APAC Operational Technology Operators Can Enhance Security with Industrial Cybersecurity Basics: Dragos
In the APAC region, industrial cybersecurity still trails the enterprise side of the business, but having some fundamental practices and a well-thought-out strategy is significantly better than having nothing at all, according to Dragos’ Director of Incident Response, Lesley Carhart.
Carhart advises that industrial technology operators of all sizes in APAC must acknowledge that they are potential targets, including for state actors aiming to extract information or position themselves for future geopolitical events. She also stresses the importance of implementing and testing incident response plans.
Enterprises Still Ahead in Industrial Cybersecurity Maturity
In countries like Australia, operators of industrial technology typically have a moderate level of security maturity. While they understand the strategic necessities and have begun enhancing their maturity, there are still various gaps to address, according to Carhart.
“While they might have initiated a plan, they may not have assessed it to ensure its efficacy. Often, there is a tendency to assume capabilities in cybersecurity, critical infrastructure, OT industrial environments without thorough testing,” Carhart explained.
Dragos has observed organizations implementing incident response plans and security monitoring, putting them miles ahead of those lacking such measures. Carhart emphasized the need for challenging assumptions and executing tactical strategies alongside strategic planning.
Carhart noted, “Organizations may encounter obstacles such as assuming an updated asset inventory, comprehensive logging, or functional backups in the industrial environment.” She emphasized that while the enterprise environment has robust cybersecurity programs and capabilities, the maturity level significantly differs in the realm of OT, where practical applications tend to lag.
Key Challenges in Industrial Technology Security
Several obstacles hinder industrial technology operators from catching up with enterprises in terms of cybersecurity.
Improved Communication between Process Engineering and Cybersecurity Teams
Carhart highlighted a longstanding “misunderstanding” between process engineering and cybersecurity teams in the industrial technology sector. She pointed out that much of this issue stems from differing priorities and terminology.
She explained, “Trying to enforce typical enterprise cybersecurity measures on process environments is impractical due to vendor constraints and equipment sensitivity, leading to challenges in modern security implementation.”
Technical Limitations Due to OT Equipment
Industrial technology relies heavily on vendor-controlled legacy equipment. Because original equipment manufacturers (OEMs) dictate what can run on or connect to that equipment, operators have limited room to apply their own cybersecurity measures.
Sensitivity of OT Processes and Equipment
Carhart mentioned that organizations managing industrial technology systems often face constraints in making security enhancements due to infrequent maintenance windows and the prolonged lifespan of equipment, sometimes spanning up to two decades.
“Implementing modern security controls or tools like XDR or EDR in process environments is unfeasible due to these factors,” Carhart added.
Top Threats for Industrial Technology in 2024
Operators of operational technology are confronted with three primary threats, each accounting for a significant portion of the risks identified by Dragos in developed nations.
Challenges of Commodity Malware and Ransomware
Industrial organizations are attractive targets for commodity malware and ransomware: they carry known vulnerabilities and perform critical functions, so an outage creates pressure to pay.
Carhart mentioned that while such malware may not directly affect the process equipment, it can disrupt the operator interfaces that are crucial for monitoring safety issues.
In the OT 2023 Cybersecurity Year in Review report by Dragos, there were 13 ransomware incidents affecting industrial organizations in the country. For instance, a LockBit 3.0 threat targeting DP World halted land-side port operations for three days, highlighting the potential cascading effects of ransomware attacks on industrial operations and supply chains.
Insider Threats
Insider threats, even if unintentional, can have significant consequences. Misconfigurations or misunderstandings among workers regarding security measures can go unnoticed for extended periods, impacting critical equipment.
Advanced Threat Groups and State Actors
State-style adversaries pose another level of threat through activities like industrial espionage and reconnaissance, aimed at gaining insights or establishing access for future malicious actions aligned with geopolitical objectives.
“These groups maintain extensive databases for planning future attacks, leveraging their knowledge and access for strategic advances,” Carhart explained.
Regardless of their size, all industrial organizations can become targets
When faced with a real-world cyber incident, industrial operators are often taken aback. Carhart mentioned that they tend to merely complete checklists for audits or regulatory purposes. In such scenarios, they may have never simulated or planned for an attack.
Anyone can fall victim to an attack, as Carhart cautioned. She stated, “Numerous cases have shown where individuals were unprepared, assuming they were immune to an attack and therefore never formulated a response plan.”
The appeal of targeting industrial organizations varies
Based on Dragos’ experience, small organizations are often targeted due to being vulnerable to criminal entities seeking easy gains from multiple targets. Carhart added, “They also attract state actors as they serve as potential test subjects against larger corporations or as gateways to bigger entities.”
Larger companies might believe they are shielded by substantial cybersecurity teams and budgets. However, a massive architecture makes thorough security work difficult, especially when the organization is not aware of every component on its network. Planning and monitoring across multiple industrial sites can also be exceptionally difficult, according to Carhart.
Guidance from Dragos on handling industrial cyber security incidents
Carhart advises that the primary action critical infrastructure operators should take in preparation for a cyber incident and subsequent response is to have a “well-documented plan.” This is necessary because security incidents tend to occur at inconvenient times.
She explained, “They often happen at moments like 5 pm on a Friday or 2 am on Christmas. This is because operations are usually minimal during these periods, enabling better observation and detection of ongoing activities.”
“Moreover, malicious actors operate when there is less surveillance. Therefore, having a prepared plan is crucial as situations can escalate rapidly, causing panic, especially in smaller organizations under pressure from senior executives,” she emphasized.
Clarity on response actions and contacts
Organizations, as per Dragos’ recommendation, should clearly define their incident response procedures. This could involve seeking assistance from government support organizations, cybersecurity firms, or other organizations with established mutual aid agreements.
Carhart highlighted the importance of having a plan in place. She stated, “It could involve identifying sources for affordable or pro bono support, having an internal well-trained incident response team for operational technology, or maintaining a retainer with cybersecurity companies like Dragos or competitors. The key is to be prepared.”
Five stages to enhance industrial cyber security hygiene
Robert M. Lee, the CEO of Dragos, co-authored a whitepaper in 2022 titled The Five ICS Cybersecurity Critical Controls, outlining methods for industrial organizations to establish cyber risk mitigation strategies for their Industrial Control Systems and operational technology.
Carhart suggested that implementing basic security practices, as outlined by Dragos, could significantly reduce the number of incidents in infrastructure environments. She stated, “These recommendations play a vital role in enhancing defense capabilities, depth, and the ability to detect malicious activities beforehand.”
The whitepaper proposes five essential recommendations:
Specialized ICS incident response
Having a specific incident response plan for ICS is recommended to address the unique operational requirements. Organizations need to conduct exercises simulating risk scenarios tailored to their specific environment to reinforce preparedness.
Defensible infrastructure
Opting for defensible architectures is crucial to minimize risks while supporting the efforts of human defenders. These architectures should promote visibility, log collection, asset identification, system segmentation, and establish “industrial DMZs” as buffer zones.
Constant monitoring of ICS network visibility
Lee and Tim Conway advise prioritizing continuous network security monitoring of the ICS environment, utilizing protocol-aware tools and systems to analyze potential risks to the control systems and provide early warnings.
Securing remote access
Organizations should identify and manage all remote access points and destination environments. Implementing on-demand access, Multi-Factor Authentication (MFA), and jump host environments within secure segments can enhance control and monitoring of access points.
Risk-focused vulnerability management
Understanding the digital control systems and devices’ operating conditions is crucial for risk-based vulnerability management decisions. This knowledge can guide decisions on patching vulnerabilities, implementing mitigations, or monitoring for potential exploit attempts.
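The monitoring and architecture controls above come together in practice as a policy enforced on the wire: a protocol-aware sensor that knows the asset inventory, knows which hosts (typically a jump host in the industrial DMZ) are permitted to change process state, and flags anything else. The following is an added example written for this article, not code from Dragos or from the whitepaper. It assumes Modbus/TCP as the control protocol, and the asset addresses, inventory, write allowlist and captured frames are all constructed for illustration.

```python
"""
Protocol-aware monitoring of Modbus/TCP traffic (added example, not Dragos' code).

The sensor parses each frame's MBAP header and function code, then applies
three checks drawn from the controls above: every endpoint must be in the
asset inventory, only allowlisted clients may issue write function codes to a
given PLC, and malformed or diagnostic traffic is surfaced for review.
All addresses, inventory entries and frames below are constructed.
"""
import struct
from dataclasses import dataclass

# Function codes grouped by their effect on the process (a subset of the Modbus spec).
READ_CODES = {1, 2, 3, 4}             # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16, 22, 23}  # write coils / registers, mask write, read-write
DIAG_CODES = {8, 43}                  # diagnostics, device identification


@dataclass(frozen=True)
class Flow:
    src: str       # client (HMI, engineering workstation, jump host, ...)
    dst: str       # server (PLC / RTU)
    payload: bytes  # one Modbus/TCP application frame


def build_frame(txid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (txid, protocol 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None when the frame is malformed."""
    if len(payload) < 8:
        return None
    _txid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length covers unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def analyze(flows, inventory, write_allowlist):
    """Return alerts (dicts) for flows that violate the monitoring policy.

    inventory:       set of addresses belonging to known assets
    write_allowlist: {plc_address: {client addresses permitted to write to it}}
    """
    alerts = []
    for f in flows:
        for host in (f.src, f.dst):
            if host not in inventory:  # asset identification gap
                alerts.append({"kind": "unknown-asset", "host": host, "src": f.src, "dst": f.dst})
        parsed = parse_modbus_tcp(f.payload)
        if parsed is None:
            alerts.append({"kind": "malformed-frame", "src": f.src, "dst": f.dst})
            continue
        unit, fc = parsed
        if fc in WRITE_CODES and f.src not in write_allowlist.get(f.dst, set()):
            alerts.append({"kind": "unauthorized-write", "src": f.src, "dst": f.dst,
                           "unit": unit, "function": fc})
        elif fc in DIAG_CODES:
            alerts.append({"kind": "diagnostic", "src": f.src, "dst": f.dst, "function": fc})
        elif fc not in READ_CODES | WRITE_CODES:
            alerts.append({"kind": "unexpected-function", "src": f.src, "dst": f.dst, "function": fc})
    return alerts


# Constructed environment: an HMI, a jump host in the industrial DMZ, and one PLC.
HMI, JUMP_HOST, PLC = "10.10.1.5", "10.10.1.10", "10.10.2.20"
INVENTORY = {HMI, JUMP_HOST, PLC}
WRITE_ALLOWLIST = {PLC: {JUMP_HOST}}  # only the jump host may change PLC state

# Constructed traffic sample.
SAMPLE_FLOWS = [
    Flow(HMI, PLC, build_frame(1, 1, b"\x03\x00\x00\x00\x0a")),        # read 10 holding registers: normal
    Flow(JUMP_HOST, PLC, build_frame(2, 1, b"\x06\x00\x10\x00\x01")),  # write single register: allowed
    Flow("10.10.3.77", PLC, build_frame(3, 1, b"\x0f\x00\x00\x00\x08\x01\xff")),  # unknown host writes coils
    Flow(HMI, PLC, b"\x00\x04\x00\x00"),                               # truncated frame
    Flow(HMI, PLC, build_frame(5, 1, b"\x08\x00\x00\x00\x00")),        # diagnostics request
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS, INVENTORY, WRITE_ALLOWLIST):
        print(alert)
```

On the constructed sample the sensor stays silent for the HMI read and the jump host write, raises an unknown-asset alert and an unauthorized-write alert for the host that is not in the inventory, reports the truncated frame as malformed, and surfaces the diagnostics request for review. A real deployment would feed it from a network tap or span port and keep the inventory and allowlist under change control, since a stale allowlist is exactly the kind of untested assumption Carhart warns about.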
