It’s been a tough year for cybersecurity teams. Critical infrastructure has faced an onslaught of cyberattacks, including high-profile incidents like the Colonial Pipeline and JBS ransomware attacks and the Florida water treatment plant hack, and the situation doesn’t look to be improving anytime soon. With the increasing geopolitical tensions in Eastern Europe, CISA has issued a “Shields Up” alert, encouraging every organization to adopt a heightened cybersecurity posture. If Western countries do decide to launch cyberattacks designed to disrupt Russia’s ability to sustain its military operations in Ukraine, as reported by NBC News, private companies in the US and Europe must ensure that they have robust defenses in place now to prevent or detect any potential retaliatory attack.
When it comes to operational technology, there are frequently missed elements of a strong security program that could leave you exposed. In this post, we will walk through 6 actions you can take now to strengthen your OT security posture.
Many companies are not periodically auditing their user account base or access control settings. This can cause them to overlook things such as unnecessary administrative permissions, weak or old password credentials and open accounts for employees who have left the company. For example, we recently identified active login accounts for employees who had left over one year ago, as well as excessive failed logins from service accounts that should have been eliminated due to sunsetted applications.
We recommend auditing all user accounts for your industrial control systems to ensure hygiene, password strength and appropriate levels of access for each account. If you are an Industrial Defender customer, you can use our platform to identify, monitor and manage all data related to system access and authentication in your OT environments. User accounts can also be extracted into an easy-to-audit list from all endpoints, with privilege levels and credentials available for examination.
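The kind of audit described above can be applied to any exported account list. The following is an added example, not Industrial Defender's code: it runs the hygiene checks from this section (stale accounts, unapproved administrators, old passwords, noisy service accounts) over a constructed CSV export. The column names, the sample rows and the policy thresholds are assumptions; substitute your own export and policy.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (not real data): one row per local account on an OT
# endpoint. The column names are an assumption about the export format.
ACCOUNT_EXPORT = """\
host,user,groups,enabled,last_logon,password_set,failed_logins_30d
HMI-01,operator1,Users,True,2022-02-20,2021-11-02,0
HMI-01,jdoe,Users;Administrators,True,2020-12-15,2020-06-01,0
HMI-01,svc_historian,Users,True,2022-02-21,2019-01-10,412
ENG-WS-02,eng_admin,Administrators,True,2022-01-15,2022-01-15,2
ENG-WS-02,vendor_temp,Users;Remote Desktop Users,True,2019-08-03,2019-08-03,0
"""

# Hypothetical policy thresholds; align these with your own access and password policy.
POLICY = {
    "stale_days": 365,                 # no logon for a year: likely a departed employee
    "max_password_age_days": 180,
    "failed_login_threshold": 100,     # noisy service accounts often belong to sunsetted apps
    "approved_admins": {"eng_admin"},  # the only accounts allowed in Administrators
}


def audit_accounts(export_csv, policy, today):
    """Return sorted (account, issue, detail) triples for enabled accounts that break policy."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"] != "True":
            continue  # disabled accounts are reviewed separately for deletion
        account = row["host"] + "\\" + row["user"]
        groups = set(row["groups"].split(";"))
        idle_days = (now - datetime.strptime(row["last_logon"], "%Y-%m-%d")).days
        pw_age = (now - datetime.strptime(row["password_set"], "%Y-%m-%d")).days
        failed = int(row["failed_logins_30d"])

        if idle_days > policy["stale_days"]:
            findings.append((account, "stale", f"no logon for {idle_days} days"))
        if "Administrators" in groups and row["user"] not in policy["approved_admins"]:
            findings.append((account, "unapproved_admin", "member of Administrators"))
        if pw_age > policy["max_password_age_days"]:
            findings.append((account, "old_password", f"password is {pw_age} days old"))
        if failed > policy["failed_login_threshold"]:
            findings.append((account, "excessive_failed_logins", f"{failed} failures in 30 days"))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue, detail in audit_accounts(ACCOUNT_EXPORT, POLICY, "2022-03-01"):
        print(f"{account:28} {issue:25} {detail}")
```

Run against the sample, the audit flags the two long-departed accounts, the unapproved administrator, three passwords older than policy, and the service account whose hundreds of failed logins point at an application that was sunsetted without its credentials being removed.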
An often-overlooked issue in industrial control systems is software installed that is not relevant to a company’s operations. For example, Industrial Defender recently discovered Guitar Hero software on a workstation, as well as iTunes running on an HMI. Security teams should also check for open vulnerabilities in their software and create a prioritized patching list for anything critical. If you have an old, unsupported OS that you can’t update, then you need to figure out what mitigations you’ll put in place to manage that risk vector.
Not having a complete picture of what software is in your operating environment opens you up to potential cyberattacks, and we recommend working to identify both unauthorized and vulnerable software in your OT systems now and planning risk mitigations where needed. If you are an Industrial Defender customer, you already have a current and complete inventory of your software and can quickly discover older, potentially unsupported software applications and plan accordingly. When using the file integrity monitoring (FIM) feature, keep a close eye on critical .exe and .dll files that are often targeted during a cyberattack.
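To show what file integrity monitoring of .exe and .dll files actually does, here is an added example that is not Industrial Defender's FIM implementation: it hashes every monitored binary under a directory, stores that as a baseline, and reports files that were added, removed or modified. The install tree and the simulated changes are constructed inside a temporary directory so the example runs anywhere.

```python
import hashlib
import os
import tempfile

MONITORED_EXT = {".exe", ".dll"}  # the file types this section says to watch closely


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every monitored binary under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MONITORED_EXT:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current):
    """Diff two snapshots; each list is what an analyst should review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed install tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/scada.exe", b"MZ original scada")
        _write(root, "bin/scada.dll", b"MZ original library")
        _write(root, "bin/old.dll", b"MZ legacy library")
        _write(root, "config/settings.ini", b"[scada]\npoll=5\n")
        baseline = snapshot(root)
        # Simulated changes: a replaced library, an unexpected new binary, a removed
        # library, and an edited config file that binary-only FIM deliberately ignores.
        _write(root, "bin/scada.dll", b"MZ replaced library")
        _write(root, "tools/newtool.exe", b"MZ unexpected tool")
        os.remove(os.path.join(root, "bin", "old.dll"))
        _write(root, "config/settings.ini", b"[scada]\npoll=1\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In production the baseline would be taken right after an approved install or patch and re-taken only through change control; every "modified" entry between those points is either an approved patch or something to investigate. Extending MONITORED_EXT to configuration files is a one-line change if your change-control process covers them too.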
Ensure that all your firewall rules are up to date to reflect any recent changes such as the removal of operational sub-system devices or software. Also be vigilant about “Any/Any” rules that would allow wide open access to anyone inside the system. This can potentially result in unauthorized communication attempts to the internet from an attacker who has made it into a company’s network. For example, Industrial Defender discovered a server trying to phone “home” that was reaching out to a vendor for updates which were not approved by the security team.
We recommend auditing and continuously monitoring your firewall rules now to ensure they are properly segmenting your OT networks. If you are an Industrial Defender customer, you can monitor both firewalls and endpoints in real time to detect any rule changes and act immediately if an unauthorized change occurs. The most important element here is that you have the visibility (and the knowledge) that the unauthorized changes took place. Too often, an unintentional change is made and never reversed. This unauthorized change could remain in production for an extended amount of time.
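The checks in these two paragraphs (stale rules for removed devices, “Any/Any” allows, unapproved egress, and unauthorized changes against an approved baseline) can be expressed as a rule-set audit. The following is an added example, not Industrial Defender's product logic, run over constructed rule sets; the rule fields, the site's internal address space and the decommissioned host are assumptions.

```python
import ipaddress

ANY_VALUES = {"any", "*", "0.0.0.0/0"}

# Hypothetical site data: the address space the OT zones live in, and a device that was
# decommissioned but whose firewall rules were never cleaned up.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
DECOMMISSIONED_HOSTS = {"10.10.5.20"}

# Constructed rule sets (not a real firewall export). "baseline" is the last approved
# rule set; "current" is what the firewall is running now.
BASELINE_RULES = [
    {"id": 10, "src": "10.10.1.0/24", "dst": "10.10.2.15", "proto": "tcp", "dport": "502", "action": "allow"},
    {"id": 20, "src": "10.10.2.15", "dst": "10.10.5.20", "proto": "tcp", "dport": "1433", "action": "allow"},
    {"id": 30, "src": "10.10.2.0/24", "dst": "any", "proto": "any", "dport": "any", "action": "deny"},
]
CURRENT_RULES = [
    BASELINE_RULES[0],
    BASELINE_RULES[1],
    {"id": 25, "src": "any", "dst": "any", "proto": "any", "dport": "any", "action": "allow"},
    {"id": 40, "src": "10.10.2.15", "dst": "198.51.100.10", "proto": "tcp", "dport": "443", "action": "allow"},
    BASELINE_RULES[2],
]


def is_any(value):
    return value.strip().lower() in ANY_VALUES


def leaves_internal_space(dst):
    """True if a destination is not fully contained in the site's own address space."""
    if is_any(dst):
        return True
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return True  # a named object we cannot resolve is treated as external until reviewed
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_firewall(baseline, current, decommissioned):
    """Return sorted (rule_id, issue) pairs for the running rule set."""
    base_by_id = {r["id"]: r for r in baseline}
    findings = []
    for rule in current:
        rid, allow = rule["id"], rule["action"].lower() == "allow"
        if allow and is_any(rule["src"]) and is_any(rule["dst"]) and is_any(rule["dport"]):
            findings.append((rid, "any_any_allow"))
        if allow and leaves_internal_space(rule["dst"]):
            findings.append((rid, "permits_external_egress"))
        if rule["src"] in decommissioned or rule["dst"] in decommissioned:
            findings.append((rid, "references_decommissioned_host"))
        if rid not in base_by_id:
            findings.append((rid, "not_in_baseline"))
        elif base_by_id[rid] != rule:
            findings.append((rid, "changed_from_baseline"))
    current_ids = {r["id"] for r in current}
    for rid in base_by_id:
        if rid not in current_ids:
            findings.append((rid, "removed_from_baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for rid, issue in audit_firewall(BASELINE_RULES, CURRENT_RULES, DECOMMISSIONED_HOSTS):
        print(f"rule {rid}: {issue}")
```

Rule 40 models the “phone home” case from the text: an allow to an address outside the site's own space that nobody put in the baseline. Running this comparison continuously (or on every configuration pull) gives you the visibility the paragraph above stresses, so an unintentional change does not sit in production for months.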
We often see customers overlooking or deprioritizing signature updates in endpoint and/or network intrusion detection systems. Having outdated AV and malware protection may leave you open to the latest cyberthreats.
We recommend monitoring these applications and ensuring that you have installed all the latest signatures. If you are an Industrial Defender customer, you can use the platform to automatically monitor your devices to ensure that they have the proper antivirus versions running, as well as the latest signature files.
Removable media is the second most common attack vector in cyberattacks against industrial control systems. Not regularly monitoring things like USB ports for suspicious activity is a very common mistake we see. For example, one of our engineers recently ran into an employee attempting to use a USB port in a control room to charge their cell phone. While convenient, this should be an unacceptable practice since it opens the system up to whatever threats may be hiding in those devices. Another potential issue could happen if the phone is set up as a new network interface to the system. This could open up the workstation to the internet from what used to be a completely air-gapped environment.
We recommend monitoring any removable media ports to identify unauthorized activity. If you are an Industrial Defender customer, you have this ability already. Any time a USB device (or CDROM, etc.) is inserted or removed it will be logged, and available for alerting/reporting.
Device configurations can change daily, so it’s important for security teams to keep a close eye on this and analyze whether these changes are legitimate or not. This isn't as sexy as AI or ML, but most attacks are logged and were just never reviewed or noticed. Unfortunately, in OT environments, daily log reviews are not a common practice.
We recommend diligent monitoring of your logs, especially as it relates to remote access. If you are an Industrial Defender customer, then your system logs are already being monitored. If there are additional application logs that you wish to add to the Industrial Defender platform, you can reach out to our support team for assistance.
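The removable-media monitoring and the daily log review recommended above come down to the same activity: reading the events that are already being logged and applying a few site-specific rules to them. The following is an added example, not Industrial Defender's platform code, covering both sections: it reviews constructed USB insertion, remote logon and configuration-change events and flags the ones an analyst should look at. The event format, field names, approved media serials, jump-host network, access window and approver list are all assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample events (not real logs), in a simple "timestamp host event k=v ..."
# form that a log collector might normalise to. The field names are an assumption.
SAMPLE_EVENTS = """\
2022-03-01T02:14:07Z HMI-01 usb.insert vid=05ac pid=12a8 serial=PHONE-7F3A
2022-03-01T09:30:12Z ENG-WS-02 usb.insert vid=0781 pid=5583 serial=OT-MEDIA-0001
2022-03-01T03:02:55Z JUMP-01 logon.remote user=vendor_temp src=203.0.113.45 result=success
2022-03-01T10:15:00Z JUMP-01 logon.remote user=eng_admin src=10.10.9.5 result=success
2022-03-01T10:16:41Z HMI-01 logon.remote user=operator1 src=10.10.9.5 result=failure
2022-03-01T11:40:03Z HMI-01 config.change object=firewall.rule id=25 by=operator1
"""

# Hypothetical site policy: approved media serials, the jump-host network remote access
# must originate from, the hours remote access is expected, and who may change configs.
APPROVED_MEDIA = {"OT-MEDIA-0001"}
APPROVED_REMOTE_NETS = [ipaddress.ip_network("10.10.9.0/24")]
REMOTE_WINDOW_UTC = range(8, 18)   # 08:00 to 17:59 UTC
CHANGE_APPROVERS = {"eng_admin"}


def parse_event(line):
    """Split one collector line into (timestamp, host, event_type, {field: value})."""
    ts, host, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, fields


def review_events(text):
    """Return (timestamp, host, issue) for each event that needs an analyst's attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, event, f = parse_event(line)
        stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        if event == "usb.insert" and f.get("serial") not in APPROVED_MEDIA:
            # Any media not on the approved list, a phone used as a charger included.
            findings.append((stamp, host, "unapproved_removable_media"))
        elif event == "logon.remote" and f.get("result") == "success":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in APPROVED_REMOTE_NETS):
                findings.append((stamp, host, "remote_logon_unapproved_source"))
            if when.hour not in REMOTE_WINDOW_UTC:
                findings.append((stamp, host, "remote_logon_outside_window"))
        elif event == "config.change" and f.get("by") not in CHANGE_APPROVERS:
            findings.append((stamp, host, "unapproved_config_change"))
    return findings


if __name__ == "__main__":
    for stamp, host, issue in review_events(SAMPLE_EVENTS):
        print(stamp, host, issue)
```

On the sample this surfaces the phone plugged into the HMI, a vendor logon at 03:02 from outside the jump-host network, and a firewall rule changed by someone who is not an approver, while the approved media and the daytime engineer logon pass silently. The point is not the sophistication of the rules but that someone runs them every day.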
Visibility is critical in times like these, and we recommend these and other important actions during this challenging period. We encourage our critical infrastructure partners around the world to remain alert, be vigilant and stay safe. As always, our team is here for you to answer any OT cybersecurity questions you might have. Current Industrial Defender customers can reach out with any questions or requests for assistance by opening a support ticket or by email at firstname.lastname@example.org.