As geopolitical tensions continue to escalate, companies around the world are looking for ways to quickly strengthen their defenses against an always-evolving landscape of threats.
Dragos recently released its 2022 ICS/OT Cybersecurity Year in Review, exploring ICS and OT vulnerabilities, threats targeting industrial environments, and industry trends from customer engagements worldwide.
2022 saw a breakthrough escalation in capabilities by a new modular ICS malware, PIPEDREAM, developed by the threat group, CHERNOVITE. CHERNOVITE’S PIPEDREAM toolkit has the capabilities to impact devices that control critical infrastructure – devices that manage the electrical grid, oil and gas pipelines, water systems, and manufacturing plants. For industrial operators, this can be viewed as a supply chain risk, as the methods target key vendor systems.
Some of the key findings from the report include:
- An 87% increase in ransomware attacks against industrial organizations (72% of those attacks were focused on manufacturing.)
- The first attacks against the mining and metals industries in Australia and New Zealand.
- Continued targeting of renewable energy companies in the U.S. and the European Union.
- Increased attacks on food and beverage, pharmaceuticals, chemicals, water, and wastewater facilities worldwide.
- Accelerated attacks in energy, including electrical, manufacturing, oil and natural gas, and liquefied natural gas sectors.
Considering these trends and the complexity of the global environment, what can organizations reasonably do for their operational technology environments in the short term?
Dragos recommends asking yourselves a few questions to evaluate your current readiness and maturity:
- Do your facilities teams understand what an attack could look like for your organization? Do you know the most common threat scenarios in your industry and how your defenses are aligned to protect your enterprise?
- Do you have a comprehensive incident response plan that has been vetted by OT and IT teams; practiced and adjusted; and communicated between all the stakeholders?
Once you understand where you are on these topics, consider leveraging the SANS Five Critical Controls for Effective OT Cybersecurity as a guide for how to prioritize next steps. The five critical controls put a strong emphasis on practices that facilitate an active defense as opposed to a traditional prevention-focused approach. The controls include:
- Incident Response Plan: Create a dedicated plan that includes the right points of contact, such as which employees have which skills inside which plant, as well as thought-out next steps for specific scenarios at specific locations. Identify responsible parties, notifications, and escalation policies. Leverage tabletop simulation exercises to test and improve response plans.
- Defensible Architecture: OT security strategies often start with hardening the environment - removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high risk vulnerabilities. Perhaps even more important than a secure architecture are the people and processes to maintain it. The resources and technical skills required to adapt to new vulnerabilities and threats should not be underestimated.
- ICS Network Visibility and Monitoring: You can’t protect what you can’t see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors traffic for potential threats. Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks. Additionally, monitoring can also identify vulnerabilities easily for action.
- Secure Remote Access: Secure remote access is critical to OT environments. A key method, multi-factor authentication (MFA) is a rare case of a classic IT control that can be appropriately applied to OT. Implement MFA across your systems of systems to add an extra layer of security for a relatively small investment. Where MFA is not possible, consider alternate controls such as jump hosts with focused monitoring. The focus should be placed on connections in and out of the OT network and not on connections inside the network.
- Risk-Based Vulnerability Management: Knowing your vulnerabilities – and having a plan to manage them – is a critical component to a defensible architecture. Over 1200 OT-specific vulnerabilities were released last year, most of them with incomplete or erroneous information. While patching an IT system like a worker’s laptop is relatively easy, shutting down a plant has huge costs. An effective OT vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimize exposure while continuing to operate.
For more information about the 5 Critical Controls and how they can help your company prioritize its cybersecurity programs, download this report.
