How can you know for certain that your OT cybersecurity has been optimized? Apply two integrated principles: build it secure and keep it secure. These two principles complement each other and synergize to create and maintain reliable ICS security.
This week we’ll talk about the first step, ‘building it secure’: making sure that your system’s foundational architecture is laid out so that securing it is convenient and streamlined. If we imagine your firm’s security posture as a bank building, building it secure refers to the bank’s architectural design:
- Where are the doors?
- Where are the windows?
- If there’s an emergency, how will your teammates get out or stay safe?
- Is it easy for a bad actor to take advantage of anything else in your building layout, for example exits that are hard to visually monitor?
When we’re building a secure network, the concerns fall into two categories: ‘security architecture’ and ‘risk assessment & security management’.
Continuing with the building analogy, security architecture refers to the shape and layout – for a network, this is its topology. A bank’s different areas are clearly separated, access to the vault is granted only on the basis of need, and to maximize visibility banks usually have many windows; the same is true of a properly segmented network. Network segmentation breaks the network up into easily defended, high-visibility zones, defined strictly by which communication privileges each asset needs to do its job. This makes it much easier to spot malicious activity, which often shows up as unusual activity between zones, and it makes the network easier to defend through granular control of privileges.
Risk Assessment & Security Management
Risk assessment & security management allow the security team to define what can go wrong and then plan around those pain points. Risk assessment is done by identifying, analyzing and controlling risk factors, for example asset vulnerability. This is the phase where one creates awareness and makes a thorough list of where things can go wrong. In a building this would mean noting where the doors and windows are, knowing what a bad actor might attempt to do, and knowing where employees might make operational mistakes.
Similarly, in conducting risk assessment on an OT environment we would want to know which systems have increased vulnerability (unpatched or legacy systems), which systems have USB ports that need to be secured from the danger of insider-introduced malware, and which systems have internet access. We would also check for “intentionality”, or what needs to communicate with what based on each device’s operational intention. This information plays a major role during security management.
The second half of this category, security management, focuses on deploying safeguards based on the risk assessment. Just as a critical bank asset such as the vault gets its own dedicated protection, Intrusion Prevention Systems (IPSes) are small security appliances that can be matched to mission-critical OT assets on a 1-to-1 basis. They have protocol awareness to understand which ingoing or outgoing traffic is normal or abnormal and whether it should be allowed, and, like a security guard, they turn away unwanted access. There’s a reason most banks place entrances directly facing the teller desks and put a security guard nearby for good measure.
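To make ‘intentionality’ concrete, here is an added example that is not code from the original post or from the EdgeIPS products it mentions. It ties the three ideas above together: a constructed asset inventory annotated with the risk factors named in the risk assessment (legacy/unpatched, exposed USB, internet access), a zone policy that states which zone may talk to which zone over which ports, and a checker that runs constructed flow records against that policy so that traffic outside the declared intention stands out as an alert, the way unusual inter-zone activity stands out in a segmented network. All addresses, asset names, zones and ports are hypothetical.

```python
"""Zone-based intentionality checker for an OT network (added example)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    zone: str
    legacy: bool = False    # unpatched or end-of-life firmware/OS
    usb: bool = False       # exposed USB port (insider-introduced malware risk)
    internet: bool = False  # able to reach the internet


# Constructed inventory: hypothetical addresses, names and zones.
ASSETS = {
    "10.0.1.10": Asset("HMI-1", "supervisory", usb=True),
    "10.0.1.20": Asset("Historian", "supervisory", internet=True),
    "10.0.2.10": Asset("PLC-A", "control", legacy=True),
    "10.0.2.11": Asset("PLC-B", "control", legacy=True),
    "10.0.3.5": Asset("ENG-WS", "engineering", usb=True, internet=True),
}

# Intentionality policy: (source zone, destination zone) -> allowed TCP ports.
# Traffic inside one zone is allowed; any zone pair not listed is denied,
# so the control zone (PLCs) may never initiate connections outward.
POLICY = {
    ("supervisory", "control"): {502},          # Modbus/TCP polling from the HMI
    ("engineering", "control"): {502, 44818},   # Modbus/TCP and EtherNet/IP from ENG-WS
}


def risk_score(asset: Asset) -> int:
    """Count the risk factors from the assessment; higher means review first."""
    return sum((asset.legacy, asset.usb, asset.internet))


def check_flow(src: str, dst: str, dport: int):
    """Return (allowed, reason) for one connection attempt src -> dst:dport."""
    a, b = ASSETS.get(src), ASSETS.get(dst)
    if a is None or b is None:
        return False, "unknown asset"
    if a.zone == b.zone:
        return True, "intra-zone"
    allowed = POLICY.get((a.zone, b.zone), set())
    if dport in allowed:
        return True, f"{a.zone}->{b.zone} port {dport} in policy"
    return False, f"{a.zone}->{b.zone} port {dport} not in policy"


def _name(ip: str) -> str:
    asset = ASSETS.get(ip)
    return asset.name if asset else ip


def review_flows(lines):
    """Parse constructed 'src dst dport' records and return one alert per denied flow."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        ok, reason = check_flow(src, dst, int(dport))
        if not ok:
            alerts.append(f"{_name(src)} -> {_name(dst)}:{dport} DENY ({reason})")
    return alerts


# Constructed flow log (hypothetical traffic), one connection attempt per line.
SAMPLE_FLOWS = """
# src dst dport
10.0.1.10 10.0.2.10 502
10.0.3.5 10.0.2.11 44818
10.0.2.10 10.0.1.20 445
10.0.3.5 10.0.2.10 22
10.0.1.20 10.0.1.10 1433
192.0.2.7 10.0.2.10 502
""".strip().splitlines()


if __name__ == "__main__":
    # Risk assessment view: assets ordered by how many risk factors they carry.
    for ip, asset in sorted(ASSETS.items(), key=lambda kv: -risk_score(kv[1])):
        print(f"{asset.name:10} zone={asset.zone:12} risk={risk_score(asset)}")
    # Security management view: flows that violate the declared intention.
    for alert in review_flows(SAMPLE_FLOWS):
        print(alert)
```

The three alerts the sample produces are the PLC initiating a connection to the historian (the control zone is not allowed to reach out), the engineering station opening SSH to a PLC (a zone pair that is allowed, but only on Modbus/TCP and EtherNet/IP ports), and a source address that is not in the inventory at all. The HMI polling Modbus and the historian talking to the HMI inside the supervisory zone pass without comment. An inline IPS matched to a PLC enforces the same kind of rule at the device boundary with protocol awareness; this script only shows the policy logic.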
When you build your network securely, it’s important to use technology in your architecture that can be adapted to your business intention, and which is supported by full-time researchers to guarantee its security even as new malware and cyber threat methods are developed. Up-to-date signatures are crucial to threat defense, and some network-defense appliances, like EdgeFire, EdgeIPS, and EdgeIPS Pro, are designed with this in mind.