The culture clash between IT an OT operators has taken a back seat to three emerging security issues for the industrial control systems (ICS) community. “That won’t work for OT” was a common mantra in the days before SolarWinds and smart device source code snafus. IT expert staff ranging from a single employee to robust round-the-clock teams are reconciling with emerging unknowns rather than racing to secure Windows XP vulnerabilities and dealing with technical overshare from system vendors. Security leaders and security operations centers face three major hurdles in 2021: debates over proprietary versus open source security tools, supply chain management battles, and an increasingly bleak landscape of Internet of Things (IoT) vulnerabilities.
Proprietary Vs. Open Source
Software vendors rely on the proprietary nature of their products in sales pitches to convince customers that they are more trustworthy than open source software that can be altered by virtually anyone. This practice is reinforced by OEMs purchasing security software companies to be offered strategically alongside their systems and products. Cybersecurity budgets on average are incredibly small, reportedly between 0.2% and 0.9% of net revenue. An even smaller portion is directed to ICS. This reality—coupled with the criticality of 24/7 safe and reliable operations—creates a cutthroat atmosphere for choosing the right security tools.
Open source programs are free and essentially crowd-sourced, and therefore also potentially debugged rather than manipulated by many. At the same time, the utility of any software goes only so far as humans know how to extract value from its outputs. To get full utility, end users usually provide data, sometimes confidential, which must be part of the risk calculus before purchase. End users have limited visibility into proprietary code in software that relies on access to and exchange of their data. The same is true for managed services. A security team might decide on an open source tool for network monitoring, but purchase a third-party software as a service solution—such as SolarWinds—for management and orchestration. It is increasingly difficult to weigh the costs and benefits on either side when both options present unique and unforeseen risks.
Supply Chain Management
The SolarWinds attack was novel for two main reasons. First, it went unnoticed by major security firms for several months, and second, its precise targeting allowed the authors to affect many organizations simultaneously. It may go down as the biggest cybersecurity event of 2020, but supply chain attacks are here to stay. Designing malware to masquerade as legitimate traffic will likely be a rule rather than an exception going forward, as evidenced by this approach to sending legitimate packages from public code sources to internal or private corporate applications with automated tools.
The supply chain for ICS is an added stressor to communication networks that already lack the visibility required to engender a defense-in-depth cybersecurity program. Many static OT data protocols and processes live in spreadsheets, with outdated software versions running on industrial machines 10 to more than 30 years old. ICS hardware and software in a single environment come from dozens of different vendors. Among the switches, firewalls, gateways, and port mirroring devices, network traffic might be segmented, but recent incidents reveal unknown internet connections on OT devices and vendor-supplied systems and subsystems. To ensure the integrity of software going forward, a required software bill of materials could go a long way in terms of prevention and integrity. Unfortunately, cataloguing ICS to retroactively track supply chain metadata and provenance is an expensive, time-consuming, and arduous task.
The promise of revolutionizing industry by providing unprecedented levels of interconnectivity and data optimization drive many companies to continue to bring new IoT products to market every day. In homes, factories, and cities, smart connected things are designed to serve specific functions. Created to be deployed in high numbers at low cost in industrial settings, these devices often lack basic security and data protections. They can be attacked to gain access to a larger target, to achieve deeper objectives within a corporate network. They can also be used for simple reconnaissance and espionage. Or they can be hijacked and redirected at scale to weaponize code and overflow traffic to affect critical targets.
Although endpoint security in industrial operations is gaining traction, it won’t treat the underlying causes that make IoT insecure. More data feeds, connectivity, and data management tools offer a band-aid for weak password, authentication and encryption protocols, insecure update mechanisms, and mundane privacy protections. A novice threat actor can find internet-connected devices on the website Shodan and learn how to circumvent network segmentation and penetrate isolated IoT networks using open source tools such as Nmap and Ncrack. Managing intrusions will be a constant battle between detection and response, with little attention left for addressing underlying issues after IoT products are bought and deployed from vendors.
Next Steps for Stakeholders
With these challenges in mind, it is time to get serious about securing ICS. Piecemeal approaches to vulnerability patching and compliance box checking won’t prevent sabotage by a threat actor. Critical sectors need to take note and plan inquiry and action to perform bottom-up assessments of critical operations, systems, and information. There are several useful ICS collection management frameworks, asset inventory guides, and threat intelligence resources. To build real momentum, organizations need to do reconnaissance on their operations and begin testing their assumptions.
A new standard in the ISA/IEC 62443 series, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a set of engineering measures to guide organizations through the process of assessing the risk of a new or existing ICS or IIoT system. It also establishes how to identify and apply security countermeasures to reduce that risk to tolerable levels.
Another new methodology from experts at the Idaho National Laboratory (a member of the ISA Global Cybersecurity Alliance), Consequence-Driven, Cyber-Informed Engineering (CCE), focuses on worst-case access and exploitation scenario planning. CCE proceeds from the assumption that the only way to understand attacks before they occur is to think like an attacker and stress-test your network and security policies.
These approaches are individualized, and allow experts to address security risk in critical systems to begin to confront and mitigate major pain points in 2021.