
Five critical components of effective ICS/OT security

By Dean Parsons, SANS Certified ICS Instructor, CEO and Principal Consultant of ICS Defense Force

It’s no secret that the industrial control system (ICS) attack surface is rapidly expanding. From advancements in business digitalisation, IT-OT convergence and IoT adoption to the ripple effects of escalating geopolitical tensions, organisations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can potentially put people and communities at severe risk.

After all, there’s a clear differentiator regarding the nature of ICS/OT threats. Unlike traditional attacks against enterprise IT networks that are primarily rooted in monetary gain or data theft, state-sponsored adversaries often target critical infrastructure systems with the malicious intent to disrupt operations, inflict physical damage or even facilitate catastrophic incidents that lead to loss of life.

This isn’t fable or fiction – it’s our current reality. In early February, leaders of two US House subcommittees called on the US Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. For a more high-profile example, take the Russian state-sponsored CRASHOVERRIDE incident of 2016, which manipulated ICS equipment through the abuse of legitimate industrial control system protocols to disrupt the flow of electricity across Ukraine’s power grid at the transmission substation level. As a result, a portion of Ukraine’s capital city, Kyiv, experienced a one-hour outage overnight.

The incident served as a microcosm of an evolving era of cyber risk, signifying the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and actively respond to the pre-positioning of attacks before impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety and matters of national security. Just imagine if the Los Angeles, London or New York City power grid were cut off due to a successful ICS attack that caused irremediable damage, preventing recovery. We’re talking about millions of lives in jeopardy.

With that said, critical infrastructure organisations have an inherent responsibility to deploy a robust ICS/OT security framework that effectively protects their operational assets from sophisticated attacks. This isn’t a matter of merely meeting mandatory compliance minimums to avoid costly fines or steep regulatory penalties. It’s about leaving no stone unturned to protect people from the real-world impact of cyber crime – not only their own personnel, but those living and working in the surrounding communities in which they operate.

The five components of effective ICS/OT security

A balance in prioritisation is essential to effective ICS/OT security, as made clear by a recent SANS Institute white paper on The Five ICS Cybersecurity Critical Controls. Prevention bias is a common theme across the cyber security community. Between 60% and 95% of the most well-known and widely used security frameworks are preventative in nature, and they simultaneously fall behind in detection and response posture. As a result, many organisations invest as little as 5% of their resources in detecting, responding, operating through an attack and recovering from compromises.

Considering that both the volume and the velocity of ICS-related attacks are rapidly increasing, even the most stringent prevention measures are bound to be bypassed. Organisations must be prepared for not if, but when that happens – integrating AI-enabled detection and response approaches that drive agile mitigation and recovery action. Adopting an ICS/OT security framework that encompasses the following five critical controls is key to achieving that balance.

  1. ICS incident response: An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings. Exercising the plan reinforces risk scenarios and use cases tailored to the organisation’s security environment – prioritising actions based on the potential for operational impact and on how to position the system to operate through an attack. It also enhances operational resilience by facilitating root cause analysis of potential failure events.
  2. Defensible architecture: An effective ICS defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarised zones and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing as much risk as possible through system design and implementation while driving efficient security team processes.
  3. ICS network visibility monitoring: Due to the “systems of systems” nature of ICS attacks, it’s vital to implement continuous network security monitoring of the ICS environment with protocol-aware toolsets and systems-of-systems interaction analysis. These capabilities can be leveraged to inform operations teams of potential vulnerabilities to remediate, aiding general resilience and recovery and helping to avoid costly or dangerous operational downtime.
  4. Remote access security: Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organisation’s IT network, but now threat actors can also leverage the organisation’s entire supply chain ecosystem – capitalising on the IT network vulnerabilities of its vendors, maintenance personnel, integrators and equipment manufacturers. In turn, maintaining secure remote access controls is non-negotiable for modern industrial operations.
  5. Risk-based vulnerability management: A risk-based vulnerability management programme empowers organisations to define and prioritise the ICS vulnerabilities that generate the highest level of risk. Oftentimes, they are vulnerabilities that allow adversaries to gain access to the ICS or introduce new functionality that can be leveraged to cause operational issues such as the loss of view, control or safety within an industrial environment. Adopting risk-based vulnerability management requires having controls and device operating conditions in place that drive risk-based decision-making during prevention, response, mitigation and recovery action.
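As an added illustration of the protocol-aware monitoring in control 3 and the process-communication enforcement in control 2 (example code written for this page, not from the article or from SANS), the following Python monitor parses constructed Modbus/TCP frames and flags write requests from any host outside an assumed HMI-to-PLC allowlist, as well as function codes outside the expected process set. Modbus as the protocol, the host addresses and the allowlist policy are assumptions; the sample traffic is constructed inline.

```python
import struct
from collections import namedtuple

# Modbus/TCP function codes (real protocol values; Modbus is assumed here, the article names no protocol)
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed process-communication policy: only the HMI may write to the PLC. Addresses are constructed.
WRITE_ALLOWLIST = {("10.0.10.5", "10.0.20.11")}  # (HMI, PLC)

Alert = namedtuple("Alert", "src dst function_code reason")

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; length counts unit id + PDU, i.e. every byte after the first six.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7]

def inspect(src: str, dst: str, frame: bytes):
    """Apply the communication policy to one frame; return an Alert or None."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return Alert(src, dst, -1, "malformed MBAP header")
    _unit, fc = parsed
    if fc in WRITE_CODES and (src, dst) not in WRITE_ALLOWLIST:
        return Alert(src, dst, fc, f"{WRITE_CODES[fc]} from non-approved host")
    if fc not in READ_CODES and fc not in WRITE_CODES:
        return Alert(src, dst, fc, "function code outside the expected process set")
    return None

def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    # Assemble MBAP header + PDU; used only to construct the sample traffic below.
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: (src, dst, frame)
SAMPLE = [
    ("10.0.10.5", "10.0.20.11", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),       # HMI read: normal
    ("10.0.10.5", "10.0.20.11", build_frame(2, 1, 6, struct.pack(">HH", 40, 1))),       # HMI write: approved
    ("10.0.10.77", "10.0.20.11", build_frame(3, 1, 5, struct.pack(">HH", 0, 0xFF00))),  # unknown host write: alert
    ("10.0.10.77", "10.0.20.11", build_frame(4, 1, 8, b"\x00\x00")),                    # diagnostics (fc 8): alert
]

def run(records):  # alerts raised over a list of (src, dst, frame) records
    return [a for a in (inspect(s, d, f) for s, d, f in records) if a is not None]
```

Running `run(SAMPLE)` yields two alerts: the coil write from the non-approved host and the diagnostics request, while the HMI's own read and write pass silently.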

Fostering a safer future

For facilities struggling to get a handle on their own ICS/OT security programme, I recommend using the five critical controls as a starting point. These five pillars can serve as a roadmap for critical infrastructure organisations to build an ICS security programme uniquely tailored to their own risk profile. And while the controls are, in fact, invaluable to ICS/OT security, their potency still relies on an organisational culture of alignment in which the severity of cyber risk is understood and prioritised at every level – ranging from the board and executive leadership down to the frontlines of their security teams.

ICS/OT security must follow a team sport approach, combining the strength of agile controls and well-defined processes to keep pace with the accelerating nature of ICS attacks. With the right framework in place, critical infrastructure organisations can take proactive steps to drive their own defences against malicious adversaries.

If you are looking to find out more about ICS/OT security, explore the SANS ICS resources page here: https://www.sans.org/u/1qdc.
