Inside many industrial organizations today are numerous endpoint devices that remain untracked and unmonitored.
Most were deployed over decades of production operations. Consequently, many industrial organizations still don’t have clear visibility across information technology (IT) and operational technology (OT) operations, and those potentially exposed endpoint assets remain vulnerable to cyberattacks. When combined with the expanding connectivity of OT operations and the ongoing skills/resources shortage, these factors are contributing to rising industrial sector risks.
Although it may not be possible to close every single OT security gap, you can use a risk-based security approach to help quickly secure endpoints based on your organization’s most critical security gaps. Our four-step endpoint security checklist can help create a risk-based security plan tailored to help you strengthen your organization’s cybersecurity protections.
Step 1: Gain visibility across all endpoints connected to your networks.
As every cybersecurity practitioner knows well, you can’t protect what you don’t see. If you’re new to industrial cybersecurity, closing visibility gaps is a strong, foundational first step. Within this step, you should tailor protections to your organization’s unique requirements, which may require you to:
- Automate network asset discovery. An automated platform enables deep, real-time inventory of any device within a network segment; not just the traditional IP-based devices but including the lower-level ICS assets as well.
- Minimize disruption. Look for solutions that can perform deep asset discovery without impacting network availability or operational uptime.
- Review your network architecture. While security products will improve your security posture over its current state, having a proper network architecture is a foundational building block to enabling these tools to perform at their best.
- Deploy a centralized dashboard for endpoints. The dashboard will bring the most important data, such as unpatched endpoints, front and center.
- Get real-time alerts of suspicious activity. If an endpoint is accessing something it shouldn’t, you need to know immediately.
- Adapt insights to personas. C-suite executives will want high-level data, while engineers may need to drill down for more context.
- Go vendor-neutral. A vendor-neutral endpoint management system will provide a unified context for your risk profile.
- Think holistically. Strive to cover all systems — not just endpoints, top-level controls, and internet-facing devices. Holistic endpoint security focuses on all aspects of your environment, even down to the lowest IO level, and should consider additional factors such as lifecycle status, availability of spares, warranty and lead times.
Step 2: Prioritize gaps using a risk-based approach.
A risk assessment can help you identify and prioritize risks based on which ones may have the greatest impact on your organization. Some key measures you can take to assess and lower risks include:
- Determine what “good” looks like for each endpoint. Capture data such as endpoint access, programs/files commonly accessed, user accounts, and patch status to establish a baseline.
- Implement ongoing, real-time monitoring. Constantly monitor endpoints for deviations from normal behavior to identify threats quickly.
- Fine-tune security alerts to align with operational norms. Avoid alert fatigue by tuning your systems consistently based on normal behavioral patterns in your unique environment.
- Align with core regulatory standards. Ensure that your endpoint mitigation plan complies with industry and governmental requirements.
- Prioritize security gaps based on your biggest risks. Just because something is vulnerable doesn’t mean that your OT environment is. Use a risk assessment to guide your endpoint security priorities and drive down your overall risk, while minimizing the impact to your resources.
Step 3: Deploy additional network and endpoint protections.
Hardening your OT environment will add more defensive layers to help protect endpoints while boosting your overall security posture. Some options include:
- Implement a zero trust policy engine. Constantly and dynamically authenticate devices — from the inside and outside — before they can access the network.
- Segment your network. Network segmentation limits what threat actors can do if they penetrate your environment.
- Deploy a firewall. Firewalls protect your external network perimeter, keeping unauthorized traffic from getting in or going out.
- Create a secure enclave for critical data. Adding a firewall between your critical assets and your local area network (LAN) reduces the attack surface in the event of a threat actor gaining access.
- Create demilitarized zones (DMZs). Host applications that need to talk to the outside world — like a cloud-enabled endpoint detection and response (EDR) platform — in a DMZ to help prevent malicious access.
- Use firewalls in conjunction with a DMZ. This creates an additional safeguard if a threat actor penetrates the DMZ.
- Require USB security kiosks. Before connecting USB devices to your environment, scan them for threats at dedicated terminals.
- Plan for disaster recovery. Breach incidents are unavoidable in today’s threat environment. Prepare with a disaster recovery plan, including data backup, and test that plan regularly.
Step 4: Establish ongoing endpoint security processes.
Got your foundational systems and processes in place? Focus on improving and maturing your strategies next. Consider the following additional refinements:
- Inventory assets more often. The speed of attacks and the evolution of threats are rising incredibly fast. Quarterly or even monthly asset inventory may no longer suffice.
- Automate patch management. Take this tedious, time-consuming task off your SecOps team’s hands to improve efficiency.
- Monitor for threats 24/7. Threat actors never stop, and neither should you. Monitor threats around the clock with a platform like an EDR to help you act fast.
- Implement an incident response plan. The last thing that you want to do is figure out how to respond to an incident while you are in the middle of one. An incident response plan establishes a step-by-step process in advance. If your internal resources are constrained, engage a retainer-based incident response provider like Rockwell Automation.
- Improve the effectiveness of security awareness. Nurture a collaborative approach between your SecOps and manufacturing teams. Doing so will improve your security culture and give plant floor teams greater ownership of security.
Implementing traditional IT security measures alone is not sufficient for OT environments. OT systems have unique requirements, constraints, and risks that must be addressed through a specialized approach. While leveraging IT security best practices can be beneficial, it's crucial to adopt a holistic cybersecurity strategy tailored to the specific needs of your OT infrastructure.
Protecting OT endpoints, such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and other critical operational assets, requires a deep understanding of the operational environment, potential attack vectors, and the impact of security measures on system availability and performance.
In addition to deploying appropriate security tools and technologies, it's essential to establish robust policies, procedures, and governance frameworks that align with industry standards and regulatory requirements specific to your OT environment. This includes implementing measures such as network segmentation, secure remote access, patch management, and incident response planning.
Partnering with an experienced OT cybersecurity firm that specializes in industrial control systems can be invaluable in this process. A partner can provide expert guidance on developing and executing a comprehensive OT cybersecurity program that addresses the unique challenges and risk factors of your operational environment. Their expertise can help bridge the gap between IT and OT security, confirming that your critical systems are adequately protected without compromising operational integrity and resilience.
Reach out to Rockwell Automation here to help you keep up with the pace of change.