In recent years, demand for improved endpoint protection has exploded. Modern Endpoint Threat Detection and Response (EDR) is the latest cybersecurity trend, having emerged in response to new, more advanced, and targeted threats. Endpoint protection solutions leverage behavioral, host-based protection primarily to detect zero-day exploits. Many EDR solutions also include more traditional anti-malware protection, including anti-virus (AV), anti-spyware, and anti-ransomware, and might also offer personal firewalls, application control (whitelisting/blacklisting), vulnerability management, patch management, and secure configuration management.
Which Endpoints Need Protection?
So how do you define an endpoint? The term is used by many people in different ways. Some consider an endpoint to be the system with which an end user interfaces, such as a desktop, laptop, tablet, smartphone, or specialized mobile device (e.g., a bar code reader). This is probably the most common interpretation in corporate Information Technology (IT). I hear others discuss storage devices being endpoints because they are the end of the journey for data and the “end point” where data resides. Network-focused administrators often refer to switches, routers, and hubs as endpoints. It seems that anything with an operating system running on it might be considered an endpoint.
But what about the industrial endpoints that exist in Process Control Networks (PCNs) in an industrial facility? There are two classes of industrial endpoints that need protection: IT-centric endpoints in the PCN, and production-centric endpoints. The IT-centric industrial endpoints are found at Level 2 and Level 3 of the Purdue Model and include network devices, operator stations, configuration stations, servers, and SCADA systems. These systems are TCP/IP connected and tend to run on top of standard Windows® and Linux® operating systems. These IT-centric endpoints are a mere 20 percent of the total industrial endpoints that exist across the PCNs.
The other 80 percent of the industrial endpoints are the proprietary, production-centric endpoints at Level 1 and Level 0, where you find an extensive variety of software, firmware, and hardware components in proprietary Distributed Control Systems (DCS), Advanced Process Controllers (APC), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IED), and Safety Instrumented Systems (SIS). These production-centric endpoints are the systems that directly control the physical process. If someone gains control of these systems (or they are unintentionally misconfigured), physical damage, environmental harm, personal injury, lost production, and steep fines can result. Not to mention injury to brand and possibly stock price!
IT-Centric Endpoint Protection Alone is Not Sufficient
What type(s) of endpoint protection should you choose to protect production continuity, ensure safety, and sustain compliance? I contend that most technology solutions out there today provide “industrial endpoint protection” that only protects a fraction of existing industrial endpoints – workstations, routers, switches, etc. What about the controllers or the smart field instrumentation that are responsible for monitoring pressure or moving a valve?
IT-centric technologies protect the traditional IT-centric endpoints that exist in a PCN, which does add value. But it is not enough.
Protect the Industrial Endpoints That Matter the Most
Threat actors range from well-funded nation states, which have the capital and sophisticated technology needed, to hacktivists, who have the will to persevere. The number of public incidents is certainly growing, and so is the number of unpublicized incidents.
To minimize the likelihood of operational outages or safety incidents as well as the risk of becoming another news headline, you must protect your production-centric industrial endpoints.
With board-level attention on cybersecurity, ICS cybersecurity leaders now have strategic and budgetary approval to invest in greater protection of their most critical assets. The important next step is to prioritize the class of endpoints that are in many ways the least secure: the production-centric endpoints at Level 1 and Level 0.
What are you doing to protect your industrial endpoints?