Another day, another massively critical vulnerability. Microsoft has released two CVEs at the most critical level within as many months. The latest (CVE-2020-1472) has even warranted a rare Emergency Directive from the Cybersecurity & Infrastructure Security Agency (CISA), which required all federal agencies to patch over a weekend, and also strongly suggested that all state and local governments and critical infrastructure companies patch as quickly as possible.
That’s all well and good, but the challenge faced by a board of directors, executive management and operations staff is how to most effectively manage the risk of this vulnerability being abused. This is what risk professionals are supposed to do, right? Take the limited resources of people, money, and in the case of industrial control systems (ICS), operational down time and balance it against mitigating the potential cybersecurity risk this vulnerability poses.
Sounds easy enough. It’s super bad according to basically everyone, and we just need to patch. In IT this isn’t really a problem, they have pretty routine maintenance windows, and even taking an emergency outage on an infrastructure like Active Directory, designed and refined for resiliency over the last two decades, is pretty low risk.
OT environments are different, though. You have real trade-offs and bottom-line decisions to be made. We’ve talked about this a little bit before when the last major Microsoft vulnerability was announced, the worm-able DNS flaw, but we are going to dig deeper into the risk story here.
Let’s pretend you have three major plants owned by a large company. One makes power and steam for the other two, one mixes volatile chemicals, including an ingredient that leverages waste from the power plant to make a key input in the third factory, which makes glass marbles for chaff in military planes. They all have very different cost and profit structures. Each of these assets will have their own unique operating characteristics. There are things like process cycle times, boilers that need to time to ramp up and cool down, and pipes, tubs or filters that need to be flushed and cleaned between every shutdown and startup. They will have their OEMs, support vendors, protocols, IT infrastructure and staff. Looking at the DefenderSphere is a great visualization of this complexity. In short, each plant, even within the same company, has a very different risk profile from the other.
So, when your board member, who is a former general from the armed services, wakes up and reads a dozen emails from their peers about this alert, it starts a chain reaction. We will give this company the benefit of the doubt and assume their CISO has a direct relationship with the board, especially those on the Risk Committee, like the general. The CISO is awoken by the sound of text with a link to the directive.
This is where our story can really diverge from those who have holistic cyber risk programs with visibility and analytics to support the entire enterprise, including OT, and those who don’t.
We all know the story for the company with no visibility into their OT endpoint risk. It doesn’t go well, and they lose millions in downtime, contractual penalties, vendor callouts at double rates for emergency, security consultants, etc. But what if they had real visibility into their risk? What does that look like?
It looks a lot like this:
This is what happens when you combine complete visibility into your OT endpoints and networks with a flexible risk framework grounded in a monitored, measured and managed controls framework.
When you know what is really in your OT environments, you can begin to create real risk frameworks, built not around what a vendor thinks is risky, but tailored to the unique needs of your company.
When the call comes in, the CISO and their staff of analysts are not only able to see what systems are missing the patch, but how that fits into the bigger picture. Not all OT systems are created equal, and therefore have completely different risks.
The power plant, because it sells excess power on the grid, has some contractual obligations with the local grid operator. It installed Industrial Defender a long time ago and has been managing things for the better part of a decade. Its patches are all up to date, especially compared to its peers. It’s also completely in alignment with its baseline configuration, meaning account policies, installed software, interface configurations and firewall rules are also all as they are supposed to be.
The chemical plant saw some looming legislation a couple years ago and leveraged the benefits the power plant had seen from deploying Industrial Defender. It’s in second place of the three sites in terms of OT risk management maturity. Their annual maintenance is only a month away, however, that means it hasn’t seen a patch in months. There are couple of devices that should be monitored but haven’t communicated in a while. Otherwise, they are fairly in compliance with their design configurations.
The manufacturing plant is a hot mess. It’s only recently come into scope. Compared to its peers, it not only has a plethora of vulnerabilities, but the firewalls also all have exceptions. It looks like the monitoring agents aren’t reporting in, probably due to one of those recent unapproved firewall changes, so they would miss any events, including local malware and removable media events that could be used to head-off any foothold in the environment.
So, what does one do? Do you patch the manufacturing environment first because of its higher attack surface? Do you patch the power plant due to its importance to the other plant’s operations?
The truth of the matter is, I don’t know. That’s the call that people within an organization have to make based on their unique needs, which is why we allow you as the risk owner to pick the data points that matter most to you, and their weights, to determine what an asset’s risk score is. We allow you to account for intangibles like the criticality of the asset, which you can set, or whether that asset is subject to regulatory requirements like NERC CIP, and at what level. Our mission at Industrial Defender is to arm you with the best data possible to make a prudent decision based on your needs, not our predefined formula.
To learn more about how our new Endpoint Risk Analytics Suite can help you make smarter cybersecurity and risk management decisions, schedule a time to chat with one of our ICS experts.