In July 2021, the White House established a voluntary initiative for industrial control systems (ICS) to promote cooperation between the critical infrastructure community and the federal government. The fundamental purpose of the initiative was “to defend the nation’s critical infrastructure community by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings” to enable effective responses in industrial businesses against evolving cybersecurity threats.
The memo further elaborated that “we cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”
A crucial aspect of any effective cybersecurity plan, particularly for critical infrastructure, is having visibility into the assets that need to be safeguarded. The consequences of a breach can be catastrophic, making it essential to identify all digital and physical assets in your network as the first step in mitigating cybersecurity risks. Both NIST and NERC acknowledge the significance of visibility for meeting compliance standards.
The many aspects of visibility
Visibility refers to being aware of your environment or the activities taking place within that environment. According to NIST, identifying your assets is the initial step toward achieving clear visibility. This means that if you are unaware of what you own, protecting what you don't know you possess becomes impossible. It is essential to note that the visibility of assets extends to people and their actions. Visibility is not limited to the presence of machines and flashing lights; it also involves determining who has access to essential resources.
Another approach to improving visibility is gathering enough data from target networks and systems and then analyzing it to turn raw information into valuable insights. This helps to eliminate the noise and make the information more helpful. It's important to note that the level of visibility will vary depending on the organization. If the organization doesn't have an adequate inventory of assets, the value and effectiveness of this process will be reduced, emphasizing the importance of having an accurate list.
To ensure better visibility, it's crucial to have a clear understanding of the software components that make up your applications. On average, a software product consists of 135 components, and 90% of these components are open source. However, each component may have its vulnerabilities that can pose a risk. For example, with a Software Bill of Materials (SBOM), an industrial company can keep track of these vulnerabilities and ensure the safety of its software components.
Having solid visibility is crucial for compliance and awareness. Without it, it's challenging to comprehend the risk posture of ICS networks. This makes threat detection uncertain, and organizations struggle to choose the best controls to comply with expanding regulations.
The foundational components of visibility
Considering the above, we can conclude that there are three crucial components in a visibility program, which are closely interdependent:
- Asset visibility: Provides the framework around which vulnerability management and threat visibility can be conducted. Without understanding which assets are deployed within an environment, and what is installed on those assets, it can be nearly impossible to know where to look for flaws, let alone active threats.
- Threat intelligence: Offers valuable data to help vulnerability management programs prioritize remediation efforts based on the likelihood and impact of an exploit.
- Vulnerability management: Provides insights into flaws in the industrial environment, which can be used to prioritize threat mitigation.
By integrating all three components, end-to-end visibility is achieved, which can be used to drive effective and efficient incident response. This visibility allows for analyzing infrastructure changes and provides forensic records to reconstruct threat activity, enabling more straightforward response and recovery efforts.
Selecting the correct industrial visibility solution
In the IT domain, asset visibility, threat intelligence, and vulnerability management are also essential aspects of maintaining visibility. However, regarding industrial settings, the risks and considerations are vastly different. The path to achieving industrial visibility requires a different approach.
Unlike IT, where the most significant risks are related to confidentiality, integrity, and availability, industrial environments face physical safety risks and the potential loss of critical infrastructure such as electrical grids, water systems, safety systems, pipelines, and plants. This means that a cybersecurity program for industrial settings needs technologies and processes that are specifically designed for this environment. The information gathered needs to be relevant and valuable without jeopardizing the stability of industrial processes.
With its industrial cybersecurity hardening solutions, Tripwire can help provide visibility and reduce operational risk for the potential impact of industrial cybersecurity events. To learn more, check out our Guide to Navigating Industrial Cybersecurity.