Defense-in-depth: a proven strategy to protect industrial assets

Aug. 17, 2022
"The first step to any effective OT-security program is building alignment between executives, business leaders, IT and operations."

World Wide Technology recently released its WWT Research: Security Priorities Report, identifying five priorities for building security into the core of one’s business and moving confidently into the future. 

My thoughts…

The convergence of industrial-automation assets with traditional IT networks introduces a new world of cyber-threats and vulnerabilities with serious implications for both business and public safety.

Security measures have not historically been included in the development and maintenance of operational technology (OT). Until very recently, there were few security vendors or solutions tailored to industrial environments. For many organizations we work with, these systems have been in operation for years without being subject to the same upgrade and replacement cycles used in IT. Many standard IT security tools, like a simple port scan, can cause industrial control systems (ICS) devices to stop working permanently.

The bright side is that OT-security solutions are becoming more robust. Still, many industrial leaders and their IT counterparts are playing catch-up and struggling to collaborate effectively on security. 

The first step to any effective OT-security program is building alignment between executives, business leaders, IT and operations. Start by bringing key stakeholders together to establish a clear understanding of business line requirements and critical-system interdependencies. You’ll need frequent and clear communication between OT, IT and engineering. 

I recommend a defense-in-depth strategy, which layers various techniques and methods to cover security vulnerabilities. It’s impossible to deploy all security controls at once. With your security working group, identify your biggest vulnerabilities and prioritize your efforts to address your most pressing risks. Below are some effective tactics to consider:   

1. Ensure the physical safety of ICS assets. Unlike traditional IT assets, ICS assets often reside in remote and unmanned locations rather than a locked data center. A physical security plan for ICS asset protection should contain provisions for access control, intrusion detection, situational assessment, communication and response.

2. Implement an IT/OT segmentation strategy. An IT/OT segmentation strategy separates ICS networks from enterprise networks to prevent bad actors from entering enterprise networks to access ICS devices. This segmentation model can integrate with an IT/OT demilitarized zone (DMZ) for management tools, security tools and jump hosts, and can establish security zones to ensure devices are logically isolated and allowed only the communications they require.

3. Implement network access control. Take segmentation a step further by using network-access control (NAC), which requires a device to be authenticated and meet certain requirements (e.g., up-to-date patches and current antivirus signatures) before accessing the ICS network.

4. Use multi-factor authentication. While most ICS devices can’t support the implementation of multi-factor authentication (MFA), this can still be a viable tool. A jump host that requires MFA can help prevent unauthorized access and direct connections from a lower-security network into a higher one.

5. Automate asset discovery. Automated asset discovery in the ICS environment makes it possible to inventory, baseline, map and continuously monitor ICS networks to detect changes. This also provides a way to monitor for security-related patches and firmware updates, enabling the system administrator to have a much higher level of awareness of the state of systems.

6. Use antivirus software. Antivirus (AV) software can be used on systems like supervisory computers or human-machine interfaces (HMI) that run standard operating systems (e.g., Windows). AV software typically works by comparing files to known malware signatures and/or performing heuristics (i.e., behavioral analysis) to identify code that resembles malware. Files identified as malware are then cleaned or removed.

7. Safe-list approved applications. Safe listing allows a predetermined list of applications to run and prevents any application not on the list from running and introducing an attack vector.

8. Find potential security breaches using network monitoring, intrusion detection and threat intelligence. Network monitoring provides anomaly detection and warns system administrators and operators in time to take remediating action. It can also be configured to automatically filter malicious or unauthorized traffic. Threat-intelligence services provide identified threat signatures, indicators of compromise and discovered zero-day vulnerabilities to aid in the detection of, and response to, anomalies and threats.

9. Create a change-management program. Ultimately, a good change-management program ensures all changes are properly submitted, tracked and approved, and helps in the correlation of changes with detected ICS-network anomalies.
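As an added illustration of items 2, 5 and 8 above (this is example code, not from the article or from WWT), the Python check below applies a zone-based conduit policy (enterprise reaches ICS only through the DMZ jump hosts) and an ICS asset baseline to constructed flow records, flagging direct enterprise-to-ICS connections and ICS hosts that are not in the inventory. The zone address ranges, the asset list and the flow-log format are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed zone plan for the IT/OT segmentation model (constructed ranges).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),      # jump hosts, management tools
    "ics": ipaddress.ip_network("192.168.50.0/24"),
}

# Permitted zone-to-zone conduits. Enterprise may reach the DMZ and only the
# DMZ may reach the ICS zone; a direct enterprise -> ics flow is a bypass.
ALLOWED_CONDUITS = {("enterprise", "dmz"), ("dmz", "ics"), ("ics", "ics"),
                    ("dmz", "dmz"), ("enterprise", "enterprise")}

# Constructed asset baseline from automated discovery (item 5).
BASELINE_ASSETS = {"192.168.50.10", "192.168.50.11", "192.168.50.20"}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    """Map an address to its security zone, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flows(flows, baseline=BASELINE_ASSETS):
    """Return (reason, flow) findings for conduit violations and unknown ICS hosts."""
    findings = []
    for f in flows:
        pair = (zone_of(f.src), zone_of(f.dst))
        if pair not in ALLOWED_CONDUITS:
            findings.append(("segmentation bypass %s->%s" % pair, f))
        for ip in (f.src, f.dst):          # every ICS endpoint must be inventoried
            if zone_of(ip) == "ics" and ip not in baseline:
                findings.append(("ICS host not in baseline", f))
    return findings

def parse_flow_line(line):
    """Constructed flow-log format: 'src,dst,dport'."""
    src, dst, dport = line.strip().split(",")
    return Flow(src, dst, int(dport))

# Constructed sample: a jump-host session, Modbus from the DMZ, a direct
# enterprise-to-PLC connection, and traffic to an un-inventoried ICS host.
SAMPLE_FLOWS = ["10.0.4.21,10.10.0.5,22", "10.10.0.5,192.168.50.10,502",
                "10.0.4.21,192.168.50.11,502", "192.168.50.10,192.168.50.99,44818"]

def run_sample():
    return check_flows([parse_flow_line(l) for l in SAMPLE_FLOWS])
```

Findings from the sample are the third flow (enterprise to ICS without passing the DMZ) and the fourth (an ICS address missing from the baseline); in practice the flow records would come from the network-monitoring sensor described in item 8.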

By Enrique Martinez, technical solutions architect—OT Security, World Wide Technology