Endpoint protection for operational technology, Fortinet experts say “Endpoint resilience is absolutely critical.”
According to a recent study commissioned by cybersecurity company Fortinet, interest in endpoint protection for operational technology is growing. According to their 2020 report, 25 to 30 percent of enterprises have already adopted endpoint detection and response solutions and another 31 percent are interested in deploying EDR technology in the future. Another 14 percent are currently engaged in an ongoing project to deploy EDR technology.
This increased interest likely stems from the increased threat to industrial environments. At the Cyber Security for Critical Assets World Conference in June, Fortinet staff discussed the current threats facing industrial environments, the expanding attack surface in OT and the importance of endpoint protection.
“We’re seeing more and more threats because of the fact we’re starting to connect things to the internet, because we’re adopting new technologies and more devices within our environments,” said Michelle Balderson, Director, Operational Technology (OT) and Critical Infrastructure (CI) SME, Fortinet. “Digital innovation within operational technology is really creating an increased risk and disruption to operational technology. We’re adding additional devices into these environments that have traditionally been air gapped, but they have a requirement for internet connectivity so therefore we’re reducing or eliminating the air gap.”
According to Balderson, an expanding attack surface, advanced threats using artificial intelligence and machine learning, and ecosystem complexity are all causing security issues.
In industrial environments, the digital attack surface is expanding and the perimeter is no longer easy to define due to the expansion of users and devices. This expanding attack surface involves changing networks along with the adoption of cloud, software as a service, hyperscale data centers and edge compute.
“Within OT what we’re seeing is an opportunity to be able to use these new compute and network capabilities to be able to digitally transform our business to become more operationally efficient,” Balderson said.
However, despite the benefits of digital transformation, attacks stemming from this transformation can be damaging and the ways in which attackers are gaining access is changing.
A decade ago, the malicious computer worm Stuxnet was the most significant threat facing supervisory control and data acquisition systems. It was a predominantly physical form of attack because in order to gain access, a person needed to physically insert a USB device into the industrial environment. Since then, new attack methods have emerged.
“The trend we’re seeing is cyber physical which is the risk coming from the internet and malware coming from the internet,” Balderson said. “We need to be able to protect holistically across the environment, from not only the cyber, but the physical side of the fence.”
In a Fortinet audience poll during a recent endpoint protection webinar, 50 percent of respondents indicated ransomware was their top cybersecurity concern.
“One thing I’ve observed is most of the enterprises are really in a hurry to boost malware protection maturity,” said Tsailing Merrem, Director of Product Marketing of endpoint security for Fortinet. “It’s become consumerized and you can easily get file-less malware in the dark market. As a result enterprises really need to move their protection maturity up and deploy EDR technology.”
However, Merrem emphasized that attackers are constantly changing their attack methods. In addition to ransomware, she’s seen attackers use phishing tactics along with using a supplier’s weakness to gain access.
In order to defend against the wide range of attacks, Merrem said companies need an integrated endpoint security solution that includes prevention, detection and response. This solution should include features like behavior-based detection for file-less attacks/living off the land attacks, automated response and remediation, and attack surface reduction.
“Everybody now has prevention and most likely will have machine learning anti malware. Most people are able to do behavior-based detection and have some kind of response capability,” Merrem said. “However, what you want to watch out for is are they manual or are they automatic? You also want to look for the ability to protect the system post infection, planning for the inevitable. If a system is infected, how quickly can you protect the system? And on the detection side, how can you balance detection with making sure the system learns from its mistakes, continuously tuning to reduce false positives, because we don’t want alert fatigue to bog down our team.
“And on the response side, to deal with modern threats like ransomware, that really can strike in seconds or minutes, a few hours or 24 hour response time is not going to cut it so you need to have an automated response.”
Endpoints are the first physical point of access into industrial environments and the last point that can be protected. Balderson said an effective endpoint security framework must include visibility, control and awareness. Complete visibility means organizations must be able to see any device, anywhere on the network. Control is dependent on each system and subsystem doing it’s job and only its job. And awareness includes continuous analysis of behaviors for actionable intelligence. Balderson recommends installing EDR on all devices.
“Endpoint resilience is absolutely critical. If we don’t put endpoint protection and response on our solutions, what we see is devices become one of a community and in that community if one gets infected they ultimately all get infected because we have east west traffic and that east west traffic isn’t controlled,” Balderson says. “When we start to do isolation relative to isolating the host, we then understand the individual capabilities of the host. We understand the processes that are running on the host, and then we can put in controls relative to the individualized process and anything that is malicious and we won’t then impact the rest of the community.”
Overall Fortinet’s cybersecurity experts said endpoint protection requires a broad, integrated and automated approach. This involves identifying the broad attack surface, a rapid response, and automated trust assessment. It also involves not just protecting against known threats but unknown threats.
“I absolutely believe in defense in depth,” Balderson said. “We also need to integrate detection of unknown threats and that’s the machine learning capabilities that we see deployed within the EDR, but it’s also sandboxing technologies that can be deployed within the network to be able to virtually look at what an attack is actually doing.”
For more information on endpoint protection and Fortinet’s solution FortiEDR visit fortinet.com.