The increasing number of attacks against OT assets has not gone unnoticed by governments and organizations alike. In the United States, several government agencies, along with training organizations and universities, are working to equip cyber personnel with the tools and policies needed to defend critical infrastructure and equipment.

Before looking at the mitigations being put in place, let’s first take a look at how OT assets become vulnerable in the first place. Attackers aren’t the only avenue for potential mishaps: companies must be willing to shore up their own policies and operational procedures, in addition to building on and applying industry best practices, to ensure safe and reliable operations.

OT Assets Can Be Vulnerable on Multiple Fronts

While attackers are a growing threat to OT systems, companies are also responsible for applying standard best practices to keep their systems safe. What kinds of threat sources exist in the modern OT environment? NIST SP 800-82r3, Table 13, lists four types: adversarial, accidental, structural, and environmental.

In addition, Appendix C.2, Tables 14 through 20, lists vulnerabilities and predisposing conditions inherent in OT systems that increase their attack surface. NIST’s findings are extensive; the points below give a high-level view of these conditions.

Policy and Procedure

  • Inadequate organizational ownership of risk assessments
  • Lack of configuration management policy
  • Lack of adequate access control policy

Architecture and Design

  • Inadequate incorporation of security into architecture and design
  • Control networks used for non-control traffic
  • No security perimeter defined

Configuration and Maintenance

  • Hardware, firmware, and software that are not under asset management
  • Poor remote access controls
  • Vendor default passwords are used

Physical Vulnerabilities

  • Unauthorized personnel have physical access to equipment
  • Lack of backup power
  • Unsecured physical ports

Software Development

  • Improper data validation
  • Installed security capabilities are not enabled by default
  • Inadequate authentication, privileges, and access control software

Communication and Network Configuration

  • Data flow controls are not employed
  • Firewalls are nonexistent or improperly configured
  • Authentication of users, data, or devices is substandard or nonexistent

Sensor, Final Element, and Asset Management

  • Unauthorized physical access to sensors or final elements
  • Unauthorized wireless access to sensors or final elements
  • Inappropriate segmentation of the asset management system
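Several of the predisposing conditions above are things an auditor can check mechanically against an asset inventory and a firewall rule set. As an added example (not from NIST SP 800-82r3 or the SimSpace post), the Python script below flags four of them: hardware and software not under asset management, vendor default passwords, a control network reachable from somewhere other than its DMZ, and non-control traffic allowed onto the control network. The zone ranges (10.10.0.0/24 for the control LAN, 10.20.0.0/24 for the OT DMZ), the set of control-protocol ports, the default-credential list, and the sample inventory and rules are all assumptions constructed for illustration.

```python
"""Configuration audit for a few of the NIST SP 800-82r3 predisposing
conditions listed above. Added example: the asset inventory, firewall
rules, zone ranges and default-credential list are constructed for
illustration and are not from NIST, SimSpace or any vendor."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Assumed zone layout: a control LAN that should only accept control
# protocols, and only from jump hosts in an OT DMZ in front of it.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed control LAN
DMZ_NET = ipaddress.ip_network("10.20.0.0/24")      # assumed OT DMZ
CONTROL_PORTS = {502, 20000, 44818}                  # Modbus/TCP, DNP3, EtherNet/IP

# Constructed (vendor, username, password) defaults; a real audit would
# use the vendor documentation or a maintained default-credential list.
DEFAULT_CREDENTIALS = {
    ("exampleplc", "admin", "admin"),
    ("exampleplc", "admin", "1234"),
}


@dataclass
class Asset:
    name: str
    ip: str
    vendor: str
    username: str
    password: str
    managed: bool  # tracked in the asset management system?


@dataclass
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def audit_assets(assets: List[Asset]) -> List[str]:
    """Configuration and maintenance checks: unmanaged assets, default passwords."""
    findings = []
    for a in assets:
        if not a.managed:
            findings.append(f"{a.name}: hardware/software not under asset management")
        if (a.vendor, a.username, a.password) in DEFAULT_CREDENTIALS:
            findings.append(f"{a.name}: vendor default password in use")
    return findings


def _net(cidr: str):
    return None if cidr == "any" else ipaddress.ip_network(cidr)


def audit_rules(rules: List[Rule]) -> List[str]:
    """Network configuration checks: allow rules that expose the control
    network to sources outside the DMZ or to non-control protocols."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        # A destination of "any" covers the control network as well.
        reaches_control = dst is None or dst.subnet_of(CONTROL_NET)
        if not reaches_control:
            continue
        if src is None or not src.subnet_of(DMZ_NET):
            findings.append(f"rule {i}: control network reachable from {r.src}, not only the DMZ")
        if r.dport is None or r.dport not in CONTROL_PORTS:
            findings.append(f"rule {i}: non-control traffic (port {r.dport}) allowed onto the control network")
    return findings


# Constructed sample inventory and rule set.
SAMPLE_ASSETS = [
    Asset("plc-01", "10.10.0.11", "exampleplc", "admin", "S3cure!pass", True),
    Asset("plc-02", "10.10.0.12", "exampleplc", "admin", "admin", True),
    Asset("hmi-03", "10.10.0.30", "examplehmi", "operator", "Op3rator!", False),
]
SAMPLE_RULES = [
    Rule("10.20.0.0/24", "10.10.0.0/24", 502, "allow"),    # DMZ -> control, Modbus: fine
    Rule("10.30.0.0/24", "10.10.0.0/24", 502, "allow"),    # enterprise LAN -> control: flagged
    Rule("10.20.0.5/32", "10.10.0.11/32", 3389, "allow"),  # RDP onto a PLC: flagged
    Rule("any", "any", None, "allow"),                     # any-to-any: flagged twice
    Rule("any", "10.10.0.0/24", 502, "deny"),              # deny rules are not checked
]

if __name__ == "__main__":
    for finding in audit_assets(SAMPLE_ASSETS) + audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against the constructed data, the script reports two asset findings (plc-02 with a default password, hmi-03 not under asset management) and four rule findings (the enterprise-to-control rule, the RDP rule, and the any-to-any rule twice). The rule audit treats a destination of "any" as covering the control network, which is what makes a blanket allow show up as both a perimeter and a data-flow problem.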

What’s Being Done About This?

Cybersecurity risk is commonly measured by two factors: impact and likelihood. OT systems typically control critical processes and infrastructure, so disrupting their availability or safety is a high-impact event. In addition, as more of these systems are connected to internal networks or even the internet itself, the likelihood of attacks against them continues to rise. Has anyone taken notice of this, and, if so, what is being done to stem the rise in incursions?

Illustration of connected systems.

Fortunately, major advances in training and policy from both the government and a variety of commercial sectors are improving the protection of OT systems. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has assembled an extensive catalog of materials on this subject. CISA’s ICS training is available online or in person and includes courses such as “Operational Security (OPSEC) for Control Systems”, “Cybersecurity with IT and ICS Domains”, and a two-part series on “Mapping IT Defense-in-Depth Security Solutions to ICS”. As an added bonus, CISA states that there are no tuition costs for these courses. CISA also maintains a dedicated industrial control systems section where anyone in the community can find resources, partnerships, training, information exchange, and a host of other topics. It is well worth the time to explore CISA’s full range of ICS offerings.

Before moving to the commercial sector, a few more resources offered by the government are worth exploring. The U.S. Department of Energy (DOE) offers the Operational Technology Defender Fellowship, a 12-month program in which OT security managers deepen their expertise in defending OT systems. The program is hosted by Idaho National Laboratory and provides participants with a wealth of information and contacts to support the cybersecurity efforts of their own organizations. The National Security Agency (NSA) and CISA have jointly published a Cybersecurity Advisory named “Control System Defense: Know the Opponent” aimed at helping operators stop malicious ICS activity and reduce OT exposure. A final resource to peruse is a bulletin titled “Improving Security of Open Source Software in Operational Technology and Industrial Control Systems”. As open source software (OSS) proliferates in the OT sector, it is important to understand how both developers and users can effectively mitigate risks and bolster defenses.

Illustration of resources

The government isn’t the only entity providing training and resources for OT cyber defenders. The SANS Institute provides intensive training and a host of blogs and whitepapers on ICS cybersecurity. In addition, GIAC, an affiliate of SANS, offers respected certifications such as the Global Industrial Cyber Security Professional (GICSP), the GIAC Response and Industrial Defense (GRID), and the GIAC Critical Infrastructure Protection (GCIP). The ICS Cybersecurity Conference is another great resource, not only for training but also for learning from and partnering with industry peers to advance OT security.

Finally, universities have begun offering degree programs specializing in this field, such as the Industrial Cybersecurity Engineering Technology program at Idaho State University and the Cyber-Physical Systems track at Georgia Tech.

Conclusion

In this post, we’ve taken a look at both the multifaceted vulnerabilities inherent in OT systems and what various security organizations are doing to mitigate them. Adversaries are certainly a key threat source for these systems; however, vulnerabilities exist across multiple domains, from policy and architecture to physical access and network configuration. Fortunately, both government agencies and commercial organizations are taking concrete steps toward securing OT infrastructure.

Thanks so much for reading this post; we look forward to seeing you next time!

Blog by SimSpace