By Gary DiFazio
Traditionally, the OT environment is built with a “set it and forget it” mentality. But once the network is connected to the outside world, that model is no longer optimal. The network becomes dynamic, ever-changing and in constant interaction with the outside: most changes are legitimate, some are accidental and some, unfortunately, are nefarious.
When it comes to cybersecurity, there is a three-step progression that can help any industrial environment evolve from highly vulnerable to strongly protected against inevitable threats. It is vital to note that these steps protect networks from any cyber event, from malicious attacks by external or internal actors to human error and unexpected component failure. The latter events are far more common than attacks and often just as damaging, if not more so.
Step 1 is achieving visibility. Step 2 is establishing protective controls. Step 3 is using these tools for ongoing continuous monitoring, keeping you protected around the clock, 24/7/365, from any threat, malicious or accidental, internal or external.
If you are a “newbie” to industrial cybersecurity, aware of how extraordinarily important it is to move away from a highly vulnerable environment with little or no protection in place, but unsure how to proceed, you are not alone. However, don’t let uncertainty lead to ongoing vulnerability that can, and almost certainly will, lead to downtime and lost productivity, if it hasn’t done so already. The steps are manageable.
As I noted, the first step in any cybersecurity strategy is creating visibility. As we often say, “How can you protect something if you don’t know what you have or what it does, or what ‘normal operation’ even looks like?” The obvious answer is “you can’t,” and I find that just asking the question often leads to a lot of head nodding, since most network operators will freely admit their network is not mapped out anywhere. And, with things so frequently added to the network over the years and no methods in place to keep tabs, it is an extremely common situation to have little to no idea what you have, especially as networks add more and more productivity-enhancing outside data connections.
You need these insights in order to move forward: to know, for example, where to place firewalls and other kinds of protective controls, and to ensure that every single point is optimally protected. After all, it only takes one “missed” unprotected point to allow a hacker malicious access into your industrial control system.
There are a half dozen aspects of visibility that, together, provide a complete picture into the state of your network. They are:
1. Asset inventory – taking stock of every piece of hardware and software on the network and capturing all relevant information: vendor, make, model, firmware version, installed software, etc. This is a vitally important step. In fact, people often equate “visibility” with asset inventory, and although it is a vital part of visibility, it is only one component.
2. Configurations — a snapshot of how each device on the network, such as controllers, switches, routers, firewalls, databases, HMIs, engineering workstations, etc., is currently configured, so any changes to those configurations can be quickly flagged.
3. Log information — log files can be a treasure trove of information: Who is logging on and when? Where are they maneuvering to? Are they changing something? And what is the password behavior? Was it correct the first time, or did it take 20 failed attempts in ten seconds to log on? Obviously, this is the fingerprint of a brute force attack to break the password.
4. Known vulnerabilities and defined weaknesses — these are tracked and correlated against the hardware and software identified as being on your network, with corrective action prioritized by a risk rating. Most vendors publish alerts if a security issue is uncovered in their products, and make new firmware or patches available. Organizations such as Homeland Security also alert users by subscription. Large networks may receive many of these announcements; this aspect of visibility automates the work of tracking them so you can stay on top of it.
5. Communication Pattern Changes — a snapshot of “what is talking to what” is taken. If, down the road, a controller is suddenly talking to a different IP address, or a communication that used to occur once a day is now transmitted several times in an hour, or a VFD is being directed by another source, it can be flagged for attention.
6. Network Topology — a snapshot of how the constituent parts of a network are arranged and interconnected. Once you know, you can readily identify changes and determine their legitimacy.
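As an added illustration of the communication-pattern dimension above (example code, not the article's or Tripwire's), the following Python sketch learns a “what is talking to what” baseline from constructed flow records and then flags the two deviations the text describes: a controller suddenly talking to a new address, and a once-a-day communication that starts repeating within a single hour. The addresses, timestamps and hourly-rate rule are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed flow records (timestamp, source, destination) used to learn the baseline.
# Addresses and times are made up for this example, not taken from the article.
BASELINE_FLOWS = [
    ("2024-01-01T08:00:00", "10.0.1.10", "10.0.1.50"),   # HMI -> controller
    ("2024-01-01T08:20:00", "10.0.1.10", "10.0.1.50"),
    ("2024-01-01T09:05:00", "10.0.1.10", "10.0.1.50"),
    ("2024-01-01T02:00:00", "10.0.1.50", "10.0.1.200"),  # controller -> historian, once a day
    ("2024-01-02T02:00:00", "10.0.1.50", "10.0.1.200"),
]

# Constructed traffic observed later, containing two deviations from the baseline.
NEW_FLOWS = [
    ("2024-01-03T08:00:00", "10.0.1.10", "10.0.1.50"),    # within normal hourly rate
    ("2024-01-03T02:00:00", "10.0.1.50", "10.0.1.200"),   # daily flow...
    ("2024-01-03T02:10:00", "10.0.1.50", "10.0.1.200"),   # ...now repeating within the hour
    ("2024-01-03T02:20:00", "10.0.1.50", "10.0.1.200"),
    ("2024-01-03T10:00:00", "10.0.1.50", "198.51.100.7"), # controller talks to an unknown host
]

def hourly_counts(flows):
    """Number of flows per (src, dst) pair in each clock hour."""
    counts = Counter()
    for ts, src, dst in flows:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        counts[(src, dst, hour)] += 1
    return counts

def learn_baseline(flows):
    """Baseline: for every pair seen, the busiest single hour observed while learning."""
    baseline = {}
    for (src, dst, _hour), n in hourly_counts(flows).items():
        baseline[(src, dst)] = max(baseline.get((src, dst), 0), n)
    return baseline

def detect_changes(flows, baseline):
    """Flag pairs never seen before and known pairs exceeding their baseline hourly rate."""
    findings = []
    for (src, dst, hour), n in sorted(hourly_counts(flows).items(), key=lambda kv: kv[0][2]):
        if (src, dst) not in baseline:
            findings.append(("new_peer", src, dst, hour.isoformat()))
        elif n > baseline[(src, dst)]:
            findings.append(("rate_change", src, dst, hour.isoformat(), n, baseline[(src, dst)]))
    return findings
```

A real deployment would learn over weeks rather than two days and would key on protocol and port as well as address, but the flagging logic is the same.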
A complete visibility solution encompasses all six of these dimensions. All are interconnected and often inform each other to give a more complete picture, and all must be covered to avoid leaving a gaping hole in the armor. For example, a log entry confirms that Joe Jones, a legitimate user, logged on at 12:00. However, it would be dangerous to assume that just because Joe has the proper credentials, everything he does is fine – what if Joe is distracted and makes an error, or he is disgruntled, or what if his password keystrokes had been captured and replayed by an imposter? Therefore, you have to correlate the logon with the actions Joe performed. Did he change a configuration? Did he maneuver to an area with a known vulnerability? Looking at multiple aspects and their relationships enables you to fully understand the situation.
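To make that correlation concrete, here is an added Python example (not the article's or Tripwire's code) run over constructed log lines and configuration snapshots: it detects the 20-failures-in-ten-seconds pattern from item 3 with a sliding window, fingerprints each device configuration from item 2 to find what changed, and ties the change back to the users who were logged on at the time. The log format, event names, device names and users are all invented for the example.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, chronological authentication log: "<ISO time> <EVENT> user=<u> host=<h>".
AUTH_LOG = [f"2024-01-03T11:59:{50 + i // 2:02d} LOGIN_FAILED user=admin host=plc-07"
            for i in range(20)]                      # 20 failures within ten seconds
AUTH_LOG += ["2024-01-03T12:00:00 LOGIN_OK user=jjones host=plc-07",
             "2024-01-03T12:30:00 LOGOUT user=jjones host=plc-07"]

# Constructed configuration snapshots (device -> config text) taken at 08:00 and 12:15.
SNAP_0800 = {"plc-07": "mode=run\nsetpoint=70\n", "hmi-02": "screen=overview\n"}
SNAP_1215 = {"plc-07": "mode=run\nsetpoint=95\n", "hmi-02": "screen=overview\n"}
SNAP_1215_AT = datetime.fromisoformat("2024-01-03T12:15:00")

def parse(line):
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)

def brute_force_candidates(lines, threshold=20, window=timedelta(seconds=10)):
    """(user, host) pairs with at least `threshold` failed logins inside one sliding window."""
    recent, hits = defaultdict(deque), set()
    for ts, _event, f in (e for e in map(parse, lines) if e[1] == "LOGIN_FAILED"):
        q = recent[(f["user"], f["host"])]
        q.append(ts)
        while ts - q[0] > window:                    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add((f["user"], f["host"]))
    return hits

def changed_devices(old, new):
    """Devices whose SHA-256 configuration fingerprint differs between two snapshots."""
    fingerprint = lambda text: hashlib.sha256(text.encode()).hexdigest()
    return sorted(h for h in new if fingerprint(new[h]) != fingerprint(old.get(h, "")))

def sessions_open_at(lines, host, when):
    """Users whose session on `host` was open at time `when`."""
    users = set()
    for ts, event, f in map(parse, lines):
        if f["host"] == host and ts <= when and event == "LOGIN_OK":
            users.add(f["user"])
        elif f["host"] == host and ts <= when and event == "LOGOUT":
            users.discard(f["user"])
    return sorted(users)

def correlate(lines, old, new, when):
    """Tie each changed device to the users who were logged on when the new snapshot was taken."""
    return {h: sessions_open_at(lines, h, when) for h in changed_devices(old, new)}
```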
It may sound like a lot, and it is. That is, there is a lot to be covered, but fortunately there is not a lot that an operator needs to do to cover it all. In fact, this complete, holistic visibility – gaining insight into every point and leaving none of them invisible and therefore unprotectable – is fairly readily attainable.
The most important thing is not to be frozen in place, but to move forward decisively, taking the first step to gain visibility into your environment. Once that’s done, you can identify and implement the right protective controls, and lock your network down tight against threats of all kinds. And then, with continuous monitoring, keep that actionable data flowing on an ongoing basis.
Gary DiFazio is the strategic marketing director for industrial cyber security at Tripwire, which is part of Belden Inc.