Mandiant pushes for proactive security measures for OT, critical infrastructure environments


Mandiant has proposed deploying proactive security assessments in operational environments. Such assessments involve real-world simulation of adversary techniques, a method that has proven invaluable for uncovering critical security issues and high-risk attack paths in enterprise environments.

“The testing methodologies for proactive security assessments in OT networks need to account for the unique characteristics of industrial control system environments, with particular emphasis on the real-time nature of operations and safety-critical concerns for physical processes controlled by these systems,” Mandiant researchers wrote in a blog post on Monday. The firm warned, however, that such assessments, if performed using traditional techniques without considering the differences between IT and operational technology (OT) environments, can often produce superfluous, irrelevant, and unactionable results, or worse, introduce unacceptable risks to real-time operations in OT environments.

The advancement in industrial automation is also coupled with the increasing use of standard communication technologies that support off-the-shelf integration between OT networks and external networks, Mandiant said. This often translates to enterprise-level collaboration between an operator’s OT network and the parent organization’s IT network. The provisioning of remote communication paths between IT and OT means that Internet-connected IT devices can often be used as pivot points to propagate into OT networks and attempt remote compromise of previously unreachable industrial control system devices, it added.

Given the increasingly favorable cost-benefit balance for attackers and the growing threat profile for OT, Mandiant recommends that governments and critical infrastructure organizations enhance their preparedness to protect industrial networks and OT environments from both opportunistic and motivated cyber attacks.

Mandiant recommends that proactive security assessments for OT environments incorporate OT threat modeling, threat intelligence, risk management, the OT attack lifecycle, defense-in-depth, and detection-in-depth.

Each OT network is closely tailored to the specific objectives of its industrial operation, and often includes a multitude of local area network segments, disparate or remote geographical sites, state-dependent configuration settings, proprietary network communication protocols, and special-purpose embedded devices, Mandiant noted. “Threat modeling can help organizations identify context-specific attack scenarios, discard irrelevant assumptions for the operating environment, establish constraints and requirements for OT-specific adversarial testing, and formulate a risk-prioritized plan that covers attack vectors across the end-to-end OT environment,” the researchers added.

The Reston, Virginia-headquartered company recognizes that not every OT environment has the same threat profile. The size of the organization, the critical infrastructure industry sector, the area of operations, the geopolitical landscape, threat actor motivations, and evolving attacker techniques can all play a part in defining the current threat profile of a critical infrastructure organization. In the context of proportionate prevention and response, threat intelligence is an essential input for prioritizing relevant proactive efforts and for making informed decisions about cost-effective mitigation of cyber security risks.

OT networks also support mission-critical industrial operations and comprise high-availability network segments that have zero tolerance for unintentional disruption of real-time operations, the Mandiant researchers observed. Testing approaches for security assessment of OT networks need to incorporate stringent risk management techniques that minimize the potential for real impact on critical operations in a production environment.

It is imperative to base such testing on an in-depth understanding of both safety-critical (engineering) and operations-critical (business) constraints within the target environment. This often involves strategic preparation, strict rules of engagement, delineation between critical and non-critical segments, partial or even full simulation in a non-production environment, and customized OT-specific techniques or toolsets, they added.

Even if an attacker can exploit a specific issue and gain unauthorized access to a critical OT system, that does not necessarily translate into the ability to cause a high-consequence end-stage event in the industrial environment, Mandiant said. On the other hand, seemingly low-risk issues can often be chained together to achieve a high-gain adversarial objective against a target organization, it added.

Mandiant recognizes that the goal of proactive testing is not limited to the identification of standalone security issues. It is also important to uncover end-to-end attack chains and assess the impact on operations and business, without undue exaggeration or presumed mitigation. A further key component is the identification of actionable mitigation efforts or alternative compensating controls that increase the cost of attack progression and OT-specific mission completion.
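The two preceding points, that individually low-rated findings chain into a high-consequence path and that the value of a compensating control is measured by how much it raises the attacker's cost along that path, can be made concrete with a small attack-path model. The example below is added here for illustration; it is not Mandiant's tooling or methodology, and the network (an Internet-facing VPN gateway, an IT workstation, a dual-homed historian, an engineering workstation and a safety PLC), the findings, the severity ratings and the 1-to-5 effort scale are all constructed for the example.

```python
"""Toy attack-path model for an OT threat-modeling exercise.

Findings from an assessment are treated as edges in a graph: each one lets an
attacker who already holds `src` reach `dst` at some relative effort `cost`.
Enumerating paths from an entry point to a safety-critical asset shows how
"low" findings chain, and re-running the enumeration after modelling a
compensating control shows whether the control removes the path or merely
raises its cost. All assets, findings and numbers below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    src: str        # foothold the attacker already holds
    dst: str        # asset this weakness lets the attacker reach
    issue: str      # what the assessment reported
    severity: str   # standalone rating, as a scanner would report it
    cost: int       # assumed relative attacker effort, 1 (trivial) to 5 (hard)


# Constructed sample findings: none is rated "high" on its own.
FINDINGS = [
    Finding("internet", "vpn-gw", "MFA not enforced on remote-access VPN", "medium", 2),
    Finding("vpn-gw", "it-workstation", "flat corporate LAN, no internal filtering", "low", 1),
    Finding("it-workstation", "historian", "dual-homed historian reachable from IT", "low", 1),
    Finding("it-workstation", "eng-workstation", "RDP from IT to engineering workstation allowed", "medium", 4),
    Finding("historian", "eng-workstation", "shared local admin password", "medium", 2),
    Finding("eng-workstation", "plc-safety", "engineering software can write logic to PLC", "low", 1),
]

CRITICAL_ASSETS = {"plc-safety"}   # assets whose compromise is a high-consequence event


def build_graph(findings):
    """Adjacency list keyed by the foothold each finding requires."""
    graph = {}
    for f in findings:
        graph.setdefault(f.src, []).append(f)
    return graph


def attack_paths(findings, entry, targets):
    """Enumerate all simple paths from `entry` to any asset in `targets`."""
    graph = build_graph(findings)
    found = []

    def walk(node, path, visited):
        if node in targets:
            found.append(tuple(path))
            return
        for f in graph.get(node, []):
            if f.dst not in visited:           # simple paths only, no revisiting
                walk(f.dst, path + [f], visited | {f.dst})

    walk(entry, [], {entry})
    return found


def path_cost(path):
    """Total attacker effort along a chain of findings."""
    return sum(f.cost for f in path)


def highest_standalone_severity(findings):
    """Worst rating any single finding carries, ignoring chaining."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max(findings, key=lambda f: order[f.severity]).severity


def with_control(findings, src, dst, remove=False, extra_cost=0):
    """Model a compensating control on the src->dst weakness.

    remove=True models segmentation that eliminates the path entirely;
    extra_cost models a control (jump host, enforced MFA) that leaves the
    path in place but raises the attacker's effort on that step.
    """
    out = []
    for f in findings:
        if f.src == src and f.dst == dst:
            if remove:
                continue
            f = replace(f, cost=f.cost + extra_cost)
        out.append(f)
    return out


def summarize(findings, entry="internet", targets=CRITICAL_ASSETS):
    """Number of paths to a critical asset, the cheapest one, and its route."""
    paths = attack_paths(findings, entry, targets)
    if not paths:
        return {"paths": 0, "cheapest": None, "route": []}
    cheapest = min(paths, key=path_cost)
    return {"paths": len(paths), "cheapest": path_cost(cheapest),
            "route": [f.dst for f in cheapest]}


if __name__ == "__main__":
    print("worst standalone rating:", highest_standalone_severity(FINDINGS))
    print("baseline:", summarize(FINDINGS))
    segmented = with_control(FINDINGS, "historian", "eng-workstation", remove=True)
    print("after segmenting historian from engineering:", summarize(segmented))
    hardened = with_control(segmented, "internet", "vpn-gw", extra_cost=3)
    print("plus MFA and jump host on VPN:", summarize(hardened))
    closed = with_control(hardened, "it-workstation", "eng-workstation", remove=True)
    print("plus blocking RDP into engineering:", summarize(closed))
```

Run stand-alone, the script shows that no single finding rates above "medium" yet two complete chains reach the safety PLC, that segmenting the historian removes only one of them, that hardening the VPN raises the cost of the remaining chain without closing it, and that only the last control leaves no path. Reporting the cheapest remaining path after each proposed control, rather than the list of standalone issues, is the form of output the text argues an OT assessment should produce.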

Mandiant also pointed out that security assessments for OT environments usually focus on network segmentation and perimeter defenses. These assessments, however, often neglect security weaknesses and preventive controls within the core industrial environment itself. In an era of irreversible demand for increased connectivity, it can be difficult to contain the risk of a cyber attack in OT networks using perimeter protection alone.

The researchers also identified security monitoring and incident response as essential requirements for an effective cybersecurity strategy. This is even more true for OT networks, where opportunities to implement preventive controls or remediate security vulnerabilities are often constrained by competing priorities and operational requirements. Thus, in addition to identifying security vulnerabilities and assessing preventive controls, it is important that security assessments also evaluate preparedness for breach detection and incident response across OT networks, they added.

Mandiant’s line of thinking is fairly similar to the risk management program within the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed by the Australian government last month. The SLACIP Act requires critical infrastructure owners and operators to manage the risk of hazards that affect the delivery of essential services, designed with industry and building on existing regulatory frameworks, where possible. The program is intended to uplift core security practices related to the management of critical infrastructure assets. In addition, it aims to ensure responsible entities take a holistic and proactive approach toward identifying, preventing, and mitigating risks from all hazards.
