OT/IoT Security – Start From a Never Trust, Always Verify Mindset

Brian focuses on cyber threat intelligence, vulnerability risk management, and industrial control system security. His role is to help organizations do three core things: identify, assess, and prioritize cyber and physical threats; prepare for emerging attack vectors; and reduce cyber risk in enterprise IT and operational technology (OT) environments.

I wanted to get Brian’s take on how critical infrastructure and industrial operators are embracing digital transformation, securing their OT and IT networks, and mitigating the risks and vulnerabilities associated with them. I also wanted to find out what he thinks are the best opportunities organizations have to defend themselves against cyberattacks. Here’s what Brian had to say.

Q: Historically, many security experts have addressed the needs of IT, IoT and OT networks separately. As companies embrace and drive their digital transformation, what recommendations do you have related to securing OT and IoT networks? How do you see cloud, OT, IT, and IoT cybersecurity solutions fitting into the future?

A: Security and risk professionals should be considering Zero Trust strategies to mitigate risk in our hybrid IT/IoT/OT/cloud environments. Starting from a ‘never trust, always verify’ mindset will limit the impact of breaches wherever they occur. Regarding the cloud, enterprises – especially security – resisted it for a while. OT will largely lose that battle, too, except for very sensitive areas like nuclear power generation. There is simply too much value with the analytic capabilities of cloud services from OEMs and security vendors.

I see a day when an enterprise can view all their assets regardless of where they exist or what they are on a network map. And security pros will be able to manage cyber risk holistically across all domains and facilities.

Q: The SolarWinds supply chain attack was the most notable attack of 2020, and provided threat actors with direct access to a variety of organizations and their systems. With all the risks associated with the supply chain, what can organizations do to reduce risk and improve their supply chain resiliency?

A: SolarWinds is probably the most sophisticated intelligence operation known to the public. It is the outlier. The resources needed to detect the evolution of this campaign are unavailable for all but the top 0.1% of enterprises, if that. Therefore, we must build resilient security architectures that will prevent the commoditized breach techniques and tools and limit the impact of events like SolarWinds.

Enterprises should again take a Zero Trust approach to IT operations and security tools like SolarWinds. Limit access to systems, applications and networks to only the vendor or consultants who need access to them. Then, when the next compromised software update is downloaded, the threat’s communications will be blocked.
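The control described above, a default-deny outbound policy for a management or security tool host so that a trojanized update has nowhere to call home, can be checked against firewall logs. The following is an added example, not code from the interview or from any vendor: it evaluates constructed connection log lines against a per-host egress allowlist. The host name mon-srv-01, the TEST-NET addresses, the ports and the log format are all assumptions made for the example.

```python
"""Added example: default-deny egress check for a monitoring server.

Every outbound connection from a security/IT-operations host is compared
with an explicit allowlist of (destination network, port) pairs.  Anything
not on the list, or from a host with no policy at all, is denied.  Hosts,
addresses, ports and log lines are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the only legitimate peers of the monitoring server are the
# vendor's update service (here a TEST-NET-3 range) and the internal syslog
# collector.  Everything else is denied by default.
EGRESS_POLICY = {
    "mon-srv-01": [
        (ipaddress.ip_network("203.0.113.0/24"), 443),  # vendor update service
        (ipaddress.ip_network("10.20.0.0/16"), 514),    # internal syslog collector
    ],
}

# Constructed log format: key=value pairs, one connection per line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


@dataclass
class Verdict:
    src: str
    dst: str
    dport: int
    allowed: bool
    reason: str


def evaluate(line: str) -> Verdict:
    """Return the policy verdict for one connection log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    rules = EGRESS_POLICY.get(src)
    if rules is None:
        # Zero Trust default: a host without an explicit policy gets nothing.
        return Verdict(src, dst, dport, False, "no egress policy for source host; default deny")
    addr = ipaddress.ip_address(dst)
    for net, port in rules:
        if addr in net and dport == port:
            return Verdict(src, dst, dport, True, f"matches allowlist {net} port {port}")
    return Verdict(src, dst, dport, False, "destination/port not on allowlist")


def denied_connections(lines):
    """Return the verdicts for every connection the policy would block."""
    return [v for v in map(evaluate, lines) if not v.allowed]


# Constructed sample: two legitimate flows, then three that a compromised
# update or an unplanned host would generate.
SAMPLE_LOG = [
    "src=mon-srv-01 dst=203.0.113.10 dport=443 proto=tcp",   # update download, allowed
    "src=mon-srv-01 dst=10.20.1.5 dport=514 proto=udp",      # syslog forwarding, allowed
    "src=mon-srv-01 dst=198.51.100.77 dport=443 proto=tcp",  # unknown external host, denied
    "src=mon-srv-01 dst=10.20.1.5 dport=22 proto=tcp",       # wrong port on an allowed peer, denied
    "src=hmi-03 dst=203.0.113.10 dport=443 proto=tcp",       # host with no policy, denied
]

if __name__ == "__main__":
    for v in map(evaluate, SAMPLE_LOG):
        print("ALLOW" if v.allowed else "DENY ", v.src, "->", f"{v.dst}:{v.dport}", "|", v.reason)
```

The point of the per-host table is that the allowlist is scoped to the tool, not to the network: the monitoring server may reach its vendor's update service and the syslog collector, and nothing else, so a compromised update that tries a new destination is blocked rather than trusted because it came from a "security" host.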

Image: Oldsmar water facility’s treatment system. An attacker leveraged the TeamViewer app to remotely access the Oldsmar water facility’s treatment system in Florida. To learn more, read our blog: Hard Lessons from the Oldsmar Water Facility Cyberattack.

Q: Attacks on critical infrastructure are persistent and pervasive and can have a massive impact on everything ranging from business processes to revenue to human lives. The Oldsmar water facility incident is just one recent example. In the future, what can we do better to protect our critical infrastructure and how do we reduce the impact of these risks as much as possible?

A: We need a comprehensive strategy for protecting critical infrastructure. There is space for governments to increase regulations in critical infrastructure. NERC CIP could be a model for other critical infrastructure like water treatment systems. The American Water Infrastructure Act is brand new. Oldsmar is in the smaller category and was not required to submit the risk and resilience assessment or emergency response plan at the time of the breach. The AWIA appears much less prescriptive than CIP at this moment. But compliance will only get us to a set of minimal standards.

Our supply chain is vulnerable to malicious actors and interruptions due to weather and geopolitical events. Governments have a role to play here also. The last U.S. administration issued an executive order banning the procurement of hardware from risky countries for the electric grid. But upon initial review, it adds complexity to the related NERC CIP regulation on supply chain risk management.

Q: When it comes to cyberattacks, particularly with state-nexus actors, there has been significant focus on attribution … who is responsible for the attack. Does the source of the attack matter or change the response plan? When it comes to keeping infrastructure cyber-resilient and ensuring better business continuity, where is your energy best spent?

A: Few stakeholders can make use of attribution. For example, CISA recently shared all the unclassified information it has regarding the SolarWinds campaign except “one small piece related to attribution and frankly, that [piece] is not going to help a single network defender improve their security.” [1]

Critical infrastructure asset owners and operators can best spend their precious resources on limiting the impact of any breach – state-nexus or not – via Zero Trust strategies and on having a consistently tested incident response plan.

Q: The recent shift for people working in corporate locations to their home offices poses several challenges for security teams and companies. What are some of the risks associated with remote access and what steps can organizations take to improve their cybersecurity posture going forward?

A: Many enterprises cobbled together remote access solutions with the onset of the pandemic. Regarding Oldsmar, TeamViewer was likely a rapid solution procured and set up without the normal architecture and security reviews. Oldsmar had already upgraded to a more secure remote access solution but had failed to decommission the temporary TeamViewer solution.

To prevent breaches like Oldsmar, continuous asset inventory is a must. With a Zero Trust strategy, enterprises are uninstalling or turning off unused, unnecessary hardware, software, and features to reduce the organization’s attack surface. Furthermore, with a Zero Trust strategy, we highly segment user accounts to reduce the risk of stolen credentials.
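The two checks in the answer above, a continuous inventory that catches a temporary remote-access tool that was never decommissioned, and account segmentation that keeps one set of credentials from reaching both IT and OT, can be automated as a reconciliation against an approved baseline. The following is an added example and not the interviewee's or any vendor's code: it compares a constructed inventory snapshot with a per-zone approved software list and flags unapproved packages (remote-access tools at high severity) and accounts whose access spans more than one zone. The host, package and account names, the zone labels and the list of remote-access tool names are all assumptions.

```python
"""Added example: reconcile an asset inventory snapshot against a baseline.

Findings are raised for (a) software installed on a host that is not on the
approved list for that host's zone, with known remote-access tools called
out at high severity, and (b) accounts that hold access in more than one
network zone.  All names and data below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: package names as they appear in the inventory feed.
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk", "vnc-server"}


@dataclass
class Host:
    name: str
    zone: str            # e.g. "it" or "ot"
    software: set[str]   # installed packages reported by the inventory agent


@dataclass
class Account:
    name: str
    zones: set[str]      # zones in which the account holds a login or admin role


@dataclass
class Finding:
    severity: str        # "high" or "medium"
    subject: str         # host or account name
    detail: str


def reconcile(hosts: list[Host], accounts: list[Account],
              approved: dict[str, set[str]]) -> list[Finding]:
    """Return every deviation from the baseline, sorted by severity then subject."""
    findings: list[Finding] = []
    for h in hosts:
        allowed = approved.get(h.zone, set())
        for pkg in sorted(h.software - allowed):
            sev = "high" if pkg in REMOTE_ACCESS_TOOLS else "medium"
            findings.append(Finding(sev, h.name, f"unapproved software in zone {h.zone}: {pkg}"))
    for a in accounts:
        if len(a.zones) > 1:
            # One credential usable in both zones defeats segmentation.
            findings.append(Finding("high", a.name, f"account spans zones {sorted(a.zones)}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.subject, f.detail))


# Constructed baseline: what each zone is allowed to run.
APPROVED_BASELINE = {
    "ot": {"hmi-runtime", "secure-ra-gateway-agent"},
    "it": {"office-suite", "browser", "edr-agent"},
}

# Constructed snapshot: the OT HMI still carries the temporary remote-access
# tool after the approved gateway was rolled out; one admin account works
# in both zones.
SAMPLE_HOSTS = [
    Host("ot-hmi-01", "ot", {"hmi-runtime", "secure-ra-gateway-agent", "teamviewer"}),
    Host("it-ws-07", "it", {"office-suite", "browser", "edr-agent", "media-player"}),
]
SAMPLE_ACCOUNTS = [
    Account("ops-admin", {"it", "ot"}),
    Account("hmi-operator", {"ot"}),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, APPROVED_BASELINE):
        print(f"[{f.severity.upper():6}] {f.subject}: {f.detail}")
```

Run on a schedule against the live inventory feed, the first finding is exactly the Oldsmar-style gap: a host that is otherwise compliant but still exposes a remote-access path that should have been removed when the replacement went in.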

Securing Your IoT Devices – Context Does Matter

New technologies that drive business productivity and power our society continue to emerge, but they also introduce unknown challenges to critical infrastructure efficiency, reliability and cybersecurity.

Understanding the context of the risks these devices present is essential to successfully and sustainably mitigating them. It’s the responsibility of cybersecurity professionals to advise business stakeholders on the best path forward.

If you’re interested in learning more, check out the on-demand webinar below, where Brian and I discuss how to approach securing IT/IoT/IIoT/OT assets as components of your industrial control system (ICS).