Ransomware and malware are increasingly targeting industrial operational technology (OT) networks and applications, forcing OT to play catch-up with information technology (IT) by defining and following strategies for defense in depth.
Every member of an organization in the OT space, from frontline workers to executives, must change daily procedures to incorporate cybersecurity best practices that keep production and data uncompromised. While there has been a substantial increase in vulnerability assessments—efforts that survey networks, applications, and organizational practices for weak points where bad actors can gain access to sensitive information—the patches being implemented remain subpar in many instances.
You know you have a problem, but how do you fix it? It is one thing to be aware of your vulnerabilities, and another to deal with them effectively.
Part of the issue began 20 years ago. As technology was rapidly evolving and OT began connecting isolated subsystems, many companies never stepped back to confirm infrastructure was ready. Today, many manufacturers are creating controllers and smart devices with cybersecurity in mind, but installing these products in a facility does not compensate for underlying infrastructure vulnerabilities.
With so much to be done, planning and prioritizing is critical. Efforts should focus on network infrastructure and core components. Many modern OT network security strategies rely on IT departments to air-gap the automation system, with only one or two points for external access. But if that safeguard is breached from the outside or compromised by a user on the inside, the automation system must depend on its own set of protections. These include:
- network separation and segmentation
- protection against unauthorized access or login
- protection against unauthorized modification and manipulation
- authentication support
- audit and security event reporting
- intrusion detection and alerting.
Intrusion detection is of particular interest. A 2018 study by Mandiant revealed that the average containment time for cybersecurity crises in 2017 was five days after detection. However, the average time to detect an intrusion was a staggering 66 days. Although cybercrime is still a rapidly evolving practice, the good news is that many incidents follow similar patterns.
Hacking does not occur in one fell swoop. It typically involves days, weeks, or months of bad actors snooping around the network and making a battle plan, whether as a coordinated multi-actor effort or a lone-wolf attack. By giving organizations the tools to detect unauthorized access and activity, smart automation systems can shut down these intrusions long before they turn into front-page headlines.
This is accomplished by threat detection devices—which funnel all data to and from an OT network—working in concert with programmable logic controllers and other controllers. Artificial intelligence and machine learning algorithms can perform tasks such as cutting power in strategic locations, turning off device communications, initiating secure firewalls, identifying and quarantining affected devices, and denying external access to the network during cyberevents. Before unauthorized access can grow into a highly consequential attack, these quick intrusion detection and defense-in-depth strategies can be used to drastically reduce the risk of disruptive incidents.
Managers and leaders must support modern infrastructure improvements and champion safe practices in their companies. Cyberevent prevention begins with a culture of awareness and is carried forward by appropriate investments in people, procedures, and products.
This is more important than ever because global supply chains carry the potential for chaotic disruption with widespread impact, sometimes triggered by exploiting a single vulnerability. For this reason, there is no room for downtime when cybercriminals strike. With cyberattacks, it is not a question of if, but of when they will impact your organization. By taking proactive steps, companies can significantly reduce their impact.
This blog has been repurposed from InTech.