If you touch any part of operational technology (OT), you’re likely well-aware of the mounting cyber threats facing critical infrastructure, which inherently runs on OT. OT drives our global economy, from treating the water we drink and making modern medicines to powering the lights in our homes. OT is essential, and cybercriminals are overtly aware of this dependence.
To make matters worse, the attack surface is expanding. We are now in the era of converged IT and OT environments, where previously isolated OT devices are now internet-accessible. Today’s adversaries are entering OT environments and critical infrastructure from all bases, even by traversing from IT to OT. The recent Activity Alert from the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) warned of increased malicious activity targeting critical infrastructure and urged facilities to take immediate action to secure OT assets. A recent study from Forrester Consulting, commissioned by Tenable, supports this, citing that 65 percent of U.S. organizations experienced business-impacting cyberattacks or compromises that involved operational technology systems in the past year.
The underlying message here is to be prepared—but how?
Listen to Your Network
The majority of modern converged industrial environments contain “IT-like” devices, such as Windows workstations. Traditional methods to track network vulnerabilities with static, point-in-time visibility aren’t designed for converged environments, increasing the likelihood of blind spots. It's time to make changes to level the playing field and reduce cyber risk.
Cybercriminals move fast, and today’s interconnected devices have provided a number of entry points. Organizations can benefit from equipping security teams with tools built to scan and assess IT and address OT through real-time, passive monitoring. Utilizing passive monitoring provides security teams with holistic visibility into which hosts (computers or devices) are active on the network, when new hosts become active, which ports/services are active, and which inter-asset connections. If a cybercriminal attempts to exploit a vulnerability and instigates a network attack, passive monitoring is key for teams to stay aware and swiftly take action to remediate.
Maintain Device-Level Visibility
While passive monitoring can illustrate the propagation of an attack, leveraging active querying in tandem can identify an attack at the outset—at the device level.
Active querying is a proactive approach to securing operations that brings timely insights about the OT devices on your network. It takes into account all operating systems, firmware and configurations and delivers vital, real-time data on all assets, vulnerabilities, and security risks. If successful, an attack on control devices could cause imperfect or dangerous medicines to be made in a pharmaceutical production facility, or allow for a faulty vehicle to leave the assembly line. Maintaining device-level visibility to remediate vulnerabilities and monitor changes for anomalies can stop a cybercriminal in his or her tracks, before affecting operations.
Embrace Risk-Based Vulnerability Management
Though passive monitoring and active querying provide the schematic of your environment and alert you of vulnerabilities to remediate, nothing can change the deluge of vulnerabilities security teams must assess. There will always be new attack vectors in both IT and OT environments that cybercriminals are looking to exploit, but they are most often looking to exploit the vulnerabilities that can result in the biggest impact, whether it’s halting operations or stealing sensitive data.
Instead of using precious time to sort through low-risk vulnerabilities, security teams should prioritize remediation of the vulnerabilities that pose the most risk to the business. This can be achieved with tools that leverage data science, predictive analytics, and research to predict which vulnerabilities should be prioritized based on the likelihood of actual exploitation. Taking a risk-based approach to vulnerability management can streamline operations to improve security posture.
Just as cybercriminals are often ruthless in their attempts to break into networks, organizations operating OT and critical infrastructure should act in-kind and continuously secure all access points. A proactive over reactive approach to cybersecurity is essential to keep the pace to face the threats in today’s converged environments. A combination of passive monitoring, active querying, and risk-based vulnerability management helps security teams seal all virtual doors and windows, and raises the alarm during potential attacks. With this peace of mind, industrial organizations can focus on what matters most: the critical operations driving the global economy and welfare.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.