Starting the cybersecurity journey
- November 19, 2024
- Best Practices
- Automation
Getting started on the cybersecurity journey involves asking some hard questions, taking the aggressor's view of your own organization, and learning as much as possible about its strengths and especially its weaknesses.
LEARNING OBJECTIVES
- Understand the questions companies need to ask about their cybersecurity plans and how thorough those plans really are.
- Learn about four steps companies can take to get an immediate head start on their cybersecurity plan.
IT/OT cybersecurity insights
- Cybercriminals continue to thrive, targeting unprepared manufacturing and industrial companies. Proactive vulnerability assessments and robust security measures are essential to mitigate these threats and minimize impacts.
- A comprehensive cybersecurity strategy includes regular vulnerability assessments, detailed cyber risk assessments and network evaluations. Identifying and prioritizing weaknesses helps in developing targeted remediation plans.
- OT penetration testing and simulating real-world attacks are crucial for testing and improving cybersecurity measures. Aggressive and thorough testing ensures preparedness against cybercriminal tactics and enhances overall security.
Cybercriminals are still winning. They’re getting rich while people and companies struggle to keep up. Today, every manufacturing and industrial company is vulnerable to cyberattacks and most aren’t prepared. It’s not a question of if they’re going to be impacted by a cybercriminal, it’s only a question of when and how prepared they are.
The time has come to get out in front of the cybercriminals and do a better job of understanding where we are and what we’re facing. It’s time to take a closer look at our organizations and our infrastructures to understand our more serious vulnerabilities.
There’s no way we can stop cybercrime anytime soon. There are too many cybercriminals and they’re too determined. However, there are ways to make it much harder for cybercriminals to attack and a lot harder for their attacks to succeed. Taking a long, hard look at where we are and what we have is the right place for everyone to start and get serious about preparing for cybercrime.
Question the current cybersecurity plan
At this point, companies might be thinking they handle cyberattacks well. They haven’t suffered any significant cyberattacks or had any significant breaches. They are handling cybersecurity okay and plan to keep it that way.
If that’s the case, consider these questions and how well the company’s cybersecurity measures really hold up against them.
- How often is the installed base assessed?
- How often is a supply chain assessment performed?
- Have critical business systems and equipment been identified and prioritized?
- How are remote access controls handled?
- How are physical access controls handled?
- Have demilitarized zones (DMZs) been implemented in the operational technology (OT) architecture?
- How effectively are OT patches being managed?
- Are OT data backup processes regularly tested and executed?
- Are effective removable media security procedures in place?
- Have OT security perimeters been fully implemented?
- Are real-time analyses of security threats and alerts being performed?
- Are all endpoints controlled and monitored 24/7?
- How comprehensive and effective is employee security training?
- Is there a converged information technology/operational technology (IT/OT) security roadmap available?
- Are Common Industrial Protocol (CIP) certified products being used?
- Is there comprehensive threat and anomaly detection in place?
- Are there threat analysis, containment, and mitigation capabilities in place?
- Can operations be restored quickly in the event of a cyberattack?
For most industrial companies, the answers to these questions may be mixed. Some answers are pretty good, many are only so-so and a few are dismal. If that’s the case, don’t feel bad because many companies are in the same boat. Consider these four ideas to get started and make some immediate improvements.
1. Perform a vulnerability assessment
The purpose of the vulnerability assessment is to find out what’s out there, especially the unknown components, and to identify potential vulnerabilities. Vulnerabilities might show up as unsecured network connections, unmanaged switches, unpatched legacy systems, or even business-critical systems that no one knows about and that are unmanaged, unpatched, obsolete and vulnerable.
The vulnerability assessment needs to look at the full range of OT infrastructure, including automation and control systems and network components such as switches, routers, hubs and any other components that are part of the OT landscape. The idea is to identify vulnerabilities in OT systems that attackers could exploit, so companies can take steps to mitigate them and reduce the risk of a successful attack.
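The first output of a vulnerability assessment is usually a reconciliation: what is actually on the wire versus what the asset register says, with the unknown, unmanaged and out-of-support items flagged. The following Python script is an added example, not code from the article or from Rockwell Automation. Both inputs are constructed sample data (a "discovered" list as a switch MAC/ARP export or passive listener might produce it, and an inventory list), and the one-year patch-age limit and the date fields are assumptions chosen for illustration.

```python
"""Reconcile what is actually on the OT network against the asset inventory.

Added example with constructed data. DISCOVERED stands in for what a passive
listener or a switch ARP/MAC-table export shows; INVENTORY stands in for the
asset register. None of the addresses or vendors refer to a real plant.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REFERENCE_DATE = date(2024, 11, 19)   # assessment date (the article's date)
PATCH_AGE_LIMIT_DAYS = 365            # assumption: older than a year counts as "unpatched"


@dataclass(frozen=True)
class Asset:
    ip: str
    kind: str                                  # "plc", "hmi", "switch", "server", ...
    vendor: str = ""
    managed: bool = True                       # False for unmanaged switches / hubs
    patched_through: Optional[date] = None     # last patch/firmware date applied
    end_of_support: Optional[date] = None      # date vendor support ended/ends
    business_critical: bool = False


# Constructed: devices seen on the wire
DISCOVERED = [
    {"ip": "10.10.1.5", "kind": "plc", "vendor": "VendorA"},
    {"ip": "10.10.1.9", "kind": "switch", "vendor": "VendorB"},   # not in inventory
    {"ip": "10.10.2.20", "kind": "hmi", "vendor": "VendorA"},
    {"ip": "10.10.2.31", "kind": "server", "vendor": "VendorC"},  # not in inventory
]

# Constructed: what the asset register claims
INVENTORY = [
    Asset("10.10.1.5", "plc", "VendorA", patched_through=date(2019, 3, 1),
          end_of_support=date(2021, 12, 31), business_critical=True),
    Asset("10.10.1.7", "switch", "VendorB", managed=False),        # unmanaged switch
    Asset("10.10.2.20", "hmi", "VendorA", patched_through=date(2024, 9, 10),
          end_of_support=date(2028, 1, 1)),
    Asset("10.10.3.40", "plc", "VendorA", patched_through=date(2024, 6, 1),
          end_of_support=date(2027, 1, 1), business_critical=True),  # never seen on wire
]


def reconcile(discovered, inventory, today=REFERENCE_DATE):
    """Return (category, ip, detail) findings, business-critical assets first."""
    known = {a.ip: a for a in inventory}
    seen = {d["ip"] for d in discovered}
    findings = []

    # 1. Devices on the wire that the register does not know about
    for d in discovered:
        if d["ip"] not in known:
            findings.append(("unknown_device", d["ip"], f'{d["kind"]} from {d["vendor"]}'))

    for a in inventory:
        # 2. Inventoried but not observed: stale record, or a segment nobody is watching
        if a.ip not in seen:
            findings.append(("not_observed", a.ip, "in inventory, not seen on network"))
        # 3. Unmanaged network gear gives no visibility and no port control
        if a.kind in ("switch", "hub") and not a.managed:
            findings.append(("unmanaged_network_device", a.ip, a.kind))
        # 4. Legacy / unpatched: past vendor support, or patch level older than the limit
        if a.end_of_support and a.end_of_support < today:
            findings.append(("end_of_support", a.ip, f"support ended {a.end_of_support}"))
        if a.patched_through and (today - a.patched_through).days > PATCH_AGE_LIMIT_DAYS:
            findings.append(("unpatched", a.ip, f"last patched {a.patched_through}"))

    # Weaknesses on business-critical assets sort first; unknown devices are not critical yet
    def critical(ip):
        return known.get(ip, Asset(ip, "unknown")).business_critical

    findings.sort(key=lambda f: (not critical(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for category, ip, detail in reconcile(DISCOVERED, INVENTORY):
        print(f"{category:26} {ip:12} {detail}")
```

Unknown devices are reported separately from inventory gaps on purpose: a device nobody registered has no owner, no patch history and no support status, so it cannot be scored until someone claims it. The "not observed" category is the quieter signal; it often means a segment that the discovery data never reached, which is itself a visibility gap worth recording.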
While there’s no way to stop all cyberattacks, companies can make it much harder for cybercriminals to attack and for their attacks to be successful. Courtesy: Rockwell Automation
2. Perform a full cyber risk assessment
The next step after a quick vulnerability assessment is a full cyber risk assessment. The goal is a comprehensive view of the entire organization with respect to cyber risk, so that the overall cybersecurity posture can be strengthened from top to bottom.
These five basic steps should be included in a full cyber risk assessment:
- Get deeper into the details of the OT landscape and vulnerabilities by looking at specific attack vectors and specific weaknesses.
- Evaluate the entire risk profile by assessing the potential impact of attacks and prioritizing the risks and vulnerabilities.
- Re-evaluate the effectiveness of existing cybersecurity protocols and look for areas of weakness and opportunities for improvement.
- Review the industry standards and regulatory compliance requirements looking for weaknesses and areas for improvement.
- Implement specific remediation measures targeted at the identified risks and vulnerabilities based on the priorities identified.
The full cyber risk assessment is not for the faint of heart. If it’s done right, it will probably uncover some serious weaknesses. That’s the point, though. The goal is identifying vulnerabilities in the OT landscape which attackers could exploit. Doing this helps companies take the steps necessary to remediate them and therefore reduce the risk of a successful attack.
Part of the full cyber risk assessment is prioritizing the risks primarily based on their potential impact. Risks with little or no potential impact are low priority. Risks that have the potential to shut down the plant or even the entire business must be addressed. By addressing the highest priority risks, companies can reduce the likelihood of a successful attack and reduce the impact if a successful attack occurred.
The ultimate idea here is to ensure business continuity by identifying these potential risks and developing specific strategies to remediate these risks. The goal is to ensure that successful attacks are much less likely, and the impacts of a successful attack are much reduced.
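The prioritization rule described above (impact first, with anything that can stop the plant or the business treated as mandatory regardless of how unlikely it looks) is easy to get wrong when a team simply sorts by a likelihood-times-impact score. The following Python example, added here and not the article's or Rockwell Automation's own method, makes the rule explicit: a risk register with a five-point impact scale, a tier function that applies the impact rules before the score, and a remediation order derived from it. The scales, thresholds and sample risks are assumptions constructed for illustration.

```python
"""Prioritize a cyber risk register by potential impact.

Added example with constructed data. The 1-5 scales, the tier thresholds and
the sample risks are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass

IMPACT_LABELS = {
    1: "negligible",
    2: "minor disruption",
    3: "line stoppage",
    4: "plant shutdown",
    5: "business shutdown",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 .. 5, see IMPACT_LABELS
    remediation: str

    def score(self):
        return self.likelihood * self.impact


def tier(risk):
    """Priority tier for one risk.

    Rule 1: anything that can take down the plant or the business must be
            addressed, however unlikely it looks today.
    Rule 2: negligible impact is low priority no matter how likely.
    Otherwise fall back to likelihood x impact bands.
    """
    if risk.impact >= 4:
        return "must-address"
    if risk.impact <= 1:
        return "low"
    s = risk.score()
    if s >= 9:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


TIER_ORDER = {"must-address": 0, "high": 1, "medium": 2, "low": 3}


def prioritize(risks):
    """Remediation order: tier first, then score, then name for a stable result."""
    return sorted(risks, key=lambda r: (TIER_ORDER[tier(r)], -r.score(), r.name))


def remediation_plan(risks):
    """Flatten the prioritized register into (tier, name, score, remediation) rows."""
    return [(tier(r), r.name, r.score(), r.remediation) for r in prioritize(risks)]


# Constructed sample register (typical findings from the assessments described above)
SAMPLE_RISKS = [
    Risk("Unpatched PLC firmware on packaging line", 4, 3,
         "Schedule firmware update in next outage window"),
    Risk("Shared vendor remote-access account", 3, 5,
         "Per-user accounts, MFA, session recording"),
    Risk("Unmanaged switch in utilities cabinet", 3, 2,
         "Replace with managed switch, enable port security"),
    Risk("Default credentials on obsolete HMI", 2, 4,
         "Change credentials now; plan replacement"),
    Risk("Test-bench laptop not in inventory", 5, 1,
         "Enroll in inventory, restrict to test VLAN"),
    Risk("Untested OT backups", 2, 4,
         "Quarterly restore test from backup media"),
]


if __name__ == "__main__":
    for t, name, s, fix in remediation_plan(SAMPLE_RISKS):
        print(f"{t:13} score={s:2}  {name}: {fix}")
```

Note what the impact rule changes: the unpatched PLC has the highest raw score after the shared account (12), yet the two plant-shutdown risks with a score of 8 are ordered ahead of it, and the very likely but negligible laptop finding drops to the bottom despite scoring 5. That is the article's point about prioritizing on potential impact rather than on likelihood alone.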
3. Perform a full network assessment
Many companies have OT vulnerabilities, such as OT systems that are unpatched, legacy, unsecured, or obsolete. And that’s just the ones known about. The OT network is just as important and just as vulnerable. If a quick vulnerability assessment or a full cyber risk assessment identifies the OT network as a particular source of risks, then a full network assessment might be in order.
There are several results companies will want to achieve with a full network assessment:
- Create an inventory of major network components including switches, routers, and firewalls.
- Establish a baseline comparison of the physical, logical, and security-based elements against the relevant industry standards.
- Perform a detailed review of the physical network infrastructure against Information and Communications Technology (ICT) standards.
- Evaluate all key aspects of the network.
- Develop specific recommendations and remediation plans to address the network and infrastructure challenges identified.
4. OT penetration testing
It’s one thing to perform vulnerability assessments, full cyber risk assessments, and even network assessments. However, performing OT penetration testing is what will put all the hard work to the test and reveal which cybersecurity strategies work and which ones don’t.
The goal is to execute ethical hacking along a wide range of attack vectors with the purpose of penetrating the OT environment. Companies need to test the effectiveness of their cybersecurity strategies. By simulating real-world attacks along a wide range of vectors, they can assess their OT systems, firewalls, intrusion detection and prevention systems, and all other aspects of the OT landscape. The result is either the successful prevention of the simulated attacks or the identification of vulnerabilities that were probably thought to be covered.
There’s nothing like putting the cybersecurity strategies to the test. It’s amazing how few companies do stringent OT penetration testing. Most perform basic tests and leave it at that. The key here is to attack the OT landscape just like the cybercriminals would, using every tool and trick available and holding nothing back.
This approach shows how well the cybersecurity strategies work and what is required to create an OT environment that significantly reduces the risk and impact of successful attacks.
Companies need to be the aggressor in the cybersecurity battle
The bottom line is still simple: Cybercriminals are winning and industrial companies are vulnerable. However, there is a lot that we can and should be doing to reduce the risk and impact of a cyberattack. That means getting started and looking at the OT landscape from a broader perspective. It means doing some things differently and not settling for the status quo.
The cybercriminals are using every trick they have, and we need to turn the tables on them and take the offensive. We need to get smarter about cybersecurity and not rely on a business-as-usual approach. With a secured infrastructure and daily vigilance, we can reduce the risk and impact of cyberattacks. At the very least, companies need to get started and these ideas and suggestions can help serve as a good starting point for the cybersecurity journey.
Vicky Bruce is global capability manager for network and cybersecurity services; Tim Gellner is a system integration consultant; John Clemons is a solutions consultant, LifecycleIQ Services; all with Rockwell Automation. Edited by Chris Vavra, senior editor, WTWH Media, [email protected].