Need to enhance role of OT endpoint security in safeguarding industrial environments from rising cyber attacks

In industrial and operational environments, integrating OT endpoint security into an overarching industrial cybersecurity program is essential. Endpoint security plays a critical role in the cybersecurity posture of industrial settings and needs a robust strategy to keep pace with evolving threats. Continuous monitoring and threat intelligence have emerged as key components of securing OT (operational technology) endpoints, and both practices are changing in response to escalating threats such as nation-state-sponsored attacks and geopolitical pressures.

Organizations must adapt to this changing landscape to keep their industrial systems resilient. The challenges faced by IT-class endpoints deployed in OT environments, including HMIs (human machine interfaces), EWS (engineering workstations), and historians, require a nuanced approach. Traditional endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions are being scrutinized for their applicability to these specialized endpoints, highlighting the need for tailored security measures.

Recent advancements in endpoint security technologies for OT and ICS (industrial control systems) devices within organizational environments are reshaping security protocols. Manufacturers are increasingly working on integrating new security features into PLCs and other OT-specific endpoints to enhance their defenses, reflecting a proactive stance towards cybersecurity in industrial settings.

Role of OT endpoint security in industrial cybersecurity programs

Industrial Cyber reached out to cybersecurity experts to elucidate the integration of OT endpoint security within a comprehensive industrial cybersecurity program. Drawing from their expertise, they shed light on the pivotal role of endpoint security in bolstering the overall cybersecurity resilience of industrial environments.

Qiang Huang, head of product management, Palo Alto Networks IoT security product

OT endpoints encompass a diverse range of functions, requiring tailored cybersecurity measures, Qiang Huang, head of product management of Palo Alto Networks’ IoT security product, told Industrial Cyber. “Managed assets within OT environments, such as engineering workstations, are relatively easier to protect with robust security policies enforced by firewalls, antivirus software, and advanced threat detection. In contrast, unmanaged assets like Remote Terminal Units (RTUs), sensors, and Programmable Logic Controllers (PLCs) present a greater challenge. These devices are designed for durability and long-term use, often running on real-time operating systems lacking built-in security features and the computing resources needed to run more advanced security software. Additionally, they can be geographically dispersed and not easily accessible for regular maintenance or updates.”

He added that ensuring safety, security, and system uptime requires a comprehensive cybersecurity approach built on several elements: OT asset visibility, which is essential for understanding and monitoring all OT networks and assets, detecting anomalies, and identifying potential threats; endpoint security, by installing endpoint protection directly on assets where possible; and network segmentation, which helps ensure critical systems are isolated, reducing the risk of widespread disruption during an attack.

Huang also noted that robust policy enforcement ensures consistent application of security protocols; vulnerability management identifies and addresses weaknesses before they can be exploited; and ownership and governance provide clear accountability and oversight, establishing a framework for decision-making, resource allocation, and compliance with industry standards and regulations. “By integrating these elements, organizations can create a resilient cybersecurity posture that protects their industrial operations from evolving threats,” he added.

Marty Rickard, APAC regional director of customer success and technical support at Nozomi Networks

Marty Rickard, APAC regional director of customer success and technical support at Nozomi Networks, told Industrial Cyber, “Our research team (Nozomi Networks Labs) conducts a bi-annual assessment of the state of OT and IoT security. Since our initial report in 2020, we’ve continued to track a rise in both vulnerabilities and threat activity in industrial environments.”

Rickard added that as these threats increase and grow in complexity, OT endpoint security has moved fairly quickly from a nice-to-have consideration to a critical gap in organizations’ cybersecurity postures. “However IT-based solutions often aren’t a viable or effective option in OT environments.”

Mechanisms to deal with rising cybersecurity incidents

The executives assess the significance of continuous monitoring and threat intelligence in securing OT endpoints. They also emphasize the evolution of these practices in response to escalating cyber threats, including nation-state-sponsored attacks and geopolitical challenges.

Huang noted that detecting and mitigating attacks in real time requires the ability to profile endpoints and network behavior to spot anomalous activity. “This capability allows organizations to respond quickly and accurately to threats. As attackers increasingly move laterally from IT networks into OT networks, protecting OT protocols has become a necessity rather than a luxury,” he added.

He also pointed out that continuous monitoring enhances situational awareness and visibility against specific risks, such as supply chain attacks. By integrating real-time monitoring with threat intelligence, organizations can proactively detect, analyze, and mitigate risks at scale.

“Geopolitical and nation-state attacks underscore the essential role of continuous monitoring and threat intelligence in maintaining robust security. OT threat intelligence offers crucial insights into the tactics, techniques, and procedures (TTPs) used by adversaries targeting industrial settings,” according to Huang. “By identifying which threat groups frequently target specific industries, regions, and technologies, security operations teams can better understand and contextualize threats within OT environments, enhancing the protection of operations and critical infrastructure.”

Huang also identified that as lateral attacks moving from IT to OT are on the rise, unmanaged assets in IT infrastructure pose significant risks to industrial environments. “Organizations must continuously monitor internally and manage their external attack surface to detect and mitigate potential threats effectively. Organizations can benefit from external attack surface management solutions to securely manage their external attack surface at scale.”

Rickard said that an unprotected, or poorly protected, endpoint in an OT environment can easily become a blind spot which may result in an unmonitored point of access or execution for a cyber attack. “Continuous endpoint monitoring and up-to-date threat intelligence help limit the likelihood of such a blind spot occurring. By monitoring endpoint activity in a continuous and proactive manner, cyber defense teams can reduce the time taken to detect and respond to a potential attack. This in turn will reduce the recovery time, and combined, these reduce the risk exposure and potential cost of recovery,” he added. 

Evaluating challenges of IT endpoints in OT environments 

The executives identify the common challenges faced by IT endpoints like HMIs, EWS, FMS, and historians within OT environments. They explore the application of traditional endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions to address these specific endpoints.

“IT endpoints like HMIs, EWS, and historians face unique challenges in OT environments. Designed for long-term use, these devices prioritize operational safety and availability but often run on legacy systems that may not support traditional EPP and EDR solutions,” Huang said. “This can result in newly discovered vulnerabilities remaining unpatched, as these endpoints may lack the latest operating systems or security protections.” 

Additionally, he added that older hardware in OT environments frequently runs into resource constraints (memory, CPU), where running security software on the endpoint would degrade performance and function. That risk of losing visibility and control over the process makes agent-based endpoint security on older hardware impractical.

“In these cases, a network-based approach can help monitor and secure these endpoints, and to adapt processes to avoid disruptions during security scans,” Huang said. “Balancing security and operational continuity is key to maintaining the integrity and safety of critical industrial processes.”
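The network-based approach Huang describes for endpoints that cannot carry an agent, and the behavioral profiling he mentioned earlier for spotting lateral movement from IT into OT, come down to the same mechanism: learn which hosts talk to which OT endpoints on which protocols during a known-good window, then alert on deviations. The following is an added example for this article, not code from Industrial Cyber, Palo Alto Networks or Nozomi Networks. The zone addresses, the key=value flow-log layout and every flow record are constructed for the illustration; the port numbers are the standard ones for Modbus/TCP, EtherNet/IP and S7comm.

```python
"""Network-side baseline monitoring for OT endpoints that cannot run an agent.

Added example; it is not code from Industrial Cyber, Palo Alto Networks or
Nozomi Networks. Zones, the flow-line format and all flows are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zones: the corporate IT network and one isolated OT cell.
IT_ZONE = ip_network("10.10.0.0/16")
OT_ZONE = ip_network("192.168.50.0/24")

# Assumed OT endpoints and the single protocol each one is expected to serve.
# Standard ports: Modbus/TCP 502, EtherNet/IP 44818, S7comm 102.
EXPECTED_SERVICES = {
    "192.168.50.10": {502},    # PLC A, Modbus/TCP
    "192.168.50.11": {44818},  # PLC B, EtherNet/IP
    "192.168.50.20": {102},    # PLC C, S7comm
}

# Flow export format is an assumption: one flow per line, key=value fields.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_flow(line):
    """Return (src, dst, dport) for one flow line, or None if it is malformed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def learn_baseline(lines):
    """Profile which (source, port) pairs talk to each OT destination during a
    known-good window. Flows that do not enter the OT zone are not OT endpoint
    conversations and stay out of the profile."""
    baseline = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if ip_address(dst) in OT_ZONE:
            baseline[dst].add((src, dport))
    return baseline


def check_flow(line, baseline):
    """Return the reasons a flow deviates from the profile (empty list = normal)."""
    flow = parse_flow(line)
    if flow is None:
        return ["unparseable flow record"]
    src, dst, dport = flow
    if ip_address(dst) not in OT_ZONE:
        return []  # outside the monitored cell
    reasons = []
    if ip_address(src) in IT_ZONE:
        reasons.append("IT-to-OT crossing")
    if dst in EXPECTED_SERVICES and dport not in EXPECTED_SERVICES[dst]:
        reasons.append(f"unexpected service port {dport} on {dst}")
    if (src, dport) not in baseline.get(dst, set()):
        reasons.append("talker pair not seen in baseline")
    return reasons


# Constructed learning-window flows: an HMI (.100) and an EWS (.101) in the
# cell polling the PLCs over their expected protocols.
BASELINE_LINES = [
    "2024-06-01T08:00:01Z src=192.168.50.100 dst=192.168.50.10 dport=502 proto=tcp",
    "2024-06-01T08:00:01Z src=192.168.50.100 dst=192.168.50.11 dport=44818 proto=tcp",
    "2024-06-01T08:00:02Z src=192.168.50.101 dst=192.168.50.20 dport=102 proto=tcp",
    "2024-06-01T08:00:03Z src=192.168.50.101 dst=192.168.50.10 dport=502 proto=tcp",
]

# Constructed live flows: one normal poll, one RDP attempt against a PLC from
# inside the cell, and one IT host speaking Modbus straight into the cell.
LIVE_LINES = [
    "2024-06-02T09:15:00Z src=192.168.50.100 dst=192.168.50.10 dport=502 proto=tcp",
    "2024-06-02T09:15:04Z src=192.168.50.101 dst=192.168.50.10 dport=3389 proto=tcp",
    "2024-06-02T09:15:09Z src=10.10.5.23 dst=192.168.50.10 dport=502 proto=tcp",
]


def run():
    """Learn the profile from the baseline window, then score each live flow."""
    baseline = learn_baseline(BASELINE_LINES)
    return {line: check_flow(line, baseline) for line in LIVE_LINES}


if __name__ == "__main__":
    for line, reasons in run().items():
        print("OK   " if not reasons else "ALERT", line, reasons)
```

Nothing here touches the PLC: the detector only needs a flow export or a SPAN port feed, so it adds no load to the controller and does not interfere with the process. The third live flow is the case Huang highlights: the protocol and port are legitimate for that PLC, so a port-based allowlist alone would pass it, and only the zone check and the learned talker profile catch an IT host reaching the controller.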

Rickard said that when it comes to industrial processes, one of the biggest issues with IT endpoint security solutions is performance. “IT endpoint security solutions have a bad reputation for using up CPUs. That’s not an option for OT, where, unlike IT, there is no room to slow down or compromise availability and integrity. Endpoint security tools must be able to monitor and relay information while maintaining 100% process reliability and they must be able to communicate with OT protocols that aren’t compatible with IT,” he added.

Progress of IT devices across OT environments

The executives discuss recent advancements in endpoint security technologies for IT devices within OT environments. They also examine whether endpoint security solutions for OT environments are primarily offered by OEMs or if third-party solutions are gaining traction.

Huang identified that recent advancements include extended detection and response (XDR) platforms which use machine learning to continuously profile endpoint and network behavior, detecting anomalous activities that may indicate attacks. “XDR integrates endpoint, network, cloud, and identity data, along with third-party alerts, to provide a comprehensive view of incidents. This helps identify and stop advanced threats such as supply chain and zero-day attacks by offering key artifacts and threat intelligence details,” he added.

“For managed hosts like engineering workstations, third-party solutions are becoming more common,” according to Huang. “However, for OT devices like PLCs, security is typically provided by the OEMs for the embedded devices.”

Rickard noted that endpoint security solutions for OT are still fairly limited, though greatly needed. “However progress is being made. In fact, it’s an area Nozomi Networks is passionately pursuing.”

Assessing current methods of securing PLCs, other OT-specific endpoints

The executives delve into the current methods of securing PLCs and other OT-specific endpoints compared to previous decades. They also explore the integration of new security features by manufacturers into PLCs to bolster their overall security measures.

“So far, the adoption of secure OT protocols has not progressed as anticipated,” Huang identified. “OEMs have not widely implemented secure-by-design methods, and these methods do not address the numerous legacy devices still in use. Therefore, prioritizing robust network security continues to be a practical and effective strategy.”
