Over the past few weeks, with the escalation of COVID-19, organizations around the world have been scrambling to institute work-from-home policies, to limit interpersonal contact. In industrial organizations, moving to remote working involves unique OT-network security concerns.
Given the level of access provided through remote connectivity, attackers are likely to take advantage of vulnerabilities to gain internal network access (see also this Radiflow blog post on the cyber threat landscape, including phishing lures and known cyber activity, facing critical infrastructure in the era of COVID-19).
Risk management in remote access
Organizational Considerations
Logistic and control for remote access: Employers need to provide employees with the technology they need to be productive, while making security a top priority. This could include equipping employees with dedicated company-owned computers, so they don’t use their personal computers which may have viruses or other malware; also, employees’ personal computers likely lack adequate resources and cannot be managed by the company’s IT department from IT and cyber security standpoint. In addition employers should consider maintaining an on-site presence of essential operations and cyber security staff to quickly handle issues that cannot be handled remotely. These issues can affect safety and physical security on production floor.
Instilling security awareness in remote workers: In addition to basic computing hygiene (e.g. phishing and password guidance), before full turnout to work-from-home practice employers need to train employees on additional cyber security topics especially those OT engineers that unused to work remotely – for example – securing work computer at home from children’s reach, prevention from saving locally corporate sensitive information, etc. All employees, and especially employees with high-value privileges to critical ICS asset, should be trained in avoiding social engineering-based risks (spear-phishing and other threats that take advantage of hot news topics, like Coronavirus themes at these days). Employees should be trained to detect spear-phishing emails coming from “corporate IT” with topics related to various technology and IT, e.g. password change requests, installation of new software for “secure” VPN access, new guidelines for login procedures, etc.
Preparing the IT department: as remote access needs dramatically change, organizations will likely be faced with employees and third parties attempting to set up services in an unapproved manner. IT departments should review their capability to support large numbers of remote access connections, run performance tests, and increase their support readiness for all remote workers.
Technology
Review your access policies: privileged users, e.g. domain/network administrators, should maintain separate remote access accounts and be prohibited from remotely accessing the OT network using their privileged credentials. Policies for staff remote access and for using dedicated equipment, as well as for enforce compliance with security policies should be created or reviewed. For example, unmanaged devices should be assigned limited access to data and resources (as in Microsoft 365 Conditional Access Policies that restrict unmanaged devices from accessing files or email attachments). Validating that these restrictions are upheld is critical for maintaining a proper trust environment. We strongly recommend separating and segmenting IT and OT user directories to prevent mutual compromise. Security staff should make sure that there is no “ghost” accounts in remote access servers, firewall policies are reviewed and updated.
Use only patched VPN software with multi-factor authentication: MFA should be required for all remote workers to prevent credential theft, brute-force attempts and phishing attacks. Enterprise can leverage already present 2FA infrastructure for IT workers to introduce it to OT related remote access. Hardware tokens, smartphone apps, SMS pushing – all these measures are better than simple user/password authentication. Legacy and unpatched VPNs should be considered in-scope when reviewing network connectivity authentication. For example, in Q4 2019 a ClearSky research team has detected Iranian threat actors that have been hacking unpatched VPN servers exploiting published vulnerabilities to plant backdoors in dozens of companies and organizations around the world. Experts have pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of unpatched VPN and RDP services.
IT-OT segmentation and end-point protection: IT-OT segmentation and firewalled zone separation should be upheld even in “normal” times, and especially during times of increased remote access connections. An endpoint agent should be used in OT network Windows-based machines to detect, protect and respond to malicious activity, and to harden devices to prevent attackers from gaining access to systems and escalating privileges. Local administrator rights should be limited. These solutions should be placed within the organization’s segmentation. In addition, a Windows firewall should be implemented and configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data to pass through. These endpoint protection practices should apply also to computers which used to connect to OT networks remotely.
OT visibility and monitoring, especially of remote access protocols: Intrusion detection and security monitoring are the backbone of enterprise security programs. IDS (Intrusion Detection System) sensor management ports should be used to monitor all remote connections to OT networks and external networks (enterprise networks, the Internet or other external network) to provide monitoring to the entire IT and OT operation. This refers particularly to anomalous connections over RDP, SSH or VNC. OT network monitoring should also take into account detection capabilities of IT attacks which are pretty common also within ICS environment and exploit unpatched systems and software and lack of proper security controls.
Processes
Prepare your SOC for multiple alerts: Security Operation Centers (SOC) and monitoring teams should be available to manage the increased number of alerts, sort them by risk (based on a robust risk scoring process) and detect false positives. Consider adopt your alert and escalation procedures and its hightly recommended to get assistance from OT production expert who is familiar with updated policies for remote access to ICS environment. Consider increasing your monitoring team headcount.
Refresh and update IR procedures: Establish andor refresh the internal incident response process, including procedures, key staff members and tools. Be aware of any potential cascading effects of a cyber security breach due to ad hoc measures such as VPN and remote access. Unlike normal times, not every remote access connection should trigger an investigation – that would be impractical. We also recommend to review your procedures for reporting incidents to your sector, national or governmental CERT ’s .
Backup & recovery plans: In an time of increased threats to remote access connectivity practices and ransomware attacks, effective data backups in conjunction with a comprehensive disaster recovery plan are the best defense. However, as ransomware attackers could encrypt your backups, they need to be protected – with no viable backup, desperation will drive the organization to pay ransom. Make sure to refresh your data recovery procedures and consider to perform “dry” drill in order to learn lessons and be sure it will work during the real incident.
Radiflow Solutions for Threat Detection, Monitoring and Risk Reduction:
Radiflow’s iSID Industrial Threat Detection and Monitoring System and iRISK Industrial Risk Analytics Platform, working in conjunction, provide a complete toolbox for network visbility, real-world (business-driven) risk assessment and ongoing threat detection and network monitoring.
iSID – Industrial Threat Detection: iSID enables non-disruptive monitoring of distributed SCADA networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity: Network Visibility, Cyber Attack, Policy Monitoring, Anomaly Detection, and Maintenance Management. iSID provides simple rules-based monitor and management of remote connections – you can observe remote sessions in real-time, actively manage user access requests based on purpose, length, and frequency, and easily terminate sessions. This can markedly reduce the risk of both internal and external exploitation, including third party exploitations, without introducing costly or burdensome barriers to productivity.
iRISK – OT Security Posture Assessment (Visibility & Recommendations): iRISK automatically generates a full risk-status report detailing network properties, overall risk score, extent of risk introduced by devices and protocols, likelihood of lateral threat movement between business processes, and potential attack paths. Remote connections are clearly listed along with each connection’s traffic volume, full explanations and recommendations. You can also see the number of connections, protocol type, and details about all the devices at risk.
iSEG – Radiflow ruggedized gateway provides industrial deep-packet inspection firewall capabilities combined with IPSEC VPN over landline and cellular interfaces in order to achieve secure VPN remote access to sensitive production environments. iSEG includes Authentication Proxy (APA) which grants authenticated user access to predefined devices and functions, all fully logged.
Available Support from Radiflow
Radiflow is committed to protecting our customers’ networks and OT assets during this global event. To this end, we offer a number of services to help you deal with threats on your network, at no charge:
Free OT security posture assessment
Free consulting for designing a secure remote access system in particular and designing ICS/OT security architecture in general
Free 3-months iSID license to monitor your OT network
If you have any cybersecurity concerns, if you have experienced an incident or for more information, please contact us. We’re here to help.
Given the level of access provided through remote connectivity, attackers are likely to take advantage of vulnerabilities to gain internal network access.
Apr 08, 2020 | Radiflow team
