Developing a proactive and successful approach

A successful cybersecurity approach for industrial companies is proactive and requires a thorough plan that assesses and implements many tools and procedures to keep workers on alert and ready for a potential attack.

Learning Objectives

IT/OT cybersecurity insights

• Industrial firms face escalating cyber threats due to legacy IT/OT assets, making them lucrative targets vulnerable to successful cybercrimes.
• Implementing a comprehensive cybersecurity strategy involves assessing vulnerabilities, designing solutions, continuous monitoring and real-time threat detection.
• Successful defense requires a holistic approach considering pre-, during- and post-cyberattack phases, emphasizing asset inventory, countermeasures, incident handling and robust backup processes.

Cybercrime pays and pays big. Cybercriminals always seem to be one step ahead and successful cybercrimes are in the news every day. Cybercriminals are getting rich, and increasingly it’s at the expense of industrial companies. Not only do most of these companies have deep pockets and the ability to pay, they’re also some of the most vulnerable targets.

Most industrial companies have more legacy information technology and operational technology (IT/OT) assets than they may even be aware of, and it’s these legacy assets that are the most vulnerable. Most industrial companies tend to be myopic when it comes to threats, seemingly more focused on defending themselves against the last attack than poised to prevent the next attack.

This article discusses various aspects of cybersecurity that are part of a proactive and successful approach. The previous article highlighted the typical threats and vulnerabilities industrial companies face as well as approaches that don’t work. This article lays out the basics of a proactive and successful approach to cybersecurity specifically for industrial companies.

The basic approach starts with a simple four-step framework:

1. Assess the situation, inventory the IT/OT infrastructure, and analyze any vulnerabilities and risks. An important part of the assessment is to be aware of current threats against hardware and software assets by taking advantage of cybersecurity advisories that are regularly updated such as those from the Cybersecurity & Infrastructure Security Agency (CISA).

2. Design the cybersecurity solutions to handle the complete IT/OT landscape and address any vulnerabilities and risks.

3. Implement the solutions, covering people, processes and technology, with the required training, and on-going proactive services to make sure everything works and works well.

4. Monitor the IT/OT infrastructure continually, looking for changes, identifying new vulnerabilities, assessing new risks, upgrading the solutions and looking for threats in real time, able to respond in real time to any conceivable threats.

Attack continuum

A proactive and successful approach to IT/OT cybersecurity must look at all aspects. Too often industrial companies focus on just one or two cybersecurity areas. The most successful approaches look at all aspects of the attack continuum, before a cyberattack occurs, during a cyberattack, and after a cyberattack.

Before a cyberattack occurs, a proactive approach assesses the current situation, identifies the assets that are potentially vulnerable, and takes specific measures to protect those assets. During a cyberattack, a proactive approach detects and responds to the cyberattack. And after a cyberattack, a proactive approach responds to the aftermath of the cyberattack and takes specific steps to recover.

Asset inventory

When it comes to the world of IT/OT infrastructure and systems, most industrial companies have assets they don’t even know they have. These assets are so old and outdated they may not even be getting security patches anymore. When asked about these old legacy assets most IT directors, even up to the chief information officer (CIO), would swear there was none of that in their company. But if someone were to go out on the shop floor and look for them, they’ll find them. They’ll find some of them are critical to production.

That’s why the first place to start is a detailed inventory of all IT/OT assets. That means going out on the shop floor and searching in every nook and cranny and finding what’s out there. Not what everyone thinks is out there, but what’s really being used in production on the shop floor. It’s amazing what an inventory exercise can reveal about existing assets that only a few people know about but are nevertheless critical to production.

Patch or replace the assets

Once the assets are identified, they must be patched with the latest security patches. If they are legacy assets, it’s a good bet they haven’t been patched for a while. Getting them patched is the first step to reducing the vulnerability.

If they can’t be patched — and some of the oldest assets might not be able to be patched because they’re too old — consider replacing them. Isolating these assets with firewalls or even air gaps may seem like a viable solution. However, that doesn’t work because systems used in production almost always have a data interchange at one time or the other, and that makes them vulnerable. So, they must either be patched with the latest security patches or replaced. Those are the only choices.

Complete a vulnerability and risk assessment

One of the main tasks for a successful proactive approach to IT/OT cybersecurity is a vulnerability and risk assessment. While many industrial companies have a lot in common, particularly when it comes to the amount of legacy infrastructure they have, each company is unique in its vulnerabilities and risks. There’s no “one size fits all” approach to IT/OT cybersecurity and performing an in-depth vulnerability and risk assessment is one of the first steps to mapping out an overall IT/OT cybersecurity strategy.

The main point of the vulnerability and risk assessment is it must be comprehensive. Most industrial companies perform various flavors of assessments, but many aren’t comprehensive enough. It’s necessary to look at all the potential vulnerabilities and all the potential risks, and to perform this assessment for all IT/OT assets.

Put another way, cybercriminals are going to be trying everything in their arsenal to breach the security measures, so it’s a must to look at all vulnerabilities and risks for all IT/OT assets.

