3-part strategy for mitigating IIoT risk
- By Mark Ramsey, Gary DiFazio
- Oct 22, 2019
In a previous column, we argued that every federal agency is exposed to the potentially debilitating effects of a breach of the industrial internet-of-things systems that support its day-to-day operations, and that few agencies are even aware those systems exist. Because IIoT is a new environment to understand and secure, we lay out a risk mitigation strategy in three steps.
Step 1: Gain visibility
Begin by reducing uncertainty: know what infrastructure components exist, and therefore what must be secured. With holistic visibility into the entire network, IIoT included, agencies can create and maintain an asset inventory, manage communication patterns between devices, spot changes in network topology, identify rogue assets, track configuration changes and put vulnerabilities in context -- with data, not guesswork. To gain this visibility, agencies must:
- Understand and document all network communication between the IIoT and the agency IT network.
- Understand and document all remote access into the IIoT network, such as contractor access over dial-up modems, VPNs and cellular connections.
- Create and update asset inventory information with the vendor, make, model, serial number and firmware version of hardware as well as versions of installed software.
- Create and maintain a network topology diagram.
- Understand what industrial protocols are communicating between what assets. Isolate this industrial protocol traffic to networks segmented from agency IT networks.
- Understand how assets and devices are configured and if those configurations are changing.
- Identify what vulnerabilities are present in the environment and prioritize remediation based upon risk profile.
- Implement a centralized log management solution so that events from different types of equipment and applications can be correlated to pinpoint abnormal or malicious behavior.
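The following is an added example, not code from the column or from Tripwire, of what the first visibility pass over captured traffic looks like in practice. It takes constructed flow records (as a SPAN port or NetFlow export would produce), a constructed asset inventory with zone labels, and an assumed port-to-protocol table for common industrial protocols, and produces the artefacts the list above asks for: which industrial protocols are in use and between which assets, which of those flows cross the IIoT/IT boundary, which hosts are on the wire but not in the inventory, and a zone-to-zone communication matrix to seed the topology diagram.

```python
"""Added example: passive visibility pass over constructed IIoT flow records.

Not the column's or Tripwire's code. The port-to-protocol table, the asset
inventory and the flow records are all constructed for illustration.
"""
from collections import Counter

# Well-known default ports for common industrial protocols (assumed mapping;
# confirm against vendor documentation for the devices actually deployed).
INDUSTRIAL_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed asset inventory: ip -> (zone, vendor/model, firmware).
INVENTORY = {
    "10.10.1.10": ("OT", "PLC-A", "fw 2.1"),
    "10.10.1.11": ("OT", "PLC-B", "fw 2.0"),
    "10.10.1.50": ("OT", "HMI-1", "img 7.3"),
    "10.20.0.5": ("IT", "historian-mirror", "sw 5.1"),
    "10.20.0.9": ("IT", "it-workstation", "os 10"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, transport).
FLOWS = [
    ("10.10.1.50", "10.10.1.10", 502, "tcp"),    # HMI polling PLC-A inside OT
    ("10.10.1.50", "10.10.1.11", 502, "tcp"),    # HMI polling PLC-B inside OT
    ("10.20.0.9", "10.10.1.10", 502, "tcp"),     # IT workstation speaking Modbus to a PLC
    ("10.10.1.50", "10.20.0.5", 443, "tcp"),     # HMI pushing data to the historian mirror
    ("10.10.1.77", "10.10.1.10", 44818, "tcp"),  # source host absent from the inventory
    ("10.10.1.10", "10.20.0.9", 23, "tcp"),      # PLC reaching an IT host over telnet
]


def analyze_flows(flows, inventory=INVENTORY, ports=INDUSTRIAL_PORTS):
    """Turn raw flow records into the Step 1 visibility artefacts."""

    def zone(ip):
        return inventory[ip][0] if ip in inventory else "UNKNOWN"

    findings = {
        "industrial_flows": [],    # (src, dst, protocol) for every industrial-protocol flow
        "boundary_crossings": [],  # industrial protocol observed between the OT and IT zones
        "rogue_assets": set(),     # hosts seen on the wire but absent from the inventory
        "zone_matrix": Counter(),  # (src_zone, dst_zone) -> flow count, feeds the topology diagram
    }
    for src, dst, dport, _transport in flows:
        src_zone, dst_zone = zone(src), zone(dst)
        findings["zone_matrix"][(src_zone, dst_zone)] += 1
        for ip in (src, dst):
            if ip not in inventory:
                findings["rogue_assets"].add(ip)
        protocol = ports.get(dport)
        if protocol:
            findings["industrial_flows"].append((src, dst, protocol))
            # Industrial traffic should stay inside the segmented OT network.
            if {src_zone, dst_zone} == {"OT", "IT"}:
                findings["boundary_crossings"].append((src, dst, protocol))
    return findings


if __name__ == "__main__":
    for key, value in analyze_flows(FLOWS).items():
        print(f"{key}: {value}")
```

Run against the constructed flows, the pass reports one Modbus session from an IT workstation into a PLC (a boundary crossing to investigate or block), one EtherNet/IP talker that is not in the inventory (a candidate rogue asset), and a telnet session from a PLC to an IT host that the zone matrix exposes even though telnet is not an industrial protocol.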
Step 2: Implement protective controls
Protective controls prevent undesirable outcomes or limit their impact. Network segmentation between the agency IT network and the IIoT is a great first step: firewalls or access control lists on networking devices deny every communication that has not been explicitly authorized.
Another effective protective control is system/device hardening against established configuration guidelines such as NIST SP 800-53 (and, for industrial control systems, SP 800-82), under which:
- All services not explicitly needed to run the industrial process are disabled; for example, insecure protocols such as telnet, which sends traffic, credentials included, unencrypted, are turned off.
- Security features such as logging, SSH and SNMPv3 are enabled.
- The device/system is checked for proper configuration; for example, default passwords are changed and password management (length, strength, complexity, etc.) is enforced.
Overall, fundamental protective controls can include:
- Network segmentation, both between production zones and between key mission-critical systems/devices such as programmable logic controllers (PLC) and remote terminal units.
- System and device hardening to meet industrial standards or best practice guidelines like NIST SP 800-53 and NIST SP 800-82. Devices like human-machine interfaces, PLCs, engineering workstations, historian software and industrial networking devices should also be hardened.
- Centralization of all remote access with strong authentication by creating a separate, protected “DMZ” for all of these connections and implementing multifactor authentication for users.
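As an added example of the hardening checks described above, not code from the column or from Tripwire, the script below audits a device configuration against the three bullets: unneeded and insecure services disabled, security features enabled, and proper credential configuration. The IOS-style configuration syntax, the two sample configurations and the check rules are constructed for illustration; a real audit takes its rules from the vendor's hardening guide and from the SP 800-53 / SP 800-82 controls the column cites.

```python
"""Added example: hardening audit of a device configuration (not the column's code).

The IOS-style configuration syntax, the sample configurations and the check
rules are constructed for illustration.
"""
import re

# Constructed configuration as a device might ship: default account,
# SNMPv1/v2c community strings, telnet management, logging switched off.
WEAK_CONFIG = """\
hostname gw-plc-01
username admin password admin
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
no logging
"""

# The same device after hardening along the lines of the three bullets.
HARDENED_CONFIG = """\
hostname gw-plc-01
security passwords min-length 14
username opsadmin secret 9 $9$constructed-hash-value
ip ssh version 2
snmp-server group ops v3 priv
snmp-server user ops-ro ops v3 auth sha AuthPassExample priv aes 128 PrivPassExample
line vty 0 4
 transport input ssh
logging host 10.20.0.20
"""

# Vendor-default or trivially guessable passwords (illustrative list).
DEFAULT_PASSWORDS = {"", "admin", "password", "cisco", "1234", "default"}


def audit(config):
    """Return {check_name: (passed, evidence)} for each hardening check."""
    text = "\n".join(line.strip() for line in config.splitlines() if line.strip())

    def find(pattern):
        return re.search(pattern, text, re.M)

    results = {}

    # Disable services the process does not need: telnet is cleartext.
    m = find(r"^transport input .*\btelnet\b")
    results["telnet_disabled"] = (m is None, m.group(0) if m else "no telnet transport")

    # Enable the secure management features: SSHv2, SNMPv3 with privacy, remote logging.
    m = find(r"^ip ssh version 2$")
    results["ssh_v2_enabled"] = (m is not None, m.group(0) if m else "ip ssh version 2 missing")

    v2c = re.findall(r"^snmp-server community (\S+)", text, re.M)
    v3 = find(r"^snmp-server group \S+ v3 priv$")
    results["snmpv3_only"] = (
        not v2c and v3 is not None,
        f"community strings: {v2c}" if v2c else ("v3 priv group present" if v3 else "no SNMPv3 group"),
    )

    host = find(r"^logging host \S+")
    results["logging_enabled"] = (
        host is not None and find(r"^no logging$") is None,
        host.group(0) if host else "no logging host",
    )

    # Proper configuration: no default passwords, and a password policy in force.
    weak = [user for user, pw in re.findall(r"^username (\S+) password (\S+)", text, re.M)
            if pw.lower() in DEFAULT_PASSWORDS]
    results["no_default_passwords"] = (not weak, f"weak accounts: {weak}" if weak else "none found")

    m = find(r"^security passwords min-length (\d+)")
    results["password_min_length_12"] = (
        m is not None and int(m.group(1)) >= 12,
        m.group(0) if m else "no minimum length set",
    )
    return results


def failed_checks(config):
    """Names of the checks a configuration fails, sorted for stable reporting."""
    return sorted(name for name, (ok, _evidence) in audit(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "fails:", failed_checks(cfg))
```

Each check records the configuration line it matched as evidence, so a failed check can be traced to the exact line an operator must change; the same evidence is what a configuration-drift monitor should later watch for.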
Step 3: Continuous monitoring
The third step is continuous monitoring. Just as SCADA systems give operators visibility into and control of building automation systems, agencies need a SCADA-like cybersecurity capability that gives them visibility into IIoT security events and confirms that protective controls are still operating as intended. This is not a one-and-done activity; it must run continuously, because automation systems keep growing more sophisticated and the threat landscape keeps evolving.
Continuous industrial security monitoring answers the “How do I know” questions, such as:
- How do I know if device/asset configurations are changing and if those changes put the device in an insecure state or misalignment with technical build specification?
- How do I know if operational baselines (the configuration of a device or system that is specific to the environment it is running in) are changing?
- How do I know if a device is at the brink of a failure?
- How do I know if a rogue asset or protocol is now present on the network?
- How do I know if the system's vulnerability risk profile has changed?
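The first two and the last two “How do I know” questions come down to comparing a device's current state with a recorded baseline. The following is an added example, not code from the column or from Tripwire, of that comparison: a snapshot captures the normalized configuration (with its hash), the firmware version and the listening services; a later snapshot is diffed against it, and each changed configuration line is classified by direction, so that re-enabling telnet or removing remote logging is reported as an insecure change rather than just a change. The IOS-style syntax, both snapshots and the classification rules are constructed for illustration.

```python
"""Added example: configuration-baseline drift detection (not the column's code).

The baseline and current snapshots, the IOS-style syntax and the change
classification rules are constructed for illustration.
"""
import hashlib
import re


def normalize(config):
    """Drop blank and comment lines so cosmetic edits do not register as drift."""
    return sorted(line.strip() for line in config.splitlines()
                  if line.strip() and not line.lstrip().startswith("!"))


def snapshot(config, firmware, listening_ports):
    """Record what a device looks like at a point in time."""
    lines = normalize(config)
    return {
        "config_hash": hashlib.sha256("\n".join(lines).encode()).hexdigest(),
        "config_lines": lines,
        "firmware": firmware,
        "ports": set(listening_ports),
    }


# Lines whose appearance weakens the device, and lines whose disappearance does.
INSECURE_IF_ADDED = [r"^transport input .*\btelnet\b", r"^snmp-server community ",
                     r"^no logging$", r"^username \S+ password "]
PROTECTIVE_IF_REMOVED = [r"^logging host ", r"^ip ssh version 2$",
                         r"^security passwords min-length ", r"^snmp-server group \S+ v3 priv$"]


def classify(line, added):
    """'insecure' when the change moves the device away from its hardened state."""
    patterns = INSECURE_IF_ADDED if added else PROTECTIVE_IF_REMOVED
    return "insecure" if any(re.search(p, line) for p in patterns) else "review"


def detect_drift(baseline, current):
    """Compare two snapshots. The hash answers 'did anything change' cheaply;
    the line diff answers 'what changed, and does it matter'."""
    report = {
        "config_changed": baseline["config_hash"] != current["config_hash"],
        "added": [], "removed": [],
        "firmware_changed": None,
        "new_ports": sorted(current["ports"] - baseline["ports"]),
        "alerts": [],
    }
    if report["config_changed"]:
        before, after = set(baseline["config_lines"]), set(current["config_lines"])
        report["added"] = [(l, classify(l, True)) for l in sorted(after - before)]
        report["removed"] = [(l, classify(l, False)) for l in sorted(before - after)]
        for line, verdict in report["added"]:
            if verdict == "insecure":
                report["alerts"].append(f"insecure change: +{line}")
        for line, verdict in report["removed"]:
            if verdict == "insecure":
                report["alerts"].append(f"insecure change: -{line}")
    if baseline["firmware"] != current["firmware"]:
        report["firmware_changed"] = (baseline["firmware"], current["firmware"])
        report["alerts"].append(
            f"firmware {baseline['firmware']} -> {current['firmware']}: re-assess vulnerability profile")
    for port in report["new_ports"]:
        report["alerts"].append(f"new listening service on port {port}: rogue protocol or unexpected change")
    return report


# Constructed baseline taken right after hardening, and a later snapshot in which
# someone re-enabled telnet for convenience, dropped remote logging and added NTP.
BASELINE_CONFIG = """\
hostname gw-plc-01
security passwords min-length 14
ip ssh version 2
snmp-server group ops v3 priv
line vty 0 4
 transport input ssh
logging host 10.20.0.20
"""
CURRENT_CONFIG = """\
hostname gw-plc-01
security passwords min-length 14
ip ssh version 2
snmp-server group ops v3 priv
ntp server 10.20.0.21
line vty 0 4
 transport input telnet ssh
"""
BASELINE = snapshot(BASELINE_CONFIG, "2.1.0", [22, 443])
CURRENT = snapshot(CURRENT_CONFIG, "2.1.0", [22, 23, 443])

if __name__ == "__main__":
    for alert in detect_drift(BASELINE, CURRENT)["alerts"]:
        print(alert)
```

The NTP line shows up as a change to review rather than an alert, which is the point of classifying by direction: an operator is flooded if every edit pages someone, and misses the one that matters if none do. Firmware changes are reported separately because they change the vulnerability profile even when the configuration text is identical.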
Agencies that can answer all of these “How do I know” questions will be able to keep their industrial process running without interference from cybersecurity events and mitigate the introduction of new risk from the industrial environment to the agency’s IT network.
While most agencies are just starting to explore how to implement cybersecurity strategies for operational technology environments, IIoT is quickly expanding into every sector, enabling organizations to analyze and share data that makes operations exponentially more efficient.
Even if an agency doesn’t manage radioactive waste and its buildings aren't on the Department of Homeland Security's critical infrastructure Government Facilities Sector list, it still runs IIoT systems and technologies that could have a devastating impact on the agency mission and key objectives if compromised. The time to implement visibility, protective controls and continuous monitoring is now -- every minute that agencies wait is a minute that leaves their networks vulnerable to a host of costly threats.
Mark Ramsey is federal civilian sales manager at Tripwire.
Gary DiFazio is strategic marketing director, industrial cyber security, at Tripwire.