The Criticality of Specialised Security Operations in OT and ICS environments
14 Dec 2020 | Mihai Andreescu
The benefits that come with OT and ICS are undeniable. From the automation of processes to improved precision, the boundaries of whole industries are being redrawn as advances are made at an overwhelming pace.
Unfortunately, given the typical technology and innovation lifecycle and the common lack of secure-by-design principles, every technological advancement brings new inherent vulnerabilities, which inevitably turn into risks that need to be mitigated. OT/ICS innovations are under the same pressures, especially given the explosion of IoT/IIoT devices coupled with IT/OT convergence. Security has been unable to keep up.
Imagine a national power grid going offline, a water treatment plant whose dosing of treatment chemicals has been altered, or nuclear centrifuges being manipulated. These are not hypotheticals; each of these nightmare scenarios has already happened.
Taking advantage of this new attack surface, advanced threat groups have ramped up attacks against OT and ICS environments. Active exploitation of these vulnerabilities leads to incidents with far greater implications than in traditional IT networks. Because OT and ICS environments control physical processes, the impact is no longer limited to data. The broad use of OT and ICS in incredibly diverse environments such as intelligent buildings, autonomous transport and industrial plants means that the physical impact of a security incident can have immediate consequences in areas ranging from health and safety to national security.
Traditional endpoint security solutions such as EDR offer no coverage for these devices: PLCs, RTUs and similar controllers cannot run an agent. Capitalising on the fact that these systems cannot be investigated in depth without specialised tools and expertise, attackers increasingly use them as a foothold, gaining persistence by staying out of reach of a basic IT incident response exercise. The difficulty of managing this variety of devices from a single central location, together with the limited maintenance windows in which a controller can be taken offline, means vulnerabilities take longer to be patched and are therefore more likely to be exploited.
A secure architecture lies at the foundation of a good defence, and air-gapped networks and logical segregation are commonly seen in deployed infrastructures. These controls have been bypassed in the past, and the current pandemic has introduced a new risk: employees working from home who need to connect to their OT and ICS systems. This added connectivity, convenient and necessary for remote working, has created additional security risk at the perimeter, because every remote access path is a route into a network that was designed on the assumption that it would have none.
Security risks are further exacerbated by the chronic shortage of OT/ICS cybersecurity talent. To illustrate, many organisations have a security operations function covering their IT networks, which instils a false sense that the OT and ICS infrastructure is protected as well. In reality, the organisation's security posture is fractured: the specific requirements of industrial networks are not addressed with specialised tools, and the traditional security operations function lacks the required skillsets.
The ICS space overflows with high-profile examples where organisations lacked this critical security operations capability and were unable to stop advanced (e.g. nation-state) attackers from taking over their infrastructure and causing havoc. From the energy sector to oil and gas, aviation and chemical plants, time and time again attackers were able not only to compromise OT and ICS devices but to leverage them for further attacks and to amplify the impact of their actions. The common denominator is usually the inability to detect these threats before their effect becomes visible in the physical process. This can only be mitigated through a specialised security operations team with the specific task and training of securing these networks, providing continuous monitoring and taking decisive action when confronted with an adversary in the environment.
A security operations function with expertise in this area is a necessity, and mature organisations have gone to great lengths to establish an operations team dedicated to OT/ICS. Because coverage by off-the-shelf security products in this space is very limited and generic, behaviour monitoring and anomaly detection are critical to the secure operation of an industrial environment: industrial traffic is highly repetitive, so a baseline of which hosts talk to which controllers, and with which commands, is a practical detection source. A security operations team that understands normal operating behaviour and can spot deviations from it has the intrinsic advantage of being able to contain threats before they entrench themselves in the network and act on their objectives.
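The baseline-and-deviation idea above, as an added worked example that is not Digital14's tooling or part of the original post. It learns, from a constructed set of Modbus/TCP flow summaries (the record format, the addresses and the function codes used are all assumptions for illustration), which client talks to which controller with which function codes, and then flags records in a later window that introduce a new client, an unseen function code, or a write from a host that only ever read during the baseline.

```python
"""
Minimal OT behaviour baseline for Modbus/TCP flow records.
Added example; not a Digital14 product. Record format is constructed:
    <timestamp> <src_ip> -> <dst_ip> fc=<modbus function code>
"""
import re
from collections import defaultdict

# Modbus function codes that change process state: Write Single Coil (5),
# Write Single Register (6), Write Multiple Coils (15), Write Multiple
# Registers (16), Mask Write Register (22), Read/Write Multiple Registers (23).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+fc=(?P<fc>\d+)$"
)


def parse(line):
    """Parse one constructed flow record into (timestamp, src, dst, function code)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m["ts"], m["src"], m["dst"], int(m["fc"])


class OTBaseline:
    """Learns which hosts talk to which controllers using which function codes."""

    def __init__(self):
        self.pairs = defaultdict(set)  # (src, dst) -> function codes seen
        self.controllers = set()       # addresses that answered Modbus requests

    def learn(self, lines):
        """Build the baseline from a window of traffic believed to be clean."""
        for line in lines:
            _, src, dst, fc = parse(line)
            self.pairs[(src, dst)].add(fc)
            self.controllers.add(dst)

    def check(self, line):
        """Return alert strings for one record; empty list if it matches baseline."""
        ts, src, dst, fc = parse(line)
        known = self.pairs.get((src, dst))
        if known is None:
            role = "controller" if dst in self.controllers else "unknown device"
            kind = "write" if fc in WRITE_FUNCTIONS else "read"
            return [f"{ts} new client {src} sent {kind} fc={fc} to {role} {dst}"]
        if fc in known:
            return []
        if fc in WRITE_FUNCTIONS:
            return [f"{ts} {src} issued write function {fc} to {dst}; "
                    f"baseline only saw {sorted(known)}"]
        return [f"{ts} {src} used unseen function code {fc} against {dst}"]

    def scan(self, lines):
        """Run check() over a window of records and collect every alert."""
        findings = []
        for line in lines:
            findings.extend(self.check(line))
        return findings


# Constructed sample data (not captured from a real plant).
BASELINE_FLOWS = [
    "2020-12-01T08:00:01 10.1.1.10 -> 10.1.2.50 fc=3",   # HMI polls holding registers
    "2020-12-01T08:00:02 10.1.1.10 -> 10.1.2.51 fc=3",
    "2020-12-01T08:00:03 10.1.1.20 -> 10.1.2.50 fc=4",   # historian reads input registers
    "2020-12-01T08:00:04 10.1.1.10 -> 10.1.2.50 fc=6",   # HMI writes a setpoint
    "2020-12-01T08:00:05 10.1.1.20 -> 10.1.2.51 fc=4",
]
SUSPECT_FLOWS = [
    "2020-12-01T09:15:00 10.1.1.20 -> 10.1.2.50 fc=4",   # normal historian read
    "2020-12-01T09:15:07 10.1.1.20 -> 10.1.2.50 fc=16",  # historian now writing registers
    "2020-12-01T09:15:09 10.1.9.77 -> 10.1.2.51 fc=43",  # unknown host reads device identification
    "2020-12-01T09:15:12 10.1.1.10 -> 10.1.2.51 fc=5",   # HMI writes a coil it never wrote before
]


def demo():
    """Learn from the clean window, then scan the suspect window."""
    baseline = OTBaseline()
    baseline.learn(BASELINE_FLOWS)
    return baseline.scan(SUSPECT_FLOWS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Three of the four suspect records raise an alert; the routine historian read does not. In a real deployment the baseline would be learned from a span-port capture or a parsed Modbus log rather than from a hand-written list, and the learning window must itself be verified clean, otherwise an attacker already present simply becomes part of "normal".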
Visit Digital14.com and learn how our extensive experience in this field can help your organisation.