Zones, conduits and countermeasures

One of the first security measures everyone needs to implement is the zones and conduits model defined in the ISA/IEC 62443.02.01 standard. The gist of this standard is the creation of IT and OT zones based on specific functions to create a defense-in-depth strategy. All data into and out of the zones is tightly controlled through specific conduits and all activity inside the zones is strictly monitored. Any communications between zones or in or out of zones must have a conduit. The idea is to progressively reduce the probability of attacker success as they penetrate deeper into the system.

In conjunction with the implementation of the zones and conduits model, it also makes sense to deploy specific countermeasures based on all identified vulnerabilities and risks. Countermeasures are methods to protect assets from cyberattacks. They range from physical and operational countermeasures to those specifically designed for cyber assets. These tactics might include identity management, access management, network security, intrusion detection, intrusion prevention, data loss prevention, and so on. The key is to make sure countermeasures match up to the identified vulnerabilities and risks.

Real-time threat detection

One of the key countermeasures that must be in place is real-time threat detection. The problem here is the arsenals used by the cybercriminals are broad and deep and have many tools at their disposal. That means threat detection must be as broad and deep and it must be in real time. There’s not much value in finding out about an attack hour or even days after it occurs. Attacks must be visible in real time so a real-time response is possible.

Most industrial companies have some type of real-time threat detection in place already, but it’s often very limited. It looks for just a few types of attacks, and in most cases, it’s looking for the attacks the cybercriminals used last time.

The solution is real-time threat detection of attacks the cybercriminals are using now. That’s easier said than done because cybercriminals always seem one step ahead. However, that’s the real-time threat detection that’s truly needed.

A successful cybersecurity approach for industrial companies is proactive and requires a thorough plan to keep workers on alert. Courtesy: Rockwell Automation

When an asset inventory is completed, it will almost certainly reveal assets, systems, hardware, software, devices and who knows what else that were not previously on the cybersecurity radar. It also will show how dynamic the entire IT/OT landscape really is. It’s changing all the time. New assets are added. Assets are moved. Some are retired. New connections are made. New interfaces are put in place. New devices added on. It’s constantly changing.

That means the IT/OT landscape must be constantly monitored and administered. A proactive approach to cybersecurity maintains a constant vigil to discover new vulnerabilities and new risks.

There also must be procedures for adding new assets, for changing assets, for creating new connections, for adding new devices. Administrative procedures must be established to ensure whatever is going on meets cybersecurity standards and does not create new vulnerabilities.

Incident handling and response

Incidents are going to happen. Companies must be ready to handle them and must be ready to respond. Make sure the first time an incident is handled isn’t during an actual attack. Conducting a red team vs. blue team exercise with simulated attacks and responses on a regular basis can reveal vulnerabilities and sharpen readiness. These “war games” must simulate every attack and every trick in the book the cybercriminals might try, and they need to test every aspect of incident handling and response. They must stress the people, processes and technology to make sure all are ready to defend against a cyberattack.

Some fail safes should also be in place for when an attack happens. The fail safes are part of a good defense-in-depth strategy. If a cyberattack is detected and is succeeding, action must be taken. Fail safes might need to shut down specific IT/OT assets or shut down large parts of the IT/OT infrastructure or some other drastic action. Taking radical steps, even shutting down entire facilities, is a far better result than what the worst cybercriminal has in mind.

Prepare proper backup and disaster recovery

If a cyberattack is even a little successful, it can have a huge impact. One of the keys to surviving a cyberattack is proper backup and disaster recovery processes. Again, make sure the first time that backup and disaster recovery processes are tested is not during or after an actual attack. These processes need to be developed and tested as part of a proactive approach.

Cyber defenses must be fully tried and tested and must be comprehensive with the same defense-in-depth strategy mentioned before. There needs to be multiple ways to recover and processes must consider all aspects of the IT/OT infrastructure. It’s not just data and programs. It’s configurations, interfaces, devices, assets, hardware or anything else that can be compromised. Companies must have proven processes in place that have been tested many times, that will quickly recover any aspect of IT/OT infrastructure, which might be compromised by a cyberattack.

Companies must be proactive

Cybercriminals remain one step ahead. Industrial companies are especially vulnerable and potentially lucrative, targets. The best way for most industrial companies to defend themselves is to take a proactive approach to IT/OT cybersecurity that looks at the entire attack continuum.

The basic framework is simple: Assess, design, implement and monitor. It also must contain specific aspects of a proactive approach looking at before a cyberattack occurs, during a cyberattack and after a cyberattack.

A proactive approach assesses the current situation, identifies the assets that are potentially vulnerable, and takes specific measures to protect those assets. A proactive approach detects and responds to the cyberattack. A proactive approach also responds to the aftermath of the cyberattack and takes specific steps to recover from the cyberattack.

There’s no defense that guarantees safety from attacks by cybercriminals and there’s no defense that can promise zero damage from a cyberattack. However, a comprehensive proactive approach that looks at the entire attack continuum is by far the best approach and the lowest risk.

There’s no easy button here. It’s a lot of hard work with no guarantees. However, given the risks and what’s at stake, this approach is the most effective and least risky strategy. It’s definitely better than the alternative.

John Clemons is a solutions consultant, LifecycleIQ Services; Tim Gellner is a system integration consultant; Vicky Bruce is global capability manager for network and cybersecurity services; all with Rockwell Automation. Edited by Chris Vavra, web content manager, CFE Media and Technology, [email protected].

View the original article and related content on Control Engineering