What's wrong with this picture? The COVID-19 pandemic continues to rage worldwide, so everyone who can is working at home by connecting to a host of expanding and/or newly multiplying Internet networks. This lets them collaborate with other remote coworkers, and consult with colleagues who must remain onsite or in the field. Fine, but many new links aren't as closely monitored or managed because they're new, hastily set up, and not yet part of established policies and procedures for older, centrally controlled networks. At the same time, the awareness and vigilance about cybersecurity that workers habitually maintain in offices and plants can stretch thin when they work at home or other settings with competing demands for their attention.
In short, more connections and distractions mean more vulnerabilities to probes, intrusions and attacks. So, once again, COVID-19 is throwing a harsh, high-relief spotlight on what users and their organizations are doing—or not doing—and should be doing, in this case, about cybersecurity.
"The pandemic has increasingly brought to light the importance of cybersecurity fundamentals and the benefits that come from following them. COVID-19 and responses to it provide excellent examples of both effective and ineffective security responses to an unknown threat. One crucial observation we can make is that we can't protect our systems (or ourselves) if we don't know the vectors that threat agents use to compromise (infect) a system," says Daniel McKarns, senior industrial systems engineer at Matrix Technologies Inc. in Maumee, Ohio, and a certified member of the Control System Integrators Association (CSIA). "Having the fundamentals in place can allow you to effectively defend against many threats and minimize the impact of others."
When an attempted intrusion or an actual breach occurs, McKarns reports the first step is to go through is a process of discovery to learn what, if anything, is compromised and how that compromise occurred. "Identifying and characterizing the attack—successful or not—is critical," he says. "The next step is to mount a response, similar to how the human immune system might react to a threat.
"If we already have network segmentation and other defense-in-depth layers in place, they provide a bulwark for protecting vital systems, equivalent to a robust immune system. Segmentation, access controls and good network visibility give us tools to detect abnormal behavior and attempted compromises, allowing defenders to take action before a threat spreads too far or too fast. Response time is critical in reducing the impact of threats. With those tools in place, there's a much better chance of responding appropriately and in a timely manner. Ideally, infection may be avoided entirely."
McKarns explains that visibility and control also aid in remediation because, once an intrusion is contained, users can being restoring affected systems to their proper status. "COVID-19 put many users and systems into 'isolation,' he adds. "While this is by no means an ideal state to operate in, it has bought us the time we've needed to qualify the threats against us, and update our responses accordingly. The same can be done with a control system if architected with appropriate cybersecurity measures."
Sick security cure
Just as cybersecurity has always been framed in healthcare language, McKarns explains it still helps to understand it using sickness and health concepts, especially now that COVID-19 has everyone thinking in those terms.
"Of course, COVID-19 scaled up remote work, which impacts IT systems because all those new connections means dealing with more potential vectors of compromise and the associated risks," says McKarns.
Even though more connections means more exposure to vulnerabilities, Paul Noone, also a senior industrial systems engineer at Matrix, reports the actual risks, intrusions and potential attacks are the same as always. Attackers are always working to improve their tools to further avoid detection and take advantage of any security weakness they can find, but many of the cures are the same, too.
"When users and their companies implement more remote-work programs, they just need to make sure they're including layered protections, risk mitigation and other cybersecurity best practices at the same time," says Noone. "Many of us sound like broken records, but most organizations still aren't doing cybersecurity properly, even though there's a lot they can do that isn't too costly. This is similar to responding to COVID-19 by wearing masks, washing hands and social distancing. Just like we used to think of cybersecurity as an extension of process safety, we can also think about how we're dealing with the pandemic to understand and improve our cybersecurity responses. All employees need to practice good cybersecurity hygiene because only one human error can take down a system. A USB flash drive with malware embedded in the firmware will appear clean to all malware scans, but the simple act of plugging in an untrusted flash drive can compromise a system."
Firewalls, encryption and endpoints
Shifting to a cybersecurity mindset can begin by viewing an ICS as a business inside of a larger business, according to Noone, who adds this demonstrates why plant-floor and enterprise-level servers and networks need to be separated by firewalls with a demilitarized zone (DMZ) between them. The firewalls must be configured to only allow authorized traffic, perform protocol and stateful data packet inspections, and encrypt their communications, too. This allows them to keep track of the talk between devices in their network, define security zones and levels of trust, and use access lists to decide which devices can start a conversation.
"It's also important to limit physical access, such as using a hardware key to make sure devices only operate in run mode, so they can't be reprogrammed," says Noone. "If more network or physical access is allowed than what's needed to do a job, then something may be left open that an intruder can take advantage of. The same goes for remote access, so users have to again determine how much is needed, and grant only what's required."
McKarns cautions that encrypting communications is still important, but it must be performed carefully. "Encrypting can make it harder for firewalls to see inside packets or it can even render packets effectively invisible, so updated or next-generation firewalls may be needed," says McKarns. "Most malware is now deployed using encrypted network protocols, so not all cybersecurity methods are as effective as they were before. This means endpoint devices also need malware protection, and system administrators will again have to balance security versus what they can afford. A defense in depth security strategy does not begin and end at the edge of the network. Every device needs an immune system."
McKarns adds that standards such as NIST 800-53 and ISO 27005 can help administrators and their organizations develop a risk framework and cost-benefit analysis to determine the best approach to implementing an effective cybersecurity strategy. "A risk framework can point a business toward the best cybersecurity investment for them based on their understanding of their risks," he says.
"A word of caution though: targeted attacks are much more challenging to defend against than chance encounters. If your system is a high-value target, then you can't get away with just being more secure than your neighbors in the hopes of not being the low hanging fruit," says McKarns. "The appropriate actions for your system should be born out in your risk assessment. Segmenting networks used to be enough, but not anymore. There are advanced persistent threats and state actors out there that must be faced. Additional countermeasures such as regular patching, a least-privilege operational security model and other endpoint security measures are important because they help implement security policy closest to the devices most at risk of compromise."
McKarns explains that one feature to implement in a good endpoint security strategy is the ability to control what patches are distributed to which endpoints and when. "When a good patching mechanism is in place, it's much easier to coordinate scheduled production timetables and a judicious patching schedule. Another is to follow a least-privilege methodology, implemented wherever security can be enforced. As an example, internal servers should not have their host firewalls disabled simply because there's a network firewall. Both host and network firewalls should be used. This extends to the user level as well. Avoid granting administrative credentials to everyone. Only grant permissions a user needs to do their job. Lastly, endpoint security strategies greatly benefit from solutions that can perform application whitelisting and active virus protection. The application whitelisting method can take some additional time to configure and tweak, but is well worth it in maintaining a healthy system as it’s the only viable defense against some types of threats."
McKarns adds it’s becoming rarer to find completely air-gaped systems as the benefits of connectivity between control systems and business networks increase. "Proper defense-in-depth strategies don't have to rely on former isolation methods that treated the control system like a walled garden," he says. "Endpoint security is like giving an immune system to each individual component, which increases the resilience of each component as well as the system as a whole.”
