Industrial cybersecurity company Claroty said that the COVID-19 pandemic has accelerated the transition towards a remote workforce. For industrial information technology (IT) and operational technology (OT) systems, the shift exposed industrial networks to increased security threats through remote connections that inherently expanded an organization’s attack surface.
The physical distancing requirements implemented in response to the COVID-19 pandemic forced many organizations to transform into a virtual workplace. While it is widely understood that purpose-built technology is required to mitigate the security threats associated with the ‘new normal,’ a crowded marketplace saturated with insufficient solutions means that decision-makers must understand which criteria to use when evaluating vendors.
Many virtual private networks (VPNs) or other offerings that claim to provide secure off-site access to industrial technology environments eliminate or obfuscate the audit trail of remote user activity, Claroty said in a blog post. This makes it difficult, or even impossible, to investigate potentially malicious remote user activity and correlate it with other events on an organization’s industrial network. This is particularly concerning in situations where the questionable remote activity could have an impact on process integrity or safety, irrespective of whether the activity is malicious or unintentional.
Traditionally, industrial cybersecurity incidents have required personnel to work on-site in order to access network and forensic data. In the post-COVID era, remote investigations will likely remain commonplace for many enterprises as part of accelerated digital transformation.
Even with remote access, time is of the essence when it comes to investigating potential security threats to enterprise industrial technology environments, Claroty pointed out. The longer it takes security personnel to analyze potential security threats, the more likely an incident could affect process integrity and safety. As such, decision-makers should scrutinize vendors on their offering’s ability to evaluate and examine indicators of compromise within an industrial network, as well as the impact the indicator in question has had on similar technology environments.
When it comes to addressing industrial security alerts, the more context about a security threat provided to a security operations center (SOC) analyst, the better. A remote user action under investigation may have been performed by an adversary, or alternatively, by a process engineer, vendor or contractor. SOC analysts need detailed information to help determine key questions, such as who performed the operation and whether it was authorized.
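The two requirements above, an audit trail of remote user activity that can be correlated with other events on the industrial network, and enough context for a SOC analyst to answer who performed an operation and whether it was authorized, can be illustrated with a small correlation script. The following is an added example, not code from the original article or from Claroty; the log formats, hosts, user names and the role-based change policy are all constructed for the demonstration and do not correspond to any vendor's product.

```python
from datetime import datetime

# Constructed sample remote-access gateway audit log (hypothetical format):
# each session has a start and an end record tied to the jump host it used.
SESSION_LOG = """\
2021-02-03T08:00:12Z session=S1 user=jdoe role=process_engineer jump_host=10.0.5.21 action=start
2021-02-03T08:45:30Z session=S1 user=jdoe role=process_engineer jump_host=10.0.5.21 action=end
2021-02-03T09:10:00Z session=S2 user=vendor_acme role=vendor jump_host=10.0.5.22 action=start
2021-02-03T09:40:00Z session=S2 user=vendor_acme role=vendor jump_host=10.0.5.22 action=end
"""

# Constructed sample OT change-event log as a network monitor might emit it
# (hypothetical format): source host, target PLC and the kind of change seen.
OT_EVENT_LOG = """\
2021-02-03T08:20:05Z src=10.0.5.21 dst=10.0.9.7 asset=PLC-7 event=config_download
2021-02-03T09:15:45Z src=10.0.5.22 dst=10.0.9.3 asset=PLC-3 event=setpoint_write
2021-02-03T09:25:10Z src=10.0.5.22 dst=10.0.9.7 asset=PLC-7 event=config_download
2021-02-03T11:02:00Z src=10.0.5.23 dst=10.0.9.7 asset=PLC-7 event=firmware_update
"""

# Constructed change policy: which remote-user roles may perform which changes.
AUTHORIZED = {
    "process_engineer": {"config_download", "setpoint_write", "firmware_update"},
    "vendor": {"setpoint_write"},
}


def parse_kv_line(line):
    """Parse '<ISO timestamp> key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def build_sessions(session_text):
    """Fold start/end records into one session entry per session id."""
    sessions = {}
    for line in session_text.splitlines():
        f = parse_kv_line(line)
        s = sessions.setdefault(f["session"], {
            "session": f["session"], "user": f["user"], "role": f["role"],
            "jump_host": f["jump_host"], "start": None, "end": None,
        })
        s[f["action"]] = f["ts"]  # action is either "start" or "end"
    return list(sessions.values())


def session_covers(session, event):
    """True if the event came from the session's jump host during its lifetime.
    A session with no end record yet is treated as still open."""
    if session["jump_host"] != event["src"] or session["start"] is None:
        return False
    if event["ts"] < session["start"]:
        return False
    return session["end"] is None or event["ts"] <= session["end"]


def attribute_events(session_text, event_text, policy):
    """Attribute each OT change event to a remote session and judge it.

    Verdicts: 'attributed' (known user, change allowed for their role),
    'unauthorized' (known user, change outside their role's policy),
    'unattributed' (no remote session explains the event: the audit trail
    is missing or the change came from elsewhere, which is what an analyst
    must investigate first)."""
    sessions = build_sessions(session_text)
    findings = []
    for line in event_text.splitlines():
        e = parse_kv_line(line)
        match = next((s for s in sessions if session_covers(s, e)), None)
        if match is None:
            verdict, user = "unattributed", None
        elif e["event"] in policy.get(match["role"], set()):
            verdict, user = "attributed", match["user"]
        else:
            verdict, user = "unauthorized", match["user"]
        findings.append({
            "ts": e["ts"].isoformat(), "asset": e["asset"], "event": e["event"],
            "user": user, "session": match["session"] if match else None,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in attribute_events(SESSION_LOG, OT_EVENT_LOG, AUTHORIZED):
        print(f"{f['ts']} {f['asset']:6} {f['event']:16} "
              f"user={f['user'] or '-':12} session={f['session'] or '-':3} {f['verdict']}")
```

The join key is the remote-access gateway's jump host plus the session time window: without the gateway's audit records the last event (a firmware update from a host with no session) cannot be tied to any person, which is exactly the gap the article describes when a remote-access offering drops or obscures its audit trail. The third event shows why context beyond identity matters: it is attributable to a named vendor account, yet the change falls outside what that role is permitted to do and so still needs analyst attention.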
Claroty also pointed out that digital extortion through scattered, spam email-based attacks for relatively low payoffs has largely been replaced by targeted campaigns, where victims are chosen based on their perceived ability and willingness to pay.
With more IT systems integrated into OT environments, CISOs and executives in discrete manufacturing, food and beverage, automotive and other industrial settings will have to contend with the growing awareness among threat actors of industrial processes and the risks to them introduced by connectivity to the internet.
Last month, Claroty and CrowdStrike integrated the Claroty Platform’s OT asset discovery and threat detection capabilities with CrowdStrike’s Falcon platform for identifying targeted and compromised endpoints. Claroty’s OT security platform promises complete IT/OT visibility and threat detection coverage for industrial control system (ICS) networks and endpoints.
This integration will provide IT/OT visibility and a single source of information for these assets across connected sites, by enabling Claroty to identify and enrich IT-oriented ICS assets on which a CrowdStrike agent is installed.