to limit the damage a breach can do and to make anomalous network traffic easier to spot. Bottom line: only required traffic should pass between systems, and restrictions on the communication paths between zones should be enforced.
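A minimal way to express such a zones-and-conduits policy and check observed traffic against it, as an added example that is not from the article; the zone address ranges, conduit ports and flow records are constructed for illustration, and a flow involving a host missing from the inventory is treated as a violation because it reveals a gap in the asset inventory (Risk 1) as much as in segmentation:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map (assumed address ranges, not from the article).
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "dmz_historian": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.50.0/24"),
}
# Conduits: the only (src zone, dst zone, dst port) flows allowed to cross a zone boundary.
CONDUITS = {
    ("enterprise_it", "dmz_historian", 443),  # IT reads historian data over HTTPS
    ("dmz_historian", "control", 502),        # historian polls PLCs over Modbus/TCP
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"  # host is not in the zone inventory

def evaluate(flow: Flow) -> tuple:
    """Return (allowed, reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):  # unmapped host: the inventory is incomplete
        return False, f"unmapped address in {flow.src}->{flow.dst}"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic in {src_zone}"
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return True, f"conduit {src_zone}->{dst_zone}:{flow.dport}"
    return False, f"no conduit {src_zone}->{dst_zone}:{flow.dport}"

def audit(flows: list) -> list:
    """Return the reason for every flow that violates the segmentation policy."""
    return [reason for f in flows for ok, reason in (evaluate(f),) if not ok]
# Constructed sample flows, as a firewall or NetFlow export might report them.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.12", 443),         # allowed conduit
    Flow("10.20.0.12", "192.168.50.21", 502),     # allowed conduit
    Flow("10.10.5.7", "192.168.50.21", 502),      # IT host talking Modbus directly to a PLC
    Flow("192.168.50.21", "192.168.50.22", 502),  # intra-zone, allowed
    Flow("172.16.9.4", "192.168.50.21", 22),      # source missing from the zone inventory
]
```

Calling audit(SAMPLE_FLOWS) returns two violations: the direct IT-to-PLC Modbus flow and the flow from the unmapped host.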

Risk 4: Your Supply Chain
In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.

Best Practice: Your organization should be sure to include security requirements for the procurement of new systems, as well as for ongoing maintenance efforts, within its vendor management programs. Industry standards such as IEC 62443 can provide guidance in this effort.

Risk 5: IT vs. Process Control Teams
Over the past few years, at both the leadership and execution levels, IT security teams have become involved in OT network security efforts. In several cases, differences in priorities and in the understanding of the technology have led to organizational stalemates and differing opinions on how to address security in operational environments.

Best Practice: Organizations need to bring these groups together with a common goal in order to foster a culture of cooperation between the two groups to address cyber threats. Training for both OT and IT security personnel should be part of that effort, including the development of a common understanding of objectives and solutions that work for your organization.


Michael Fabian is a principal consultant within the Synopsys Software Integrity Group. His primary area of specialization involves adapting and bringing systems-level security objectives, processes, and technical solutions into a variety of non-traditional cyber systems in ...