For Better OT Security, Control and Monitor Your Environment


What are the top three pieces of advice you would give a CISO to make the plant OT/ICS environment more secure from cyber attacks?

Spencer Wilcox is an experienced ICS security leader who provides strategic direction to teams responsible for protecting the grid. He believes that controlling and monitoring network flows is key to improving ICS security. Wilcox suggests three measures chief information security officers (CISOs) can take to make the plant’s OT/ICS environment more secure from cyber attacks:

1. Instead of relying on a device-based strategy, aim for absolute control of your network flows. “This means not just TCP/IP communications but also protocols like DNP3 and Modbus that may not be visible to your traditional networking gear,” he says. Wilcox advises against using VPN tunnels, recommending that users be channeled through a jump server to take their actions on the network. “Having good logging and monitoring of remote access activities through a jump server is very important,” he adds. “That way, you can get attribution on who is taking those actions or where that outbound communication is happening or where that inbound communication is originating from.”

2. Limit remote access as much as you possibly can. It’s important to limit remote access to the instances and cases in which it is absolutely necessary. In doing so, you will reduce the potential attack surface that a malicious actor could exploit. Although it would be ideal to eliminate remote access altogether, that may not always be realistic. “Every one of your vendors is going to want to have remote access to be able to support their products,” Wilcox acknowledges, but it’s still best to keep a tight leash on the connections you permit into your ICS environment.

3. Identify security threats moving within and outside your networks. “It’s critically important that you identify security threats moving in and out of your network as well as laterally within your network,” Wilcox says. Security professionals can monitor devices to see if they’re operating as expected. “Once you’ve got a baseline, it’s really easy to detect if an asset suddenly throws an error or is doing something that it doesn’t normally do,” he says. In the near future, Wilcox envisions leveraging big data to understand what normal operations look like, accelerating the process of identifying anomalous events in the ICS environment.
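As an added illustration of the flow-control and baseline-then-detect ideas in points 1 and 3 (example code written for this page, not code from the post, the eBook or Wilcox), the following Python learns, per source asset, which peers and which protocol functions were seen during a normal period, then flags a new peer, a new function (such as a Modbus write from an HMI that only ever read) and any flow crossing the plant boundary. The plant address range, the flow-record layout and all sample flows are constructed assumptions.

```python
# Added example: baseline-and-deviate detection over constructed OT flow records.
# Assumes a sensor that sees DNP3/Modbus traffic has already exported flows as
# (src, dst, protocol, function) tuples; field names and values are made up.
from collections import defaultdict
import ipaddress

PLANT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address range

# Constructed learning window: what "normal" looked like.
BASELINE_FLOWS = [
    ("10.20.1.10", "10.20.5.21", "modbus", "read_holding_registers"),
    ("10.20.1.10", "10.20.5.22", "modbus", "read_holding_registers"),
    ("10.20.1.11", "10.20.6.30", "dnp3", "read"),
    ("10.20.0.5", "10.20.1.10", "ssh", "session"),  # jump server -> HMI
]

# Constructed observation window containing three deviations.
OBSERVED_FLOWS = [
    ("10.20.1.10", "10.20.5.21", "modbus", "read_holding_registers"),  # normal
    ("10.20.1.10", "10.20.5.21", "modbus", "write_single_register"),   # new function
    ("10.20.5.21", "10.20.5.22", "modbus", "read_holding_registers"),  # PLC talking to PLC
    ("10.20.1.11", "203.0.113.7", "https", "session"),                 # new outbound
]

def build_baseline(flows):
    """Learn, per source asset, the peers and (protocol, function) pairs seen."""
    peers = defaultdict(set)
    funcs = defaultdict(set)
    for src, dst, proto, func in flows:
        peers[src].add(dst)
        funcs[src].add((proto, func))
    return peers, funcs

def classify(src, dst):
    """Tag a flow by direction so an alert carries attribution context."""
    s_in = ipaddress.ip_address(src) in PLANT_NET
    d_in = ipaddress.ip_address(dst) in PLANT_NET
    if s_in and d_in:
        return "lateral"
    return "outbound" if s_in else "inbound"

def detect_deviations(baseline, flows):
    """Return one alert per flow whose peer or function is outside the baseline."""
    peers, funcs = baseline
    alerts = []
    for src, dst, proto, func in flows:
        if dst not in peers.get(src, set()):
            alerts.append(("new_peer", classify(src, dst), src, dst, proto))
        elif (proto, func) not in funcs.get(src, set()):
            alerts.append(("new_function", classify(src, dst), src, dst, func))
    return alerts
```

Feeding the learning window back through `detect_deviations` yields no alerts, which is the sanity check to run before trusting the baseline against live data.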

This blog comes from the eBook Lessons Learned for Protecting Critical Infrastructure. Download the full eBook for more strategies from experts on the front lines of OT cybersecurity.  
