Defending Against Industrial Control System (ICS) Cybersecurity Threats Part I: Detection

Published On: July 1st, 2021 | 2 min read

In this ever-changing world, the technology used by enterprises and large businesses in industrial controls is evolving rapidly. As the cyber landscape grows and changes, the advance of new technologies also brings a laundry list of cyber threats.

Cyber threats to operational technology (OT) are increasing rapidly in both frequency and severity. The breaches that occurred in 2020 affected over 150 million people in the United States, and so far in 2021 we have had two significant attacks, on Colonial Pipeline and on JBS meat processing.

A first step towards keeping ICS networks safe is detection: recognizing when a cybersecurity attack is taking place. Any attempt to change or affect an ICS without prior authorization can be considered an attack on the organization. Breaches come in many forms, from ransomware to other malware to DDoS.

Signs of these attacks can appear in many places, including email on the business system, unusual password activity, pop-ups, network outages, and unpatched software. Detecting risk early is crucial to preventing and mitigating these incidents. That starts with detecting intrusions, using tools such as intrusion detection systems that alert when systems are under attack and/or at risk of becoming unavailable.

Effective cybersecurity defense programs start with knowing the assets that need to be secured. An important concept to remember is that you cannot protect what you do not know you have. A centralized platform that provides insight into the assets on the ICS network, and into what normal behaviour looks like, will enhance the organization's security posture. The collected asset information can then be used to identify software vulnerabilities.

Performing a gap analysis of documentation and of the protective posture will help identify and prioritize vulnerabilities. Capturing the gaps and risk factors, vulnerabilities, misconfigurations, poor security practices, and unreliable, unmonitored, and inadequately secured remote access to networks requires developing a vulnerability/risk register. The risk register is then used to track and address those risks.

Once threats and vulnerabilities are detected, mitigation must be performed quickly, efficiently, and effectively. Proper network access control (NAC) should block unknown devices through whitelisting and improve the reliability of the OT network ecosystem. Security controls should be applied using a defense-in-depth strategy, with the principle of least privilege across all assets and endpoints. Network segmentation needs to be governed by security requirements.
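The asset-inventory and whitelisting ideas in the two paragraphs above (know what you have, establish what normal looks like, and treat anything not in the inventory as unknown) can be turned into concrete detection logic. The following Python is an added example, not code from the original post or from DMI: it keeps a small constructed asset inventory with a per-asset baseline of normal traffic, a hypothetical advisory table, and a handful of constructed flow records of the kind a passive OT monitor or IDS sensor would emit, and derives severity-ranked findings that could be fed straight into a risk register. Vendor names, model numbers, firmware versions, addresses and the advisory table are all placeholders, not real products or real vulnerabilities.

```python
"""Asset-inventory-driven detection for an ICS network (illustrative example).

All data below is constructed for illustration: the vendor, model, firmware
versions, addresses and the advisory table are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    vendor: str
    model: str
    firmware: str
    role: str                     # plc, hmi, engineering_workstation, historian ...
    normal_ports: FrozenSet[int]  # destination ports this asset normally initiates traffic to


# The asset inventory: the authoritative list of what belongs on the OT network.
# It doubles as the NAC whitelist; any source address not listed here is "unknown".
KNOWN_ASSETS: Dict[str, Asset] = {
    a.ip: a for a in [
        Asset("10.10.1.10", "02:00:00:00:00:10", "ExampleVendor", "PLC-100", "1.2.1", "plc", frozenset()),
        Asset("10.10.1.20", "02:00:00:00:00:20", "ExampleVendor", "HMI-5", "3.0.0", "hmi", frozenset({502})),
        Asset("10.10.1.30", "02:00:00:00:00:30", "ExampleVendor", "EWS", "2.4.0", "engineering_workstation",
              frozenset({502, 44818})),
        Asset("10.10.1.40", "02:00:00:00:00:40", "ExampleVendor", "Historian", "5.1.0", "historian",
              frozenset({502, 1433})),
    ]
}

# Hypothetical advisory table: (vendor, model) -> firmware versions reported as affected.
VULNERABLE_FIRMWARE: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("ExampleVendor", "PLC-100"): frozenset({"1.2.0", "1.2.1"}),
}

# Constructed flow records, as a passive monitor on a SPAN/mirror port might produce.
FLOWS: List[dict] = [
    {"src_ip": "10.10.1.20", "src_mac": "02:00:00:00:00:20", "dst_ip": "10.10.1.10", "dst_port": 502},    # HMI polling PLC: normal
    {"src_ip": "10.10.1.30", "src_mac": "02:00:00:00:00:30", "dst_ip": "10.10.1.10", "dst_port": 44818},  # EWS to PLC: normal
    {"src_ip": "10.10.1.99", "src_mac": "02:00:00:00:00:99", "dst_ip": "10.10.1.10", "dst_port": 502},    # not in inventory
    {"src_ip": "10.10.1.20", "src_mac": "02:00:00:00:00:20", "dst_ip": "10.10.1.10", "dst_port": 22},     # HMI outside its baseline
    {"src_ip": "10.10.1.40", "src_mac": "02:00:00:00:00:99", "dst_ip": "10.10.1.10", "dst_port": 502},    # known IP, wrong MAC
]


def find_unknown_devices(flows: List[dict], inventory: Dict[str, Asset]) -> List[Tuple[str, str]]:
    """NAC-style whitelist check: source addresses that have no inventory entry."""
    return sorted({(f["src_ip"], f["src_mac"]) for f in flows if f["src_ip"] not in inventory})


def find_address_mismatches(flows: List[dict], inventory: Dict[str, Asset]) -> List[Tuple[str, str]]:
    """An inventoried IP seen with a MAC other than the one recorded for it."""
    return sorted({(f["src_ip"], f["src_mac"]) for f in flows
                   if f["src_ip"] in inventory and inventory[f["src_ip"]].mac != f["src_mac"]})


def find_baseline_deviations(flows: List[dict], inventory: Dict[str, Asset]) -> List[Tuple[str, str, str, int]]:
    """A correctly addressed, known asset talking on a port outside its normal baseline."""
    deviations = []
    for f in flows:
        asset = inventory.get(f["src_ip"])
        if asset is None or asset.mac != f["src_mac"]:
            continue  # reported separately by the two checks above
        if f["dst_port"] not in asset.normal_ports:
            deviations.append((asset.ip, asset.role, f["dst_ip"], f["dst_port"]))
    return deviations


def find_vulnerable_assets(inventory: Dict[str, Asset],
                           advisories: Dict[Tuple[str, str], FrozenSet[str]]) -> List[str]:
    """Match inventory firmware versions against the advisory table."""
    return sorted(a.ip for a in inventory.values()
                  if a.firmware in advisories.get((a.vendor, a.model), frozenset()))


def build_findings(flows: List[dict], inventory: Dict[str, Asset],
                   advisories: Dict[Tuple[str, str], FrozenSet[str]]) -> List[dict]:
    """Combine all checks into severity-ranked findings suitable for a risk register."""
    findings = []
    for ip, mac in find_unknown_devices(flows, inventory):
        findings.append({"severity": 3, "type": "unknown_device", "detail": f"{ip} ({mac}) not in asset inventory"})
    for ip, mac in find_address_mismatches(flows, inventory):
        findings.append({"severity": 3, "type": "address_mismatch", "detail": f"{ip} seen with unexpected MAC {mac}"})
    for ip, role, dst, port in find_baseline_deviations(flows, inventory):
        findings.append({"severity": 2, "type": "baseline_deviation", "detail": f"{role} {ip} -> {dst}:{port}"})
    for ip in find_vulnerable_assets(inventory, advisories):
        findings.append({"severity": 2, "type": "vulnerable_firmware", "detail": f"{ip} runs firmware listed in an advisory"})
    findings.sort(key=lambda f: -f["severity"])  # stable sort keeps check order within a severity
    return findings


if __name__ == "__main__":
    for finding in build_findings(FLOWS, KNOWN_ASSETS, VULNERABLE_FIRMWARE):
        print(f"[sev {finding['severity']}] {finding['type']}: {finding['detail']}")
```

On the constructed flows this yields four findings: the unknown 10.10.1.99, the historian's IP seen with the wrong MAC, the HMI reaching the PLC on port 22 (outside its baseline of Modbus/TCP only), and the PLC whose firmware version appears in the hypothetical advisory. The per-asset `normal_ports` baseline is the piece a real deployment would learn from a period of observation rather than hand-write, but the comparison logic is the same.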

It is critical to have proper knowledge of ICS assets and visibility into the networks. Detection is important, but it is only the first step in protecting ICS systems.

Implementing the above practices can enhance detection, leading to proper prevention. If you are dealing with critical infrastructure and its associated systems, we strongly suggest that the proper practices are put in place to both detect and prevent a breach. DMI offers a wide range of cybersecurity services, capable of securing and monitoring critical infrastructure and its systems. For more information, visit our website at DMInc.com.