Cybercriminals are increasingly targeting critical infrastructure providers. Why? Because critical infrastructure downtime adversely affects more people where it hurts: food, water, electricity, oil and gas and water-wastewater. Threat actors targeting these industries can cause more downtime, damage and higher recovery costs. Cybercriminals will also perceive the potential for more ransomware payouts.
Cyberattacks against suppliers can send waves of disruption through an industry, causing extended supply chain shortages and days or weeks of lost or reduced production. Repercussions also include stolen intellectual property, serious litigation and even loss of life.
For companies creating a cybersecurity strategy for the organization or updating one that exists, it’s often difficult to know where to begin.
There are five areas of focus companies need to assess. These factors are based on work done in support of organizations of all sizes and guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):
- Identify: Many production environments have poor inventories, creating a major barrier to building a great cybersecurity program. Not knowing what’s connected to the network, whether it’s part of the industrial control system or a new type of productivity software used by an employee, means the team can’t secure that environment. First, identify, map and verify everything on the network. Determine vulnerabilities and initial risk posture. Companies should also review operations through a zero-trust lens, using a protect surface approach that prioritizes business-critical data, assets, applications and services (DAAS) in priority order.
- Protect: Once the team takes inventory and understands what they need to protect, it’s time to apply the right safeguards against the ever-changing landscape of cyber threats. Choose the types of controls that are in alignment with any compliance standards or security frameworks the company follows such as the NIST CSF. That includes multi-factor authentication, access control, data security, perimeter network deployment and micro- segmentation. Protective measures also include CIP product security, perimeter hardening, firewall deployment and patch management. These countermeasure controls help manage risk proactively and protect the data that’s essential to operations.
- Detect: Protecting industrial networks against cyber threats requires constant vigilance. It’s critical to have knowledge of all endpoints on the organization’s network from plant-floor assets to laptops, mobile devices, even security cameras or USB ports. The team also needs real-time visibility into how, when and where others are accessing or manipulating assets. Threat detection services can help monitor and detect these increasingly complex threats. These services offer visibility across all levels of the IT and OT environments, looking for malicious activities and offering real-time monitoring and deep network inspection across your assets. An OT security operations center (SOC) staffed with experienced security veterans, offers a unique pooling of talent, technology, and first-hand experience. It's often difficult to duplicate this cybersecurity protection expertise for the same cost by individual organizations. With the convergence of security operation tools in IT (SIEM/SOAR), these security tools will soon hit production environments, driving the need for automated response and triage, disaster recovery and response planning.
- Respond: If a security incident occurs, the team must respond immediately to address the threat before it spreads and causes greater damage. That’s why companies must have threat detection services in place to support effective risk management. Similarly, having a mature incident response plan or disaster recovery plan will achieve minimized downtime to restore production operations.
- Recover: The team’s top priority after a security-related downtime event is to get production up and running as quickly as possible. For this step, it’s important to use back-up and recovery services to keep near real-time records of production and application data. Having these resources in place will allow the team to resume normal operations quickly, shortening the recovery cycle. Once operations are running smoothly again, investigate and analyze the incident and identify the root cause. This analysis will illuminate ways to close security gaps and improve the organization’s security posture. It will also make the organization more resilient to any future threats.
Cybersecurity threats target organizations of all sizes, so organizations might want to engage an outside vendor to implement these five steps if they don’t have the team available in-house. The five steps offer a proven framework for creating or improving a critical infrastructure cybersecurity program. In doing so, the company can expedite and simplify its security strategy so the organization can focus on its top priorities.
Kamil Karmali, global commercial manager, cyber security, Rockwell Automation
