Earlier this month, the U.S. experienced it first major shutdown of critical infrastructure due to a cyberattack in the nation’s history. When adversaries targeted Colonial Pipeline with a disruptive ransomware attack, critical infrastructure security immediately became a mainstream concern, because the attack is unprecedented in terms of its impact. Millions of people were affected as the East Coast’s largest gasoline, diesel, and natural gas distributor suspended oil and gas delivery. What’s more, the aftermath has lingered as rising gasoline and home heating oil prices put further stress on the sector and on individuals’ wallets and plans.
For years now, the government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Last July, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert in response to a growing number of attacks targeting industrial networks. The alert included broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors and lengthy, detailed sets of recommendations for how to protect operational technology (OT) environments.
More recently, at the end of April, the NSA issued a second cybersecurity advisory on the risks of connecting industrial networks to IT networks. And following the attack on Colonial Pipeline, CISA and the FBI issued an alert urging critical asset owners and operators to adopt a heightened state of awareness and implement various controls in the face of ransomware attacks, including robust network segmentation between IT and OT networks, regular testing of manual controls, and the implementation of backups that are regularly tested and isolated from network connections.
Clearly, the days of the standard “crawl, walk, run” approach to implementing cybersecurity improvements are gone. We need to go straight to run. We don’t have three to five years nor the resources to physically segment networks that are geographically dispersed across, say, 100 manufacturing sites around the world. And attempting to implement the same 15+ IT security tools within an OT environment is often prohibitively time consuming, not to mention ineffective, unnecessary, and even risky in itself. Adversaries are evolving their approaches and escalating attacks against industrial networks. They aren’t operating on our timelines, so we need to focus on what we can do next week and next month to reduce risk the most.
Here are three ways to fast-track your organization’s journey to stronger industrial cybersecurity:
1. Tackle the visibility challenge. You can’t protect what you can’t see, so effective industrial cybersecurity must start with knowing what needs to be secured. This requires a centralized and always current inventory of all OT, IT and Industrial Internet of Things (IIoT) assets, processes, and connectivity paths into the OT environment, as well as understanding what normal looks like. The good news is that OT networks are designed to communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. This information can be gathered with passive monitoring and other techniques that have little to no impact on operations. With visibility into assets, you can tackle inherent critical risk factors, from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote-access mechanisms. You can establish a behavioral baseline against which to measure and understand the vulnerabilities, threats, and risks that may be present.
2. Deploy virtual segmentation to thwart ransomware. Often, improper segmentation between once-separate IT and OT environments is a key enabler of OT ransomware infections. While you execute your physical segmentation project within the OT networks (e.g., to segment Level 1 and Level 2, or DCS to Safety Systems), deploy virtual segmentation to zones within the industrial control system (ICS) network. This will alert you right away to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. Or it will identify operational issues with the way the process is set up, which is equally important in achieving the goal of uptime and availability. In certain levels of the network, you can’t really block traffic because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold. What’s more, virtual segmentation provides visibility across the network that can inform your physical segmentation project. So, not only are you significantly reducing risk today, you’re accelerating and improving the outcome of your longer-term physical segmentation efforts.
3. Leverage visibility and an understanding of risk to enable detection and response. The reality is that no matter the protective controls or processes you implement, it is not possible to eliminate risk completely. For this reason, being able to detect and respond to threats when they do surface is imperative. Continuous threat detection and monitoring helps manage and mitigate risk from both known and emerging threats that are not yet known. This is particularly critical as businesses adapt to the reality of distributed work environments. In fact, a PwC survey finds 83% of companies expect hybrid workplaces to become the norm. So, as more employees and third-party vendors connect remotely to the OT environment, adjusting controls with secure remote access capabilities minimizes the substantial risks introduced by remote workers.
Fortunately, the essential elements are in place to help reduce risk to critical infrastructure, so we can move straight to run. Most Fortune 500 companies have the support of their board of directors and budgets to strengthen the security of their OT networks. And the technology and know-how exist to quickly build an industrial cybersecurity program and lock down production environments. So, let’s turn the events of the last few weeks into an opportunity to accelerate industrial operations protection.