This is part two of a two-part series by cybersecurity expert Dan Ricci on OT and ICS exposure points such as misconfigurations and insecure remote access that jeopardize processes beyond the risks introduced by software and firmware vulnerabilities. Part one can be found here.
Operational technology’s (OT) exposure to cyber threats extends beyond the confines of technical software and firmware vulnerabilities. The supply chain and insiders are two other significant areas of concern, where risks can originate from third-party vendors or suppliers with inadequate cybersecurity measures or those inside the firewall with similarly privileged access.
In part two of this two-part series, we’ll examine these risks, and suggest some mitigation strategies.
A supplier with weak cybersecurity measures can become a conduit for attackers to infiltrate an otherwise secure OT network. We’ve seen some devastating examples of supply chain attacks in recent years. The most notorious is likely the SolarWinds attack, in which advanced attackers infiltrated the company and pushed malicious updates to its customers that opened backdoors on their systems.
The use of open source software within commercial and homegrown products can also pose a risk if a popular library is compromised. A recent example is the XZ backdoor that affected Debian and Red Hat Linux distributions; had that attack succeeded, compromises at a significant scale could have followed.
These are significant exposures, beyond the exploitation of known vulnerabilities, that must be managed.
Similarly, malicious or unintentional insider threats pose a substantial risk. Employees with privileged access can inadvertently expose OT systems to threats or intentionally misuse their access for malicious purposes. An insider with malicious intent can exploit their access privileges to bypass security controls and compromise OT systems. Moreover, personnel unaware of cybersecurity best practices can inadvertently expose OT systems to threats through seemingly innocuous actions. Thus, addressing these factors through cybersecurity awareness training is crucial to enhancing the overall security posture of OT environments, especially in the areas of phishing awareness and avoiding the use of weak or default credentials.
Reducing the risk of OT exposure necessitates a comprehensive strategy that tackles technical and non-technical elements.
Misconfigured devices can introduce vulnerabilities, underscoring the importance of implementing solid configuration management practices. Regular checks and updates can ensure that devices are configured accurately and that any modifications do not bring about new vulnerabilities.
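The configuration checks described above can be automated. The following Python script is an added example, not code from the article or from any vendor: it assumes a hypothetical OT gateway whose configuration can be exported as plain `key=value` lines (a constructed format), compares the current export against an approved baseline to report drift, fingerprints each configuration so a change is detectable at a glance, and flags the weak settings the article calls out (default credentials and insecure services left enabled). All device names, keys and values below are constructed sample data.

```python
"""Configuration drift and weak-setting check for an OT device export.

Added example (not from the article). Assumes a hypothetical device that
exports its settings as one key=value pair per line; the keys, values and
hostnames below are constructed sample data.
"""
from dataclasses import dataclass, field
import hashlib

# Constructed: the approved baseline for a hypothetical PLC gateway.
BASELINE_CONFIG = """\
hostname=plc-gw-01
ntp_server=10.0.5.2
snmp_community=Rl7#mq9zQ
web_admin_password=Str0ng!Passphrase42
telnet_enabled=false
ssh_enabled=true
firmware_version=2.4.1
"""

# Constructed: a later export from the same device after an undocumented change.
CURRENT_CONFIG = """\
hostname=plc-gw-01
ntp_server=10.0.5.2
snmp_community=public
web_admin_password=admin
telnet_enabled=true
ssh_enabled=true
firmware_version=2.4.1
vendor_debug_port=8899
"""

# Well-known default or empty credential values to flag (constructed list).
DEFAULT_CREDENTIALS = {"admin", "password", "public", "private", "1234", ""}
# Substrings that mark a key as holding a credential.
CREDENTIAL_KEYS = ("password", "passwd", "community", "secret")
# Services that should not be enabled on an OT device; key -> value that enables it.
INSECURE_SERVICES = {"telnet_enabled": "true", "ftp_enabled": "true"}


def parse_config(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def config_fingerprint(cfg):
    """SHA-256 over the sorted key=value pairs, so ordering differences do not matter."""
    canonical = "\n".join(f"{k}={cfg[k]}" for k in sorted(cfg))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)   # key -> (baseline value, current value)
    added: dict = field(default_factory=dict)     # keys present only in the current export
    removed: dict = field(default_factory=dict)   # keys present only in the baseline
    findings: list = field(default_factory=list)  # weak-setting descriptions

    @property
    def drifted(self):
        return bool(self.changed or self.added or self.removed)


def find_drift(baseline, current):
    """Compare two parsed configs key by key."""
    report = DriftReport()
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            report.removed[key] = baseline[key]
        elif key not in baseline:
            report.added[key] = current[key]
        elif baseline[key] != current[key]:
            report.changed[key] = (baseline[key], current[key])
    return report


def check_weak_settings(cfg):
    """Flag default credentials and insecure services in a parsed config."""
    findings = []
    for key, value in cfg.items():
        if any(m in key for m in CREDENTIAL_KEYS) and value.lower() in DEFAULT_CREDENTIALS:
            findings.append(f"{key}: default or empty credential in use")
        if key in INSECURE_SERVICES and value.lower() == INSECURE_SERVICES[key]:
            findings.append(f"{key}: insecure service enabled")
    return findings


def audit(baseline_text, current_text):
    """Full check: drift against baseline plus weak settings in the current export."""
    report = find_drift(parse_config(baseline_text), parse_config(current_text))
    report.findings = check_weak_settings(parse_config(current_text))
    return report


if __name__ == "__main__":
    report = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("baseline fingerprint:", config_fingerprint(parse_config(BASELINE_CONFIG)))
    print("current fingerprint: ", config_fingerprint(parse_config(CURRENT_CONFIG)))
    for key, (old, new) in report.changed.items():
        print(f"CHANGED {key}: {old!r} -> {new!r}")
    for key, val in report.added.items():
        print(f"ADDED   {key}={val!r}")
    for key, val in report.removed.items():
        print(f"REMOVED {key}={val!r}")
    for finding in report.findings:
        print("FINDING", finding)
```

In practice the baseline would be the configuration approved during commissioning and stored under change control, and the fingerprints would be logged after every scheduled check so that an unexplained change (the added debug port, the re-enabled Telnet service) is caught at the next review rather than after an incident. Credential values appear in the export only because the device emits them; a real deployment would compare hashed values or restrict who can read the export.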
Moreover, enhancing supply chain security is of paramount importance. Supply chain security includes ensuring third-party vendors comply with stringent security standards and routinely evaluating their security stance to avert supply chain attacks. The ISA/IEC 62443 set of standards offers an all-encompassing framework for implementing cybersecurity measures in industrial settings, detailing best practices, guidelines, and requirements that your organization can adhere to for securing your OT systems and data.
The significance of cybersecurity consciousness and training for OT personnel is paramount. As the primary operators of OT systems, these individuals are crucial in upholding security. Thorough training initiatives can give them the knowledge and abilities to recognize potential threats, adhere to best practices, and respond efficiently to incidents. As per NIST SP 800-82 Rev 3 guidelines, cybersecurity awareness and training should be consistent and regularly updated to tackle new threats and vulnerabilities.
Furthermore, CISA offers guidance on enhancing the security of OT systems, highlighting the importance of supporting open-source software (OSS) development and maintenance, managing and patching vulnerabilities in OT/ICS environments, and utilizing the Cross-Sector Cybersecurity Performance Goals (CPGs) as a standard framework for implementing critical cybersecurity best practices for OSS.
OT security is a complex operational environment with high stakes and potential exposure points that extend beyond traditional vulnerabilities. From misconfigured devices and network connections to supply chain risks and insider threats, each facet presents its unique challenges. However, these challenges can be effectively addressed with a comprehensive and multifaceted strategy. This strategy involves implementing robust configuration management practices, enhancing supply chain security, and fostering a culture of cybersecurity awareness among OT personnel.
The ISA/IEC 62443 standards, NIST SP 800-82 Rev 3 guidelines, and CISA's guidance provide valuable frameworks for securing OT systems and data. They emphasize the importance of learning to adapt to evolving threats and vulnerabilities. By adhering to these best practices, guidelines, and requirements, organizations can significantly reduce the risk of OT exposure and safeguard their critical infrastructures. The journey towards resilient OT security is continuous, requiring vigilance, commitment, and a proactive approach to stay ahead of potential threats.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.