Building infrastructure resilience into ICS environments to bring about holistic cybersecurity approach

With the rising number of cybersecurity threats and vulnerabilities, it is increasingly imperative to address the complex challenges and opportunities of interconnected IT and OT (operational technology) environments through infrastructure resilience and maintenance. Growing adversarial activity has created a need for a multi-dimensional approach that considers several factors and stakeholders at the local, regional, national, and global levels. 

Primarily, the strategy is to bring people, technologies, and policies together to prevent cyber attacks from disrupting operations, while also accepting that an attack may succeed and building the ability to recover from it with minimal impact. 

Organizations must address critical infrastructure security and resilience through planning, helping communities and regions understand and communicate how infrastructure resilience contributes to community resilience. Infrastructure resilience contributes to a more resilient community and can help develop and maintain a strong, safe, and economically vibrant place to live and work. Additionally, organizations need an action plan that addresses risk and enhances infrastructure resilience by identifying and prioritizing potential solutions, focusing on incorporating infrastructure resilience projects and strategies into the community. Regional plans and processes for measuring success must also be chalked out. 

Industrial Cyber reached out to industry experts to assess the biggest challenges faced by the industrial sector in adopting infrastructure resilience in ICS environments.

Daniel Trivellato vice president of OT product and engineering at Forescout

“At the moment, one of the biggest challenges the industrial sector is facing is a lack of problem awareness and understanding of the need for protecting ICS environments, especially at the executive level of OT organizations, which limits the allocation of budgets for OT cybersecurity,” Daniel Trivellato, vice president of OT product and engineering at Forescout, told Industrial Cyber. “This stems partially from the limited amount of historical data that exists around OT incidents and their impact on organizations, which, in turn, prevents proper risk quantification and business case creation needed to fund OT cybersecurity projects. We see interest and initiatives from OT organizations that never turn into actual projects due to lack of funding or budget prioritization,” he added.

Another common challenge this sector faces in adopting infrastructure resilience is the shifting (and sometimes unclear) ownership of OT security responsibilities or even the lack of established processes and collaboration between IT and OT owners/teams. In many organizations, budget and responsibility for OT networks have shifted to the CISO group, Trivellato said. 

“The third challenge we see is the shortage of skills and people. Without the right talent, organizations are struggling to keep their infrastructure secure and are unable to execute large security programs,” according to Trivellato. “Lastly, heterogeneity of architecture, ICS vendors, and components within individual organizations makes it difficult for security projects to execute at scale. Each site is often different from the other, even within the same organization, and requires different approaches. This prevents an easy replication of solution implementation across sites and creates extra effort and time, slowing down the execution of these projects,” he added.

William Noto director of product marketing operational technology at Fortinet

“The convergence of operational technology (OT) and information technology (IT) networks has increased efficiencies and, at the same time, expanded the attack surface to include industrial control systems (ICS),” William Noto, director of product marketing – operational technology at Fortinet, told Industrial Cyber. “In the process of removing the air gap between IT and OT environments, these systems are now exposed to increasingly advanced and persistent threats. Industrial environments are low-hanging fruit for hackers involved in terrorism, cyber warfare, and espionage. Ensuring the security of industrial systems is paramount to preventing catastrophic real-world consequences.”

Security challenges in ICS environments can be difficult to remediate due to a perceived brittleness in OEM-prescribed network architectures, according to Noto. “A network switching solution that incorporates converged security features and capabilities is a great way to enhance the infrastructure resilience in ICS,” he added. 

Justin Parr-Davies partner and APMEA head of OT IoT and cyber-physical security cybersecurity and risk services at Wipro
Shyamkant Dhamke consulting partner for ICS and IoT security services at Wipro

“The perennial challenges of cybersecurity awareness, asset visibility, and management (particularly patching) remain, but ICS network accessibility issues are on the rise due to connectivity with the organization’s IT network not to mention public/private clouds and the Internet,” Justin Parr-Davies, partner and APMEA head of OT, IoT and cyber-physical security cybersecurity and risk services at Wipro and Shyamkant Dhamke, consulting partner for ICS and IoT security services at Wipro, told Industrial Cyber. “We are also seeing an increase in attacks at the facility level (CyberPhysical), adding to the key challenges that our clients are meeting and addressing as they move towards an ICS ‘zero-trust’ ecosystem within their organization as part of any ICS cyber-resiliency uplift initiative,” they added.

Addressing the additional measures that large-scale organizations must put in place to strengthen their infrastructure resilience in ICS environments, Trivellato said that the first measure organizations should take is to understand where they are on their path to securing their infrastructure. “For example, do they have visibility over their network and devices? Do they have a way to identify if a malicious actor is active in their network or, more generally, if some undesired activity is going on? Are they adhering to available cybersecurity standards, such as NIST or ISA? What gaps do they see within their organization based on existing regulatory requirements?” he added.

“Second, they could compare notes with their peers to understand what other organizations in their industry are doing with respect to these standards and mandates, and where they plan to invest in improving their security posture,” according to Trivellato. “This will enable them to learn from each other and identify gaps they didn’t previously consider,” he added.

Having addressed these questions, organizations will be better equipped to make informed decisions when they define and execute a cybersecurity strategy, Trivellato said. “By being proactive and addressing cybersecurity gaps before incidents happen, organizations decrease the potential for attacks and can actually save a substantial amount of money,” he added.

Noto said that large-scale organizations should approach their security strategy with a cybersecurity mesh architecture in mind. “It is a foundation that considers all layers of the network working together as part of an integrated ecosystem, versus a collection of stand-alone point solutions that do not communicate or work well together. Obtaining complete fabric coverage over all aspects of the network is vital for quickly detecting and mitigating threats,” he added. 

“Adding network segmentation to provide layered security and zones of control in the event of a breach is critical. Additionally, implementing technology to increase visibility for security teams across all network activity, and deploying network access in a way that constantly verifies and ensures least-privilege user access is given based on their role is very important,” according to Noto. “Behavior analytics also helps security teams learn who, what, where, and when individuals are attempting to access the network. This helps reduce the dwell time of potential threat actors-in-hiding by flagging behavior that is outside of the norm,” he added. 

“Large-scale organizations should continue to balance their ICS cyber risk tolerance with the need for non-stop ICS operational continuity in a safety-based context. One of the key components to realizing return on investment on emerging technologies is to have holistic integration with the existing security landscape and the broader IT ecosystem,” the Wipro executives said. “However, the old adage still rings true that you cannot plan to defend, let alone actually defend what you do not know about. Therefore, knowing what ICS (OT and IoT) assets are in the estate is a critical first step.”

Once a comprehensive inventory of assets has been compiled, it is important to establish baselines for both activity and configuration and keep those baselines maintained and up to date, according to Parr-Davies and Dhamke. “Thereafter, higher maturity capabilities such as secure remote ICS access, ICS endpoint protection, threat detection, and vulnerability management can be prioritized all within a ‘context aware’ segmented network which enables the creation of containment points for any incident that may occur within the ICS network environment. Finally, these should be integrated into any existing enterprise IT SOC/SIEM capability allowing for a coordinated incident management response,” they added.
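The sequence described in the two preceding passages (an asset inventory, an activity baseline learned from it, segmentation with containment points, and alerts handed to an IT SOC/SIEM, together with the least-privilege and behavior-analytics points Noto raises earlier) can be made concrete with a small detector over flow records. The block below is an added example written for this article; it is not code from Forescout, Fortinet, Wipro, or any product they sell. The Purdue-style zone layout, the allowed conduits between zones, the severities, the IP addresses, and every flow record are constructed for illustration.

```python
"""Baseline-and-deviation detection for an ICS network, driven by flow records.

Added example for this article (not vendor code). Steps mirror the text:
asset inventory -> activity baseline -> zone/conduit (segmentation) policy ->
JSON alerts shaped for ingestion by an IT SOC/SIEM.
Zones, conduits, addresses and all flow records are constructed.
"""
import ipaddress
import json

# Constructed zone model: Purdue-style levels expressed as IP ranges.
ZONES = {
    "L3_ops": ipaddress.ip_network("10.1.0.0/24"),      # historian, engineering
    "L2_control": ipaddress.ip_network("10.2.0.0/24"),  # SCADA servers, HMIs
    "L1_plc": ipaddress.ip_network("10.3.0.0/24"),      # PLCs / RTUs
}
# Conduits: (initiator zone, responder zone) pairs permitted to talk at all.
# Anything else is a segmentation violation and a containment point.
ALLOWED_CONDUITS = {
    ("L3_ops", "L2_control"), ("L2_control", "L2_control"),
    ("L2_control", "L1_plc"), ("L1_plc", "L1_plc"),
}
SEVERITY = {"outside_defined_zones": "high", "conduit_violation": "high",
            "unknown_asset": "medium", "new_conversation": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}


def zone_of(ip):
    """Map an address to its zone name, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def build_baseline(flows):
    """Learn the asset inventory and the set of seen conversations from a clean window."""
    assets = {f["src"] for f in flows} | {f["dst"] for f in flows}
    conversations = {(f["src"], f["dst"], f["dport"]) for f in flows}
    return {"assets": assets, "conversations": conversations}


def evaluate(flows, baseline):
    """Return one alert dict per flow that deviates from the baseline or zone policy."""
    alerts = []
    for f in flows:
        reasons = []
        for end in ("src", "dst"):                      # inventory check
            if f[end] not in baseline["assets"]:
                reasons.append(f"unknown_asset:{f[end]}")
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone is None or dst_zone is None:        # segmentation check
            reasons.append("outside_defined_zones")
        elif (src_zone, dst_zone) not in ALLOWED_CONDUITS:
            reasons.append(f"conduit_violation:{src_zone}->{dst_zone}")
        if (f["src"], f["dst"], f["dport"]) not in baseline["conversations"]:
            reasons.append("new_conversation")          # activity baseline check
        if reasons:
            sev = max((SEVERITY[r.split(":")[0]] for r in reasons), key=RANK.get)
            alerts.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                           "dport": f["dport"], "severity": sev, "reasons": reasons})
    return alerts


# Constructed "clean window" from which the baseline is learned.
LEARNED_FLOWS = [
    {"ts": "2023-05-01T08:00:00Z", "src": "10.1.0.10", "dst": "10.2.0.20", "dport": 4840},  # historian -> SCADA, OPC UA
    {"ts": "2023-05-01T08:00:01Z", "src": "10.2.0.20", "dst": "10.3.0.31", "dport": 502},   # SCADA -> PLC, Modbus/TCP
    {"ts": "2023-05-01T08:00:02Z", "src": "10.2.0.20", "dst": "10.3.0.32", "dport": 502},
    {"ts": "2023-05-01T08:00:03Z", "src": "10.2.0.21", "dst": "10.3.0.31", "dport": 502},   # HMI -> PLC
]
# Constructed later window to evaluate against that baseline.
NEW_FLOWS = [
    {"ts": "2023-05-02T09:00:00Z", "src": "10.2.0.20", "dst": "10.3.0.31", "dport": 502},     # routine polling
    {"ts": "2023-05-02T09:00:01Z", "src": "10.1.0.10", "dst": "10.3.0.31", "dport": 502},     # historian straight to a PLC
    {"ts": "2023-05-02T09:00:02Z", "src": "10.2.0.99", "dst": "10.3.0.32", "dport": 502},     # never-seen host in control zone
    {"ts": "2023-05-02T09:00:03Z", "src": "10.2.0.21", "dst": "10.3.0.32", "dport": 502},     # known HMI, new target
    {"ts": "2023-05-02T09:00:04Z", "src": "192.168.50.5", "dst": "10.3.0.31", "dport": 502},  # outside every zone
]

if __name__ == "__main__":
    for alert in evaluate(NEW_FLOWS, build_baseline(LEARNED_FLOWS)):
        print(json.dumps(alert))   # one JSON line per alert, SIEM-friendly
```

The routine poll produces nothing; the historian reaching a PLC directly trips the conduit rule (a containment point in a segmented design) as well as the baseline; the never-seen host and the out-of-zone address are inventory failures. In a real deployment the learned window would be long enough to cover maintenance cycles, and the baseline would be re-approved rather than silently extended whenever a "new_conversation" alert turns out to be legitimate, so that the baseline stays maintained as the text recommends.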

Scrutinizing the role that regulations, standards, and other policies play in adopting infrastructure resilience in ICS environments, and strengthening the cybersecurity posture at critical infrastructure installations, Trivellato said that he believes that regulations, standards, and other policies are very helpful to make ICS environments more secure and cyber resilient. 

“In particular, policies and regulations help by pushing organizations to accelerate the process of securing ICS environments,” according to Trivellato. “Similarly, standards help organizations understand how to secure their environment since standards are typically the result of worldwide experts compiling and refining security best practices. Eventually, they both help to ensure that cyber security strategies and solutions keep pace with the expanding threat landscape,” he added.

Trivellato also identified the main downsides of regulations: they are sometimes very generic, or they do not look at cyber security from a holistic perspective (i.e., all the way from the ‘Identify’ to the ‘Recover’ functions of the NIST Cybersecurity Framework). Compliance then becomes a box-ticking exercise that gives organizations a false sense of security. 

He pointed out that a powerful approach could be to have regulation simply refer to standards for best practices in how to implement security, as opposed to trying to reinvent the wheel. “Standards such as the NIST CSF, IEC 62443, for example, have worldwide acceptance and are the result of years of re-work from hundreds of security experts. Regulations could then limit themselves to prescribe timelines, prioritizations, and impacts of non-compliance for organizations,” Trivellato added.

Noto said that threat actors are constantly evolving their tactics and techniques to be increasingly sophisticated and destructive. “Despite consensus on the challenges surrounding the expanding attack surface, there remains a high degree of variation in security practices and capabilities across organizations. Regulations and standards bring guidance and consistency to an entire industry’s security posture. This is particularly important for ICS environments, which include a mix of both legacy and modern equipment,” he added. 

“As we continue to monitor, detect, and respond to targeted attacks, regulation and policy must continue to evolve to stay ahead of the latest threats,” according to Noto. “Organizations that can keep up with the latest standards and regulations, and consistently update, adjust and strengthen their cybersecurity posture, ensure that they will be in the best position possible to deal with incoming attacks on their ICS environments – and across the full OT and IT spectrum,” he added. 

“Regulations and Standards will continue to grow in importance as will harmonization at a global level; Governments and Regulators are responding to real-world, real-time threats that can negatively impact their economies and national stability,” Parr-Davies and Dhamke said. “While guidance has been provided historically on risk assessment and secure design through the ISA/IEC 62443, NERC CIP, NIST 800-53, ISO 27001, TSA Pipeline, DHS CFATS, and the ISA S99 series of standards, to name a few.”

“We see scope for growth in the obligations for regular testing and auditing of any ICS environment, which will place accountability onto senior stakeholders and drive cybersecurity improvement into their agenda of top priorities,” according to Parr-Davies and Dhamke. “In the immediate future, ICS cybersecurity regulation is most likely going to be more prescriptive in nature with a reliance on increased auditing by suitably qualified and empowered regulatory bodies. This will require a significant step-change in thought process, investment, and effort from organizations around the world,” they concluded.