Automation within industrial environments is now commonplace, due largely to the convergence of the data side of the business, traditionally the realm of IT, with the operational technology (OT) side used to manage industrial control systems (ICS). A security incident on either side, IT or OT, can compromise both systems. It is imperative that those tasked with securing critical operations in these challenging times fully understand the new threat landscape. Here are some areas to consider and address:
With the number of malware threats to industrial systems on the rise, further extending the exposed attack surface in an OT environment, production and operational managers need to ensure they are aware of the threats they face.
A further consideration is the risk of lateral movement, where an attacker gains a foothold in one infrastructure and then traverses across to the other, from OT to IT and vice versa.
Errors and delays
A skilled or managerial worker should be onsite at all times in case of an unplanned or emergency situation. The reason for this is that there is a greater risk of an error being overlooked, or of negative knock-on effects caused by configuration changes, if someone unfamiliar with these complex environments alters settings.
Automatic snapshots of the initial and changed state, or an automated trail of the configuration changes, must accompany any actions taken to rectify a situation. This will allow the changes to be reversed if required. The record should also capture the identity of the person initiating the action, and the date and time stamp of the incident, so that it can be verified as correctly authorised.
Following on from the points above, it is also important to check for any unexpected changes that could be an indicator of compromise, or of an active attack, at both the network and device level.
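As an added illustration of the two points above (not code from the article or from Tenable), the following Python sketch keeps a before/after snapshot of every authorised configuration change with the actor and UTC timestamp, can revert the last change, and flags any device setting whose observed value differs from the last authorised snapshot as an unexpected change worth investigating. The configuration keys and actor names are constructed for the example.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of device settings (hypothetical PLC-style keys, not from the article)
BASELINE = {"scan_cycle_ms": 50, "remote_access": False, "alarm_high_c": 85}


@dataclass
class ChangeRecord:
    actor: str        # identity of the person who initiated the change
    timestamp: str    # UTC time the change was applied
    before: dict      # snapshot of the configuration before the change
    after: dict       # snapshot of the configuration after the change


class ConfigJournal:
    """Audit trail of authorised configuration changes with snapshots for rollback."""

    def __init__(self, config):
        self.config = copy.deepcopy(config)   # current authorised state
        self.records = []

    def apply_change(self, actor, changes):
        """Apply an authorised change and record who, when, before and after."""
        before = copy.deepcopy(self.config)
        self.config.update(changes)
        stamp = datetime.now(timezone.utc).isoformat()
        record = ChangeRecord(actor, stamp, before, copy.deepcopy(self.config))
        self.records.append(record)
        return record

    def revert_last(self):
        """Roll the configuration back to the snapshot taken before the last change."""
        if not self.records:
            return self.config
        record = self.records.pop()
        self.config = copy.deepcopy(record.before)
        return self.config


def unexpected_changes(journal, observed):
    """Settings whose observed device value differs from the last authorised snapshot.

    Returns {key: (expected, observed)}; any non-empty result was not produced through
    the journal and is a candidate indicator of compromise or misconfiguration.
    """
    expected = journal.config
    keys = set(expected) | set(observed)
    return {k: (expected.get(k), observed.get(k))
            for k in keys if expected.get(k) != observed.get(k)}
```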
With remote working policies activated, the team responsible for remediation must be identified so they are ready to respond, should an alarm be triggered. This could be based on proximity, skill levels, planned escalation, and so on. The channel for alerts also needs to be worked out beforehand, whether it is SMS, phone, email or others.
All networks, devices, systems, and plants need to feed into an integrated dashboard that allows full-scale monitoring of behaviour. In case of alerts on the dashboard, the team can isolate the fault or intrusion and drill down to a granular level to identify the nature of the compromise or threat.
We are living through unprecedented times and the pandemic can create any number of challenging macro environment situations. But, at the end of the day, critical businesses must continue, operations must deliver, and the fabric of a nation must survive.
- Production and operational managers need to ensure they are aware of the threats faced.
- With remote working policies activated, the team responsible for remediation must be identified.
- Automatic snapshots of the initial and changed state must accompany any actions taken to rectify a situation.
By Maher Jadallah, Regional Director Middle East, Tenable.