The security community is continuously changing, growing, and learning from each other to better position the world against cyber menaces. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in Mandiant’s ICS/ OT Consulting practice and former engineer at Entergy, where he was a subject matter expert on communication and distribution of supervisory control and data acquisition( SCADA) systems. In this blog, Chris shares best practises to help mitigate the security threats to operational technology( OT) environments.
Natalia: What tools do you use to monitor and govern your OT environment?
Chris: First, you can use the control system itself, which already offers some degree of visibility into what’s happening. It looks like NASA control. Operators sit and watch the process all day. You can see what looks normal and what doesn’t look normal.
What’s new is not just looking at the system itself but at OT network security. Especially in the past five or six years, the focus has been on getting network visibility sensors into the control network. There was still several dealers, like MODBUS, Siemens S7, and DNP3, out there that understand its optional protocol and further develop sensors that are purpose-built to analyze OT network traffic rather than IT traffic.
With a newer control system, it’s much easier. Many times, they’ll use virtual machines to manage OT, so you are eligible to set agents in those areas. If it’s a Windows 10 or Windows 7 environment, you are eligible to even use Microsoft Defender Antivirus and compile the Windows event logs and switching logs. If you don’t look at the logs, you’re not going to know what’s there, so you need to monitor behavior at the network layer employing technologies like deep packet inspection( DPI) to identify compromised devices.
Natalia: What are some best practices for securing remote access to the OT network?
Chris: Number one, if you don’t need it at all, don’t have it. That’s the most secure option.
Number two, if you have to have it, make sure it’s engineered for why it’s needed and tightly control who can use it. It’s also important to make sure it’s monitored and protected with multifactor authentication( MFA) unless it’s just for read-only access to the control network, in which case it’s less of a risk. A lot of times, these OT equipment vendors involve in their warranty contracts that they have remote access with full control and the ability to change configurations, which means you’ve given someone a high level of privileged access to your control systems.
Number three, have a process and procedure for when that remote access is use and when it’s turned off. You should at least know who was there and for how long, and who did what, applying audit logs, for example.
I want to highlight that the Water ISAC, the international security network created for the water and wastewater sector, published a free document called 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. It’s a reminder to consider where remote access is coming from.
Natalia: What percentage of organizations are continuously monitoring their OT networks?
Chris: Today, it’s the exception , not the rule. The only ones monitoring are the ones that have to do it, such as nuclear companies, and the 3,000 or so largest electric utilities that are under North American Electric Reliability Corporation Critical Infrastructure Protection Standards( NERC CIP) regulation, as well as any companies that might have been attacked in the past. But even NERC CIP doesn’t require continuous network security monitoring, simply monitoring event logs in a SIEM, for example, which means you can still miss stuff.
So percentage-wise, it’s not very many, especially in non-regulated sectors like manufacturing, pharmaceuticals, chemicals, oil and gas, mining, and warehousing and logistics.
Companies don’t like to spend money on security if they don’t have to. Unfortunately, it’s going to take an attack. We didn’t have electric reliability standards until we had two Northeast blackouts that affected millions of people in 1965 and in August 2003. After that, they said, “Oh, we should probably have some electric reliability standards.” When I started at the power company, one of the lineman safety instructors said, “Safety rules are written in blood.” The only reason why we have reliability rules is because we’ve had darkness.
Natalia: How can teams break down IT and OT silos?
Chris: Communication. It’s the only thing you can do. If you’re in IT, go take a box of doughnuts down to the operators and ask, “What are the pain phases here? How can I learn more about what you do so I can understand and so you won’t slap my hand every time I say,’ Please patch.’” They will be overjoyed that someone came and visited them to learn about what they do.
Generally, if an IT guy with a white hard hat that has never had a scratch on it comes in, operators guess, “Don’t touch anything.” But if you build that trust and communication, that strengthens an organization, and you can start training courses and knowledge sharing.
Natalia: What should roles and responsibilities look like?
Chris: Now, anything that’s on a network, even in the control system environment, can report up through the chief information officer( CIO) or chief information security officer( CISO ). Even in power companies, they’re put everyone, even the folks who do SCADA for the power grid, under the CIO or CISO instead of under functionings. At smaller companies, like water and wastewater, it’s still the old situation, where you have an IT guy and an OT engineer or operator. At larger companies, OT is coming through the IT organisation under the CIO or IT is under the CIO and runnings are in the process of functionings, and the link is under the CISO. You might have security people in IT and safety people in OT.
If you’re wondering whether the CISO should be responsible for both IT and OT security, it’s a simple answer. You can’t have enterprise-wide security unless you include OT. Security needs to be applied to it all, but go to a provider that “says hes” provide enterprise-wide security and ask, “Do you know anything about OT networks in power plants? ” “Nope.” OK, then, you don’t do enterprise-wide security. You’re not protecting what attains money.
Chris: I’ve seen it implemented as one merged SOC, but I’ve also ensure two separate ones because if they have physically separate systems, they have to have physically separate SIEMs. For instance, a nuclear plant will have its own SOC, and corporate will have its own SOC. If a power company has a nuclear power plant, that plant will have its own SOC because it’s air-gapped and not connected to the outside world or the IT network. But if you have an oil and gas environment, it may have both combined into one.
There are pros and cons. If you have the money and the budget and the people, you can do it either way. Just put your people in a room, give them a lunch of pizza, and let them come up with the best solution. There are advantages of having a merged SOC. You don’t even need an OT-specific SOC analyst. Just have a good IT security person learn from the control technologists or operators, and then create those alerts, and do hunting, tool tuning, and regulation tuning.
Natalia: What would you say to a board of directors to get them to prioritize OT security?
Chris: I’d keep it short and sweet: “What would happen if you couldn’t stimulate hammers anymore? ” If the CISO can’t answer that question, you know the person needs to gain that awareness. Do we have visibility of the network? Do we have offsite backups for our control systems? Do we have security awareness train?
Board members are not concerned with the latest and greatest advanced persistent menace( ATP ), but they do care about risk to the business. They’ll say, “We don’t have any security because we don’t have enough people. If we don’t have security implemented, we have a small risk of having downtime.” If “youre talking to” any administrator, they’ll know exactly how much money they lose per period if production goes down. We look at business risk in terms of the equation: hazard equals impact hours probability. Since we don’t have enough data about cyberattacks in OT to have a probability, we tie cybersecurity to the risk register and replace likelihood with exploitability. How easy is it to exploit? Can a script kiddie do it? Could my 13 -year-old son do it?
If you’ve got an operating system exposed to the Internet, discoverable via Shodan, it is exploitable within minutes. What is the impact of that? If it’s in a chemical, pharmaceutical, food factory, or refinery, that’s a problem not just for downtime but more importantly because it could cause a safety or environmental incident. If it’s a temperature ascertain, that’s much less danger. Corporations will have a risk register for everything else, including natural disasters. They should have one for OT cybersecurity danger too.
To learn more about Microsoft Security answers, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the most recent developments and updates on cybersecurity.
The post Mitigate OT security threats with these best practices seemed first on Microsoft Security .
Read more: microsoft.com