In the wake of a growing number of cyber-attacks against SCADA-based environments within manufacturing and CNI, organizations are increasing spending on improved defenses. However, as potential vulnerabilities are uncovered, many of these newly aware organizations are faced with a potentially insurmountable list of problems that need addressing, whilst still needing to deliver uninterrupted services.
The risk landscape has evolved in recent years, and high-profile incidents such as Saudi Aramco and Hydro Norsk are just the tip of an iceberg of increasingly active attacks against manufacturing and CNI.
According to Kaspersky Labs’ State of Industrial Cybersecurity 2018 survey of 320 executives within OT/ICS cybersecurity, 31% had experienced a breach or security incident in the preceding 12 months. Perhaps more worryingly, a further 10% did not even measure these metrics.
This last data point suggests that a significant number of organizations do not have complete visibility over their OT environments. As such, the first stage of any plan to strengthen infosec posture starts with a security audit and assessment phase to create an initial baseline.
Audit and Assessment
Considering that a typical power plant will have over 1000 discrete systems, creating an audit is a significant task. This process can be fed from multiple sources, including initial design schematics, asset management systems and visual inspection. One of the most powerful is network analysis using well-known tools such as Wireshark, fed via port mirroring, also known as SPAN (Switched Port Analyzer). The goal of this exercise is to discover all systems down to make, model and operating software version, along with how they are connected and which protocols they use.
In a power plant, for example, this process can take a four-person team several months to complete. Alternatively, a growing number of industrial cybersecurity platforms can build this assessment through automated inspection of protocol traffic via probes that sit on the network and passively catalogue data flows over the course of a week or so.
An audit and assessment generates a matrix that then needs to be correlated against known vulnerabilities supplied from lists such as ICS CERT, which cover issues within specific protocols, operating systems and software versions. Before remediation projects can start, the matrix of assets and vulnerabilities needs to be supplemented by a risk score.
This process must be weighed against the criticality of each system and the business impact. So, for example, a potential vulnerability that if exploited could lead to a major health and safety issue or environmental damage will have a higher weighting.
Some of this task can also be automated through analysis systems with learned models that understand the process flows and interdependencies within an environment such as water treatment or gas-fired electrical generation. Another required stage that adds weighting is an evaluation of attack vectors against risk. For example, a critical system with a known but unpatched vulnerability may have a high risk score, but if that system is 100% air-gapped within a closed loop, the risk score may well be lowered.
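As an added example (not code from the original article), the correlation and weighting steps described above as a small Python routine: a passively gathered inventory is matched against an advisory list, and each hit is scaled by the asset's criticality and by its exposure, so that an air-gapped closed loop scores lower than the same flaw on an IT-connected device. All asset and advisory records are constructed, and the weights and multipliers are assumptions chosen for illustration, not values from any standard.

```python
# Added example, not from the original article: correlate a passively gathered
# asset inventory against a vulnerability list and rank remediation by risk.
# All asset/advisory records are constructed and the weights are an assumption.
from collections import namedtuple

# criticality: 1 (low) .. 5 (health/safety or environmental impact if exploited)
# exposure: "air_gapped", "segmented" or "it_connected"
Asset = namedtuple("Asset", "name vendor model firmware criticality exposure")
# severity: e.g. CVSS base score 0..10; affected_firmware: tuple of versions
Advisory = namedtuple("Advisory", "advisory_id vendor model affected_firmware severity")

# An unpatched flaw on an air-gapped closed loop is weighted lower than the
# same flaw on a device reachable from the IT network (assumed multipliers).
EXPOSURE_WEIGHT = {"air_gapped": 0.3, "segmented": 0.7, "it_connected": 1.0}

def matching_advisories(asset, advisories):
    """Advisories whose vendor, model and firmware range cover this asset."""
    return [a for a in advisories
            if a.vendor == asset.vendor and a.model == asset.model
            and asset.firmware in a.affected_firmware]

def risk_score(asset, advisories):
    """Worst matching severity, scaled by criticality (1..5) and exposure."""
    hits = matching_advisories(asset, advisories)
    if not hits:
        return 0.0
    worst = max(a.severity for a in hits)
    return round(worst * asset.criticality / 5 * EXPOSURE_WEIGHT[asset.exposure], 2)

def prioritise(assets, advisories):
    """Remediation list, highest risk first: [(score, asset name), ...]."""
    return sorted(((risk_score(a, advisories), a.name) for a in assets), reverse=True)

# Constructed sample data: fictitious vendor, models, firmware and advisory ids.
ASSETS = [
    Asset("plc-boiler-1", "ExampleCo", "PLC-100", "2.1", 5, "segmented"),
    Asset("plc-test-rig", "ExampleCo", "PLC-100", "2.1", 2, "air_gapped"),
    Asset("hmi-control-room", "ExampleCo", "HMI-7", "4.0", 4, "it_connected"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleCo", "PLC-100", ("2.0", "2.1"), 9.8),
    Advisory("ADV-EXAMPLE-0002", "ExampleCo", "HMI-7", ("3.9",), 7.5),
]

if __name__ == "__main__":
    for score, name in prioritise(ASSETS, ADVISORIES):
        print(f"{score:5.2f}  {name}")
```

The two PLCs share the same unpatched firmware, but the boiler controller outranks the air-gapped test rig because criticality and exposure, not the advisory alone, drive the order.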
Attacker Profiling
Most organizations involved in audit and assessment will tend to stop here before starting the process of remediation. However, an often overlooked and increasingly vital step is a benchmark against an external standard such as IEC 62443, which is designed to improve the safety, availability, integrity, and confidentiality of components or systems used in industrial automation and control.
This is most valuable in defining the Security Level (SL) that a system must be able to maintain against a range of attackers. These range from SL1, which indicates casual or coincidental violation, up to SL4, which indicates a sustained attack by a well-funded state actor. For CNI, risk analysis should always consider the type of adversary, as it will help to further refine where resources should be allocated and where defenses need to be strengthened.
Remediating vulnerabilities and strengthening proactive defenses are still constrained by budget and available human resources. As such, the goal of all these assessments and risk scoring exercises is to create a list of projects, based on quantifiable data, that can be actioned.
This list will be different for every organization, but after operating system, software and firmware updates, two decades of working within the industry has seen network segmentation to isolate potentially vulnerable systems from the attack vector emerge as the most prevalent remediation strategy. This is not a panacea, but it is an increasingly common requirement, especially as industrial environments start to interconnect with other networks and internet-facing systems.
Constantly Vigilant
Another vital consideration is to think of this cycle of audit, assessment and remediation as a continual process that should ideally be carried out quarterly and, at worst, at least twice a year. This is vital when you realize that a major vulnerability database such as ICS CERT will typically add between 100 and 150 new entries each quarter that are relevant to ICS/SCADA environments.
Whether budget stretches to highly automated industrial cybersecurity platforms for vulnerability assessment or to tasking a team to carry out the process across several months, without understanding the baseline there can be no improvement in security posture.
The 2019 SANS OT/ICS Cybersecurity Survey also uncovered another insight: fewer than half of organizations have inventoried their control system devices and software applications, even though these may be considered to have the highest impact if exploited. This is a startling admission and suggests that more organizations need a plan.