
Managing OT cybersecurity vulnerabilities at industrial facilities – PAS Global

10 Sep 2018

Article by PAS product management director Scott Hollis

The OT vulnerability threat landscape is expanding rapidly, and such vulnerabilities are considerably harder to identify and remediate than IT vulnerabilities.

The sophistication and effectiveness of industrial cyber attacks, such as the Industroyer/CrashOverride malware attack in 2016 and the Triton/Trisis malware attack in 2017, demonstrate that it is more important than ever to identify and remediate OT vulnerabilities.

Even though attacks on OT systems are escalating rapidly, many industrial organisations continue to focus cybersecurity efforts on IT-centric, rather than production-centric endpoints.

They also continue to rely on manual vulnerability management processes, leaving their industrial facilities exposed to unacceptable risks.

IT-centric cybersecurity approaches focus on securing Level 2 endpoints in the Purdue model (operator workstations, servers, routers and switches), as they are much easier to assess than controllers and smart field instruments.

However, focusing on Level 2 endpoints gives only a surface view: they make up only 20 percent of the endpoints in process control networks.

Level 1 and 0 systems are often left unassessed.

They comprise 80 percent of the cyber assets in industrial facilities and include distributed control systems (DCS), programmable logic controllers (PLC), safety instrumented systems (SIS), turbine controls, smart field instrumentation, and the sensors that directly connect to process equipment.

Level 1 and 0 endpoints matter the most in industrial facilities because they are responsible for delivering safe and profitable production. However, proprietary architectures and lack of standard protocols in multi-vendor process control environments make asset discovery, vulnerability assessment, and risk mitigation difficult.

This leaves OT systems exposed to vulnerabilities lurking on these underlying systems.

Rising vulnerability counts

The number of vulnerability advisories issued by ICS-CERT has increased by 1,035 percent since 2010.

Many of these vulnerabilities have likely been present for years, only coming to light now due to increased awareness of ICS cybersecurity risk.

OT vulnerability assessment is often a largely manual, point-in-time activity performed by outside contractors once every few years.

Assessments quickly become outdated as systems change, existing vulnerabilities are remediated, and new vulnerabilities emerge.

To maintain currency, OT cybersecurity professionals monitor ICS-CERT and automation vendor websites for new vulnerability advisories or bulletins, then email asset owners at sites to ask whether their systems are vulnerable and, if so, what the remediation plans are.

Timely, accurate responses are rare, leaving most organisations in the dark regarding their current risk.

Vendor patches and updates are often not applied for months or years.

What’s required is better OT vulnerability visibility and management.

The variety of automation system brands and models running in industrial facilities necessitates a more efficient, standardised approach to OT vulnerability identification and remediation tracking.

Industrial environments need a comprehensive, evergreen inventory of all their Level 2, 1, and 0 systems, including detailed information about current system configurations, firmware versions, operating systems, and applications.

Best practices for OT protection

Manage change effectively: Asset security postures change when process control engineers install new components or perform upgrades and maintenance. Cybersecurity personnel must have an automated way to identify changes and quickly discover any new vulnerabilities.

Look for vulnerabilities all the time: Only automated approaches to OT vulnerability assessment can keep up with the rapidly evolving OT threat landscape so that risks to production safety and reliability can be identified quickly. Level 2, 1, and 0 assessments should occur when new vulnerabilities are published, new systems come onto the PCN, or existing systems are updated.

Prioritise remediation or mitigation: Cybersecurity personnel must prioritise vulnerability remediation or mitigation activities effectively, based on potential impacts. Many organisations use the Common Vulnerability Scoring System (CVSS) scores published in the National Vulnerability Database (NVD) to gauge the potential impact a vulnerability may have. CVSS scores provide important information about how easily a vulnerability can be exploited, the potential impact of exploitation, and whether known malware targets the vulnerability. Other factors, such as asset location and criticality to process safety and reliability, should also be taken into account when prioritising remediation actions.

Track vulnerability remediation continuously: Defined vulnerability remediation and mitigation workflows ensure consistent activity tracking and reporting. Viewing the latest data in dashboards and trend views gives asset owners and OT and IT cybersecurity personnel the information they need to make educated vulnerability remediation and cyber risk management decisions.

Stay on top of OT vulnerabilities and risks: Industrial facilities must recognise that vulnerability management is an ongoing, never-ending process focused on risk reduction, not a point-in-time assessment. Continuously reducing cybersecurity risk across the entire environment is what an OT vulnerability management program is all about.
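The practices above (an evergreen Level 2/1/0 inventory, re-assessment when systems change, and CVSS combined with asset criticality for prioritisation) can be shown end to end in a small script. The following is an added example written for this article, not PAS software or any vendor's product. The asset inventory, the advisory list, the advisory identifiers (ADV-EXAMPLE-*) and the priority weighting are all constructed assumptions; a real deployment would feed the same functions from discovered asset data and published ICS-CERT or NVD advisories.

```python
"""Added example, not PAS code: match a Purdue Level 2/1/0 asset inventory
against vulnerability advisories, re-assess only changed assets, and rank
findings by CVSS plus asset context. All data and weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str           # plant asset tag (constructed)
    level: int         # Purdue level: 2 workstation/server, 1 controller, 0 field
    vendor: str
    model: str
    firmware: str      # dotted version string
    criticality: int   # 1 (low) .. 5 (process-safety critical), set by the site


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder ids, not real ICS-CERT or CVE numbers
    vendor: str
    model: str
    fixed_in: str        # first firmware version that contains the fix
    cvss: float          # CVSS base score, 0.0 - 10.0
    exploit_known: bool  # public exploit or malware reported for this issue


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def affected(asset, adv):
    """Asset matches vendor/model and runs firmware older than the fix."""
    return (asset.vendor == adv.vendor and asset.model == adv.model
            and parse_version(asset.firmware) < parse_version(adv.fixed_in))


def match_advisories(inventory, advisories):
    """Return {asset tag: [advisory ids]} for every affected asset."""
    findings = {}
    for a in inventory:
        hits = [adv.advisory_id for adv in advisories if affected(a, adv)]
        if hits:
            findings[a.tag] = hits
    return findings


def priority(asset, adv):
    """Assumed weighting: CVSS scaled by site criticality, raised for lower
    Purdue levels, plus a fixed bump when an exploit is already known."""
    level_weight = {0: 1.5, 1: 1.3, 2: 1.0}[asset.level]
    score = adv.cvss * level_weight * (asset.criticality / 5)
    if adv.exploit_known:
        score += 2.0
    return round(score, 1)


def ranked_findings(inventory, advisories):
    """(priority, tag, advisory id) tuples, highest priority first."""
    rows = [(priority(a, adv), a.tag, adv.advisory_id)
            for a in inventory for adv in advisories if affected(a, adv)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def inventory_changes(old, new):
    """Diff two inventory snapshots: added/removed assets, firmware changes."""
    old_by, new_by = {a.tag: a for a in old}, {a.tag: a for a in new}
    changes = []
    for tag in sorted(set(old_by) | set(new_by)):
        if tag not in old_by:
            changes.append(("added", tag))
        elif tag not in new_by:
            changes.append(("removed", tag))
        elif old_by[tag].firmware != new_by[tag].firmware:
            changes.append(("firmware", tag, old_by[tag].firmware, new_by[tag].firmware))
    return changes


def findings_for_changes(old, new, advisories):
    """Re-assess only the assets that changed (the change-management trigger)."""
    changed = {c[1] for c in inventory_changes(old, new) if c[0] != "removed"}
    return match_advisories([a for a in new if a.tag in changed], advisories)


# Constructed snapshots: at T1 the HMI was patched and a new PLC was installed.
INVENTORY_T0 = [
    Asset("HMI-01", 2, "AcmeAuto", "OpsStation", "4.2.0", 3),
    Asset("PLC-101", 1, "AcmeAuto", "PLC-X", "2.1.0", 5),
    Asset("SIS-01", 1, "AcmeAuto", "SafeLogic", "1.0.3", 5),
    Asset("TX-2201", 0, "FieldCo", "PressureTx", "3.0.0", 2),
]
INVENTORY_T1 = INVENTORY_T0[1:] + [
    Asset("HMI-01", 2, "AcmeAuto", "OpsStation", "4.3.0", 3),
    Asset("PLC-102", 1, "AcmeAuto", "PLC-X", "2.0.5", 4),
]
ADVISORIES = [  # constructed advisories with placeholder ids
    Advisory("ADV-EXAMPLE-001", "AcmeAuto", "OpsStation", "4.3.0", 7.5, False),
    Advisory("ADV-EXAMPLE-002", "AcmeAuto", "PLC-X", "2.2.0", 9.8, True),
    Advisory("ADV-EXAMPLE-003", "AcmeAuto", "SafeLogic", "1.1.0", 8.6, False),
    Advisory("ADV-EXAMPLE-004", "FieldCo", "PressureTx", "3.1.0", 5.3, False),
]

if __name__ == "__main__":
    for row in ranked_findings(INVENTORY_T1, ADVISORIES):
        print(row)
    print(inventory_changes(INVENTORY_T0, INVENTORY_T1))
    print(findings_for_changes(INVENTORY_T0, INVENTORY_T1, ADVISORIES))
```

Two design points matter more than the specific weights. First, the version comparison is numeric per component, so firmware 2.10.0 correctly ranks above 2.9.3; string comparison would get this wrong and silently miss affected controllers. Second, the ranking puts the Level 1 controllers ahead of the Level 2 workstation even where their base CVSS scores are similar, which is the article's point that asset location and process criticality belong in the prioritisation, not only the NVD score.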

As new vulnerabilities are disclosed and system configurations change, OT systems that were previously secure become insecure.

Organisations that implement continuous OT vulnerability management practices across all their Level 2, 1, and 0 endpoints are best positioned to avoid the danger unseen OT vulnerabilities present to production safety and reliability.
