The recent attacks on Florida’s water treatment system, the worrisome trend of cyber attacks that physically impact control systems, and the growing pattern of supply chain attacks against entities such as SolarWinds have led the White House to undertake a new effort to help critical industries protect against cybersecurity breaches.
U.S. Deputy National Security Advisor, Anne Neuberger, has shared the US government’s concerns and vision in a recent interview with the Associated Press. The interview followed a previous brief by Department of Homeland Security (DHS) Secretary, Alejandro Mayorkas, made last month.
In this blog, we will review four of the main concerns expressed by the two US cybersecurity leaders and we will offer advice on how they can best be addressed.
Unlike IT networks, where attacks impact data and threaten business operations, in utility operational (OT) networks threat actors can take control of and severely damage physical assets. From power interruptions and water supply disruptions to large-scale operational accidents, these attacks measurably endanger human safety and lives.
Lack of visibility is one of the major concerns of critical infrastructure operators, utility suppliers, and industrial companies. Operational (OT) networks are usually distributed; they contain multi-vendor systems spanning multiple generations, many of which include legacy systems that lack even basic security measures. These are managed by many different control systems and are often monitored manually. As a result, we rarely find organizations that have good visibility into their OT networks.
Gaining full visibility of such a plant without automation is nearly impossible, rendering risk reduction and cybersecurity defenses ineffective.
As such, the first step in protecting critical control systems from cyber-attacks should be to gain full visibility. Full visibility of operational environments can be achieved only by applying automated asset discovery that identifies assets using various technologies capable of detecting multi-generation devices. In addition, it is essential that the asset discovery not only identifies assets in the network, but also provides context that includes the business process and operational impact of all assets.
Traditional security solutions, especially those designed for operational networks, are usually focused on post-breach detection of attack patterns such as an intrusion signature or specific events that are known to be malicious. The result: thousands of daily alerts that are uncorrelated, lack context and cannot be managed. To effectively defend operational networks against cyber-attacks, it is essential that events coming from different systems and different parts of the network be automatically correlated and that attack patterns across the organization be identified. In doing so, organizations can proactively mitigate risks based on actual threats against their organizations.
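The correlation step described above, as an added Python example (not OTORIO's product code): events from three constructed monitoring sources (a VPN gateway, an HMI audit log and a PLC monitor) are grouped into incidents by user and host inside a time window, and an incident is flagged only when a remote login is followed by a control-logic change across more than one source system.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # system that emitted the event (constructed names)
    user: str
    host: str
    action: str

# Constructed sample events from three different monitoring systems
RAW = [
    ("2021-04-01T02:10:00", "vpn-gw", "jdoe", "eng-ws-01", "vpn_login"),
    ("2021-04-01T02:12:30", "hmi-audit", "jdoe", "eng-ws-01", "hmi_session_start"),
    ("2021-04-01T02:15:10", "plc-monitor", "jdoe", "eng-ws-01", "plc_program_download"),
    ("2021-04-01T02:16:00", "plc-monitor", "jdoe", "eng-ws-01", "setpoint_change"),
    ("2021-04-01T09:00:00", "vpn-gw", "asmith", "eng-ws-02", "vpn_login"),
    ("2021-04-01T14:00:00", "hmi-audit", "ops1", "hmi-03", "hmi_session_start"),
]
EVENTS = [Event(datetime.fromisoformat(t), s, u, h, a) for t, s, u, h, a in RAW]

# Events from the same user on the same host within this gap belong to one incident
WINDOW = timedelta(minutes=30)

# Attack pattern worth a single high-priority alert: remote login followed by a
# control-logic change, observed across at least two different systems
PATTERN = ("vpn_login", "plc_program_download")

def correlate(events, window=WINDOW):
    """Group chronologically ordered events into incidents keyed by (user, host)."""
    incidents, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.host)
        cur = open_by_key.get(key)
        if cur and ev.ts - cur[-1].ts <= window:
            cur.append(ev)
        else:
            cur = [ev]
            open_by_key[key] = cur
            incidents.append(cur)
    return incidents

def matches_pattern(incident, pattern=PATTERN):
    """True if the pattern's actions occur in order and the incident spans >1 source system."""
    idx = 0
    for ev in incident:
        if idx < len(pattern) and ev.action == pattern[idx]:
            idx += 1
    return idx == len(pattern) and len({ev.source for ev in incident}) > 1

def triage(events=EVENTS):
    """Collapse raw events into (user, host, event_count, matches_attack_pattern) rows."""
    return [(inc[0].user, inc[0].host, len(inc), matches_pattern(inc)) for inc in correlate(events)]
```

Six raw alerts collapse into three incidents, of which only the first carries the cross-system pattern and deserves an analyst's attention.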
One efficient way to detect anomalous cyber behavior is to perform continuous breach and attack simulations (BAS). OT managers traditionally shied away from BAS, rightfully wishing to avoid any unnecessary intrusion into an already sensitive environment. However, recent advancements, like OTORIO’s patent-pending digital twin technology, allow organizations to run simulations with zero impact on the production environment. In doing so, they can predict future attacks, understand the potential impact on their operational network and identify actionable mitigation steps to dramatically reduce cyber risks.
It’s unfortunate but true: these days, nearly everything we do in operational cybersecurity is reactive. Most available security solutions detect attacks after they’ve already breached your network, rather than identifying risks before they are exploited. This essentially means we need to wait for the attack to happen, then respond very fast. It is an endless cycle of cat and mouse.
The main reason for this is that operational cybersecurity solutions were originally designed for traditional IT security, or at least modelled on IT security concepts. But operational networks require a different approach, as safety is at risk and downtime is not an option.
We suggest a focus on proactive risk reduction and avoidance. This approach allows security teams and operational engineers to work closely together to prevent and mitigate risks across operational environments.
This risk-based approach is the future of operational cybersecurity; it’s the only way to protect critical infrastructures from irreversible damage.
When we called Florida’s water attack “a warning signal”, we didn’t imagine that less than two months later another cyber-attack would affect the water supply in the US. In April 2021, a former employee of Post Rock, Ellsworth, was charged with remotely accessing one of a water treatment facility’s computers, over two months after he resigned, to shut down the cleaning and disinfecting procedures that make water potable.
This is not the first case of a former employee using unrevoked remote access privileges to damage operational systems. As early as 2014, a former employee of Georgia-Pacific, a paper maker, used his still-active VPN connection to access the company’s servers and interfere with industrial control systems (ICS) in the plant for two weeks.
It is very common to confuse a VPN connection with a solution for secure remote access. In reality, VPN solutions are only as good as their weakest link. The company has limited control over who has access to the OT network, the access permissions are too broad, and there is no monitoring or auditing being performed whatsoever.
A recent example is the Cring ransomware, which conducted a series of attacks against industrial targets and industrial control systems (ICS) by exploiting Fortinet’s FortiGate VPN server.
It’s true that many utility providers still rely on VPN. However, as a leading industrial cybersecurity company, OTORIO recommends using secure remote access tools that were designed for accessing operational networks in order to boost their security. It’s important to use tools that restrict access to approved persons, assets and timeframes only. The solutions should apply two-factor authentication and, in general, they should be secure by design and tested for potential security vulnerabilities by their vendors. To learn more, watch our recent secure remote access webinar.
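A minimal authorization model for the controls just listed (per-person, per-asset, time-bounded grants, a second factor, revocation on off-boarding, and an audit trail), as an added Python example with constructed user and asset names; it is not OTORIO's product code. The off-boarded user in the demo stands in for the former-employee cases described above.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Grant:
    user: str
    asset: str        # the single OT asset this grant covers
    start: datetime
    end: datetime     # grants expire instead of living forever

@dataclass
class AccessPolicy:
    grants: list
    active_users: set    # HR-driven; a user is removed on off-boarding
    audit_log: list = field(default_factory=list)

    def offboard(self, user):
        """Revoke every standing grant the moment someone leaves."""
        self.active_users.discard(user)
        self.grants = [g for g in self.grants if g.user != user]

    def authorize(self, user, asset, when, mfa_passed):
        """Allow only an active user, with MFA, to an explicitly granted asset inside its window."""
        if user not in self.active_users:
            reason = "user not active"
        elif not mfa_passed:
            reason = "second factor missing"
        elif not any(g.user == user and g.asset == asset and g.start <= when <= g.end
                     for g in self.grants):
            reason = "no grant for asset at this time"
        else:
            reason = "ok"
        self.audit_log.append((when.isoformat(), user, asset, reason))  # every decision is recorded
        return reason == "ok"

def demo():
    t = datetime.fromisoformat
    policy = AccessPolicy(
        grants=[Grant("eng1", "plc-chlorine-dosing", t("2021-04-05T08:00"), t("2021-04-05T17:00")),
                Grant("former1", "scada-hmi-01", t("2021-01-01T00:00"), t("2021-12-31T23:59"))],
        active_users={"eng1", "former1"},
    )
    policy.offboard("former1")   # resignation processed: the standing grant dies with the account
    return [
        policy.authorize("former1", "scada-hmi-01", t("2021-04-05T03:00"), True),    # False
        policy.authorize("eng1", "plc-chlorine-dosing", t("2021-04-05T10:00"), True),  # True
        policy.authorize("eng1", "plc-chlorine-dosing", t("2021-04-05T10:00"), False), # False
        policy.authorize("eng1", "plc-chlorine-dosing", t("2021-04-05T22:00"), True),  # False
        policy.authorize("eng1", "scada-hmi-01", t("2021-04-05T10:00"), True),         # False
    ], policy.audit_log
```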
It is no wonder that the White House puts such a high focus on control systems cybersecurity. Safe critical infrastructure is essential for public safety, health, environmental protection, and economic growth. Ensuring the reliability of critical infrastructure requires addressing the unique security constraints of operational networks. The recent attacks on US water treatment facilities and the growing trend of cyber-attacks targeting operational networks are alarming. We recommend that critical infrastructure safety and cybersecurity stakeholders take advantage of the US government’s planned resource allocation for control systems cyber defense to take their cybersecurity approach to the next level. This will enable them to combine reactive and proactive risk avoidance approaches within their operational networks.