In the digital age of the 21st century, securing our critical infrastructure networks, systems and data is of vital importance. Recent breaches capturing national news interest demonstrate that for many organizations, a lot of work needs to be done to protect vital systems from both targeted and non-targeted attacks. Fortunately, today’s organizations can take proactive steps to prevent damage to their businesses, brand, customers and bottom line.
The five steps below provide a foundation for managing risk through real-time threat prevention:
1. Gather Detailed Information First
Any agency, no matter the size or mission, should first gather data and intelligence to understand vulnerabilities and mitigate risk. Unfortunately, organizations often fail to make even basic preparations and lack proper planning, including an accurate and up-to-date asset inventory. Such an inventory records the types of deployed systems (servers, client devices and networking equipment) and, when practical, the locations of these systems and information about their base images.
Another piece of critical decision-making information is the business impact analysis. It is vital that decision makers understand that not all deployed assets represent equal risks. Some assets are intrinsically more valuable than others. Also, in some cases, assets are dependent upon other assets.
Almost certainly, critical infrastructure owners will have one facility or a group of facilities that is more critical to the organization’s mission than others. Individual systems within those critical facilities will also have stratified risk profiles. Without having this data, organizations will be unable to make informed decisions about their cybersecurity programs and priorities.
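To make the two ideas in this step concrete (an inventory with locations and base images, and a business impact analysis in which assets depend on other assets), here is an added example that is not from the original article. The inventory, facility names, base-image names and criticality scores are all constructed placeholders. The example propagates criticality along dependency edges: an asset that a mission-critical system depends on is treated as mission-critical itself, and it also flags inventory gaps (unknown location or base image) so they can be closed before the data is used for decisions.

```python
"""Dependency-aware asset criticality ranking (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Asset:
    name: str
    kind: str                     # server, client, network, plc, hmi ...
    facility: str
    criticality: int              # 1 (low) .. 5 (mission critical), from the business impact analysis
    location: Optional[str] = None
    base_image: Optional[str] = None
    depends_on: List[str] = field(default_factory=list)   # names of assets this one needs to operate


# Constructed sample inventory; every name and value here is hypothetical.
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("hist-01", "server", "plant-a", 3, "rack 2", "win2019-base-v7", ["sw-core-01"]),
    Asset("hmi-01", "hmi", "plant-a", 4, "control room", "hmi-image-v3", ["plc-01", "sw-core-01"]),
    Asset("plc-01", "plc", "plant-a", 5, "line 1", None, ["sw-core-01"]),
    Asset("sw-core-01", "network", "plant-a", 2, "rack 1", None, []),
    Asset("eng-laptop-01", "client", "plant-a", 2, None, "eng-image-v2", []),
    Asset("hr-web-01", "server", "hq", 1, "dc", "lin-base-v4", ["sw-hq-01"]),
    Asset("sw-hq-01", "network", "hq", 1, "dc", None, []),
]}


def effective_criticality(inventory: Dict[str, Asset]) -> Dict[str, int]:
    """An asset inherits the criticality of everything that depends on it.

    If the PLC (5) depends on the core switch (2), losing the switch also stops
    the PLC, so the switch is effectively a 5. Dependency cycles are broken at
    the point of re-entry by falling back to the asset's own score.
    """
    dependents: Dict[str, List[str]] = {n: [] for n in inventory}
    for a in inventory.values():
        for dep in a.depends_on:
            if dep in inventory:              # references to unknown assets are an inventory gap, not a crash
                dependents[dep].append(a.name)
    memo: Dict[str, int] = {}

    def score(name: str, stack: FrozenSet[str]) -> int:
        if name in memo:
            return memo[name]
        if name in stack:
            return inventory[name].criticality
        s = inventory[name].criticality
        for d in dependents[name]:
            s = max(s, score(d, stack | {name}))
        memo[name] = s
        return s

    return {n: score(n, frozenset()) for n in inventory}


def ranked_worklist(inventory: Dict[str, Asset]) -> List[dict]:
    """Assets ordered by effective criticality, with missing inventory fields flagged."""
    eff = effective_criticality(inventory)
    rows = []
    for a in inventory.values():
        gaps = [f for f in ("location", "base_image") if getattr(a, f) is None]
        rows.append({"name": a.name, "facility": a.facility, "own": a.criticality,
                     "effective": eff[a.name], "inventory_gaps": gaps})
    rows.sort(key=lambda r: (-r["effective"], -r["own"], r["name"]))
    return rows


def facility_criticality(inventory: Dict[str, Asset]) -> Dict[str, int]:
    """Highest effective criticality found in each facility."""
    eff = effective_criticality(inventory)
    out: Dict[str, int] = {}
    for a in inventory.values():
        out[a.facility] = max(out.get(a.facility, 0), eff[a.name])
    return out


if __name__ == "__main__":
    for r in ranked_worklist(INVENTORY):
        print(f'{r["name"]:14} {r["facility"]:8} own={r["own"]} effective={r["effective"]} gaps={r["inventory_gaps"]}')
    print(facility_criticality(INVENTORY))
```

The ranking is what the planning step in the next section consumes: the core switch sits near the top despite its own score of 2, because the PLC and HMI cannot run without it, and the two assets with no recorded base image are exactly the ones where a patch or rebuild decision cannot yet be made from the inventory alone.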
2. Identify Quick Wins
After an organization creates a high-level plan that outlines the resource allocation each business area will receive, it can then begin determining the most effective strategy for reducing cyber risk. In general, creating an architecture that supports a proactive approach to cybersecurity will be the best place to begin.
The difficulty, however, is that most legacy IT and industrial control system (ICS) deployments require substantial modifications to support an active defense. Re-architecting a network can be costly, especially if equipment and hardware are outdated. In addition, many older vendor systems are not capable of handling these types of upgrades and will require a cost-prohibitive replacement.
A skilled cybersecurity practitioner, whether in-house or outsourced, will have the ability to identify the so-called ‘low hanging fruit’ – in other words, those items that provide the largest reductions in risk relative to the cost of their implementation.
3. Focus on the Day-to-Day
With a cybersecurity architecture in place, an organization can start to focus on the mechanics of operating and maintaining its security programs. Key areas of interest here are patch and configuration management. In many cases, security patches and configuration management tools are inapplicable or ineffective in the ICS environments operated by many critical infrastructure companies. This problem often leaves practitioners perplexed as to how they can perform these ‘routine’ tasks, and frequently results in these tasks remaining undone.
In a fundamental sense, though, all the data that is needed to perform patch and vulnerability management is readily available in the ICS environment, and can be collected and analyzed through passive means.
The key to success in this area is to create detailed procedures that are customized to the individual environment and can be followed by operational personnel who do not have specialized security expertise, along with the use of patch and configuration management tools.
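The claim that patch and vulnerability management data can be collected passively is easy to illustrate. Below is an added example (not from the article, and not any vendor's tool) that turns passively observed protocol banners and firmware strings into a patch-status worklist. The observation lines, the product names ExampleHMI and ExamplePLC, the IP addresses and the baseline versions are all constructed placeholders; a real deployment would feed it records from a network sensor on a mirror port and a baseline taken from the vendors' own advisories. Nothing here touches a device, which is the point for ICS networks where active scanning is unsafe.

```python
"""Patch-status triage from passively observed banners (added example, constructed data)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed passive observations, in the shape a mirror-port sensor might log.
OBSERVATIONS = """\
2024-03-01T08:00:01Z src=10.10.1.21 proto=http banner="Server: ExampleHMI/3.2.1"
2024-03-01T08:00:04Z src=10.10.1.22 proto=http banner="Server: ExampleHMI/3.4.0"
2024-03-01T08:01:10Z src=10.10.1.30 proto=modbus vendor="ExamplePLC" firmware="2.1.7"
2024-03-01T08:01:12Z src=10.10.1.31 proto=modbus vendor="ExamplePLC" firmware="2.3.0"
2024-03-01T08:02:00Z src=10.10.1.40 proto=http banner="Server: OtherVendorWeb/1.0"
2024-03-01T08:02:30Z src=10.10.1.21 proto=http banner="Server: ExampleHMI/3.2.1"
"""

# Constructed baseline: the lowest version that hypothetical vendor advisories consider patched.
BASELINE: Dict[str, str] = {"ExampleHMI": "3.4.0", "ExamplePLC": "2.3.0"}

BANNER_RE = re.compile(r'banner="Server: (?P<product>[A-Za-z]+)/(?P<version>[0-9.]+)"')
FIRMWARE_RE = re.compile(r'vendor="(?P<product>[A-Za-z]+)" firmware="(?P<version>[0-9.]+)"')
SRC_RE = re.compile(r"src=(?P<src>[0-9.]+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple: '3.2.1' -> (3, 2, 1)."""
    return tuple(int(p) for p in v.split("."))


def parse_observation(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source address, product, version) or None if the line carries no version data."""
    src = SRC_RE.search(line)
    m = BANNER_RE.search(line) or FIRMWARE_RE.search(line)
    if not src or not m:
        return None
    return src.group("src"), m.group("product"), m.group("version")


def passive_inventory(text: str) -> Dict[str, Tuple[str, str]]:
    """Latest observed (product, version) per source address; repeated sightings collapse to one entry."""
    inv: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parsed = parse_observation(line)
        if parsed:
            src, product, version = parsed
            inv[src] = (product, version)
    return inv


def patch_gaps(inv: Dict[str, Tuple[str, str]], baseline: Dict[str, str]) -> List[dict]:
    """Assets behind the baseline, plus assets with no baseline at all (a data gap to close, not to ignore)."""
    gaps: List[dict] = []
    for src, (product, version) in sorted(inv.items()):
        row = {"src": src, "product": product, "version": version}
        if product not in baseline:
            gaps.append({**row, "status": "no-baseline"})
        elif parse_version(version) < parse_version(baseline[product]):
            gaps.append({**row, "status": "behind", "baseline": baseline[product]})
    return gaps


if __name__ == "__main__":
    for g in patch_gaps(passive_inventory(OBSERVATIONS), BASELINE):
        print(g)
```

The output is the list an operator without security expertise can act on from a written procedure: which device, what it is running, and what version the vendor baseline expects. The "no-baseline" rows are just as important as the "behind" rows, since a product that nobody has mapped to an advisory source is one whose patch status is simply unknown.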
4. Invest in the Education of Your People
The human element will always be a weak link in any security program. However, most human-introduced security errors and vulnerabilities are preventable through education.
The key areas to focus on in the IT and ICS environments are removable media and roaming laptops. One of the most attractive threat vectors in these environments is the introduction of an attack through a thumb drive or an engineering workstation that connects directly to the process control network.
Often, the inappropriate use of personal thumb drives and mobile workstations comes down to the simple fact that the operator or engineer did not know there was anything wrong with the behavior or that it could impact the organization’s security. Additionally, education will empower an organization’s employees to make proactive decisions about their behavior. Also important is that it will help invest them in the process and encourage them to participate in training.
5. Start Today
The task of retroactively adding security to a long-deployed IT and ICS environment may seem daunting. However, all too often organizations suffer from ‘analysis paralysis’ and elect to follow the path of inaction, and that is often the most costly path of all.
As the old saying goes, a “journey of a thousand miles begins with a single step”, and it is critical that organizations remember that security is a journey and not a destination. IT and business executives at these organizations need to take the lead in making sure their organizations are moving toward an enhanced security environment—and in order to keep up with the attackers, they need to start today.
To ensure that efforts are not delayed, it’s best to seek advance buy-in at the highest levels of the organization. CEOs, CFOs and boards of directors understand what is at stake. But they need to be reminded that a proactive approach to security is essential, and that simply crossing their fingers and hoping they won’t get a breach, or adopting a reactive approach following a breach is not a viable strategy.
High-profile data breaches and the ever-increasing complexity of protecting critical infrastructure leave many to assume that successful attacks are inevitable. This belief is not only incorrect, but it can also prove to be costly in terms of money and time on the part of business and technology leaders. A reactive approach to security is no longer a viable security strategy in this day and age - too much is at stake to focus solely on detection after the fact.
Fortunately, critical infrastructure organizations today can employ the above steps to better mitigate and manage risk. Moreover, real-time threat prediction and prevention is now both a reality and a strategy. Using artificial intelligence and machine learning for endpoint protection, rather than a reactive model, addresses the deficiencies of antiquated tools such as signature-based ‘legacy’ security systems. If organizations can block threats in real time, pre-execution, before they cause harm – then why not do so?
Visit www.cylance.com/criticalinfrastructure to learn more about how you can protect your organization.