I hear “If it isn’t broken, then don’t fix it!” far too often in my career, and not only as a cyber security professional. While there is an element of truth in not making unnecessary changes, it is impossible to ignore that humanity has not progressed to where we are today by resting on our laurels.
Speak to any cyber security professional and they will tell you the threat landscape changes by the hour and this is a never-ending battle.
Must you win all battles to win your war?
Same story different author
In my experience, every modernisation story starts the same way: with us not doing maintenance and operational work when we should have been doing it. While it is widely acknowledged that we cannot simply stop production to reboot our systems and apply patches, it is often months and sometimes years before systems are updated. That is a security gap that gets wider by the hour.
If we deploy a new system, the time between testing and commissioning also leaves a void. The solution that was fully patched by your integrator in their factory is out of date before it is even fully commissioned.
Some OEMs also mandate that only certain patches can be applied, or that large parts of the operating system must be excluded from Anti-Virus scanning, leaving holes in our security defences that make any IT professional's toes curl. Speak to someone in OT and they are fine with this approach.
Who is right and who is wrong?
I would say both depending on your point of view.
Obsolescence is the key to getting secure systems, right?
Assets are in place for decades, so replacing this aging tech addresses the security issues, doesn’t it? I would suggest this is not the case. If the answer to that problem is to replace legacy tech with modern tech that we then ignore in the same way, we will simply be in the same place in a few years’ time.
Often this cycle will continue. If this is your story, as it is for so many, then how do you address security issues?
The answer is in plain sight, yet it is so often overlooked. I break this down with all the delegates who attend our NCSC certified Applied Security for OT engineers training course.
If you cannot patch your systems, then let’s take patching off the table: how else can we provide a more mature security posture? There is no single thing we can do to make our systems more secure; it is a symphony of instruments we play to make beautiful music. While we may be missing the bass drum, we have so many other instruments at our disposal that we can deploy and orchestrate to make our own classic.
Three little pigs
We all know the story of the three little pigs: the only one who was safe was the one who took the time to build his house out of bricks. For sure, if that wolf had come armed with tools he could have broken in; however, in this fable the ones who made their houses out of sticks and straw became prey.
Is this any different in a security context?
The first step in any project is getting the buy-in of stakeholders. Once we have this agreement, we have the backing of the business at the most senior level to deliver a programme of change.
With any project, the hardest part is getting the required approval and meeting the regulations. In cyber security, the regulations are not always clearly defined, and most frameworks, standards and regulations distinguish between what should be done and what must be done. Broadly, this leaves the incumbent with ambiguity, which often leads to those ‘shoulds’ not being done.
If you address this in your own internal governance, detailing the minimum standards expected, then you create a vehicle and a security baseline that is expected to be implemented and managed throughout the project lifecycle.
We can even share this vision with our OEMs and integrators, so they know what we expect and what we will accept. Would you buy a house that had no glass in the windows?
Cyber security is a complex topic, so why do adversaries and penetration testers gain access to systems that are supposedly secure? There is no single answer here; in my experience as a pen tester, there is often something that has simply been overlooked: poor configuration, a missing security patch, or foundational security that has not been correctly applied. For the purposes of this piece, I will assume that physical security is sufficient (often this is not the case for most sites I visit); perhaps this is another piece I’ll write about later.
Passwords: Often too simple and reused, and this is very simple for any organisation to address. If our HMIs allow the use of RFID to authenticate operators, why aren’t we using it? If we also require a simple 4-digit PIN, we have just provided two-factor authentication: something the operator has and something they know.
Administrator Account: Does everyone need admin-level permissions? I would strongly challenge this, yet the number of systems I have worked on where this is the case makes the mind boggle. Always apply the principle of least privilege.
Domain Admin: Why is this account used to log on to any system other than a domain controller? I know from experience that the argument is that it is only ever used for administrative purposes on that server or workstation. My advice is simply: don’t do it, ever. Have three accounts for administrative purposes: Workstation, Server and Domain. Have you ever thought about how lateral movement and privilege escalation take place? Every interactive logon leaves that account’s credentials in memory on the machine it logged on to, so whoever compromises a workstation a Domain Admin has used can harvest them and move across the domain as that admin.
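The tiering rule from the Domain Admin point above, turned into a check over logon events, as an added example that is not part of the original article. It assumes a naming scheme for the three administrative accounts (da-, srv- and wks- prefixes), a small host list, and the fields of Windows Security event 4624 (Computer, TargetUserName, LogonType, IpAddress); the accounts, hosts and event records are constructed for illustration, and in practice the records would come from your SIEM or the Security log.

```python
# Added example, not code from the original article: checking Windows logon
# events against the three-account (Workstation / Server / Domain) model.
# Account names, host names, the tier mapping and the event records are all
# constructed; real records come from Security event ID 4624.

# Which tier each administrative account belongs to (constructed naming scheme).
ACCOUNT_TIER = {
    "da-jsmith": "domain",        # Domain Admin: domain controllers only
    "srv-jsmith": "server",       # member-server admin (historian, SCADA servers)
    "wks-jsmith": "workstation",  # workstation / HMI admin
}

# Which tier each host belongs to (constructed asset list).
HOST_TIER = {
    "DC01": "domain",
    "HIST01": "server",
    "HMI-LINE2": "workstation",
}

# Logon types that leave reusable credentials on the target machine:
# 2 Interactive, 4 Batch, 5 Service, 10 RemoteInteractive (RDP),
# 11 CachedInteractive.  A type 3 network logon (SMB, WinRM without CredSSP)
# does not leave the password or hash on the target, so it is tolerated here.
CREDENTIAL_EXPOSING_LOGONS = {2, 4, 5, 10, 11}


def check_logon(event):
    """Return a finding string if this 4624 event breaks the tier model, else None."""
    if event.get("EventID") != 4624:
        return None
    user = event["TargetUserName"].lower()
    if user not in ACCOUNT_TIER:
        return None  # not an administrative account we track
    if event["LogonType"] not in CREDENTIAL_EXPOSING_LOGONS:
        return None  # network logon: nothing left behind to steal
    host = event["Computer"]
    account_tier = ACCOUNT_TIER[user]
    host_tier = HOST_TIER.get(host, "unknown")  # an unlisted host is never a safe place
    if account_tier == host_tier:
        return None
    return (f"{user} ({account_tier}-tier account) logged on to {host} "
            f"({host_tier}-tier host) with logon type {event['LogonType']} "
            f"from {event.get('IpAddress', '-')}")


def audit(events):
    """Run check_logon over a batch of events and return the findings."""
    return [f for f in map(check_logon, events) if f]


# Constructed sample events carrying the fields of interest from 4624/4634.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-jsmith",
     "LogonType": 10, "IpAddress": "10.10.10.50"},       # DA on a DC: fine
    {"EventID": 4624, "Computer": "HIST01", "TargetUserName": "da-jsmith",
     "LogonType": 10, "IpAddress": "10.10.10.50"},       # DA via RDP to a server: finding
    {"EventID": 4624, "Computer": "HIST01", "TargetUserName": "srv-jsmith",
     "LogonType": 2, "IpAddress": "-"},                  # server admin on a server: fine
    {"EventID": 4624, "Computer": "HMI-LINE2", "TargetUserName": "srv-jsmith",
     "LogonType": 3, "IpAddress": "10.10.10.51"},        # network logon: tolerated
    {"EventID": 4624, "Computer": "HMI-LINE2", "TargetUserName": "DA-JSMITH",
     "LogonType": 2, "IpAddress": "-"},                  # DA at an HMI console: finding
    {"EventID": 4634, "Computer": "HMI-LINE2", "TargetUserName": "da-jsmith",
     "LogonType": 2},                                    # logoff event: ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print("FINDING:", finding)
```

The same mapping is what you would encode as "Deny log on locally" and "Deny log on through Remote Desktop Services" rights in Group Policy; the check here is the detective side of that control, so that a violation is noticed even where the preventive policy has not yet been applied.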
Baseline Security: Windows is not secure out of the box, far from it; it has been designed to be backwards compatible, which is not a good thing from a security point of view. There are several baselines that can be used, CIS and DoD STIGs to mention a few; however, the Microsoft Security Baselines are a great starting point and, guess what, pretty much everything works from the get-go.
Network: Our spine and nervous system for OT, yet we buy unmanaged switches for a multimillion-pound operation, or buy managed ones and don’t manage them. There are so many bells, whistles and nerd knobs (VLANs to separate cells, port security, shutting down unused ports, to name a few) that we can deploy which, once set, need little to no change yet provide so much security for us.
Firewalls: Is the purpose in life of the Windows firewall in OT to be switched off? Take the time to learn the pattern of communications and build a baseline; a default-deny inbound profile with allow rules only for the traffic you have baselined will stop a wave of exploits and attack vectors. As for edge firewalls, limiting north-south traffic is a given, but what about east-west? Take the time to deploy your border controls and zone your production into cells of operation. If the wolf breaks in through your front door, stop him from getting into all the rooms.
Patching: Patch what you can, when you can. Don’t beat yourself up about not being 100% up to date; not all vulnerabilities are equal, and some require more urgent attention than others. In the meantime, look at virtual patching (blocking the exploit traffic at a firewall or IPS in front of the asset) to protect assets, including legacy ones that simply cannot be patched.
Anti-Virus: Signature-based solutions are only effective if they are kept current. Having this tool and not maintaining it is as good as having nothing at all. There are solutions we advise which are 100% AI and which are used by the most sensitive government agencies, and yes, they are ideal for OT when deployed correctly. I wrote about this back in 2020; the AI from 2015 is still finding zero-day threats in 2023.
Monitoring: It is impossible to secure everything; compromise will happen, so make it easy to detect. As a minimum, your network should be monitored with the correct OT-aware tools. You may not be able to stop every attack, but you can at least know that one has taken place and take steps to recover.
Backup: If you do nothing else, have the ability to recover from disaster. Not all incidents are security related; it is more likely that a planned change will go wrong, or that a 10-year-old hard disk will pick the most inconvenient moment to fail. If you cannot recover your systems, then you cannot continue production. Backups should also be tested; the first time should not be when you actually need them!
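The “learn the pattern of communications and build a baseline” and “zone your production into cells” points from the Firewalls item, together with the detection angle of the Monitoring item, as one added example that is not from the original article. It reads Windows Firewall log lines in the standard pfirewall.log layout (assuming logging of successful connections was switched on for the learning period), derives allow rules for a default-deny inbound profile, and then flags later traffic that is either new to the host or crosses a cell boundary that no policy permits. The cell subnets, the inter-cell allow list, the host at 10.10.20.40 and every log line are constructed.

```python
# Added example, not code from the original article: learn an inbound
# communications baseline from Windows Firewall log lines, turn it into
# allow rules for a default-deny inbound policy, and check later traffic for
# (a) inbound flows outside the baseline and (b) east-west traffic between
# production cells that no policy allows.  Zones, allow list and log lines
# are constructed; the record layout is the standard pfirewall.log format.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone model: one subnet per production cell plus the SCADA zone.
CELLS = {
    "scada": ip_network("10.10.10.0/24"),
    "cell-a": ip_network("10.10.20.0/24"),
    "cell-b": ip_network("10.10.30.0/24"),
}
# Cross-zone conversations the design permits (unordered; the stateful
# firewall rule decides direction).  Cell-to-cell traffic is deliberately absent.
INTERCELL_ALLOW = {frozenset({"scada", "cell-a"}), frozenset({"scada", "cell-b"})}

# Column names of a pfirewall.log record, in order.
FIELDS = ("date", "time", "action", "proto", "src", "dst", "sport", "dport",
          "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin", "icmptype",
          "icmpcode", "info", "path")


def cell_of(ip):
    """Name of the zone an address belongs to, or 'outside'."""
    addr = ip_address(ip)
    return next((name for name, net in CELLS.items() if addr in net), "outside")


def parse_line(line):
    """Parse one pfirewall.log record into a dict; None for headers/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def build_baseline(lines):
    """Learn which (protocol, local port, source zone) inbound flows are normal
    while the firewall is allowing and logging everything.  Returns hit counts."""
    baseline = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec and rec["action"] == "ALLOW" and rec["path"] == "RECEIVE":
            baseline[(rec["proto"], rec["dport"], cell_of(rec["src"]))] += 1
    return dict(baseline)


def suggest_rules(baseline):
    """Express the baseline as New-NetFirewallRule commands to pair with an
    inbound default-deny profile.  Flows from unknown address space get no rule."""
    cmds = []
    for proto, port, zone in sorted(baseline):
        if zone not in CELLS:
            continue
        cmds.append(f"New-NetFirewallRule -DisplayName 'OT {proto}/{port} from {zone}' "
                    f"-Direction Inbound -Protocol {proto} -LocalPort {port} "
                    f"-RemoteAddress {CELLS[zone]} -Action Allow")
    return cmds


def classify(line, baseline):
    """'baseline', 'new-inbound', 'zone-violation', or None for non-records."""
    rec = parse_line(line)
    if rec is None:
        return None
    src_zone, dst_zone = cell_of(rec["src"]), cell_of(rec["dst"])
    if src_zone != dst_zone and frozenset({src_zone, dst_zone}) not in INTERCELL_ALLOW:
        return "zone-violation"
    if rec["path"] == "RECEIVE" and (rec["proto"], rec["dport"], src_zone) not in baseline:
        return "new-inbound"
    return "baseline"


def audit(lines, baseline):
    """Return (verdict, line) for every record that is not baseline traffic."""
    findings = []
    for line in lines:
        verdict = classify(line, baseline)
        if verdict not in (None, "baseline"):
            findings.append((verdict, line))
    return findings


# Constructed learning-period log from an HMI at 10.10.20.40 in cell-a.
LEARNING_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-05-02 10:14:31 ALLOW TCP 10.10.10.5 10.10.20.40 51022 502 0 - 0 0 0 - - - RECEIVE
2023-05-02 10:14:32 ALLOW TCP 10.10.10.5 10.10.20.40 51023 502 0 - 0 0 0 - - - RECEIVE
2023-05-02 10:15:01 ALLOW TCP 10.10.10.6 10.10.20.40 49211 3389 0 - 0 0 0 - - - RECEIVE
2023-05-02 10:15:10 ALLOW TCP 10.10.20.40 10.10.10.5 50100 443 0 - 0 0 0 - - - SEND
""".splitlines()

# Constructed later traffic on the same host: one known flow, one cell-to-cell
# SMB connection from cell-b, and one new RPC connection from a neighbour.
LIVE_LOG = """\
2023-06-11 02:03:44 ALLOW TCP 10.10.10.5 10.10.20.40 51400 502 0 - 0 0 0 - - - RECEIVE
2023-06-11 02:04:02 ALLOW TCP 10.10.30.22 10.10.20.40 61000 445 0 - 0 0 0 - - - RECEIVE
2023-06-11 02:04:09 ALLOW TCP 10.10.20.41 10.10.20.40 58000 135 0 - 0 0 0 - - - RECEIVE
""".splitlines()

if __name__ == "__main__":
    base = build_baseline(LEARNING_LOG)
    print("\n".join(suggest_rules(base)))
    for verdict, line in audit(LIVE_LOG, base):
        print(verdict.upper(), line)
```

Keying the baseline on the source zone rather than on individual addresses keeps the rule set small and stable when a PLC or engineering laptop changes address within its cell, while still refusing anything from address space you have not defined; the cross-zone check is independent of the baseline, so a brand-new cell-to-cell connection is reported as a zoning problem even if a rule on the host happens to allow it.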
Furniture and Fitments
You can decorate your house to your personal taste. There are other solutions and approaches that are still needed to make your operations secure; how you do this really comes down to your risk appetite, engineering time and skill, and budgetary constraints.
Living the dream
This lovely house will need to be maintained, but the foundations will be robust and will continue to protect you and your family with minimal effort. With the odd lick of paint and the odd adjustment, this can be a place of beauty and security for your family.
At SolutionsPT we closely follow security trends, attend national events and share our experience with peers. We monitor industry challenges and review innovations within the IT market, selecting best-in-class solutions which are suitable for OT environments.
Our solutions are tested to ensure they are compatible with all the core products we offer so you can be assured they can successfully co-exist, saving you time and effort.
But before you buy solutions, can you address the security gap with technology you already have in place? Is your need just training and guidance?
Why not reach out and speak to one of our security professionals to have frank and open discussion on where you are on your journey and where you should be focusing your efforts. We never sell products; we sell you solutions.