It’s not a matter of if, but when ……your plant gets hacked. How prepared are you for recovery?
In case you missed the announcement this week, some nasty vulnerabilities were found in a vendors wireless access point that’s frequently used in industrial environments. The device is a Wi-Fi Router designed for industrial use, providing Wi-Fi signals to plant equipment like sensors, engineering workstations, HMIs, laptops, even industrial controllers. Anyone chasing IoT or IIoT will have similar technology in place.
The vendor is Moxa, and the model affected is the AWK-313A, but that's irrelevant. Practically all manufacturers have had and will continue to have vulnerabilities exposed in their products. IT has tried to solve this for decades, but they still rely on streams of notifications highlighting new vulnerabilities in all of the products found in the enterprise.
As a result, IT ends up patching, patching and applying more patches. It's become the norm to discover that some software has been vulnerable to an attack for the past several years. It's become so normalized, that many times we forget to ask ourselves, "In all of the time I was vulnerable (since the installation of the equipment, not since the discovery of the vulnerability), did anyone take advantage of it? Did someone use that vulnerability to get a foothold in our plant?” The aforementioned vulnerability is within the perimeter security that we rely on the keep the bad guys out. That vulnerability, and many like it, allow attackers to completely bypass, hop over, tunnel through, or otherwise defeat the perimeter security. Scary stuff.
In the past 26 years of my career in cybersecurity, I’ve seen the defensive model change and mature. Originally, it was a lot of, “I don’t need cybersecurity”. Then after interconnectivity took off, it became, “Let’s build a solid perimeter”. After some time, it became apparent that the bad guys will always find a way to bypass the perimeter, so we increased our security by building a solid interior in addition to the solid perimeter. After even more time, we’ve now arrived in a world where we know there’s always a weakness somewhere, and as a result in large enterprises, every single day, they battle with virus outbreaks, malware infections, web server attacks, insider theft, DDOS attacks, etc. We’ve moved from a world where we believe we could always defend against bad guys to one where we’re in a constant state of recovery. At any given moment in time, in most very large enterprises, there is something bad happening, somewhere. It’s their ability to mitigate the threats, respond to incidents, build resiliency, and recover that keeps them alive.
How do we get that same level of cyber-resilience in the OT environment?
You’ll need an enhanced tool set that provides some key cybersecurity capabilities purpose-built for industrial environments. Knowing what’s in the plant is critical to increasing our cybersecurity posture.
1. Asset Inventory
Having an accurate Asset Inventory is the first step because you can’t secure what you don’t know is there. The Asset Inventory is the foundation on which we can build on. From an Asset Inventory, you should be able to determine the make and model, firmware version, OS version and patch level, and the programming/code logic existing on the devices. Furthermore, if your plant is using hardware modules on a chassis that contain more complex configurations like multiple CPUs, network cards, power supplies, I/O, etc, you’ll need a tool that’s capable of understanding those types of ICS infrastructure. Using this information, we can address several vital areas like risk management, vulnerability analysis.
2. Audit Trail
You'll need an audit trail of everything that’s taken place on the network. And we’re not talking just about a packet logging tool. You’ll need to be able to see who re-programmed what, from where, when, and how.
3. Visual Tool
Sometimes it's difficult to see the important insights when your starting point in a table full of data. Having a tool that can start graphically at a high-level and then dive into the details can help expand the staff that can leverage the tools. During recovery efforts, having more hands-on-deck is essential to successfully combating threats, it helps to have a tool with output that traverses the spectrum of staff that can assist in the effort.
By monitoring network traffic and parsing the proprietary protocols (i.e. CIP, Step7, etc.) as well as the common ICS protocols (Modbus, DNP3, etc.), you should be able to detect early Indicators of Compromise (IOC) so you can begin recovery earlier in the cyber kill-chain. This is worth its weight in gold; being able to mitigate the threat before damage is done.
Having a tool that can alert you when something new appears in your Asset Inventory, or when something communicates with another device in a strange way, or anything else at all that may appear as an anomaly can help to identify the early stages of being compromised. You should be able to identify the threat before it can further embed itself or move laterally within your environment.Recover Faster by Being Prepared
If the vulnerability previously mentioned doesn’t apply to you, consider yourself lucky to have avoided the storm, but don’t ignore the alarms. One day, your number will be called and you’ll find yourself in the middle of an outage, scrambling to patch, struggling to get visibility at the worst possible time –when you need it the most. As a resident of Florida, we can’t wait for the hurricane to be imminent to buy homeowners insurance, cover our windows, or secure our roof. It needs to be done beforehand, the same goes for proper cybersecurity and recovering from incidents.Recover Faster by Being Prepared
The key to being able to stay alive during a constant state of recovery is the capabilities of your workforce, the power of your tools, and how early you’ve implemented them and obtained full visibility into the OT environment. With the right synthesis, forensic capabilities and threat hunting in your OT environment can be an automated effort, resulting in quicker, more cost-effective recovery with less downtime.
Don’t wait until you’re dealing with a storm to start looking at tools. Right now, while it’s quiet, is the time to get moving on planning and building better cybersecurity capabilities.