The current unprecedented public health crisis has impacted nearly all populated nations. Governments all over the globe have mandated citizens to stay at home, working remotely where possible in an effort to curb the spread of infection. However, when it comes to our essential services and critical infrastructure, these large-scale industrial and production plants face the unenviable challenge of maintaining uptime and efficient production, irrespective of external factors.
Automation within industrial environments is now commonplace, due largely to the convergence of the data side of the business (traditionally the realm of IT) and the operational technology (OT) side (used to manage industrial control systems (ICS)). However, the more OT environments are integrated and connected to IT systems, the more closely both sides need to be managed. A security incident on either side — IT or OT — can compromise both systems and, if left unchecked, could impact production or even change a product significantly enough to make it dangerous.
The frequency and severity of attacks specifically targeting OT networks have been increasing each year. Clearly, there is a need to secure OT networks as we have in IT.
It’s imperative that those tasked with securing critical operations in these challenging times fully understand the new threat landscape, and particularly which security measures are needed to keep things running smoothly and safely. Here are some areas to consider and address:
OT vulnerabilities: With the number of malware threats to industrial systems on the rise, further extending the attack surface of an OT environment, production and operational managers need to ensure they are aware of the threats they face. A further consideration is the risk of lateral movement, where an attacker gains a foothold in one infrastructure and then traverses across to the other, from OT to IT and vice versa. Organizations must give OT networks the same attention to security that IT environments have received for years.
Errors and delays: A skilled or managerial worker should be onsite at all times in case of an unplanned or emergency situation. The reason for this is that there is a greater risk of an error being overlooked, or of negative knock-on effects caused by configuration changes, if someone unfamiliar with these complex environments alters settings. Automatic snapshots of the initial and changed state, or an automated trail of the configuration resets, must accompany any actions taken to rectify a situation. This will allow the changes to be reversed if required. It should also capture the identity of the personnel initiating the action, and the date and time stamp of the incident, to verify it was correctly authorised.
Another consequence could be a delay in responding to an alarm, triggering a chain of events with unknown consequences. Given OT/IT convergence, any delays and/or errors could impact either side.
Monitor for dubious activity: Following on from the points above, it is also important to check for any unexpected changes that could be an indicator of compromise, or of an active attack, at both the network and device level.
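The change trail and drift check described in the two points above, as an added illustration that is not part of the original article: every configuration change is recorded with a before/after snapshot, the operator's identity and a timestamp, an authorised change becomes the new approved baseline, a change can be reverted from its record, and any setting a device reports that differs from the approved baseline with no authorised record behind it is flagged as unexpected. The device name, settings and operator are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(config):
    """Stable hash of a configuration snapshot; key order does not matter."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def config_diff(before, after):
    """Return {setting: (old, new)} for every setting that differs."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


class ConfigChangeTrail:
    def __init__(self):
        self.baseline = {}  # device -> last approved configuration snapshot
        self.records = []   # append-only audit trail of changes

    def approve_baseline(self, device, config):
        self.baseline[device] = dict(config)

    def apply_change(self, device, new_config, operator, authorised, when=None):
        """Record who changed what and when; only authorised changes move the baseline."""
        before = dict(self.baseline.get(device, {}))
        record = {
            "device": device, "operator": operator, "authorised": authorised,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "before": before, "after": dict(new_config),
            "before_hash": fingerprint(before), "after_hash": fingerprint(new_config),
            "diff": config_diff(before, new_config),
        }
        self.records.append(record)
        if authorised:
            self.baseline[device] = dict(new_config)
        return record

    def revert(self, device, record):
        """Undo a change by restoring the snapshot captured before it."""
        self.baseline[device] = dict(record["before"])
        return self.baseline[device]

    def unexpected_changes(self, device, observed_config):
        """Settings the device reports that differ from the approved baseline."""
        return config_diff(self.baseline.get(device, {}), observed_config)


PLC_BASELINE = {"setpoint_c": 80, "alarm_high_c": 95, "remote_write": False}  # constructed


def demo():
    trail = ConfigChangeTrail()
    trail.approve_baseline("plc-01", PLC_BASELINE)
    rec = trail.apply_change("plc-01", {**PLC_BASELINE, "setpoint_c": 85}, "op.jones", True)
    observed = {**trail.baseline["plc-01"], "remote_write": True}  # no record behind this
    drift = trail.unexpected_changes("plc-01", observed)
    return rec, drift, trail.revert("plc-01", rec)
```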
Planned remediation: With remote working policies activated, the team responsible for remediation must be identified so they are ready to respond, should an alarm be triggered. This could be based on proximity, skill levels, planned escalation, and so on. The channel for alerts also needs to be worked out beforehand, whether it is SMS, phone, email or others.
Dashboard monitoring: All networks, devices, systems, and plants need to feed into an integrated dashboard that allows full-scale monitoring of behavior. When the dashboard raises an alert, the team can isolate the fault or intrusion and deep dive at a granular level to identify the nature of the compromise or threat.
We’re living through unprecedented times and the pandemic can create any number of challenging macro environment situations. But, at the end of the day, critical businesses must continue, operations must deliver, and the fabric of a nation must survive.
A deep understanding, at both the macro and micro level, of how operations are managed is the most sustainable way to get through this without security measures making the situation worse.