Tales From the Road: If Your Networks Can Talk to Each Other, You’ve Got Gaps
Industrial control systems have a big job to do for a single facility’s OT environment – but if you’re operating multiple facilities spread across the U.S. or the world, those systems have a far larger workload, and the security risks inherent in their function get larger too.
What no critical infrastructure or industrial corporation wants is for a bad actor to be able to infiltrate multiple networks after gaining access to just one. But if you have poor network segmentation, that’s exactly what they can – and will – do.
Networks Can Be Friendly – But Not Too Friendly
What our team looks for in any OT environment is whether the different networks have gotten a little too friendly. If your corporate network can talk freely to your industrial plant network, you’ve got a security issue…or many security issues.
And that security issue is improper network segmentation.
Data sharing within industrial control systems is important of course – you need to share information from your plant with your business operations to manage your supply chain and other operational processes. But there’s a right way to share data – and then there’s the way that invites bad actors to move through your OT environment undetected.
DirectDefense consultants recently conducted a security architecture assessment for a global corporation to uncover weaknesses in the OT environment. It is a sizeable engagement involving multiple facilities across multiple different countries.
What they found was improper network segmentation that was putting the company’s critical infrastructure at risk of a breach. And critical infrastructures in particular are prime targets of security breaches because of the nature of their work. Disruptions can cause massive ripple effects that in a best-case scenario impact day-to-day operations and in a worst-case scenario could impact public health or safety. The proliferation of ransomware attacks also puts data-reliant companies right in the crosshairs as threat actors are going to greater lengths to steal data for a big payout.
For the purposes of this blog post, we’re going to focus on two findings from our security architecture assessment that are critical for corporations to be aware of when it comes to proper network segmentation.
During our evaluation of our client’s Manufacturing Execution System (MES) application authentication mechanisms, we uncovered a lack of identity and access management (IAM) procedures, as well as other weaknesses within the MES that put both the individual facilities and the entire organization at risk.
We also identified a pretty common issue for ICS security – poor communication. OT and IT departments often fail to properly communicate with each other due to a lack of trust and training, which is problematic for security. Add to that a lack of visibility because of poor segmentation that hamstrings even the best of OT security tools and you have a recipe for a very bad day.
In a nutshell, our client was leaving its networks vulnerable to unauthorized access, increasing the risk of undetected lateral movement and data compromise.
And you might be, too.
Wouldn’t You Like to Know Who’s On Your Network?
Identity and access management solutions ensure that only authorized users can access the data and resources on your organization’s network with the right level of access. It applies not only to employees, but to vendors, contractors, and remote workers, among others.
Our client’s MES application and authentication mechanisms demonstrated a lack of integration with any IAM solutions, meaning their networks were at risk of unauthorized access. This vulnerability is particularly problematic because of vendor relationships, especially in the manufacturing space where specialized equipment requires third-party maintenance and monitoring.
Vendors often request remote access, and organizations often don’t realize that they don’t actually have to grant that access (it’s your network – you make the rules!) or that granting that access leaves them vulnerable to an attack.
Adding to this lack of authentication were other issues that included:
- Poor password protections
- Shared credentials among multiple users on the OT team, which can provide network access to unauthorized users and make it difficult to determine what activities preceded a security incident
- MES computers with internet access that did not need to be connected and should only have minimal application installations
- Minimal or no requirements for usernames, passwords, or PINs to enter an MES application
- A small software company (fewer than 5 employees) wrote the translation software powering the main data flow from the Process Control System (PCS) to the MES. In the event of the software company’s acquisition, closure, or a breach, there is a potential backdoor to our client’s large corporate network. This also creates a single point of failure without the client having access to the source code or at least a repository
- A lack of network and system monitoring of the OT environments. Even with proper OT monitoring tools, the networks are not segmented to allow them to function properly
All of these vulnerabilities make it easier for a threat actor to infiltrate a network, and with poor network segmentation to boot, they’re also able to move freely throughout the entire networked environment.
Network infiltration puts all of your information and data at risk, and for critical infrastructure companies like our client, any operational downtime, system tampering, or process interruptions can cause significant and widespread issues.
The Disconnect Between IT and OT
The second major security issue that we uncovered and that plagues many organizations is a communication disconnect between IT and OT.
