Did you know that 99% of cyber incidents in the critical infrastructure and Industrial Control System (ICS) space occur through commodity systems such as Microsoft Windows?
As we look to understand cyber risk in the Operational Technology (OT) domain, let's take a look at a rough timeline of cyber incidents that involved both traditionally and non-traditionally labelled critical sectors; note the Microsoft Windows icons where these commodity systems were reported as a key feature of the attack(s):
Figure 1: Timeline of Threats (Ron Brash)
In response to the expansive nineteen (19) page report with fifty-four (54) vulnerabilities in Siemens' software, it's time we revisit this topic. For those in the vulnerability scanning and red-team crowds, it's great fodder for marketing or for making mincemeat of a poorly protected network.
But for those of us in the business of keeping society's critical infrastructure safe (i.e. utilities, electricity, water, energy, transportation, etc.), this chart of existing exploits coupled with the Siemens vulnerability release suggests we should examine products that are more than integrated threat feeds and network monitoring capabilities. After all, alerting is only the first step towards preventing widespread harm.
If you read between the lines, here's what else the vulnerabilities release says:
- Common malware and exploits can crawl around for decades due to the presence of unpatched systems, and due to a lack of compensating controls where vulnerabilities cannot be fixed.
- Poorly secured commodity Windows systems represent one of the biggest risks an organization can face, and they provide attackers and automated software a platform from which to cause extended negative effects on an organization.
- Windows systems are implicated in many of the attacks and will likely remain an increasing vector for attackers, but they also provide huge benefits to businesses. This will continue into the foreseeable future; they will not disappear anytime soon.
- Email and Windows infrastructure (i.e. Active Directory or file shares) represent a privileged position for an attacker, and as such are a CROWN JEWEL of your organization. Their value is immense, and as such, you should protect them appropriately.
- Besides typical cyber hygiene such as backups, patching, and hardening, poor network segmentation and configuration was often a key factor in the SIZE of an incident.
- Applications are hard to secure, so secure the systems hosting them. It is not rocket science, and many options exist.
- In some cases, but not all, monitoring did detect an attack campaign under way, but the organization did not act and/or did not have the appropriate technology and processes in place to minimize the impact and ensure a swift recovery.
- There was an increase in attacks (intentional or not) on systems that enable OT activities in organizations, but so far only a minimal number on the actual controls, given the effort required and the returns.
As an asset owner or decision maker, the highest value and return on investment (ROI) can be had from securely managing Windows or commodity systems through endpoint management solutions, and networks through an array of access control technologies. This very much aligns with frameworks such as the NIST CSF, NERC CIP, and also ISA/IEC 62443-x.
Figure 2: NIST CSF wheel (courtesy of NIST publications)
When considering endpoint protection technologies, it is important to contrast a trend with regard to the NIST wheel in IT and OT organizations. It is not a one-size-fits-all model, but it is a great place to start discussions surrounding an organization's cybersecurity efforts and nomenclature. It can and should be adapted, because operations are a completely different beast compared to enterprise tasks surrounding securely accessing data.
For example, in IT-based organizations with a fair level of cybersecurity maturity, there are often adequate security mechanisms and technology to perform IDENTIFICATION and DETECTION activities earlier in the cyber attack campaign.
In the OT world, this typically isn’t the case, and the effects of the attack are seen after it has gained a steady foothold or caused an event that rendered an impact with respect to a process or site’s Safety-Reliability-Productivity (SRP).
Endpoint management and network security drive effective ongoing identification, protection, and prevention activities, and enable a speedy response and recovery should an event occur.
"Intelligence is only useful if it can be verified and action can be taken on it."
If an organization has threat intelligence feeds as part of a network monitoring appliance, sold to them as an OT cyber security silver bullet, but cannot confirm the presence of an attacker, does not have a detailed asset inventory (i.e. how systems are set up, what is on them), and has no way to patch systems identified as vulnerable or to protect them from user activities, what good is the intel? (Cue DarkReading: 5 reasons why threat intelligence doesn't work.)
It's a self-feeding loop, and the real value is extracted from intel only if an organization has widely deployed endpoint technologies and host management basics. After all, those Windows hosts are already there and being used to generate revenue. Keep them running safely to begin with, or ensure adequate training, resources and technology are in place to continue and restore operations sooner rather than later.
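To make the loop above concrete, here is an added illustration (not code from the original post or from any product it mentions) of what turning an advisory into action requires: a per-host inventory of installed software and a known patch path. Hosts, zones, product names and the advisory are constructed placeholders; hosts that were never inventoried cannot be triaged at all, which is the gap the paragraph describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    host: str
    zone: str                       # network zone, e.g. "control", "plant-dmz"
    software: Optional[dict]        # product -> version; None = never inventoried
    patchable: bool                 # a tested patch path / maintenance window exists

@dataclass
class Advisory:
    product: str
    fixed_version: str              # first release that carries the fix

def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(p) for p in v.split("."))

def triage(inventory: list, advisory: Advisory) -> dict:
    """Map each host to the action the advisory demands; unaffected hosts are omitted.

    'patch'      - affected and a patch path exists
    'compensate' - affected but no patch path: segment, restrict access, monitor
    'unknown'    - no inventory data, so the advisory cannot be applied
    """
    actions = {}
    for asset in inventory:
        if asset.software is None:
            actions[asset.host] = "unknown"
            continue
        installed = asset.software.get(advisory.product)
        if installed is None:
            continue                      # product not present, nothing to do
        if parse_version(installed) >= parse_version(advisory.fixed_version):
            continue                      # already on a fixed release
        actions[asset.host] = "patch" if asset.patchable else "compensate"
    return actions

# Constructed sample data (hypothetical hosts, products, and advisory).
INVENTORY = [
    Asset("eng-ws-01", "engineering", {"ExampleHMI": "4.1.0"}, True),
    Asset("hmi-02", "control", {"ExampleHMI": "3.2.5"}, False),
    Asset("historian-01", "plant-dmz", {"ExampleHistorian": "7.0.1"}, True),
    Asset("legacy-panel-07", "control", None, False),
]
ADVISORY = Advisory(product="ExampleHMI", fixed_version="4.0.0")

if __name__ == "__main__":
    for host, action in sorted(triage(INVENTORY, ADVISORY).items()):
        print(f"{host}: {action}")
```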
There is a diverse ecosystem of solutions that enable and work with a number of capabilities within the cybersecurity domain, but the actual risk reduction, the initial value, and the compounding value of detailed asset management, endpoint protection, and network security are undeniably powerful and render massive ROI compared to other silver-bullet, monitoring-only solutions.