How to Meet the Challenges Facing Industrial Control Systems (ICS) with Automation
Do you know those True Crime stories that are so terrifying that they leave you sleepless at night? We know of only one thing scarier—something you can’t turn off when you’ve had enough: the security threats to industrial control systems (ICS).
ICS often operate software and hardware that directly control physical equipment or processes. Many of these systems have a high availability requirement and are also the foundation of our critical infrastructure, our crown jewels. In industries such as utilities, transportation, finance, manufacturing, and oil and gas, we’re talking about equipment whose failure can cost lives and cause grave danger to humans and the environment. For this reason, third-party resources should be scrutinized to eliminate risk in the supply chain, which includes evaluating and confirming experience, skills, and knowledge before granting access to critical systems.
In response to threats on critical infrastructure, the Director of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), Puesh Kumar, says, “We have a strategic opportunity like we’ve never had before. We can address both climate risks by deploying clean energy solutions and integrating cybersecurity into those systems from the ground up. This is good for U.S. energy security and U.S. national security.”
The call is coming from inside the house—mitigating risk.
Operational technology (OT) controls the physical functions of organizations, while information technology (IT) controls their data. Many OT teams rely on contractors or vendors who need access to critical parts of the network to service specialized equipment, but they may not be aware of the inherent security threats.
In the OT environment, countless off-the-shelf, web-based, and proprietary applications can be running on a network, which can be daunting for system administrators. In addition, it’s not uncommon for ICS environments to contain some custom-engineered, in-house web-based software unique to the given system. These applications and services may not always follow a disciplined engineering development, test, and maintenance process, leading to application vulnerabilities that an attacker can exploit.
Though minor modifications may apply, regulations impacting OT include the Center for Internet Security (CIS) Controls and security protocols for software built by in-house OT teams. The same controls apply even to commercial off-the-shelf (COTS) software sourced from vendors. The goal is to find vulnerabilities and shore them up. It may be the most significant thing you can do to secure an ICS after it is built.
An ounce of prevention is worth a pound of cure—shifting left.
The most effective approach you can take to secure ICS is to bake security into development through DevSecOps. Using automation during the development stage “shifts cyber assurance left” along the development timeline, reducing the likelihood of weaknesses and future breaches by adding security while the project is being built instead of waiting until the final stages.
True to its name, DevSecOps emphasizes the need to incorporate security into every development phase. The obvious advantage of doing this is to identify potential vulnerabilities and work on resolving them sooner. But it also means that security becomes an organic part of the software development process—a conscious and continual effort.
Shifting left might temporarily disrupt your existing DevOps workflow. Overcoming that disruption can be challenging, but if you adopt DevSecOps, shifting left is the best practice in the long run. By integrating and automating compliance checks against mandates such as the CIS Benchmarks, Security Technical Implementation Guides (STIGs), and others throughout development, organizations create an environment of continuous compliance, built on automated, integrated processes and workflows that treat compliance as a requirement.
Rounding up the obvious suspects—reducing silos.
A third best practice is moving away from siloed, static approaches that invite human error, like traditional Excel-based questionnaires, and toward standardized data sets that can easily be shared consistently with the leadership team.
Automation can help significantly with everything from risk management to shifting left to monitoring and standardizing data. SteelCloud’s ConfigOS does it all in one product, and ConfigOS DashView can monitor your hardening compliance and dramatically reduce the time spent monitoring regulations impacting OT, such as the CIS Benchmarks. Getting compliant is difficult, but maintaining that compliance posture is even more difficult. ConfigOS DashView leverages Splunk’s “Big Data” platform to automate these processes and give the organization real-time awareness.
Having plans in place before disaster strikes—best practices.
Security best practices for highly regulated industries with critical infrastructure include shifting left, being vigilant about risk, and reducing silos. Other best practices include:
- Conduct regular, non-intrusive security assessments with third parties’ assistance to identify a greater diversity of vulnerabilities and attack vectors that could be used to breach the security of ICS.
- Put the proper systems in place to manage the identity lifecycle and risk of third-party workers with the same or greater diligence as you apply to your own employees.
- Ensure security tools do not automatically deploy software. These tools should report and identify where security updates are needed but allow the OT team to deploy updates when it is safe.
- Leverage CIS Benchmarks and Controls to uncover vulnerabilities and fix them, so your system is secure and compliant. For the most part, CIS Benchmarks mirror the proven STIG controls the government uses to keep our nation’s critical data safe from attack.
- Use automation solutions like ConfigOS and DashView to simplify and strengthen your security posture, comply with CIS mandates, and uncover areas of vulnerability so you can shore them up.
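As an added illustration of the report-only, benchmark-driven checking described in the practices above (example code written for this page, not SteelCloud’s ConfigOS or any CIS-published tooling), the following Python script evaluates a constructed sshd-style configuration against a hypothetical set of hardening rules and returns findings without changing anything. The rule IDs, titles, sample configuration, and function names are all assumptions made up for the example.

```python
# Report-only baseline check (constructed example): evaluates a config against
# hardening rules and reports findings; it never modifies anything, so the OT team decides when remediation is safe to deploy.
from dataclasses import dataclass
from typing import Callable, Dict, List
SAMPLE_CONFIG = """\
# constructed sshd_config-style sample, not taken from a real system
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding no
"""

@dataclass(frozen=True)
class Rule:
    rule_id: str                              # hypothetical id, not a CIS/STIG number
    title: str
    check: Callable[[Dict[str, str]], bool]   # True means compliant

def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines into a lower-cased dict; skip blanks and comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings
def _is_no(s: Dict[str, str], key: str) -> bool:
    return s.get(key, "yes").lower() == "no"  # a missing key counts as non-compliant

# Hypothetical rule set written in the style of a hardening benchmark.
RULES: List[Rule] = [
    Rule("BASE-01", "Root login over SSH disabled", lambda s: _is_no(s, "permitrootlogin")),
    Rule("BASE-02", "Password authentication disabled", lambda s: _is_no(s, "passwordauthentication")),
    Rule("BASE-03", "MaxAuthTries is 4 or fewer",
         lambda s: s.get("maxauthtries", "6").isdigit() and int(s.get("maxauthtries", "6")) <= 4),
    Rule("BASE-04", "X11 forwarding disabled", lambda s: _is_no(s, "x11forwarding")),
]

def assess(config_text: str, rules: List[Rule] = RULES) -> dict:
    """Return per-rule pass/fail, the failed rules, and a compliance score in [0, 1]."""
    settings = parse_config(config_text)
    results = {r.rule_id: bool(r.check(settings)) for r in rules}
    failed = [r for r in rules if not results[r.rule_id]]
    return {"results": results, "failed": failed, "score": 1 - len(failed) / len(rules)}

def ci_gate(report: dict, fail_build: bool = True) -> int:
    """Shift-left pipeline step: print findings, return 1 to block when gating, else 0."""
    for r in report["failed"]:
        print(f"FAIL {r.rule_id}: {r.title}")  # identify and report; do not deploy a fix
    return 1 if report["failed"] and fail_build else 0
```

Run with `fail_build=True` in a CI pipeline to block a build on findings, or with `fail_build=False` against a production OT host to produce the report only.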
Keep these best practices in mind as you meet your CIS mandates. And keep up on the latest with SteelCloud. We are right at the apex of CIS, securing critical data and creating secure baselines that keep the bad guys at bay.