How to assess and address network vulnerabilities

We all know that information-technology (IT) cybersecurity experts are frequently updating and patching the organization’s network, computers, laptops and all devices that are exposed to the Internet. Obviously, this activity is incredibly important for compliance with the confidentiality-integrity-availability (CIA) triad, as applicable for IT operations. However, industrial-control-system (ICS) or operational-technology (OT) experts know well that every modification—hardware, software, application program—represents a risk to the operation safety. Consequently, they are not seeking to comply with the CIA triad or any of its rotated versions, such as IAC or AIC, but they must take a proactive action to comply with the safety-reliability-productivity (SRP) triad.

Also read: Postured to forge the digital future

After reviewing and understanding the principal differences between protecting the IT network and protecting the ICS-OT network, it’s important to conduct a detailed assessment of the ICS-OT architecture. During this process, we shall answer these questions:

• Is the ICS-OT zone directly or indirectly exposed to external networks?
• Does the industrial operation represent a safety risk?
• Does the ICS-OT include unresolved cybersecurity vulnerabilities?
• Are built-in measures capable of reducing the known impact?
• Can exploitation of known vulnerabilities risk lives, cause damage to machinery, cause an operation outage or reduce the productivity?

Understanding these topics may lead to a critical management decision related to urgency of deploying a corrective action and patching a known vulnerability.

Identify the level of risk

Prior to deciding about the patching, it’s important to assess the risk of the ICS-OT operation. If the ICS-OT system is managing the operation of a chemical plant, water-treatment plant, refinery or combined-cycle power plant (CCPP), the risk to lives of people is high. On the other hand, if the system is monitoring the pressure along water pipes or performing a collection of data from utility meters, the risk is extremely low. The extended formula for calculating the risk level (R) takes into consideration four factors:

• P—factor for probability of occurrence
• I—factor for the level/severity of the impact
• V—factor for unsolved vulnerabilities
• D—factor for exiting defense measures, which assures the operating resiliency.

The calculated risk will obviously dictate the level of urgency for corrective actions.

R=I*P*V/D

ICS-OT network exposure

If the industrial zone is directly exposed to the Internet, the ICS-OT network can be seen on the Shodan website. If the ICS-OT is connected to an IT zone, which is exposed to the Internet, the IT attack might also compromise the ICS-OT operation by exploiting an unpatched vulnerability.

On the other hand, if the industrial zone is strongly isolated from the IT zone, using a unidirectional data diode or other strongly protecting appliance, attackers might perform only an internally generated attack, which requires physical access to the facility where the ICS-OT system resides. Lighter physical security—lack of guards, simple cameras or simple door locks —might encourage the attacker to initiate an internally generated attack. On the other hand, if the IT operation is not strongly protected and people are not trained to deal with social media risks, attackers might start with penetrating to the IT zone and in a next step compromise the barrier between the IT and ICS zones.

Known vulnerabilities

Vendors of industrial hardware and software often publish identified, reported and detected vulnerabilities and ask users to perform the recommended correction. However, can the responsible ICS-OT expert install them right away, similarly to what their IT peers are doing? The answer is “no” because modifications in the ICS-OT zone might risk lives, cause malfunction of industrial machinery or lengthy operation outages. Consequently, prior to deploying any modification, the team responsible for the ICS-OT Operation must ask:

• Might an attacker access the critical component or zone and exploit the vulnerability?
• Might exploitation of the vulnerability risk lives or cause severe damage to the plant?
• Which attack vectors might be activated to access the critical ICS component or zone?
• In case of indirect exposure via the IT zone, how strong is the segregating appliance?
• What is the probability factor that an adversary might initiate an attack against the plant?
• Is there an adequate safety instrumented system (SIS) installed to eliminate a severe impact?

Receiving answers to all of the above questions is not easy and requires involvement of an expert who understands the specific industrial process and cybersecurity solutions. The team may decide conducting a typical risk-management process may help reach the decision:

• The plant may suffer just a minor impact and the organization may accept the risk.
• The plant owns cybersecurity insurance, which covers the expected damage caused by an attack.
• The organization may decide to take a risk-reduction action by degrading the productivity.
• The plant manager may instantly stop the operation and implement the patching process.

Schedule the patching

Taking the above considerations, the plant management may decide to delay the patching process or schedule it during a weekend or a holiday without interrupting the operation. However, if the risk is high and alternative options are not possible, management may decide to stop the plant operation and immediately conduct the patching process. The decision must be taken during a collaborative discussion with ICS and IT cybersecurity experts, industrial process management experts, finance and legal teams and senior management.

Safety first

It’s important to remember that operation safety must always be the top-priority goal for industrial facilities, and none is allowed to delay a corrective action if a vulnerability might risk lives or cause severe damage, which might lead to a lengthy shutdown. According to ISO 27001-2013 Section 5 Paragraph 1, the CEO and the senior management are responsible for cybersecurity, which includes cyber defense compliance according to CIA and SRP triads as applicable.