Historically, trust between OT and IT teams has been hard fought because the needs of each department are so different. IT might need to deploy a patch to company software that requires taking operations offline, but OT’s top concern is uptime, so that interruption doesn’t sit well.
We see many instances where basic software patching isn’t conducted for years on end because OT isn’t concerned with it and doesn’t communicate with IT about how to get it done. Part of our mission with critical infrastructure companies is to establish a routine for security maintenance that makes both teams happy; for example, patching during a routine maintenance outage each quarter preceded by testing and preparation to support it.
Communication is all the more crucial in a critical infrastructure environment because of remote access either by third-party vendors or engineers and maintenance technicians within the company.
If IT and OT don’t have a security strategy for remote access, your organization becomes highly vulnerable. IT should be aware of all activity – when and from where every login occurs, what tools were used, and how they were deployed, as well as every keystroke and software screen. Only with this level of information can information security determine what activities preceded a security event.
While this level of communication isn’t typical, we aim to bridge that gap through job shadowing and cross-departmental training, among other tactics.
Network Segmentation for Tighter Security in OT Environments
OT environments face inherent security challenges because they function differently than an IT environment. The operating systems are often incompatible with traditional security tools and software, the network is sometimes not configured for monitoring, and visibility tools may not be set up properly or use the same communication protocols as the OT environment.
Poor network segmentation is common in manufacturing environments but occurs across many industries. The risk it poses can be significant – if one system gets compromised, it can impact all of your networks, and anything you’ve done to protect them individually is useless. This includes commonly overlooked systems like physical security badge access or surveillance cameras as well as building controls such as smart elevators, lighting, and HVAC.
Federal regulations have helped critical infrastructures implement better network segmentation, particularly in the energy sector, but it remains an issue for companies of all sizes.
Our priority is helping critical infrastructure organizations set up the right security controls to put their data in the right place, establish rules around data access and protection, and implement monitoring to inspect traffic and be alerted whenever there is suspicious activity.
In addition to improved network segmentation and implementing access control solutions, we also provided our client with a series of other actionable recommendations:
- Controlled Vendor Remote Access: Vendor contracts should always include specific access requirements, credentials and access control policies, and all vendor activities should be monitored and tracked to ensure compliance.
- Patching & Vulnerability Management: All systems, including legacy and proprietary control systems, should have regular patching procedures that are permitted within the environment and are designed to minimize disruptions.
- Access Control & Shared Credentials: Implement role-based access controls to eliminate shared credentials and deploy two-console authentication methods to minimize shared account use.
- Enhanced Visibility & Monitoring: Invest in visibility tools for monitoring OT network traffic and creating a baseline against which to measure anomalous behaviors. Consider hiring an expert team with a 24/7 SOC like DirectDefense.
- Third-Party Risk: Identify and mitigate third-party risk by assessing the security posture of vendors and making sure custom software is security tested and when dealing with small vendor partners, utilize a source code repository.
Of course, different departments and operations need to communicate, often across locations both domestically and globally. We ensure it’s happening safely and securely so the only people accessing your organization’s critical data are authorized and accountable.
Attackers Don’t Slack, and Neither Should You
One thing we know for sure is that attackers will always be attempting to infiltrate networks to gain access to critical information and data.
If they’re not stopping, you can’t either. Keeping your organization secure with network segmentation helps alleviate other security vulnerabilities that allow bad actors to gain access to your networks in the first place. Whether it’s poor password protections, lack of user authorizations, or out-of-date software in need of patching, our team can identify the primary risks leaving your organization open to a breach.
DirectDefense consultants have experience working in OT spaces, including energy, manufacturing, water treatment, engineering, and hardware. This expertise helps our clients in three primary ways:
- We understand there can be a disconnect between OT and IT, which is why we don’t do anything during our assessments to impact uptime or the functionality of the OT environment.
- We know how industrial control systems are built and how to program them properly to maintain operational efficiency while sustaining a security program.
- We are highly involved in the regulatory bodies that provide governance around critical infrastructure operations and SCADA system security and can advise on the latest requirements.
Hiring an MSSP to review the network security within your OT environment will keep bad actors out – and ensure there are no interruptions to facility uptime.
To protect your organization from malicious attackers and make sure they can’t move freely throughout your entire networked environment. Click here to get started or call us at 1 888 720 4633.