Threats against industrial environments are on the rise. Near the beginning of 2019, for example, Kaspersky Lab revealed that 47% of industrial control system (ICS) computers on which its software was installed suffered a malware infection in the past year. That was three percent higher than the previous year.
These digital threats confronting ICS systems come from a variety of sources including nation-state actors. Take Iran, for instance. Over the past several years, the United States Department of Justice has charged Iranians with hacking into U.S. financial institutions, accessing a dam located in New York State and using SamSam ransomware to prey on schools and hospitals. More recently, the Department of Homeland Security warned organizations that Iran could use digital attacks as a means of retaliating for the killing of General Soleimani by the United States.
The Need to Defend Your ICS Systems
Fortunately, industrial organizations can protect themselves against these and other digital threats. This effort should begin with them building an inventory of all devices that are connected to their environments. Having this type of inventory is essential to industrial organizations’ digital security, as it allows security personnel to monitor connected assets’ configurations, manage vulnerabilities and address unapproved devices.
In the absence of an asset inventory, organizations are essentially in the dark. As David Bisson wrote in another blog post for The State of Security:
Organizations can’t protect ICS devices, systems, and networks including those responsible for controlling critical infrastructures if they’re unaware of their existence. Otherwise, they simply use ignorance to assume that they’re secure, thereby placing them into a position of reacting to security incidents instead of proactively defending against them. Even if they are aware of these devices, industrial organizations can still expose themselves to risk by not consistently implementing security measures such as configuration controls.
Achieving visibility for industrial environments is harder than it looks, however. In a recent survey, eighty-four percent of participating ICS security professionals told Tripwire that they were concerned about adding new technology to their organization’s industrial environment. Part of the reason for this worry is the belief that organizations can’t achieve visibility over their operational technology (OT) networks without disrupting their business processes. Indeed, some organizations believe they need to actively look for their connected assets, a process that could interfere with those devices’ availability. As a result, the reason that visibility is impossible to achieve, and they simply stop pursuing it.
Passive Asset Discovery as a Way Forward to Increase Visibility
Organizations don’t need to risk disrupting their critical operations. They can simply invest in a solution designed to undisruptedly discover their network assets. Amongst those solutions, my personal favorite is a hybrid approach – which I will write more about in a future post, for now, passive discovery is a great start That being said, organizations need to do their due diligence in choosing a solution that fits their needs. They should, therefore, pursue the following recommendations:
- Use the vendor selection process to your benefit: Organizations should consider testing a packet capture of their network traffic in all the tools they’re considering. Conducting this type of test would help them evaluate a tool better than they otherwise could. In effect, the test would demonstrate the solution’s functionality with data that has contextual meaning to the organizations themselves.
- Involve the local OT teams in the vendor selection process. Choosing a vendor for a passive asset discovery solution is an important decision. It’s, therefore, crucial to keep everyone in the loop, especially those professionals who are responsible for the security and operability of their organization’s OT assets.
- Select from a vendor who has experience and a history of successful deployments. There are a lot of vendors in the passive asset discovery space. Even so, only a select few vendors have the know-how and support structure to enable complete success from the point of pre-sales through post-sales support.
Once an organization has selected a vendor, it’s important to deploy this solution gradually and not all at once. Kristen Poulos, vice president and general manager of industrial cybersecurity at Tripwire, agrees with this idea:
When it comes to deploying a strong passive asset discovery solution, don’t try to boil the ocean! If a customer has a large, multi-plant environment, implementing a passive asset discovery tool at a strategically selected pilot location is a great way to build momentum, show internal successes, and even make a couple of mistakes early instead of trying to roll out a solution over dozens of environments at once.
Introducing Tripwire Industrial Appliance
Organizations that are looking to purchase a passive asset discovery solution should consider going with a hardware appliance for maximum ease of use and rapid deployment. That’s where Tripwire Industrial Appliance comes in. This solution solves the visibility challenge for industrial organizations via continuous threat monitoring and advanced logging intelligence. It comes in two different versions: TIA-700, which operates on the harshest industrial networks via the use of an extended operational temperature range and conformal coating; and TIA-2400, a high-end enterprise-grade tool with high performance CPU and RAM to support large networks. Both versions use over 100 native industrial protocols to gather threat data that could jeopardize the safety and availability of organizations’ OT environments.
Want to bolster your organization’s passive asset discovery capabilities? Download this datasheet on Tripwire Industrial Appliance today.