With proper patch management and antivirus detection rules, organizations have the ability to vaccinate systems to prevent infection in the first place. As with the biological equivalent, this approach is effective but is limited to known threats and can be bypassed. Today almost all industrial control systems use commercially available operating systems, which means they face the same cyber threats as enterprise IT and consumers. While network segmentation and other security measures can help mitigate this risk, a fully effective security program should include comprehensive change management, including evaluating and applying software updates and patches. It is critically important to maintain up-to-date antivirus software and deploy patches frequently. In doing so, mass infection by preventable viruses can be avoided, which serves as a foundation for a robust cyber defense strategy.
Taking an optimistic standpoint, the industry can draw an analogy between the current situation with COVID-19 and cybersecurity, and use it to provide practical examples of how to apply such controls. Referring to the triad of security controls (people, process, technology), it is important to remember that people are critical to cybersecurity. And it is important to note that those “people” should not be limited to SOC analysts. Effective security applies to every single person employed within an organization, so cybersecurity controls should be explained in a way that is relevant to everyone. A significant part of the battle to improve cybersecurity is winning the hearts and minds of everyone in the organization. Bringing people on board with the journey to security maturity eases the transition. With a culture of security, organizations will be exponentially more effective in strengthening their defenses.
Big data analytics have been reported to have detected the emergence of COVID-19 nine days before the World Health Organization released its statement alerting people to the emergence of the virus. This shows the power and potential of big data and AI-driven analytics to detect anomalies. While that case concerned a novel biological virus, AI-based anomaly detection can be provided to organizations today to immediately alert them to suspicious activity. This approach can be extended to provide visibility not only into network behavior but also into the behavior of the physical process itself, by analyzing the measured process values such as temperature, pressure and flow.
As an example, several years ago a multi-use pipeline transporting oil and gas through North America was having allocation issues related to the volume of production reaching a refinery. An investigation found that the problem was in fact a planned manipulation of the real production values. Without the precise behavior mapping and real-time monitoring that machine learning and anomaly detection tools make possible, the attackers were able to access the pipeline system and gradually manipulate production allocations over time, taking a tremendous toll on the company’s bottom line. Supporting the organization with AI-driven analytics and response capabilities can be highly valuable: it not only improves cybersecurity defenses but can also yield significant improvements in availability and performance by enabling additional capabilities such as predictive maintenance.
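The gradual manipulation described above is exactly the case that a per-reading alarm threshold misses and a drift detector catches. As an added illustration (not code from the original article or from any vendor product), the following Python compares a naive threshold with a two-sided CUSUM detector on constructed flow-meter readings; the baseline window, the attacker's drift rate and all function names are hypothetical.

```python
"""Drift detection over ICS process values (constructed example).

Assumptions: readings are hourly flow values for one pipeline segment,
and the baseline mean/stdev are fitted on a known-good period. The
manipulated series under-reports flow by 0.25 units per hour, well
inside any single-sample threshold but steadily in one direction.
"""
from statistics import mean, pstdev

# Constructed known-good window: flow oscillates +/-2 around 1000.
BASELINE = [1002.0, 998.0] * 5

# Constructed manipulated window: same +/-1 noise, plus a slow downward
# drift an attacker uses to skim allocation without tripping alarms.
MANIPULATED = [1000.0 - 0.25 * i + (1.0 if i % 2 == 0 else -1.0)
               for i in range(20)]


def fit_baseline(values):
    """Fit the detector's model: (mean, population stdev) of a good window."""
    return mean(values), pstdev(values)


def threshold_alarm(readings, mu, sigma, n=3.0):
    """Naive rule: alarm on the first reading more than n sigma from mu.
    Returns the alarm index or None."""
    for i, x in enumerate(readings):
        if abs(x - mu) > n * sigma:
            return i
    return None


def cusum_drift(readings, mu, sigma, k=0.5, h=5.0):
    """Two-sided CUSUM (Page's test). k is the slack and h the decision
    threshold, both in units of sigma. s_neg accumulates evidence of a
    persistent shift below mu (under-reporting), s_pos above it.
    Returns the index of the first alarm or None."""
    s_pos = s_neg = 0.0
    for i, x in enumerate(readings):
        z = (x - mu) / sigma
        s_pos = max(0.0, s_pos + z - k)
        s_neg = max(0.0, s_neg - z - k)
        if s_pos > h or s_neg > h:
            return i
    return None


def compare(readings):
    """Return (threshold_alarm_index, cusum_alarm_index) for one window."""
    mu, sigma = fit_baseline(BASELINE)
    return threshold_alarm(readings, mu, sigma), cusum_drift(readings, mu, sigma)
```

On the constructed data the threshold never fires across 20 hours of manipulation while CUSUM alarms at hour 13, and neither fires on the clean baseline.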
By practicing defense in depth, operators can increase the opportunity to prevent a widespread security pandemic in the form of malware infections and can restrict the movement of malicious attackers. This in turn will help reduce not only the rate of infection but also the potential attack surface. In doing this it is possible to prevent widespread impact from low-level threats and significantly increase the likelihood of detection before any significant negative impact is realized. From the point of view of “threat meets opportunity,” layered defenses clearly reduce the opportunities for attackers to gain a foothold in the network. They raise the bar, forcing attackers to have a higher level of skill to be able to leverage any security weaknesses present.