Introduction

Despite investing significant budgets and resources in security products and services. The common response is inconclusive—leading us to focus on incident response and system recovery as our primary objectives. 

Why Do Attackers Target Security Systems First?

To address this question, one must comprehend the situation through a thorough investigation process—particularly when substantial funds are allocated to security measures. Let's explore two concepts for a better understanding. First, consider the analogy of armies in a real war attempting to strike each other's critical infrastructure. They need to neutralize the defense ability first to proceed with hitting the critical infrastructure successfully.

Similarly, in cyberattacks, hackers aim to compromise security systems initially to ensure the overall success of their subsequent attacks. Secondly, in the Operational Technology (OT) environment, security products are often configured not to disrupt OT operations. This reduction in security measures may introduce vulnerabilities, making it easier for attackers to compromise the system compared to traditional IT systems.

The answer lies in understanding concepts like these: attackers target our security measures first to ensure the success of the entire attack. In our OT environment, where security products are customized, vulnerabilities may arise due to the need for adjustments that do not interfere with operations. Consequently, attackers find it easier to exploit these security weaknesses compared to other systems like IT.

The response to the challenging question from management can be summarized as follows: the initial answer lies in our security measures, where significant investments are made. Let's delve into the Adversary Tactics, Techniques, and Procedures (TTP) to understand how they target security measures and penetrate these layers. Subsequently, we'll provide solutions to safeguard our security measures from adversaries.

Adversaries' Tactics and Techniques

In the current landscape, adversaries employ various methods to target and bypass security products and services such as firewalls, IDS, IPS, and antivirus. These methods can be broadly categorized into three groups:

• Bypassing Tactics: Attackers manipulate network connections to penetrate security products like firewalls without detection. Techniques include packet rebuilding, network protocol exploitation, and session encryption. Detection requires advanced measures like Security Operations Center (SOC) monitoring.

Scenario: Attackers use packet rebuilding to conceal attacks within seemingly legitimate packets, making it challenging for firewalls to identify malicious activities.

• Exploitation of System and Software Vulnerabilities: Traditional attacks target programming errors in security products and services, exploiting common operating systems, firmware, or software vulnerabilities.

Scenario: Attackers exploit vulnerabilities in edge firewalls facing the internet, ensuring their attacks pass through undetected.

• Input and Output Manipulation: This method focuses on misconfigurations in security products and services. Attackers exploit these misconfigurations to custom-tailor attacks, testing and playing with input for applications.

Scenario: Attackers test firewall policies for misconfigurations, using loopholes in network policies to facilitate scanning methods and successful attacks.

How to Enhance Your Security Strategies:

Understanding why attackers target security capabilities and the common methods used, we now need a strategic approach to mitigate these risks. ISA/IEC 62443 standards provide a foundation for security concepts, fundamental requirements, and system and component requirements. By following these standards (e.g., 62443-2-1, 62443-3-3, and 62443-4-1), you can apply them across different industries and sectors, addressing unique challenges.

It's crucial to recognize that cybersecurity standards and frameworks serve as baselines for your cybersecurity program. While they aid in compliance, breaches often surpass these guidelines and budgets.

To reinforce your security mindset, consider security products as any software or hardware in your possession. Understand that these products, while providing security services, are vulnerable. Approach security products with extra focus during risk assessments and audits, subjecting them to rigorous testing such as vulnerability assessments and penetration testing. This proactive approach reduces the likelihood of security products becoming the weak link in your organization.

For example, implement IEC 62442-3-2 risk assessment specifically for security systems and architecture in OT systems. This focused risk assessment provides insights into security capabilities, allowing you to identify and address risks effectively. Keep in mind that additional budget and resources may be required for such assessments.

Conclusion

When dealing with organizational assets—prioritize testing security products and services thoroughly. Develop a robust security testing plan, as these products are the primary targets for attackers. Regardless of the budget allocated to these products, vulnerabilities persist. One vulnerability in these products could serve as an entry point for multiple attacks on your OT system.

Embrace a mindset shift within your organization, recognizing that handling security assets requires special attention. Implementing security-focused risk assessments for security systems ensures a proactive approach without conflicting with broader OT system risk assessments. While these standards and frameworks provide a starting point, enhancing your security capabilities against advanced attackers targeting your OT system requires a change in mindset.