Excluding the financial services industry, there were 649 breaches reported on and analyzed for the 2018 Verizon Data Breach Investigations Report (DBIR) in industries that are considered part of infrastructure verticals. These include utilities, transportation, healthcare, and others that employ operational technology (OT) systems in addition to traditional IT for their main operations.
In total, that represents 29.2% of reported breaches (not incidents). So, what exactly does that mean?
It means that just because an incident hasn't happened in your infrastructure environment, that doesn't mean it won't happen or that you can postpone or underfund your cybersecurity efforts. No, I don't believe we are facing a "Cyber Pearl Harbor." But I do believe organizations operating both IT and, particularly, OT systems need to put a more conscious effort into securing these systems not only from a security perspective but in terms of quality, safety, and reliability.
Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That being said, there are best practices in key areas, both technical and organizational, that can help mitigate the risk to infrastructure environments, regardless of the vertical. Here are five.
Risk 1: Your Environment
An organization is at a serious disadvantage if it doesn't take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you are unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.
Best Practice: One of the best pieces of advice for organizations with a large installed base or many infrastructure environments is to pick a representative environment. Once you have selected an important or representative environment, move forward by cascading the lessons you've learned to the rest of your environments.
Risk 2: Patch Management
One of the prevailing issues in OT networks is the lack of technical solutions and organizational practices for patching. This is particularly relevant if the application sits on a commercial OS, as most do. In my experience, the average number of remote code execution vulnerabilities on the host operating system alone in OT environments is around 55! Consequently, developing and maintaining a strong patch management strategy is one of the most effective activities an organization can undertake. It's also a daunting undertaking.
Best Practice: To get started, interact with your system vendors. If your representative isn't familiar with the company's patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.
Risk 3: Network Segmentation
Many OT systems are deployed in a flat network topology or without any segmentation between systems that should not be able to interact. There are two reasons for this. First, due to a misunderstanding about which systems need to communicate with one another, and the second, as a result of deploying systems from multiple vendors or integrators over time.
Best Practice: After assessing the network topology and data flows, you will need to develop network segmentation policies, which are similar to various industry standards language describing the zones and conduits of controlling access. The goal of these policies is to mitigate the damage potential of breaches or issues related to anomalous network traffic. Bottom line: only required traffic should pass between systems, and restrictions on communication paths between various zones should be enforced.
Risk 4: Your Supply Chain
In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.
Best Practice: Your organizations should be sure to include security requirements for the procurement of new systems as well as ongoing maintenance efforts within their vendor management programs. Industry standards such as IEC 62443 can provide guidance in this effort.
Risk 5: IT vs. Process Control Teams
Over the past few years, at both the leadership and execution levels, IT security teams have become involved in OT network security efforts. In several cases, the differences in priorities and the understanding of technology has led to organizational stalemates and differing opinions on how to address security in operational environments.
Best Practice: Organizations need to bring these groups together with a common goal in order to foster a culture of cooperation between the two groups to address cyber threats. Training for both OT and IT security personnel should be part of that effort, including the development of a common understanding of objectives and solutions that work for your organization.
- 7 Steps to Start Your Risk Assessment
- Constructing the Future of ICS Cybersecurity
- Hidden Costs of IoT Vulnerabilities
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.