One of the most useful ways users can determine the right cybersecurity approach is learning about its increasingly lengthy history and how more recent events continue to affect it. For example, early breaches due to malware like Stuxnet, Triton, NotPetya and many others evolved in the wake of seemingly unrelated world events like the COVID-19 pandemic and Russia’s invasion and war in Ukraine.
“The pandemic drastically increased remote connections into operating environments, and initially many weren’t done using the most secure practices,” says Larry Grate, business development director for OT infrastructure and security at Eosys Group, a system integrator in Nashville, Tenn., and a certified member of the Control System Integrators Association (CSIA). “Most were driven by the need to support operations without the risk of having employees physically come into manufacturing environments. However, during the past few years, we’ve seen a lot of work on remediation and securing remote access.”
Eosys works mostly in the food and beverage, chemicals, pulp and paper, and steel industries, but it’s also a member of the Manufacturing Information Sharing and Analysis Center (MfgISAC), a cybersecurity threat-awareness and mitigation community for small, medium and enterprise-level manufacturers. Grate recommends joining MfgISAC, as well as Dragos’ Operations Technology Cyber Emergency Readiness Team, which provides free policy and procedure templates, intelligence sharing and cybersecurity best practices for perimeter defenses and other protections.
“The definition of ‘perimeter’ must include networks as well as physical facilities because someone can bring in assets, calibrations, smart phones with Bluetooth wireless connections and anything else that can be brought in or out,” says Grate. “This has been the situation for at least 10 years, but what’s changed significantly in the past couple of years is the rate at which OT has been hit with many more ransomware and other cyberattacks.”
Defend the device level
While the lowest-level devices in industrial control systems (ICS) don’t typically support any encryption or authentication, Grate adds that the two best options for protecting them are network segmentation and ICS-specific monitoring tools.
“To implement either, you’ll need managed switches deployed throughout your facility as deeply as you want to segment and monitor your network,” adds Grate. “Your first step will likely be upgrading your network infrastructure to support your monitoring tools and enable segmentation. For your most critical systems and processes, consider implementing software-defined networking (SDN), which provides arguably the most secure micro-segmentation available. Finally, define your use case for a network security monitoring (NSM) tool, and find one that meets your needs.”
Separate and disconnect
Once physical and network perimeters are established and evaluated, and assets and configurations within them are inventoried, Grate reports users must develop an incident-response and disaster-recovery plan for every cyber-threat they expect to face. “There are two main playbooks for today’s cyber-attacks. The first is how to respond to ransomware by separating networks and recovering equipment,” explains Grate. “The second is being able to disconnect landed operations, similar to how IT does it, and creating temporary air gaps when necessary.”
For instance, Eosys recently worked with a Tier 1 automotive parts manufacturer that previously had isolated islands of automation, but subsequently allowed a direct connection between its plant and enterprise networks. That connection led to a compromise during which its IT staff could see callouts from ransomware on the OT side.
“This automotive client tried to keep running in an islanded state until they could address their outage, remove the ransomware, reload their HMIs and other equipment and start back up,” adds Grate. “Their system had to run for six months with this malware, which had used an encrypted key to gain entry. During that time, they couldn’t use any of their crippled equipment.”
Once the ransomware was removed and the automotive client was fully operational again, Grate reports it and Eosys drafted an incident-response plan, which included creating a defensible architecture based on network segmentation with the zones and conduits advocated by the ISA/IEC 62443 cybersecurity standard. They also started authenticating users and passwords with an Active Directory server (ADS), which identifies individuals based on their job roles. Finally, they built an asset inventory with vulnerability data, initiated network traffic evaluation, and adopted a zero-trust strategy, which is similar to whitelisting, but creates micro-perimeters that allow more granular segmentation than individual work cells, though not as granular as individual devices.
“This allows more precise segmentation by risk, and lets users define their risk appetite,” explains Grate. “Users are typically OK with accepting some risk. If a process is low-risk, they can segment it by process work cell or larger. If a process is high-risk, they can segment closer down to the devices. Once these risk levels are established, users can begin to implement secure, remote access by using multi-factor authentication.”
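As an added illustration that is not from the article or from Eosys, the Python below models the risk-driven zone granularity and the ISA/IEC 62443-style zone-and-conduit allow-listing described above, using constructed asset names and a hypothetical conduit table. Low-risk assets share a cell-wide zone, high-risk assets get a device-level micro-perimeter, and any flow without an explicit conduit is denied, so a direct enterprise-to-plant connection like the one in the automotive incident fails the check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    cell: str      # work cell / process area the asset belongs to
    risk: str      # "high" or "low": the risk appetite set for that process
    level: str     # "enterprise", "dmz" or "plant" placement

def zone_of(asset: Asset) -> str:
    """Risk-driven zone granularity: low-risk plant assets share a cell-wide
    zone, high-risk plant assets get their own device-level micro-perimeter."""
    if asset.level != "plant":
        return asset.level
    if asset.risk == "high":
        return f"device:{asset.name}"
    return f"cell:{asset.cell}"

# Hypothetical conduits: explicitly allowed (source zone, destination zone,
# protocol) triples. Anything not listed is denied (zero-trust default).
# There is deliberately no enterprise -> plant conduit; the enterprise zone
# only reaches the DMZ.
CONDUITS = {
    ("enterprise", "dmz", "https"),
    ("dmz", "cell:packaging", "opcua"),
    ("dmz", "device:sis-plc", "opcua"),
}

def flow_allowed(src: Asset, dst: Asset, proto: str) -> bool:
    """True only if the flow stays inside one zone or an explicit conduit permits it."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True
    return (s, d, proto) in CONDUITS

def audit(flows):
    """Return the flows a segmentation policy would block, for review."""
    return [(s.name, d.name, p) for s, d, p in flows if not flow_allowed(s, d, p)]

# Constructed sample inventory (names are hypothetical)
ERP       = Asset("erp-server", "corp", "low", "enterprise")
HISTORIAN = Asset("historian", "dmz", "low", "dmz")
PACK_HMI  = Asset("pack-hmi-1", "packaging", "low", "plant")
PACK_PLC  = Asset("pack-plc-1", "packaging", "low", "plant")
SIS_PLC   = Asset("sis-plc", "reactor", "high", "plant")

if __name__ == "__main__":
    sample = [(ERP, HISTORIAN, "https"), (HISTORIAN, PACK_PLC, "opcua"),
              (PACK_HMI, PACK_PLC, "modbus"), (ERP, PACK_PLC, "modbus"),
              (PACK_HMI, SIS_PLC, "modbus")]
    print("blocked:", audit(sample))
```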
Fearful futures
“Unfortunately, with the rapid adoption and development of artificial intelligence (AI), we’re likely to move from ransomware being the primary threat to operating environments to much more sinister things, such as a successful attack against a safety instrumented system (SIS),” adds Grate. “The other challenge is that many users don’t watch for threat actors, so they may not be aware they have adversaries in their environment stealing their intellectual property. Fortunately, attacking OT environments and getting a desired effect isn’t a trivial effort. Shutting down a process is rather simple, but using a system to create a desired effect in a process is far more difficult, and would require insider knowledge or significant reconnaissance work. This is why it’s so critical to protect items like P&ID and electrical drawings, control narratives and loop sheets. These documents can draw a roadmap for an adversary to their desired destination, which is something none of us want to see happen.”