Mitigate OT security threats with these best practices

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in Mandiant’s ICS/OT Consulting practice and former engineer at Entergy, where he was a subject matter expert on transmission and distribution of supervisory control and data acquisition (SCADA) systems. In this blog, Chris shares best practices to help mitigate the security threats to operational technology (OT) environments.

Natalia: What tools do you use to monitor and govern your OT environment?

Chris: First, you can use the control system itself, which already offers some level of visibility into what’s happening. It looks like NASA control. Operators sit and watch the process all day. You can see what looks normal and what doesn’t look normal.

What’s new is not just looking at the system itself but at OT network security. Especially in the last five or six years, the focus has been on getting network visibility sensors into the control network. There are several vendors, like MODBUS, Siemens S7, and DNP3, out there that understand the protocols and have developed sensors that are purpose-built to analyze OT network traffic rather than IT traffic.

With a newer control system, it’s much easier. Many times, they’ll use virtual machines to manage OT, so you can put agents in those areas. If it’s a Windows 10 or Windows 7 environment, you can even use Microsoft Defender Antivirus and collect the Windows event logs and switch logs. If you don’t look at the logs, you’re not going to know what’s there, so you need to monitor behavior at the network layer using technologies like deep packet inspection (DPI) to identify compromised devices.

Natalia: What are some best practices for securing remote access to the OT network?

Chris: Number one, if you don’t need it at all, don’t have it. That’s the most secure option.

Number two, if you have to have it, make sure it’s engineered for why it’s needed and tightly control who can use it. It’s also important to make sure it’s monitored and protected with multifactor authentication (MFA) unless it’s just for read-only access to the control network, in which case it’s less of a risk. A lot of times, these OT equipment vendors require in their warranty contracts that they have remote access with full control and the ability to change configurations, which means you’ve given someone a high level of privileged access to your control systems.

Number three, have a process and procedure for when that remote access is used and when it’s turned off. You should at least know who was there and for how long, and who did what, using audit logs, for example.

I want to highlight that the Water ISAC, the international security network created for the water and wastewater sector, published a free document called 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. It’s a reminder to consider where remote access is coming from.

Natalia: What percentage of organizations are continuously monitoring their OT networks?

Chris: Today, it’s the exception, not the rule. The only ones monitoring are the ones that have to do it, such as nuclear companies, and the 3,000 or so largest electric utilities that are under North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP) regulation, as well as any companies that might have been attacked in the past. But even NERC CIP doesn’t require continuous network security monitoring, just monitoring event logs in a SIEM, for example, which means you can still miss stuff.

So percentage-wise, it’s not very many, especially in non-regulated sectors like manufacturing, pharmaceuticals, chemicals, oil and gas, mining, and warehousing and logistics.

Companies don’t like to spend money on security if they don’t have to. Unfortunately, it’s going to take an attack. We didn’t have electric reliability standards until we had two Northeast blackouts that affected millions of people in 1965 and in August 2003. After that, they said, “Oh, we should probably have some electric reliability standards.” When I started at the power company, one of the lineman safety instructors said, “Safety rules are written in blood.” The only reason why we have reliability rules is because we’ve had darkness.

Natalia: How can teams break down IT and OT silos?

Chris: Communication. It’s the only thing you can do. If you’re in IT, go take a box of doughnuts down to the operators and ask, “What are the pain points here? How can I learn more about what you do so I can understand and so you won’t slap my hand every time I say, ‘Please patch.’” They will be overjoyed that someone came and visited them to learn about what they do.

Generally, if an IT guy with a white hard hat that has never had a scratch on it comes in, operators think, “Don’t touch anything.” But if you build that trust and communication, that strengthens an organization, and you can start training and knowledge sharing.

Natalia: What should roles and responsibilities look like?

Chris: Now, anything that’s on a network, even in the control system environment, can report up through the chief information officer (CIO) or chief information security officer (CISO). Even in power companies, they’re putting everyone, even the folks who do SCADA for the power grid, under the CIO or CISO instead of under operations. At smaller companies, like water and wastewater, it’s still the old situation, where you have an IT guy and an OT engineer or operator. At larger companies, OT is coming through the IT organization under the CIO or IT is under the CIO and operations is still under operations, and the link is under the CISO. You might have security people in IT and security people in OT.

If you’re wondering whether the CISO should be responsible for both IT and OT security, it’s a simple answer. You can’t have enterprise-wide security unless you include OT. Security needs to be applied to it all, but go to a provider that says they provide enterprise-wide security and ask, “Do you know anything about OT networks in power plants?” “Nope.” OK, then, you don’t do enterprise-wide security. You’re not protecting what makes money.

Natalia: Should companies unify IT and OT security in the security operations center (SOC)?

Chris: I’ve seen it implemented as one unified SOC, but I’ve also seen two separate ones because if they have physically separate systems, they have to have physically separate SIEMs. For instance, a nuclear plant will have its own SOC, and corporate will have its own SOC. If a power company has a nuclear power plant, that plant will have its own SOC because it’s air-gapped and not connected to the outside world or the IT network. But if you have an oil and gas environment, it may have both combined into one.

There are pros and cons. If you have the money and the budget and the people, you can do it either way. Just put your people in a room, give them a lunch of pizza, and let them come up with the best solution. There are advantages of having a unified SOC. You don’t even need an OT-specific SOC analyst. Just have a good IT security person learn from the control engineers or operators, and then create those alerts, and do hunting, tool tuning, and rule tuning.

Natalia: What would you say to a board of directors to get them to prioritize OT security?

Chris: I’d keep it short and sweet: “What would happen if you couldn’t make hammers anymore?” If the CISO can’t answer that question, you know the person needs to gain that awareness. Do we have visibility of the network? Do we have offsite backups for our control systems? Do we have security awareness training?

Board members are not concerned with the latest and greatest advanced persistent threat (ATP), but they do care about risk to the business. They’ll say, “We don’t have any security because we don’t have enough people. If we don’t have security implemented, we have a small risk of having downtime.” If you talk to any manager, they’ll know exactly how much money they lose per day if production goes down. We look at business risk in terms of the equation: risk equals impact times probability. Since we don’t have enough data about cyberattacks in OT to have a probability, we tie cybersecurity to the risk register and substitute probability with exploitability. How easy is it to exploit? Can a script kiddie do it? Could my 13-year-old son do it?

If you’ve got an operating system exposed to the Internet, discoverable via Shodan, it is exploitable within minutes. What is the impact of that? If it’s in a chemical, pharmaceutical, food factory, or refinery, that’s a problem not just for downtime but more importantly because it could cause a safety or environmental incident. If it’s a temperature gauge, that’s much less risk. Companies will have a risk register for everything else, including natural disasters. They should have one for OT cybersecurity risk too.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.