Attackers will continue to attack industrial control systems (ICS) because they can get the biggest “bang for their buck.” They want to disrupt critical infrastructure either for financial gain or to cause social chaos. Threat modeling gives organizations a way to reduce cybersecurity risk without leading to costly system outages.
A beachhead product is any technology connected to an operational technology (OT) environment that directly communicates with or is adjacent to the internet. These products are just a hop, skip, and a jump to the OT environment. If threat actors establish initial access to this product because the organization has poor network security, then they can use it as a launching point for additional attacks.
Most ICS or OT environment attacks start when threat actors gain access to a beachhead product. In fact, it’s difficult to think of an attack on these environments that did not go through one of these products.
Beachhead products create a perimeter layer that organizations need to focus on. Human machine interfaces (HMIs), like engineering workstations, are perfect examples of the risks beachhead products create. Users log into their HMIs remotely, so that they can see how well the manufacturing processes and equipment are functioning. However, if threat actors infiltrate that device, they can move laterally through the network to the programmable logic controllers or other sensors the HMI device connects to.
The challenge companies face is that securing OT environments by reducing threat actors' beachhead access is difficult.
Identifying the class of products connected to OT environments is a primary challenge organizations face. Many asset owners lack up-to-date asset inventories.
OT is fundamentally different from enterprise IT in many ways. Enterprise IT leaders have been able to put tools in place for the last ten or fifteen years. They have automated tools that can collect and aggregate data, giving them visibility. In OT, many processes remain manual, meaning that security leaders lack the same degree of telemetry. Many of the technologies are ten or fifteen years old, often running legacy and proprietary protocols. Traditional network sniffers can’t identify them.
In OT security, the traditional network sniffer might detect that something is running on the network, but it’s basically a black box. The security team can’t identify the device nor can they identify the software or firmware version. This means that the security team can’t use traditional automated solutions to control or protect the device.
Even if OT owners know the devices connected to the network, they may lack visibility into network architecture or additional endpoints talking to the connected OT devices.
Segmenting networks helps mitigate risk. Most of the time the OT plant engineers are creating the network segmentations, and the organization may lack dedicated cybersecurity resources. If they do have a security team, it’s likely controlled by the enterprise IT department.
This problem creates a circular “lack of feedback” loop. The security team is unable to detect new devices while the OT plant engineers may be adding new devices. The asset inventory becomes outdated, and then the network segmentation may no longer fully secure the environment.
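One way to break that feedback loop without touching the fragile OT network is to compare passively observed flows against the recorded asset inventory. The following is an added example, not code from the original post or from SCYTHE: the inventory, the Purdue levels, the 10.0.0.0/8 "internal" assumption and the flow records are all constructed for illustration. It flags hosts the inventory does not know about, unknown hosts reaching control-level assets, and any host that both talks to the internet and reaches a control or supervisory level, which is the beachhead pattern described above.

```python
"""Passive check for inventory drift and beachhead exposure over constructed flow records."""
from collections import defaultdict

# Constructed asset inventory: IP -> Purdue level (3 site operations, 2 supervisory, 1 control).
INVENTORY = {
    "10.3.0.10": 3,  # historian
    "10.3.0.20": 3,  # HMI / engineering workstation
    "10.1.0.5": 1,   # PLC
    "10.1.0.6": 1,   # PLC
}

# Constructed flow records as a passive tap would report them: (src, dst, dst_port).
FLOWS = [
    ("10.3.0.20", "10.1.0.5", 502),     # HMI -> PLC over Modbus/TCP, expected
    ("10.3.0.20", "203.0.113.9", 443),  # HMI -> internet: the HMI now qualifies as a beachhead
    ("10.3.0.99", "10.1.0.6", 502),     # host missing from the inventory talking Modbus to a PLC
    ("10.3.0.10", "10.3.0.20", 445),    # historian -> HMI, stays inside level 3
]

def is_internet(ip):
    # Assumption for this example: anything outside 10.0.0.0/8 is internet-facing.
    return not ip.startswith("10.")

def analyze(flows, inventory, ot_levels=(0, 1, 2)):
    """Return unknown hosts, beachhead hosts and flows from unknown hosts into OT levels."""
    unknown = set()
    peers = defaultdict(set)  # host -> set of peer levels it exchanges traffic with, or "internet"
    unknown_to_ot = []
    for src, dst, port in flows:
        for host in (src, dst):
            if not is_internet(host) and host not in inventory:
                unknown.add(host)  # inventory drift: something was added that nobody recorded
        for a, b in ((src, dst), (dst, src)):
            if is_internet(a):
                continue  # only profile internal hosts
            if is_internet(b):
                peers[a].add("internet")
            elif b in inventory:
                peers[a].add(inventory[b])
        if src in unknown and inventory.get(dst) in ot_levels:
            unknown_to_ot.append((src, dst, port))
    # A beachhead talks to the internet and also reaches a control or supervisory level.
    beachheads = sorted(h for h, p in peers.items()
                        if "internet" in p and any(lvl in ot_levels for lvl in p))
    return {"unknown": sorted(unknown), "beachheads": beachheads, "unknown_to_ot": unknown_to_ot}

if __name__ == "__main__":
    for key, value in analyze(FLOWS, INVENTORY).items():
        print(f"{key}: {value}")
```

Feeding the same analysis with flow exports from an existing span port or firewall log keeps the check passive, so it does not add the outage risk the next paragraphs describe for active scanners.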
Although some scanners for OT environments exist now, they can be cost-prohibitive for two reasons. First, they are expensive to purchase; however, if they reduce risk as the organization scales, the security benefits might outweigh that cost.
Additionally, OT environments are often fragile. Connecting the scanner to the OT network can lead to expensive system or device downtimes. For instance, an install that takes down a plant floor costs real revenue for that downtime.
Even if the organization manages to deploy a scanner, running active scans creates another outage risk.
Even penetration testing creates a revenue risk by potentially leading to system outages. The question many OT security experts need to answer is: “How do I assess system vulnerability without breaking anything?”
Until recently, threat modeling was another “inability to scale” issue. Validating controls with threat modeling at the level three layer of the OT architecture gives organizations the ability to identify inherent risk within the processes. This gives them a way to understand how threats propagate through level three so that they can secure beachhead products without worrying about costly OT downtimes.
OT security teams need solutions that help them test and retest these level three security risks. Asset owners rarely have the budget to have an external penetration testing team come in and test that entire environment. By leveraging threat modeling and virtualization, security teams across the IT and OT environments can verify and validate the controls at that level.
Investing in threat modeling enables better visibility. By running a ransomware emulation, an organization can understand where beachhead products increase risks and identify loose connections between devices they may not know exist.
Megan Samford, VP, Chief Product Security Officer (CPSO) for Energy Management at Schneider Electric, is a security executive with focus on industrial control systems security, critical infrastructure protection, and risk analysis. In her role at Schneider Electric, Megan is responsible for driving the product security strategy and program for Schneider Electric’s Energy Management business. During this time, Megan became the first female CPSO for a major industrial company without first being a CISO, and is currently the only female CPSO in this space.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.