Forward-looking organizations realize they need the same level of aggressiveness to protect assets as they have done for COVID-19 risk reduction. A three-pronged strategy on securing essential infrastructure is highlighted.
COVID-19 created the greatest disruption to manufacturing since World War II, and its implications on control system cybersecurity will be as dramatic. Forward-looking organizations now realize they need the same level of aggressiveness to protect their assets as they have used to lower risk from COVID-19. A three-pronged strategy helps close the cybersecurity gap to ensure essential infrastructure continues to operate in the new normal.
COVID-19 is one of those “exogenous shocks” that accelerates the pace of change overnight. For the past 15 to 20 years, control systems have evolved to greater connectivity and use of commercial off-the-shelf components, more recently referred to by brands such as “Industry 4.0” and “IIoT.” The change of pace, however, is evolutionary rather than revolutionary. These initiatives require organizational change, technical proof of concepts, capital investments, upgrades to control systems, etc. All of this takes time.
Then COVID-19 happened. Suddenly, within the course of four to six weeks, organizations found remote management of facilities became a necessity.
To maintain safe operations, on-site staff has been reduced to essential employees, and cybersecurity tasks have been delayed or conducted remotely. Remote access into industrial facilities has grown more in the past six months than in the past six years as travel and onsite access were restricted. While organizations had discussed the benefits of remote access and monitoring for years, the COVID-19 crisis forced their hands, whether ready or not.
It will be difficult, if not impossible, to put the genie back in the bottle. Because the economic disruption has lasted longer than anticipated, new business processes become more ingrained, leaders become invested in new approaches, test cases and proofs of concept now exist and the status quo shifts. What was seen as a short-term fix has become a permanent change.
COVID-19 also is driving a long-term shift in strategy of where production will happen. Long, complex, global supply chains are giving way incrementally towards onshoring critical components. As the economy recovers, industrial organizations must invest in new capacity to manufacture domestically. These facilities will likely push the boundaries of “connected industry” or “Industry 4.0” using the model of the pandemic operations as a guide.
ICS/OT cybersecurity: Promise, peril
Some may argue COVID-19 was a necessary catalyst to achieve the promise of a more efficient industrial base with digital manufacturing, with McKinsey and others estimating a $1 trillion opportunity in digital and connected manufacturing. However, this pandemic also highlights the industrial control system and operations technology (ICS/OT) security perils of shifting to digitalization without the proper infrastructure in place. Control systems are normally “insecure by design.” They are not designed, as modern information technology (IT) systems are, with an assumption that they will connect with the outside world and the cyber threats that exist there. They often do not receive the same rigor of security management as IT systems, such as regular patching, system hardening, configuration management, backup requirements or anti-malware.
As more commercial off-the-shelf components are introduced into control systems, the vulnerabilities present in these systems now extend into industrial facilities. A planned shift to greater connectivity would have balanced the promise of these initiatives while making necessary changes to protect companies against cybersecurity risks.
COVID-19 also forced many organizations to shift to remote management with limited onsite staff. In the immediate term, the explosion of remote access opened these systems to threats from targeted attacks and collateral damage from ransomware.
Reducing onsite staff also limits the bandwidth to manage these devices securely. To the extent that control systems are managed for security, it often is done by onsite personnel who manually patch or update anti-virus or conduct backups. These security maintenance tasks often are de-prioritized in a world of limited onsite resources.
In many cases, industrial cybersecurity was approached as building very high walls between IT and OT systems to limit the possibility of accessing these “insecure by design” systems. Now, due to COVID-19, a gate was created and more organizations have been allowed through that gate. At the same time, it reduced the protection of the assets within the gate, which is not a great security recipe.
Use a three-pronged approach to protect critical infrastructure assets
To secure these connected systems, it is not enough to just monitor network access; we must manage the endpoints inside the walls as well. As connectivity expands and remote access increases, endpoints are now more accessible than ever and, unfortunately, the onsite capacity to manage and secure these assets has declined. To ensure the security of critical infrastructure, a new approach to OT systems management is needed, mirroring the management of IT systems, which have been exposed for years. A three-pronged approach to control system endpoint management is a good starting point.
- Develop real-time visibility into the risks and security status of all operational assets. While it’s true you can’t protect what you can’t see, securing an asset requires a different mindset. Users need to go beyond knowledge of its existence to determine whether the asset is at risk and if the security deployed is active and up to date. This includes knowing all of the underlying software and firmware of the device, the criticality of that device to the process, the patch levels and vulnerabilities present, the status of key security controls such as anti-virus or whitelisting, backups, the configuration security, whether the device is protected by a well-configured firewall, etc. Successful organizations take this 360-degree view of their asset risk to manage endpoints.
- Think global: Scale security analysis globally. ICSs cannot be protected by leaving security to site-level resources when fewer resources will be onsite. By the same token, prioritization requires control system knowledge to understand potential risks to operations. A centralized database across all sites and assets is necessary to enable cross-vendor analysis of risks and potential remediation strategies. This insight enables risk remediation playbooks to be distributed for deployment, producing efficiency and consistency in risk prioritization and remediation planning.
- Manage security onsite. Effective industrial security requires management, not just monitoring, and that engages the knowledgeable experts onsite. As stated above, many of the risks to control systems are due to a lack of security systems management. Too often, organizations stop at monitoring because the alternatives for endpoint management are either inefficient (manual) or risky (IT systems management automation tools).
Organizations now have a third option: OT systems management tools built for control systems offer the same automation capabilities, but within the control of the local control engineers. These tools automate processes such as patching, configuration and software management, user and account management, and backups, but are locally-controlled so they are deployed at the appropriate time and within the proper testing sequence to ensure reliable operations.
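As an added illustration of the first two prongs (a 360-degree view of each endpoint's security status, and centralized cross-site, cross-vendor prioritization), here is example code that is not from the original article. The inventory records, site, host and vendor names, and the 30-day staleness thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: one record per control-system endpoint,
# collected centrally from several sites (hypothetical sites, hosts, vendors).
AS_OF = date(2020, 9, 15)
INVENTORY = [
    {"site": "plant-a", "host": "hmi-01", "vendor": "VendorX", "criticality": 5,
     "missing_patches": 3, "av_active": True, "av_sig_date": date(2020, 9, 1),
     "last_backup": date(2020, 8, 30), "firewalled": True},
    {"site": "plant-b", "host": "plc-eng-02", "vendor": "VendorY", "criticality": 3,
     "missing_patches": 0, "av_active": False, "av_sig_date": date(2020, 1, 1),
     "last_backup": None, "firewalled": False},
    {"site": "plant-a", "host": "historian-01", "vendor": "VendorX", "criticality": 2,
     "missing_patches": 1, "av_active": True, "av_sig_date": date(2020, 7, 1),
     "last_backup": date(2020, 9, 10), "firewalled": True},
]
STALE_DAYS = 30  # assumed threshold for signatures and backups


def evaluate_asset(asset, as_of=AS_OF):
    """Return the list of security-control gaps found on one endpoint."""
    gaps = []
    if asset["missing_patches"] > 0:
        gaps.append("missing patches: %d" % asset["missing_patches"])
    if not asset["av_active"]:
        gaps.append("anti-virus/whitelisting inactive")
    elif (as_of - asset["av_sig_date"]).days > STALE_DAYS:
        gaps.append("anti-virus signatures stale")
    if asset["last_backup"] is None or (as_of - asset["last_backup"]).days > STALE_DAYS:
        gaps.append("no recent backup")
    if not asset["firewalled"]:
        gaps.append("not behind a configured firewall")
    return gaps


def risk_score(asset, as_of=AS_OF):
    """Weight the number of gaps by how critical the asset is to the process."""
    return asset["criticality"] * len(evaluate_asset(asset, as_of))


def prioritize(inventory, as_of=AS_OF):
    """Cross-site ranking: highest criticality-weighted gap count first."""
    ranked = sorted(inventory, key=lambda a: risk_score(a, as_of), reverse=True)
    return [(a["site"], a["host"], risk_score(a, as_of), evaluate_asset(a, as_of))
            for a in ranked]


def gaps_by_vendor(inventory, as_of=AS_OF):
    """Cross-vendor view: which gap types recur on each vendor's equipment."""
    counts = {}
    for a in inventory:
        for gap in evaluate_asset(a, as_of):
            counts.setdefault(a["vendor"], {})
            counts[a["vendor"]][gap] = counts[a["vendor"]].get(gap, 0) + 1
    return counts
```

With the sample data, the unfirewalled engineering workstation with no active anti-virus and no backup ranks first even though it has no missing patches, which is the point of looking beyond patch status alone.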
COVID-19’s disruption created shockwaves through life and presented an existential threat to many individual businesses. Critical infrastructure faces unfamiliar territory and new risks brought on by a sudden shift to remote work and greater cybersecurity threats. Organizations must accelerate their OT systems management efforts to keep pace. The three-pronged approach can help protect critical infrastructure.