Dark Reading is part of the Informa Tech Division of Informa PLC
9/18/2018
02:30 PM
Barak Perelman
Commentary
The Top 5 Security Threats & Mitigations for Industrial Networks

While vastly different from their IT counterparts, operational technology environments share common risks and best practices.

Our nation's critical infrastructure and the industrial control networks that manage them are under constant threat from a host of malicious actors — including nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

Unfortunately, all industrial control system (ICS) networks share a common weakness: they were built before cyber threats existed and were not designed with security controls built in.

A breach of an ICS network can be disastrous and expensive. Consequences range from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk. In addition, a breach can bring heavy fines from regulators and lawsuits from parties claiming injury or damage, and it can also shake shareholder confidence.

Given these stakes, let's consider the five most common threats to ICS networks and how to reduce the risk associated with them.

Risk 1: Poor Network Configuration
The weaker the configuration, the greater the likelihood of a successful attack. For example, once a control device has been exposed to the Internet through a poor configuration, both phases of a breach can occur — the attacker can gain a foothold in the network and then exploit a sensitive asset.

Mitigation: ICS devices should never be directly connected to the Internet. Strict network segmentation should be implemented and the integrity of the network should never be sacrificed for the sake of convenience.

Risk 2: No Audit Trail
An audit trail is essential for understanding what's going on in any network. However, logging mechanisms in some ICS environments do not exist or are incomplete. In many cases, security teams lack the knowledge of operational technologies (OT) to know how to collect logs or where to look for them.

Mitigation: Basic record-keeping is crucial for both the incident response and the forensic investigation of an attack. It is also required for any type of regulatory compliance audit. This begins with understanding the limitations of the environment — what data is being monitored and collected, and what isn't. One hundred percent visibility, monitoring, and control should be the goal, including the collection and aggregation of all logs.

Most ICS networks have components that generate an audit trail, but too often these capabilities are underutilized. All incidents should be automatically reported to the security incident response team, logged, and correlated via a real-time audit mechanism.

Risk 3: Lack of Control
Many ICS environments do not have basic controls for managing assets that are considered table stakes in IT networks. As a result, security hygiene in OT networks is often an afterthought and lacking in the following ways:

  • Patches can't be easily deployed and usually aren't.
  • There's no centralized, up-to-date inventory of assets, configurations, software versions, patch levels, etc.
  • Internal security policies are not monitored or enforced.
  • The security model is based on an "if it works, better not mess with it" paradigm.

Mitigation: Implementing a centralized and automated asset management capability for OT networks is crucial. Without an up-to-date and accurate inventory of ICS assets, especially the controllers responsible for managing physical processes, it is virtually impossible to assess risks, apply patches, and detect unauthorized changes and activity.
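The inventory-driven check described above, as an added example that is not part of the article or any Indegy product: a baseline taken from the approved asset register is compared against a fresh discovery snapshot to surface unregistered devices, missing controllers, configuration drift and stale patch levels. All device names, addresses, hashes and the patch-level policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str      # tag from the asset register
    ip: str
    firmware: str      # firmware version the device reports
    config_hash: str   # hash of the controller's program/configuration
    patch_level: str   # "YYYY-MM" of the last applied vendor patch

# Constructed baseline: what the approved asset register says is deployed.
BASELINE = {
    "PLC-01": Asset("PLC-01", "10.10.1.11", "3.2.1", "a1f3", "2018-06"),
    "PLC-02": Asset("PLC-02", "10.10.1.12", "3.2.1", "b7c9", "2018-06"),
    "RTU-07": Asset("RTU-07", "10.10.2.7", "1.9.0", "0d44", "2017-11"),
}

# Constructed snapshot from a passive discovery run on the OT network.
OBSERVED = {
    "PLC-01": Asset("PLC-01", "10.10.1.11", "3.2.1", "a1f3", "2018-06"),
    "PLC-02": Asset("PLC-02", "10.10.1.12", "3.2.1", "e0e0", "2018-06"),  # program changed
    "PLC-09": Asset("PLC-09", "10.10.1.19", "3.0.0", "9c9c", "2016-01"),  # not registered
}

MIN_PATCH_LEVEL = "2018-01"  # constructed policy threshold

def compare_inventory(baseline, observed, min_patch=MIN_PATCH_LEVEL):
    """Return (severity, asset_id, finding) tuples for every deviation."""
    findings = []
    for aid in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(aid), observed.get(aid)
        if obs is None:
            findings.append(("medium", aid, "registered asset not seen on the network"))
            continue
        if base is None:
            findings.append(("high", aid, f"unregistered device at {obs.ip}"))
        else:
            if obs.config_hash != base.config_hash:
                findings.append(("high", aid, "controller configuration differs from baseline"))
            if obs.firmware != base.firmware:
                findings.append(("medium", aid, f"firmware {base.firmware} -> {obs.firmware}"))
        if obs.patch_level < min_patch:  # "YYYY-MM" strings order correctly as text
            findings.append(("low", aid, f"patch level {obs.patch_level} older than {min_patch}"))
    return findings

if __name__ == "__main__":
    for sev, aid, msg in compare_inventory(BASELINE, OBSERVED):
        print(f"[{sev}] {aid}: {msg}")
```

A configuration-hash mismatch on a controller is the finding that matters most here, because it is exactly the unauthorized change the text says cannot be detected without a current inventory.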

Risk 4: Employee Ignorance
Just as in IT environments, employees pose a significant risk to OT network security. Phishing attacks, social engineering, and risky browsing behaviors all threaten to punch a hole that attackers can exploit to compromise the IT network, the OT network, or both via lateral movement.

Mitigation: Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

Risk 5: Insider Attacks
Insiders in OT environments pose the same security risk as in IT environments. The source can be malicious, such as a disgruntled employee, an insider who is paid to steal or sabotage assets, or an internal account compromise attack by an outsider. An insider threat can also be unintended, caused by human error.

Mitigation: Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don't need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats. Knowing and monitoring OT attack vectors, which are primarily the network and direct access to devices via serial ports, can also defeat these threats. Network activity anomaly detection and routine device integrity checks can identify malicious activity before it's too late. Finally, unifying IT and OT security, because both environments are often interconnected, can help protect against attacks that originate on one network and attempt to move laterally to the other.
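The account side of that risk assessment, as an added example that is not part of the article: each account's granted permissions are compared with a per-role baseline to flag over-privileged access, and ownership and last-login data are used to flag orphaned and dormant accounts. The roles, permission names, accounts and the 90-day dormancy policy are all constructed.

```python
from datetime import date

# Constructed role baseline: the permissions each OT job function actually needs.
ROLE_BASELINE = {
    "operator": {"hmi.view", "hmi.acknowledge_alarm"},
    "engineer": {"hmi.view", "plc.download", "plc.online_edit"},
    "vendor": {"plc.download"},
}

# Constructed accounts: (user, role, granted permissions, owner still active?, last login)
ACCOUNTS = [
    ("op.smith", "operator", {"hmi.view", "hmi.acknowledge_alarm"}, True, date(2018, 9, 10)),
    ("op.jones", "operator", {"hmi.view", "hmi.acknowledge_alarm", "plc.download"}, True, date(2018, 9, 12)),
    ("eng.lee", "engineer", {"hmi.view", "plc.download", "plc.online_edit"}, True, date(2018, 9, 1)),
    ("vendor.acme", "vendor", {"plc.download"}, False, date(2017, 12, 3)),
    ("svc.hist", "operator", {"hmi.view"}, True, date(2018, 2, 1)),
]

DORMANT_DAYS = 90  # constructed policy: unused for longer than this is flagged

def review_accounts(accounts, today, baseline=ROLE_BASELINE, dormant_days=DORMANT_DAYS):
    """Return (user, category, detail) tuples for accounts that need attention."""
    findings = []
    for user, role, perms, owner_active, last_login in accounts:
        extra = perms - baseline.get(role, set())
        if extra:  # access beyond what the role needs to do the job
            findings.append((user, "over-privileged", sorted(extra)))
        if not owner_active:  # nobody is accountable for the account any more
            findings.append((user, "orphaned", "owner no longer active"))
        elif (today - last_login).days > dormant_days:
            findings.append((user, "dormant", f"no login for {(today - last_login).days} days"))
    return findings

def run_review():
    """Run the review against the constructed data as of a fixed date."""
    return review_accounts(ACCOUNTS, date(2018, 9, 18))

if __name__ == "__main__":
    for user, category, detail in run_review():
        print(f"{user}: {category} ({detail})")
```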

Despite the cultural divide between IT and OT, both environments share a common set of threats and vulnerabilities. And while the consequences of an OT security breach are decidedly more physical in nature, many of the lessons learned and best practices from IT can help prevent them.


Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...