Respond to growing OT vulnerabilities with endpoint systems management

A recent cybersecurity advisory alert details the Top 15 Common OT Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

By John Livingston August 3, 2022
Hardening acts by remediating known vulnerabilities, by positioning the system to reject certain classes of attack, and by documenting system activities. Courtesy: Maverick Technologies

Cybersecurity insights

  • Managing your OT systems, maintaining ICS asset inventory, updating software, enforcing multi-factor authentication and leveraging OT monitoring systems are among the recommendations and best practices suggested to deter various security threats from infiltrating ICS devices and critical infrastructure.
  • Key challenges (e.g., tracking patch relevancy, patch approval by vendor, operational risks, lack of staff and resources) of patch management cause organizations to fall behind on software patching. This can prevent organizations from achieving CISA’s fundamental mitigations.
  • CISA emphasizes the execution of the fundamentals of OT security practices and awareness of both old and new security risks. Focusing on the core principles of preventing cybersecurity threats remains a priority, rather than the excitement of every new cyber-threat headline.

A recent cybersecurity advisory alert details the Top 15 Common OT Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. There have been multiple other releases about topics such as the Industroyer2 threat, emerging risks due to the Russian-Ukraine conflict, the newly discovered malware and Incontroller, which is an advanced type of malware targeted specifically at industrial control system (ICS) devices.

The increase in threats to operational technology (OT) environments has pushed the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings about cyber-actors’ willingness to conduct malicious cyber-activity against critical infrastructure by exploiting internet-accessible OT assets.

In 2021, cybersecurity authorities from the U.S., Australia, Canada, New Zealand and UK assessed a malicious cyber-actor’s aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber-actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.

While there has been a string of alerts and buzz around naming the various threats, the recommendations remain the same: Manage your OT systems through core security fundamentals.  The recommendations all play the same fundamental tune around CISA’s ICS Best Practices.

They center around areas such as:

  • Maintain an ICS asset inventory of all hardware and software
  • Update software using a risk-based assessment approach to determine which assets should participate in the patch management program
  • Implement allow/white listing on HMIs and workstations
  • Isolate ICS/supervisory control and data acquisition (SCADA) systems from corporate and internet networks using perimeter controls
  • Disable unused ports and services on devices
  • Enforce multi-factor authentication for remote access
  • Change all passwords on regular basis and monitor password status
  • Maintain known-good backups
  • Protect systems with strong anti-virus and other endpoint detection capabilities
  • Implement log collection and retention
  • Leverage OT monitoring solutions to alert on malicious behaviors

These are all about what we call “OT Systems Management”. This phrase encompasses these fundamental elements of OT security – from asset inventory to endpoint management of vulnerabilities, patches and configurations, etc., to managed network segmentation as well as controlled access, and eventually monitoring and recovery.

While these alerts are absolutely valuable in raising awareness of the community, they can cause confusion if not read thoroughly and understood for the recommendations being made. We often receive calls about the latest alert because an organization is chasing down a specific threat or particular threat actor or malware that has recently been seen in an ICS system somewhere.  To be clear, it is critical that we as an industry know about these emerging threats, and CISA has contributed greatly to the awareness of these threats.

However, it is key that organizations read down to the bottom of these releases to that section that includes recommended mitigations or actions.  That section is what really matters – what can you do as an organization to address these threats.  And in that, the message is consistent – OT systems management. The consistent application of fundamental security controls.

While it would be great if every OT operator had advanced beyond these fundamentals, the truth is that most are still working on these core elements. It is there where we believe we must focus as an industry.

As one example, many industrial organizations do not actively manage their OT endpoints. In many cases, they do not have accurate inventories of what those endpoints are. If the inventory exists, there often is a lack of actively managing those devices whether that be patching, hardening configurations, updating passwords and updating firmware, etc.

Some may have original equipment manufacturer (OEM) vendors that come on some basis to apply operating system (OS) patches and application patches for that particular OEM application set. But all too often, we who come in after that patching process, find in looking at the output of the Verve Endpoint Management platform that those patches left many critical vulnerabilities either because those patches did not include other application software on that device or OS patches that were not approved but solve critical vulnerabilities.

In our 2002 ICS Advisory Report, we found a 47% increase in CVE’s in ICS-CERT advisories between 2019 and 2020. In our 2021 summary report about to be released, we found another 59% increase in the number of ICS vulnerabilities, but most organizations do not have a comprehensive, vendor-agnostic patch management program.

OT systems management includes the development of an ICS-specific patch management effort.

The key challenges with patch management:

  • Tracking what patches are relevant for a specific device
  • Knowing if the patch is approved by the vendor – as well as end-of-life software or systems no longer supported by the vendor
  • Challenges of required re-boots to apply patches in ongoing process environments
  • Operational risks from patches that may disrupt operations if not tested appropriately
  • Devices requiring firmware updates that may have knock-on effects on other parts of the system require an overall system upgrade to accomplish, etc.
  • Lack of staff/resources to manage the process

It’s no surprise organizations are always a step (or two or three) behind on software patching and spend valuable time in the weeds manually tracking and managing the patching program.

Patching is only one part of this overall OT systems management effort. See the whitepaper on patch management here.

That one example demonstrates the challenges in achieving those fundamental mitigations that CISA lays out.

OT systems management requires the “operationalization” of security. The great news for ICS practitioners is that if we can “operationalize” security, operators understand how to execute. Controls engineers and production personnel live every day by improving the operations of their plants. They have metrics, targets, specific quality improvement plans, 6-sigma or other lean principles, balanced scorecards, etc. The world’s base of industrial operators continually improves productivity each and every year through operations improvement programs.

If instead of considering cyber security as a place only for people with advanced cyber expertise, and started to operationalize it into a series of fundamental tasks which can improve each and every day, we can start to apply lean and other principles to improve performance.

But if we let the latest headline and new threat name distract us from those fundamentals at the bottom of those CISA alerts, we can lose the thread of the overall mission.

Each of these alerts should be seen not as “new news,” but as a reminder of what CISA and others have been saying for years – execute on fundamental OT security practices. If we do that, we will be addressing old and new security risks at the same time.

– This originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media and Technology content partner.

Author Bio: John Livingston leads Verve Industrial's mission to protect the world’s infrastructure. He brings 20+ years of experience from McKinsey & Co., advising large companies in strategy and operations. Recognizing the challenges of greater industrial connectivity, John joined Verve Industrial to help companies find the lowest cost and simplest solutions to their controls, data and ICS security challenges.