Know What's Lurking in Your Network

As hacks into industrial control systems increase with devastating impact, how do you strengthen your operational security to reduce cyber threats? And, what do you do about those already lurking on your network?

When thinking of the difference between IT and operational technology (OT), hackers aren’t using mind bullets to attack industrial infrastructure, but they do have the power to move and control physical objects. Systems such as nuclear centrifuges, blast furnaces, and power grid on-off switches are open targets.

In general, hackers can be placed into three main tiers. Those who might hack into industrial control systems (ICS), but then have no clue what to do. Those who know enough to use human machine interface (HMI) systems to get into the ICS systems in order to disrupt operations. And finally, those more advanced threat actors—usually nation states—who are investing time, money, and resources to research how to get access to control systems without relying on HMI. Bottom line for ICS organizations: they need to be prepared for all three.

Gaining insight into intent and skill sets of potential hackers is a start toward establishing a better defense. If, for example, a less-skilled group from a nation state is using five-year-old exploits, it’s not necessary to invest as much in terms of time or resources when basic IT hygiene would provide sufficient protection. However, with groups who employ zero-day attacks, it’s important to understand and deploy more cutting-edge exploit mitigation tool kits or attempt to model malicious code behaviour for improved threat detection. This works for both IT and OT environments. Nowadays, bad actors may be more aware of code footprinting and obfuscating techniques, but no matter how stealthy or self-aware, all perpetrators leave a trail. Nobody’s perfect, and even the best make mistakes. By profiling and investing in a cyber intelligence team, organizations can go above and beyond basic computer incident response and get to the Holy Grail of information security: the ability to determine good from bad intent.

The key is detecting earlier and avoiding surprise. One way to do this is to engage security professionals who can help assess, protect, and certify critical infrastructure environments and devices. By conducting robustness testing, for example, it’s possible to uncover vulnerabilities and thwart potential exploits. 

As Richard Bejtlich summed up in his book, The Tao of Network Security Monitoring, “prevention eventually fails.” This simple, three-word phrase, which gets to the core of his detection-centric philosophy, is a critical and timely maxim for OT teams. One that bears repeating, sharing, and maybe even framing and hanging on a control room wall.  No matter how many fences or firewalls organizations mount, at some point they will fail. And that’s not to say that they should give up on prevention or that they shouldn’t be prepared, but rather that the prudent approach is to accept the limitations of preventative measures and switch focus to detection and response.

The eighties, nineties, and aughts were all about patching systems and deploying firewalls. The problem is savvy computer people know how that technology works—and they also know how to get around it all. A major shift today, especially for OT, is to be prepared to be compromised. The more skilled that companies can become at detecting and responding to malicious behavior, the more they can mitigate the risk of something really bad happening.

It’s not time to get complacent, especially for ICS organizations.

Be sure to:

• Establish a process for assessing your asset environment, especially as IT and OT systems are integrated

• Build fault tolerance and resilience through asset knowledge and document controls

• Diminish disruption or downtime to business operations by identifying, in advance, any machines that can be taken offline

Just because you feel safe behind your castle wall doesn’t mean someone isn’t tunnelling under it.