Endpoints: OT & ITLet's consider the mindsets of the two main bodies within an industrial company’s infrastructure, Informational Technology (IT) and ICS Operational Technology (OT), and how they view endpoints. IT is focused on the corporate side – typically Levels 4 and 5 (Purdue Model). These are business information and transactional systems commonly managed by the Chief Information Officer (CIO). IT endpoints are IP-based desktops, laptops, mobile devices, databases, application servers web servers, and often supply chains for contracts, order entry and accounting interactions. IT endpoints are highly dynamic with frequent updates and new additions connected with the internet and on the intranet. Given this dynamic environment, IT professionals are generally concerned with security for their IT assets, that is, the endpoints and access to those endpoints given the range of attack vectors here. ICS Operations (OT) systems also involve endpoints – many in a similar category. There are application servers, database servers, manufacturing systems, asset management, Human Machine Interface systems (HMIs), engineering workstations and, of course, Level 2 control systems. Every one of these systems has an OS, configuration/setup files, typically password-enabled access, and other factors. OT professionals are generally not especially concerned about security as they have specialized environments, protocols, communication channels, and proprietary hardware.
The Great IT A-Ha MomentI was recently at a conference where the focus was on OT & production systems. I was surprised to run into some IT security managers. When I asked them why they were at the conference, they indicated they needed to know more about these production systems because, ultimately, they would be responsible for their security. This aligns with their priorities versus those of an OT organization. OT’s focus is on control, monitoring processes and equipment in plant environments. Engineering and operational management typically manages them. Safety is the priority, closely followed by availability within industrial control environments. IT security values confidentiality as the top priority within the IT enterprise environment. OT includes an array of control systems, including:
- Programmable logic controllers (PLCs)
- Remote Terminal Units (RTUs)
- Intelligent Electronic Devices (IEDs)
- Distributed Control Systems (DCS)
- Supervisory control and data acquisition (SCADA)
- Human machines interfaces (HMI)
- Digital to analog converters (DAC)
OT & IT: Consider Endpoint Security MisconceptionsLet’s consider the vast range of endpoint security misconceptions that can lead us to great pains. "Anti-virus (AV) is just fine." While AV offers some level of endpoint protection, it requires regular signature updates and scheduled scans. Signature-based protection does not catch all attackers, and it is not appropriate for all endpoints. "Not all endpoints require protection." It’s a false sense of protection. Increasingly, endpoints are becoming connected or plugged in (like a USB drive), which constitutes an attack vector. "Endpoint protection can operate on its own." Security insight from both the endpoint and the network is required for a sophisticated attack. Understanding the source of the attack downstream, whether it is the network or email link, is critical to remediation. "Users operate most endpoints in a safe manner." The Human Attack Vector is one of the largest, and OT environments often times don’t consider the effects of operator error, social networking, and poor policy as influenced when an end user is involved. Endpoint protection must include user training on cybersecurity. Human error, whether inadvertently caused or through malicious intent, is a major source of attack vectors. "My endpoint connections to the internet are safe." Not in all cases, many older protocols to secure the connection have vulnerabilities. "Endpoint security ruins my user experience." Most endpoint security has evolved to minimize any performance issues. On the flip-side, what if your endpoint gets infected? It will more likely see some performance issues as a result of being infected. "Endpoint protection is the panacea." A comprehensive and integrated approach that considers the network and the endpoint will address most attacks effectively This is Tripwire’s philosophy for securing endpoints. For industrial organizations, basic endpoint security hygiene is the foundation of your cybersecurity. This includes:
- Knowing your endpoints. Have an inventory of assets, hardware, software, firmware, virtual and physical assets, and also have visibility into their configurations, OS, protocols, and communications, as well as who has access to them, when and for what purposes. This essentially defines key areas most often involved when a breach occurs.
- Understand the existing and documented vulnerabilities for any of your assets and the risk associated with your particular environment. (It’s unfortunate that many attacks came from known vulnerabilities.)
- Attain and maintain secure and authorized configuration on each endpoint. If a configuration is tweaked on your endpoint without proper reason or authority, there is reason to at least investigate if not believe there could be foul play.
- Find and discover any unauthorized changes in as close to real-time as possible. This will help determine as early as possible what process and policy failures may be present at best and potential malicious behavior at worst.