Operational Technology Visibility is the Starting Point for Improving Cybersecurity Outcomes
Visibility is the starting point for robust cybersecurity programs. Understanding your environment — including which assets are connected to the OT network, what unexpected traffic looks like, which vulnerabilities to prioritize, and which potential threats might be hiding — is a critical foundation from which you can build and mature.
Operational technology (OT) risks are on the rise, with more threat actors and incidents targeting industrial organizations each day. The Dragos ICS/OT Cybersecurity Year in Review revealed that ransomware attacks against industrial organizations increased 87% between 2021 and 2022. 437 manufacturing entities across 104 unique subsectors were attacked by ransomware in 2022. Dragos noted a dramatic increase in Ransomware as a Service (RaaS), where developers provide their offerings, complete with data exfiltration tools, to other criminal actors who use them to opportunistically attack the organizations most likely to pay the ransom; the adversaries who stage the attacks then split the profits with the RaaS developers. It can be difficult to identify the ransomware groups behind these incidents because the affiliates operate through a cloud-based, point-and-click interface, which makes for a low barrier to entry for criminals.
Manufacturers with limited visibility are easy targets for ransomware attacks
Limited visibility means that a facility is only monitoring the IT-to-OT boundary, and not the activity inside the OT network. Full visibility is achieved when network and device logs are centralized and can be correlated across segments with network traffic analysis and asset inventories.
Visibility comes in various forms from asset visibility to data flow inspection, but it can be summarized as anything that increases the defender’s knowledge of their own environment. It often starts with asset inventory but must also include network monitoring and device logs.
During 2022, Dragos uncovered that 89% of manufacturers had limited visibility, making them easier targets for threat actors. Without adequate visibility, manufacturers won’t be able to secure their networks in the short term or prioritize future improvements for the longer term.
Visibility is related to three of the five critical controls for ICS cybersecurity identified by the SANS Institute, specifically: a defensible architecture, ICS network visibility and monitoring, and risk-based vulnerability management. The link to the ICS network visibility and monitoring control is obvious, but visibility also provides an increased understanding of the network and its components, which is a crucial aspect of both a defensible architecture and vulnerability management.
Developing full visibility is a difficult process. Taking steps forward with the resources available, to eliminate blind spots and advance the organization’s maturity, is how a cybersecurity program develops. Steps in this process include:
- Identify all crown jewel assets within the network and document their behaviors (data flows, protocols, user and service access)
- Monitor network traffic at network segmentation points between trust zones, especially between IT and OT networks and any DMZ, and internal to each OT zone
- Centralize all available data sources identified in the collection management framework and coordinate with a security operations center (SOC)
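The first two steps above (document the crown-jewel assets and their expected data flows, then watch traffic at the segmentation points) come together as a baseline check: any flow that crosses a trust zone, touches a crown jewel, or involves a host missing from the inventory and is not in the documented behaviour gets flagged. The following is an added example, not Dragos's or SANS's code; the asset inventory, the allowed-flow baseline, the zone names and the flow log lines are all constructed, and the log format is an assumed key=value layout rather than any particular sensor's output.

```python
"""
Baseline-versus-observed flow review for an OT network (added example).
Hosts, zones, ports, and log lines are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str            # trust zone, e.g. "ot_cell1", "dmz", "it" (constructed names)
    crown_jewel: bool = False


@dataclass(frozen=True)
class AllowedFlow:
    src: str             # asset name
    dst: str             # asset name
    dport: int
    proto: str


# Step 1: crown-jewel assets and their documented behaviour (constructed inventory).
INVENTORY = [
    Asset("hmi-01", "10.1.1.10", "ot_cell1"),
    Asset("plc-01", "10.1.1.20", "ot_cell1", crown_jewel=True),
    Asset("eng-ws", "10.1.1.30", "ot_cell1"),
    Asset("historian", "10.2.0.5", "dmz"),
    Asset("it-fileserver", "10.9.0.8", "it"),
]

# Documented data flows: who may talk to whom, on which port/protocol (constructed).
ALLOWED = [
    AllowedFlow("hmi-01", "plc-01", 502, "tcp"),       # HMI polls the PLC
    AllowedFlow("eng-ws", "plc-01", 44818, "tcp"),     # engineering workstation to PLC
    AllowedFlow("hmi-01", "historian", 4840, "tcp"),   # HMI pushes data to the DMZ historian
]

# Step 2: flows captured at the segmentation points (constructed log lines).
SAMPLE_LOG = """\
2023-05-01T10:00:00Z src=10.1.1.10 dst=10.1.1.20 proto=tcp dport=502
2023-05-01T10:00:05Z src=10.1.1.10 dst=10.2.0.5 proto=tcp dport=4840
2023-05-01T10:01:00Z src=10.9.0.8 dst=10.1.1.20 proto=tcp dport=502
2023-05-01T10:02:00Z src=10.1.1.77 dst=10.1.1.20 proto=tcp dport=502
2023-05-01T10:03:00Z src=10.1.1.30 dst=10.1.1.20 proto=tcp dport=44818
2023-05-01T10:04:00Z src=10.1.1.30 dst=10.9.0.8 proto=tcp dport=445
"""


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' flow record into a dict."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"], "dport": int(fields["dport"])}


def classify_flow(flow: dict, inventory: list[Asset], allowed: list[AllowedFlow]) -> list[str]:
    """Return the findings for one flow: 'baseline' if documented, otherwise
    every visibility gap it exposes (unknown asset, cross-zone, crown jewel)."""
    by_ip = {a.ip: a for a in inventory}
    src, dst = by_ip.get(flow["src"]), by_ip.get(flow["dst"])
    baseline = {(f.src, f.dst, f.dport, f.proto) for f in allowed}
    if src and dst and (src.name, dst.name, flow["dport"], flow["proto"]) in baseline:
        return ["baseline"]
    findings = []
    if src is None or dst is None:
        findings.append("unknown_asset")           # inventory gap: a host we never documented
    if src and dst and src.zone != dst.zone:
        findings.append("cross_zone_unexpected")   # undocumented traffic across a trust boundary
    if dst and dst.crown_jewel:
        findings.append("crown_jewel_unexpected")  # undocumented access to a crown jewel
    if not findings:
        findings.append("intra_zone_unexpected")   # undocumented, but inside one zone
    return findings


def review_flows(log_text: str, inventory=INVENTORY, allowed=ALLOWED) -> list[dict]:
    """Classify every non-empty line of the flow log."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            flow["findings"] = classify_flow(flow, inventory, allowed)
            results.append(flow)
    return results


def summarize(results: list[dict]) -> dict[str, int]:
    """Count findings across all reviewed flows, for a SOC hand-off."""
    return dict(Counter(f for r in results for f in r["findings"]))


if __name__ == "__main__":
    reviewed = review_flows(SAMPLE_LOG)
    for r in reviewed:
        print(r["ts"], r["src"], "->", r["dst"], r["dport"], r["findings"])
    print(summarize(reviewed))
```

Two of the constructed flows are the ones a monitoring program exists to surface: an IT host reaching a crown-jewel PLC on the Modbus port, and a source address that is not in the inventory at all. The second finding is as much an asset-inventory gap as a traffic anomaly, which is why the text treats inventory and network monitoring as parts of one visibility effort rather than separate projects.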