Cybercriminals have targeted and exploited multiple industrial control system (ICS) and operational technology (OT) environments in the last several months. Attackers latched onto a sensitive part of U.S. companies' technology stacks, highlighting how exposed industrial organizations are.
Almost two-thirds of ICS/OT advisories issued without a patch also had "no practical mitigation advice," leaving organizations to fend for themselves, according to Dragos' 2020 Cybersecurity Year in Review report. Companies also ignore advisories that lack "environmental context" or usefulness, and 43% of advisories contain errors.
When vulnerability scan reports become overwhelming, companies struggle to prioritize appropriately. Depending on which technologies or services a company relies on for vulnerability alerts, security executives differ in how they address the risk. The common thread in vulnerability prioritization is understanding the OT environment through and through.
Here is how three security leaders discover, assess and manage vulnerabilities:
Know the whole environment
Berkshire Hathaway Energy comprises 10 locally operated companies that provide electricity, transmission, distribution, natural gas and liquefied natural gas across 28 states and international regions. "But security, and the concerns around security risks, are prevalent across all of those organizations," Michael Ball, vice president and chief information security officer at Berkshire Hathaway Energy, said during a webcast hosted by Dragos.
Each business in Berkshire Hathaway Energy's portfolio houses different security solutions depending on the purpose of the technology. There are also manual processes, which complicate rapid assessment and verification. "We struggle — we're not where we want to be," Ball said.
Because a cyberattack on information technology (IT) systems can threaten OT operations, as happened at Colonial Pipeline, Ball focuses on "consequence management": understanding how a bad actor could make the leap from IT to OT. "Our biggest challenge is we must know everything in our environment," he said.
When traditional IT security operations uncover an issue, they directly contact "the people that know the systems that touch the buttons," typically IT technologists, Ball said.
However, with OT, "you'll have some technologists there, but oftentimes, it's your operators that know when an alert is something to be worried about," Ball said.
Don't rule out tradition
Vulnerability detection solutions should provide insight into what weaknesses exist in current OT systems or third-party components. Energy company Boardwalk Pipelines is not comfortable using active scanning methods, so it relies on traditional methods of vulnerability awareness: reporting and information-sharing platforms, including Information Sharing and Analysis Centers (ISACs) and the United States Computer Emergency Readiness Team (US-CERT).
Most of the time, those alerts drive remediation at the perimeter. But "everyone knows, the closer you get to remediate vulnerabilities at the actual control or device, the better it is," James Sumpter, vice president of IT operations and security at Boardwalk Pipelines, said during a webcast hosted by Dragos on Thursday.
"Scanning our ICS network was not necessarily a safe option in all cases. We've tried; we've used the tools before that have caused problems," Sumpter said. Manual assessments tend to prolong remediation and undermine prioritization. Flat vulnerability reporting, without the context of industry or devices, does not help internal analysts decide how to prioritize remediation.
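What "environmental context" adds to a flat advisory list, as an added example that is not code from Dragos or from any company quoted here: a handful of advisories matched against an asset inventory and ranked by what the device does, whether the flaw is reachable over the network, and whether a path from the IT side exists (the IT-to-OT leap Ball describes above). The advisory identifiers, vendor and product names, inventory entries and scoring weights are all constructed assumptions, not real advisories or devices.

```python
"""Rank ICS/OT advisories by environmental context rather than as a flat list.

Added example, not code from Dragos or any company quoted on the page.
All identifiers, vendors, products, inventory and weights are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.1' -> (2, 3, 1) so firmware versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # hypothetical identifier, not a real advisory
    vendor: str
    product: str
    affected_below: str        # versions strictly below this are affected (assumed format)
    network_exploitable: bool  # exploitable over the network vs. needs local/physical access
    patch_available: bool
    mitigation: Optional[str]  # practical mitigation text, or None if the advisory gives none


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    zone: str                  # where the device sits, e.g. "control", "supervisory"
    reachable_from_it: bool    # is there a network path from the IT side to this device?
    criticality: int           # 1 (nuisance) .. 5 (loss of control or safety impact)


@dataclass(frozen=True)
class Finding:
    asset: str
    advisory_id: str
    score: int
    action: str


def affected(adv: Advisory, asset: Asset) -> bool:
    """An asset is affected only if vendor, product and version range all match."""
    return (adv.vendor == asset.vendor and adv.product == asset.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def score(adv: Advisory, asset: Asset) -> int:
    """Environmental score: what the device does and how an attacker would reach it.

    The weights are an assumption for illustration; tune them to your own process.
    """
    points = asset.criticality * 2
    if adv.network_exploitable:
        # A network-exploitable flaw on a device reachable from IT is the IT-to-OT
        # pivot path that "consequence management" is meant to find first.
        points += 3 if asset.reachable_from_it else 1
    if not adv.patch_available and adv.mitigation is None:
        points += 1  # nothing from the vendor to apply: needs compensating controls
    return points


def recommended_action(adv: Advisory) -> str:
    if adv.patch_available:
        return "schedule vendor patch in the next maintenance window"
    if adv.mitigation:
        return "apply advisory mitigation: " + adv.mitigation
    return "no vendor fix or mitigation advice: design compensating controls"


def prioritize(advisories: List[Advisory], inventory: List[Asset]) -> List[Finding]:
    """Match advisories to inventory and return findings, highest score first."""
    findings = [
        Finding(asset.name, adv.advisory_id, score(adv, asset), recommended_action(adv))
        for adv in advisories
        for asset in inventory
        if affected(adv, asset)
    ]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def unmitigated(advisories: List[Advisory]) -> List[Advisory]:
    """Advisories with neither a patch nor practical mitigation advice."""
    return [a for a in advisories if not a.patch_available and a.mitigation is None]


# Constructed sample data (not real advisories or devices).
ADVISORIES = [
    Advisory("ADV-0001", "ExampleVendor", "PLC-100", "2.5.0", True, True,
             "restrict Modbus/TCP (502) to engineering workstations"),
    Advisory("ADV-0002", "ExampleVendor", "HMI-Panel", "4.0.0", True, False, None),
    Advisory("ADV-0003", "OtherVendor", "RTU-7", "1.2.0", False, False,
             "requires local console access; keep cabinet locked"),
]
INVENTORY = [
    Asset("plc-compressor-1", "ExampleVendor", "PLC-100", "2.3.1", "control", False, 5),
    Asset("hmi-ops-1", "ExampleVendor", "HMI-Panel", "3.8.2", "supervisory", True, 3),
    Asset("plc-lighting", "ExampleVendor", "PLC-100", "2.6.0", "control", False, 1),
    Asset("rtu-meter-4", "OtherVendor", "RTU-7", "1.1.0", "field", False, 2),
]

if __name__ == "__main__":
    for f in prioritize(ADVISORIES, INVENTORY):
        print(f"{f.score:>2}  {f.asset:<18} {f.advisory_id}  {f.action}")
```

Note that the plc-lighting PLC runs a version above the affected range and drops out entirely, and that the two remaining affected devices rank differently than a severity-only list would suggest: the isolated compressor PLC outranks the IT-reachable HMI only because its process criticality is higher, while the HMI advisory is the one with no patch and no mitigation, which is the case the Dragos figure above describes and the one that needs a compensating-control decision rather than a ticket.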
"It's not an overnight achievement, but we're looking at it as, what do we have today? How are we doing with it? And what do we need to do to change?" Sumpter said.
As industrial "killzones" evolve, new threat metrics and limited visibility are challenging security teams, Sumpter said. "The traditional vulnerability scanning systems pose a significant risk to the temperamental nature of those industrial controls," which is partly why Boardwalk is focusing on IoT-related security.
Cross IT-OT questioning
With digital transformation at Koch Industries, the autonomy between facilities is fading. "That's been a big concern of ours," not having visibility in the areas Koch wants, particularly in the chemical sector, Shon Gerber, chief information security officer at Invista, a subsidiary of Koch Industries, said during the webcast.
Koch has automated some vulnerability alerts, with manual operations in the mix too. "Someone calls up in the middle of the night, and the servers are responding for whatever reason. And that part, you then have to go chase that fish," Gerber said.
The Colonial Pipeline attack, in which the company froze its OT environment during a ransomware attack on its IT environment, was a wake-up call for businesses. Koch's investment arm has a stake in Colonial Pipeline.
IT teams are "active partners with our operational folks," Gerber said. With that partnership, the questions the business needs to address include:
- What is our incident response plan?
- Do the IT and OT teams know what they need to do?
- Have the teams worked this process before?
- Do we have a business continuity or disaster recovery plan in place?
- If backups are the perceived solution to an attack, are we aware of the impacts of it?
Koch has struggled with IT/OT communication. "In the past, we've had one guy, and this one guy knew everything about OT, and everybody went to him," Gerber said. Today, that "one guy's" network knowledge is spread across the IT organization.