OT Plant Floor Visibility Critical for Cybersecurity
Gary Parr | April 27, 2023
Take these steps to improve OT visibility and defend against ransomware.
By Jennifer Halsey, Dragos
Understanding the operational technology (OT) environment—including which assets are connected to the OT network, what unexpected traffic looks like, which vulnerabilities to prioritize, and which potential threat behaviors might be lurking within—is fundamental to strong industrial cybersecurity. Without comprehensive OT visibility, it is almost impossible to measure and mitigate your unique risk landscape. It makes sense; after all, you can't protect what you can't monitor, and you can't monitor what you can't see. Like most aspects of security, though, it is harder than it sounds: achieving OT visibility takes a great deal of planning and careful execution before it can improve and protect your operations.
The industrial cyber-threat landscape is constantly changing, with new adversaries, vulnerabilities, and attacks that put operations and safety at risk. The sixth annual ICS/OT Cybersecurity Year in Review from Dragos Inc., Hanover, MD (dragos.com), found that ransomware attacks against industrial organizations increased 87% between 2021 and 2022, with 437 manufacturing entities, spread across 104 unique subsectors, hit by ransomware in 2022 alone. Dragos tracked 35% more ransomware groups and noted a dramatic increase in Ransomware as a Service (RaaS).
RaaS developers provide their offerings, complete with data exfiltration tools, to other criminal actors, who use them to opportunistically attack the organizations most likely to pay; the affiliates who stage the attacks split the profits with the RaaS developers. Because affiliates rent the same tooling through a cloud-based, point-and-click interface, the barrier to entry is low and attributing an incident to a specific ransomware group is difficult. Plants lacking full visibility into their operational assets are the easiest targets for ransomware.
According to the Dragos report, 80% of service engagement customers had limited OT visibility into their ICS environment and 50% had issues with network segmentation. Many facilities were unaware of their external connections—more than half found undisclosed or uncontrolled external connections to the OT environment.
Does your organization suffer from limited OT visibility? Consider the following questions:
• Do you know exactly which OT assets you’re running, including the specific software versions they’re operating?
• Do you know which vulnerabilities exist in those assets—and which ones introduce the most risk to the OT environment? Do you have a methodology to prioritize patching and do you know how to implement alternative mitigations?
• Would you know if you were compromised? How long could a compromise go on before you knew it? In a recent Ponemon Institute study, it took companies an average of 170 days to detect an incident.
The path to progress
OT visibility consists of three major components: asset visibility, threat visibility, and vulnerability management.
Organizations achieve OT asset visibility by discovering, inventorying, and classifying the systems that run operational processes in industrial facilities. OT asset visibility tracks configuration states of assets, versions used, and maps relationships between assets. Asset visibility is first established with an inventory of assets, which can then be used to prioritize which assets to monitor on a continuous basis for threat detection, vulnerability management, and change control.
This provides the framework for vulnerability management and threat visibility. Without an understanding of which assets are deployed within an environment, it can be nearly impossible to know where to look for flaws, let alone active threats operating within them. When organizations fully identify and inventory their OT assets, every cybersecurity process becomes easier, including detecting threats, managing vulnerabilities, implementing security initiatives, or responding to an incident.
Threat visibility combines thorough, relevant OT threat intelligence with threat detection mechanisms that identify active threats in an environment. OT threat intelligence is collected by expert ICS cybersecurity researchers who actively hunt for and observe industrial-specific adversaries on a range of industrial networks worldwide. They categorize the tactics, techniques, and procedures (TTPs) of the threat actors and provide advisories that include attack details and technical indicators of compromise (IOCs) tied to them. OT threat detection codifies advisory information about threats operating elsewhere and uses that information to look for clues about similar threat activity inside an OT environment. Detection relies on monitoring OT assets and network traffic in the context of threat intelligence.
As security processes mature, adversaries adjust their tactics to circumvent new safeguards put in place, often going undetected. Greater threat visibility can be achieved by assessing the capabilities of threat groups and connecting this information with what is happening in an organization’s OT environment. This paves the way for early warning and detection of threats and facilitates threat hunts within an organization’s infrastructure. Threat hunts help you find undiscovered threats in your ICS networks and identify weaknesses in architecture, security controls, and policies and procedures to avoid compromise.
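The asset-visibility and threat-visibility steps described above are easier to see in working code. The Python below is an added example, not Dragos's product code or anything from the article: it builds a passive asset inventory from a handful of constructed flow records (the kind a span-port sensor exports), infers each OT host's role from the industrial protocols it speaks, maps who talks to whom, and then checks the same traffic against a constructed baseline of documented supervisory hosts, a constructed list of documented external connections, and a constructed advisory indicator. It flags ICS clients outside the baseline, undisclosed connections crossing the OT boundary, and indicator matches. Every address, baseline entry and indicator is an assumption for illustration; protocol classification is by well-known port, which a real sensor would replace with deep packet inspection.

```python
"""Added example (not Dragos code): passive OT asset inventory and
detection over constructed flow records. Every address, baseline and
indicator here is made up for illustration."""
import ipaddress

# Constructed OT network and a port-to-protocol map by well-known port.
# A real passive sensor would classify by deep packet inspection instead.
OT_NETS = [ipaddress.ip_network("10.20.1.0/24")]
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}

# Constructed flow records as a span-port sensor might export them:
# (src_ip, dst_ip, dst_port, transport, bytes)
FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502, "tcp", 1200),    # HMI -> PLC, Modbus/TCP
    ("10.20.1.10", "10.20.1.51", 44818, "tcp", 900),   # HMI -> PLC, EtherNet/IP
    ("10.20.1.11", "10.20.1.50", 502, "tcp", 600),     # host not in the baseline polls the PLC
    ("10.20.1.20", "10.20.1.52", 102, "tcp", 2400),    # engineering workstation -> S7 PLC
    ("10.20.1.50", "10.20.1.53", 20000, "tcp", 300),   # PLC -> RTU, DNP3
    ("203.0.113.7", "10.20.1.20", 3389, "tcp", 5000),  # RDP into OT from an undocumented address
    ("10.20.1.20", "198.51.100.9", 443, "tcp", 8000),  # OT host -> indicator from a constructed advisory
]

# Constructed baselines: documented supervisory/polling hosts and the one
# documented external connection (a jump host reaching the workstation).
APPROVED_ICS_CLIENTS = {"10.20.1.10", "10.20.1.20", "10.20.1.50"}
APPROVED_EXTERNAL = {("10.20.0.5", "10.20.1.20", 3389)}
# Constructed indicator of compromise, standing in for an advisory's IOC list.
ADVISORY_IOCS = {"198.51.100.9"}


def in_ot(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def build_inventory(flows):
    """One record per OT address seen on the wire. Role is inferred from how
    the host uses industrial protocols: devices that answer ICS requests are
    controllers, hosts that issue them are supervisory clients."""
    inv = {}

    def rec(ip):
        return inv.setdefault(ip, {"protocols": set(), "serves": set(),
                                   "talks_to": set(), "role": "unknown"})

    for src, dst, dport, _transport, _nbytes in flows:
        for ip in (src, dst):
            if in_ot(ip):
                rec(ip)                      # every OT address seen is inventoried
        name = ICS_PORTS.get(dport)
        if name is None:
            continue                         # not an industrial protocol; no role evidence
        if in_ot(dst):
            rec(dst)["protocols"].add(name)
            rec(dst)["serves"].add(src)      # dst answers ICS requests from src
        if in_ot(src):
            rec(src)["protocols"].add(name)
            rec(src)["talks_to"].add(dst)    # src issues ICS requests to dst

    for asset in inv.values():
        if asset["serves"] and asset["talks_to"]:
            asset["role"] = "controller/gateway"
        elif asset["serves"]:
            asset["role"] = "controller"
        elif asset["talks_to"]:
            asset["role"] = "supervisory client"
    return inv


def detect(flows, approved_clients, approved_external, iocs):
    """Three checks from the text: an ICS client outside the documented
    baseline, a connection crossing the OT boundary that is not documented,
    and traffic to or from an advisory indicator."""
    findings = []
    for src, dst, dport, _transport, _nbytes in flows:
        if dport in ICS_PORTS and in_ot(dst) and src not in approved_clients:
            findings.append(("unexpected-ics-client", src, dst, dport))
        if in_ot(src) != in_ot(dst) and (src, dst, dport) not in approved_external:
            findings.append(("undisclosed-external-connection", src, dst, dport))
        if src in iocs or dst in iocs:
            findings.append(("advisory-ioc-match", src, dst, dport))
    return findings


if __name__ == "__main__":
    for ip, a in sorted(build_inventory(FLOWS).items()):
        print(ip, a["role"], sorted(a["protocols"]), "peers:", sorted(a["serves"] | a["talks_to"]))
    for finding in detect(FLOWS, APPROVED_ICS_CLIENTS, APPROVED_EXTERNAL, ADVISORY_IOCS):
        print(*finding)
```

The inventory is what makes the second half possible: the "unexpected client" and "undisclosed external connection" checks are only meaningful against a documented baseline, and the indicator match only tells you which OT asset is involved because the inventory already knows what 10.20.1.20 is and what it normally talks to.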
Vulnerability management is the practice of identifying and remediating vulnerabilities or weaknesses in OT assets that put them at risk of a cyberattack. Software flaws can exist in operating systems, applications, industrial firmware, or protocols and are classified based on risk of exploitation. Remediation can result from patching vulnerable assets or implementing compensating controls that mitigate the risk of a flaw.
Just as with information technology (IT) systems, OT assets contain a range of software and configuration flaws that can be exploited. In 2022, the number of ICS/OT system vulnerabilities increased 27%, and Dragos found that 34% of advisories contained errors. Most vulnerabilities studied (83%) resided deep within the ICS network, and 51% could cause a loss of view and a loss of control, up from 35% in 2021. It can be difficult for asset owners to know which vulnerabilities to mitigate and how to prioritize patching or other mitigations given production uptime requirements and regulatory factors.
Effective OT vulnerability management can help an OT cybersecurity program:
• Simplify compliance by effectively documenting vulnerabilities and their disposition (patched, remediated, or risk-accepted).
• Prioritize action around vulnerabilities based on importance of the asset, downtime risks, and evidence of in-the-wild exploits against them.
• Maximize remediation resources to get the most out of cybersecurity budgets.
• Provide a unifying view of vulnerabilities across assets for OT operators and cybersecurity stakeholders.
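The prioritization and disposition tracking described in the list above can be made concrete. The Python below is an added example, not Dragos's methodology or anything from the article: it scores constructed vulnerability records against constructed asset records using the factors named here and in the preceding paragraphs (asset importance, downtime risk expressed as whether the asset can be patched online, at the next outage, or not at all, evidence of in-the-wild exploitation, loss-of-view/control impact, and network exposure), turns the score into a recommended action, and keeps a disposition (patched, remediated, risk-accepted) per vulnerability for the compliance record. The weights, identifiers and data are assumptions.

```python
"""Added example (not Dragos's methodology): prioritize constructed OT
vulnerability records against constructed asset records and track their
disposition. Weights, identifiers and data are assumptions."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (safety or production critical), set by the process owner
    patch_window: str     # "online", "next-outage", or "never" (vendor or certification forbids patching)
    exposed: bool         # reachable from outside its zone, versus deep inside the ICS network


@dataclass
class Vuln:
    vid: str                  # constructed identifier, not a real advisory or CVE number
    asset: str
    severity: float           # CVSS-style base score, 0..10
    loss_of_control: bool     # exploitation could cause loss of view or loss of control
    exploited_in_wild: bool   # evidence of in-the-wild exploitation
    disposition: str = "open" # open | patched | remediated | risk-accepted


# Constructed data.
ASSETS = {a.name: a for a in [
    Asset("HMI-1", 3, "online", True),
    Asset("PLC-7", 5, "next-outage", False),
    Asset("SIS-2", 5, "never", False),
    Asset("EWS-3", 2, "online", False),
]}
VULNS = [
    Vuln("EX-001", "HMI-1", 9.8, False, True),
    Vuln("EX-002", "PLC-7", 7.5, True, False),
    Vuln("EX-003", "SIS-2", 5.4, True, False),
    Vuln("EX-004", "EWS-3", 4.3, False, False),
    Vuln("EX-005", "PLC-7", 6.5, False, False),
]


def priority(v, a):
    """Assumed weighting: severity anchors the score, in-the-wild exploitation
    and loss-of-view/control add to it, and asset criticality and exposure
    scale it, so the same flaw ranks higher on a critical, exposed asset."""
    score = v.severity
    if v.exploited_in_wild:
        score += 4
    if v.loss_of_control:
        score += 3
    if a.exposed:
        score += 2
    return round(score * (0.5 + a.criticality / 5), 1)


def recommend(v, a):
    """Turn the score into an action that respects the asset's downtime constraint."""
    if v.disposition != "open":
        return "no-action"
    p = priority(v, a)
    if p < 8:
        return "monitor"
    if a.patch_window == "online":
        return "patch-now" if p >= 15 else "patch-scheduled"
    if a.patch_window == "next-outage" and p < 15:
        return "patch-next-outage"
    # High priority, but patching would take the process down or is not
    # permitted: put a compensating control in place (segmentation, access
    # restriction, targeted monitoring) and document it as the remediation.
    return "compensating-control"


def plan(vulns, assets):
    """Ranked worklist, highest priority first: (score, id, asset, action)."""
    rows = [(priority(v, assets[v.asset]), v.vid, v.asset, recommend(v, assets[v.asset]))
            for v in vulns]
    return sorted(rows, reverse=True)


def set_disposition(vulns, vid, state):
    """Record the outcome so the compliance report reflects it."""
    for v in vulns:
        if v.vid == vid:
            v.disposition = state
            return v
    raise KeyError(vid)


def summary(vulns):
    """Counts per disposition, the unified view auditors and OT operators ask for."""
    counts = {}
    for v in vulns:
        counts[v.disposition] = counts.get(v.disposition, 0) + 1
    return counts


if __name__ == "__main__":
    for score, vid, asset, action in plan(VULNS, ASSETS):
        print(f"{score:5.1f}  {vid}  {asset:6}  {action}")
    set_disposition(VULNS, "EX-001", "patched")
    print(summary(VULNS))
```

Note what the weighting does to the two PLC-7 entries: the same asset yields a "compensating control" for the loss-of-control flaw and a "patch at next outage" for the lesser one, because the asset's downtime constraint, not just the severity score, decides the action.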
When all three components are well integrated to provide end-to-end OT visibility, they can be leveraged to improve your facility’s cybersecurity posture. These components can also fuel more effective and efficient incident response in the event of a breach, enabling teams to analyze changes to infrastructure and provide forensic records to reconstruct threat activity.
Jennifer Halsey is the Senior Manager of Industry Marketing for Dragos Inc., Hanover, MD (dragos.com). Prior to joining Dragos, Halsey was the Director of Communications & Brand Strategy at the International Society of Automation (ISA), Pittsburgh (isa.org). Among other projects, she was responsible for the marketing and PR efforts behind ISA/IEC 62443, the consensus-based series of cybersecurity standards, and the ISA Global Cybersecurity Alliance, a 50+ member consortium to advance cybersecurity readiness across all vertical industries using automation. Dragos is one of the founding members of the ISA Global Cybersecurity Alliance.