With the gas shortages stemming from the ransomware attack on the Colonial Pipeline Co. still fresh in our minds, coupled with the fact that most cybersecurity efforts tend to focus on IT assets like servers and workstations, efforts to spotlight key factors of industrial control system security are receiving more attention than ever.
A study of 312 security professionals, conducted by Tripwire (a cybersecurity technology supplier) found that 99% of security professionals report challenges with the security of their IoT (Internet of Things) and industrial IoT devices, and 95% are concerned about risks associated with these connected devices.
Tim Erlin, vice president of product management and strategy at Tripwire, said, “In the industrial space specifically, more than half (53%) said they are unable to fully monitor connected systems entering their controlled environment, and 61% have limited visibility into changes in security vendors within their supply chain.”
Because the actors behind a cyber-attack tend to take the path of least resistance, the majority of cyberattacks that occur are not highly sophisticated, Erlin said. “In most cases, practicing basic security hygiene, adapted for the environment, is the most effective way to protect against major cyber events.”
Following are four basic hygiene principles, suggested by Erlin, that can help harden critical systems against a cyber-attack:
- Visibility: Increased connectivity of control systems requires that we expand the notion of visibility. A complete and up-to-date inventory of all the devices in your environment is the most basic starting point for securing them.
- Secure configuration: Once you know what’s in your environment, you can work to make sure everything is configured securely at the onset. A misconfiguration in your environment is like leaving the front door unlocked for an attacker. Finding and addressing misconfigurations can dramatically reduce the risk of compromise.
- Managing vulnerabilities: Vulnerabilities are flaws in a system that an attacker can take advantage of to gain access or make changes. Addressing vulnerabilities in control systems may require strategies other than applying a patch, such as network segmentation.
- Incident response: Planning a response before you’re in the middle of a crisis is important. This includes determining who should be involved, what their roles should be, and how information will be communicated. It also means ensuring that you have the technical tools to understand what happened. Log data from the systems involved and change detection data can decrease incident response time.
“The cybersecurity market is full of advanced technologies that promise to stop the most sophisticated attacks, but evidence shows that a consistent focus on these basics pays off,” said Erlin.
Leaders relevant to this article: