
Threats

Leveraging Tabletop exercises to Enhance OT security maturity


Has your organization tested its OT security incident response plan in the last 6 months? Do you remember when you last checked your institutional OT security awareness levels? Are your OT security programs running in compliance with IEC 62443? If your answer is no to any of the above questions, then this article is for you.

Why do we need to conduct OT security tabletop exercises regularly?

Tabletop exercises help security teams play out scenarios to test various components of an OT security program, including elements of governance, compliance and incident response. Such tests can be conducted without the risk of downtime, to test the effectiveness of various response mechanisms and the role of people and processes in them.

Download our TTX template now: OT Security Tabletop Exercise.

The scope of an OT security tabletop exercise should ideally cover:

Objective and definition: Identify and set specific goals for the exercise, such as testing incident response plans, improving employee communication, testing a specific aspect of the OT security approach, or identifying gaps in security posture that may hinder a coherent response to an OT security incident or event.

Realistic scenario development in tabletop exercises involves:

Who should participate in an OT security tabletop exercise?

Ideally, any team that is connected with OT, directly or otherwise, should participate in these exercises. A tentative list of participants includes:

What roles and responsibilities can be assigned to the participants during a tabletop exercise?

The role of each participant should be clearly defined as per the scenario being tested. Suggested roles include:

Understand and learn how you can benefit from assigning specific roles and responsibilities with the help of IEC 62443 and NIST CSF: OT Security Roles and Responsibilities

How can an incident flow be developed during a tabletop exercise?

Any simulated/unfolding event can be divided into various parts such as:

The performance of each aspect of the exercise should be evaluated in detail at a step/response level.

Download your copy of the Facility Incident Response Plan and Checklist now!

Essential factors for a successful OT security tabletop exercise

What are the benefits of a tabletop exercise?

The following are some of the benefits that institutions and teams can gather:

1. Improved OT/ICS and IoT incident response
2. Better cross-functional collaboration
3. Increased awareness of OT security risks
4. An opportunity to test the relevance and applicability of security controls, incident playbooks and policies
5. Enhanced crisis planning and management
6. Continuous improvement
7. Reinforced cyber resilience measures

Through OT security tabletop exercises, businesses can continually evolve their cybersecurity strategies to face emerging OT threats, thereby safeguarding and enhancing operational continuity and resilience.

Book a consultation with our ICS security experts now. Contact Us

Thinking of an ICS security training program for your employees? Talk to us for a custom package.


How to evaluate OT security program maturity


An OT security program can lead to better resource use, improved security operations, and tangible gains for the security posture of an OT operator. The benefits of running an OT security program include:

At a fundamental level, an OT security program provides a strong foundation for an enterprise to adopt and scale up security measures.

What is OT security program maturity?

Based on various factors, an OT security program can be graded into the following tiers. For each parameter, the descriptions for a Mature, an Evolutionary/Evolving and an Early stage OT security program are given; the Score column is filled in using the points scheme that follows the table.

Parameter: Clear delineation of roles and responsibilities
- Mature: All personnel across functions are clear about their roles and responsibilities. All employees are in alignment with the assigned roles for managing security collectively. Every team has an employee responsible for security.
- Evolving: This delineation is clear within the security operations teams. The larger organization does not subscribe to the program, or subscribes in parts driven by a compliance mandate or any other factor that originates from outside the organization.
- Early stage: Security teams are solely responsible for security. In the event of an incident, the security team is held responsible.

Parameter: Security measures are driven by a well-drafted security policy and a governance framework that is binding for all employees
- Mature: Yes. All teams and employees are governed through, and are required to adhere to, a security policy that may derive elements from standards such as IEC 62443 yet projects a distinct security mandate while incorporating cultural elements from the organization and its operational imperatives. The policy clearly articulates the security requirements at all operational and asset levels.
- Evolving: The policy is generic in nature, without paying any attention to the unique institutional character of the organization. Compliance with the policy is also partial and episodic.
- Early stage: There is no policy in place.

Parameter: Management and senior leadership are engaged in the security program and are active contributors
- Mature: Fully engaged and security-sensitive management
- Evolving: Management is partially engaged and does not track the program
- Early stage: Management is not connected with the program in any way

Parameter: Evolved incident response and disaster recovery mechanisms
- Mature: Followed in letter and spirit with clear protocols
- Evolving: A mix of proactive and reactive measures is in place. Assets and data are at risk due to a potential for delay in intervention after an incident
- Early stage: No measures in place

Parameter: Risk assessment and gap analysis audit frequency
- Mature: Once every 180 days
- Evolving: Once every 365 days
- Early stage: Infrequent or performed in an ad hoc manner

Parameter: Institutional action on OT security audit findings
- Mature: Key audit findings are addressed within a pre-agreed time frame. The OT security policy is modified to reflect major suggestions
- Evolving: Audit findings are addressed, but not in a time-bound manner
- Early stage: If an audit is done, the findings are ignored or filed without any action being taken

Parameter: Program coverage
- Mature: 100 percent across assets, infrastructure, services, processes, sites and networks
- Evolving: Partial
- Early stage: Less or none

Parameter: Security Operations coverage (asset visibility, vulnerability and patch management, secure remote access, SOC, hard segmentation of OT and IT networks)
- Mature: Complete/100 percent
- Evolving: Partial
- Early stage: Less or none

Parameter: Improvement in key security operations metrics such as MTTD, MTTR, number of events closed and percentage of false positives over the last 11 months
- Mature: 30 percent
- Evolving: 15 but less than 30
- Early stage: < 10 percent improvement

Parameter: Has the program been evaluated by a qualified third party?
- Mature: Yes
- Evolving: No
- Early stage: No

Parameter: How frequently do OT security awareness programs run?
- Mature: Once a quarter
- Evolving: Once every 9 months
- Early stage: Only in October

Parameter: Are crown jewels and legacy systems residing behind a DMZ?
- Mature: Yes
- Evolving: Yes
- Early stage: No

Parameter: Strong anomaly and breach detection capabilities
- Mature: Yes
- Evolving: Approaching strong but not yet there
- Early stage: Weak or non-existent

Parameter: Countermeasures in place around access controls and insider activity
- Mature: Yes
- Evolving: Partial measures in place
- Early stage: No

Parameter: Cybersecurity risk in the ICS environment is managed through strategic security planning and controls
- Mature: Yes
- Evolving: Partial measures in place
- Early stage: No

Parameter: OT security assurance is arrived at through risk minimization and management of risk exposure
- Mature: Yes
- Evolving: Partial measures in place
- Early stage: No

Parameter: Lifecycle measures in place for each aspect mentioned above
- Mature: Yes
- Evolving: Partial measures in place
- Early stage: No

Parameter: ICS controls derived from the last OT security audit cycle implemented
- Mature: Yes
- Evolving: Partially
- Early stage: No

Parameter: Secure design architecture and engineering compliance in place
- Mature: Yes
- Evolving: Initial/rudimentary
- Early stage: No

Parameter: Microsegmentation implemented
- Mature: Yes
- Evolving: No
- Early stage: No

Calculating the score of your OT Security program

To derive your OT security program effectiveness score, assign 40 points for each mature program parameter met, 20 for each evolving program parameter met, and 5 or 0 (for each No) for every early stage program parameter met. For example, for the parameter “Microsegmentation implemented”, the following score applies:

Yes: 40 points
No (evolving): 0 points
No (early stage): 0 points

For the “Secure design architecture and engineering compliance in place” parameter you can follow the points scheme below:

Yes: 40 points
Initial/rudimentary: 20 points
No: 0 points

If your total score is above 650 points, then you are running a mature OT security program. Congratulations. If your total score is above 350 but less than 650, then you are running an evolving security program. Let’s ramp up. If your total score is below 350 points, then you have a lot of catching up to do.

No matter where your OT security program is on the above scale, Sectrio can help you run a model and relevant security program that is also high on RoI. Talk to our OT security program expert now through a free consultation to figure out your next steps.


Launching a critical infrastructure security program in 4 phases


As per the Cybersecurity and Infrastructure Security Agency (CISA), threat actors were still leveraging brute force intrusions, default credentials, and other unsophisticated attack methods to target internet-exposed operational technology and industrial control systems of critical infrastructure organizations. Organizations that are running their ICS infrastructure without adequate visibility into their networks and operations are especially vulnerable to such threat actors.

So how can critical infrastructure operators respond to this emerging threat? The answer lies in launching a structured institutional OT security program with a strong foundation, to improve and strengthen existing OT security measures in a phased manner. Such an approach ensures asset assurance and improved visibility into the outcomes of each measure, and allows OT asset owners to move forward with more learning and knowledge.

So what does a structured critical infrastructure OT security program look like? Let’s look at each of these OT security phases in more detail.

Phase 1: Understanding the present state of OT security in your critical infrastructure

This phase includes conducting an IEC 62443-based OT/ICS Cybersecurity Assessment to determine the gaps and issues with the current OT security approach. The following aspects need to be highlighted in detail in the assessment:

You can use this IEC 62443 checklist for the above exercise.

Phase 2: Implement security measures, including those to secure infrastructure and detect threats

In this phase, the measures designed to gain visibility and to protect networks and assets are deployed, securing them with various measures such as:

- Hard network segmentation between OT and IT networks

Phase 3: Evaluate data and security measures (measure success)

During this phase, all security management measures should be institutionalized through an OT Security Operations Center. The SOC should also have an incident response and management component, either in-house or through managed means. An OT security audit is recommended at this phase to gather data on the effectiveness of the security measures and the impact of the OT governance and security policy in an integrated manner. This phase should cover:

Phase 4: Channel the learnings from your OT security program

- Regular internal and external workshops to share learnings from all aspects of cybersecurity operations

To learn more about a structured OT security program that incorporates IEC 62443, NIST CSF, and NIST SP 800, talk to a Sectrio OT governance expert.


Simple yet effective strategies to ensure robust OT Security


At the heart of an OT security strategy lies the ability to clearly distinguish IT and OT security. Since both share technology, operational goals, and to some extent an enabling mission, it is easy to think of them as a single entity and, worse, to treat their security requirements in a unified manner. Once that is out of the way, i.e., once an asset owner or OT operator understands the differences between OT and IT security, the entity can prepare to initiate and deploy an OT security strategy.

So how can one go about formulating an OT security strategy? Let’s explore the answers. To secure OT environments, we need to put in place 7 critical controls.

7 critical controls for a robust OT Security posture

Now let’s look at each of these in detail.

24x7 monitoring of networks and assets

OT networks and assets are often left unmonitored as they are considered to be of low value to hackers or other disruptive forces. Nothing could be further from the truth. Due to a lack of basic security measures, today ICS systems and OT networks are easily accessible from outside the infrastructure. This means that these systems can easily be accessed and manipulated from outside. History has shown that accessible systems are often used by threat actors to monitor and control systems and networks of interest.

Secure Remote Access for Industrial Cybersecurity

What is Secure Remote Access? It broadly refers to the multitude of security measures, policies, technologies and access methods organizations use to enable access to devices, networks and applications from a location outside of the core network in a secure manner. Organizations should be able to enable designated employees to control OT remotely in a secure manner without being impeded by protocols or compromises on functional aspects.

OT Incident Response

Incident response includes measures to respond to a cyber incident in a structured manner while minimizing the incident’s impact. In an OT environment, this could mean ensuring the continuity of operations, preventing lateral movement of threats, and minimizing the blast radius, if any. In OT environments, asset owners often shut down the entire OT infrastructure in response to an incident, and this is a standard practice. If a structured OT Incident Response plan with clear ownership of activities, response elements and assets is put in place, not only does the quality of response improve but so does the learning from each incident. It also improves the ability to recover rapidly from an incident with appropriate levels of transparency in the response.

Vulnerability Management in OT Security

OT vulnerability management is all about ensuring all vulnerabilities are discovered well before they are exploited. This includes zero days and patches for all OT assets, to ensure that the risk of exploitation is kept at a minimum in line with risk tolerance, best practices, OT security policies, or compliance mandates. Suppose your enterprise can figure out attack paths, i.e., the most likely way in which an asset could be exploited. In that case, it becomes easier to break that attack path, either by patching a vulnerability or by adding a vulnerable asset to a DMZ or a zone. Such zones, as recommended by IEC 62443, can go a long way in improving the security level not just at an asset level but also at an enterprise level.

Visibility into OT risk exposure

Risk exposure is a function of vulnerability management, continuous threat detection, adoption of best practices, adherence to IEC 62443 and other applicable standards, and the level of visibility that asset owners/managers have into OT assets and networks. A risk exposure score can be calculated by assigning a score to security measures and deducting points for every unaddressed vulnerability or risk. By knowing the enterprise risk score, asset owners can work towards improving security measures and isolating assets, networks or practices for improvement through security intervention. Critical infrastructure operators can also track the efficiency of their OT SOC and decide on the frequency of OT risk assessment and gap analysis exercises.

Defensible network architecture

A defensible network is monitored, managed, governed, remedied, and operated with a minimal amount of risk. A defensible network should be run with an ample degree of visibility and insight into risk exposure. It should enable the adoption of security measures of the highest order and permit the deployment of relevant security measures. A defensible OT network should be segmented with a layered defense-in-depth strategy that enables additional security to be provided to crown jewels or legacy systems. A defensible network architecture that translates into robust security practices on the network can thus translate into improved risk management at the enterprise level.

Additional security for crown jewels

Crown jewels have to be placed inside a DMZ or a zone with additional security measures. There are many ways to achieve this, including microsegmentation. With additional security, crown jewels can be shielded from cyber incidents that impact the wider network, thereby lowering the unit risk exposure for vital assets.

Sectrio has turnkey OT security capabilities and is today securing some of the biggest OT operators across the globe, including oil refineries, airports, railway assets, manufacturing plants, ports, and power plants. We have solutions, consulting, risk assessment, services, and SOC offerings that can be customized to your unique OT security needs.

Interested in learning about specific measures for protecting your crown jewels? Learn more about Sectrio’s OT security solutions. Talk to us, now. Learn more about how we can be a one-stop partner for your OT security journey.

Book a free consultation with our Industrial Control System security expert to learn about the latest cyber risk minimization strategies and models.


10 steps for reducing ICS asset risk exposure


The level of asset risk that OT operators are exposed to varies according to the industry and the asset security management practices that they have adopted. Assets lie at the heart of almost every security measure an OT operator adopts. So it is essential to get your asset security strategy right in order to minimize your overall risk exposure. What are the practices that can help improve asset security and reduce risk exposure? Let us explore the answers.

10 steps for improved OT or ICS asset security

Step 1: Determine the unique security requirement for each asset

The first step towards improving asset security involves understanding the unique security level required for each asset. An asset could require a higher level of security because of its mission-critical nature when it comes to business, because it is a legacy system, or because it has an unpatched vulnerability. Thus, an asset threat index for determining the security levels for each asset on the shop floor cannot be a static one. It has to be dynamic, to account for the forces that are shaping the asset risk levels in an organization.

Step 2: Put a policy in place for managing security during procurement

We have seen that in many cases, security challenges emerge much later, after the installation of the device, and in some cases the OEM does not respond in time to address those issues. By having a policy in place, the vendor can be made to provide a higher level of security assurance to the customer. Further, the procurement team, including the end users, can then use this policy as a guide to request more information or place security conditions that need to be fulfilled before or after procurement, as the situation demands.

Step 3: Conduct a Security Acceptance Test each time a new asset is added

No asset should be added to the infrastructure without conducting a Security Acceptance Test. This testing should be done in a manner that verifies:

The bill of materials can also be checked to ensure that all components have been derived from verified entities and the documentation is in order. In case any doubts emerge about the asset at a later stage, a fresh test can be conducted.

Step 4: Use a mix of OT Security standards for handling assets

You can read more about this in a previous Sectrio blog post on OT asset security. In that article, we do an in-depth analysis of the relevant standards that you can follow to improve asset security and to benchmark your internal security measures. The most common standards that you can rely on are IEC 62443-2-1, IEC 62443-4-2:2019, IEC TS 62443-1-1, and various NIST CSF categories. Such an approach helps develop a best-of-practices approach to secure assets with the best possible set of security measures. Access Sectrio’s compliance kits to learn and understand more about these standards.

Step 5: Train to raise actionable awareness in Industrial cybersecurity

Each employee should be aware of best security practices and company policies when it comes to asset security. OT operators must ensure that their employees are trained in best practices and operate with a high level of security sensitivity and responsibility. You can read about how you can train your employees on OT security here.

Step 6: Periodic ICS risk assessment and gap analysis

The recommended cycle for an OT Security risk assessment and gap analysis for an OT critical infrastructure operator is once every 6 months. Non-critical infrastructure OT operators can do a risk assessment exercise at least once every 9 months. Here are the essential factors to keep in mind when conducting an OT security risk and gap assessment:

- The report that is generated from such an exercise should be actionable, with each security issue prioritized for remediation with recommended timelines
- The assessment should be conducted by an independent vendor

More information on how you can do a comprehensive OT risk assessment and gap analysis is available here.

Step 7: Focus on patch discipline

Every patch should be applied within a certain period, as dictated by an OT security policy. If the patch is not deployed for any reason, then step 8 should be followed. Know more about Sectrio’s Patch Management program.

Step 8: Deploy OT microsegmentation

As opposed to network segmentation, OT microsegmentation involves the creation of zones to house critical and/or legacy assets with an added level of security. The extra layer of security comes from the additional controls that are deployed in the zone. Assets in this zone will be allowed to transact only certain approved interactions with the rest of the network. Microsegmentation enables the adoption of a true zero-trust approach to security. Microsegmentation also enables the prevention of lateral malware movement in case of a breach. More information can be found here.

Step 9: Improve ICS asset visibility

Knowing what your assets are up to at all times is an important need. The asset inventory should be maintained in an automated manner, with all assets and their behaviors being accounted for. Asset visibility is a baseline OT security need.

Step 10: Talk to a Sectrio Asset Security expert

Our asset security experts are trained in both the security and functional aspects of industrial assets. They can help you determine:


Why is Chinese threat actor APT 41 in a tearing hurry


Since June 1st 2024, Chinese frontline threat actor APT 41 has been linked to as many as 63 events globally. These include attacks on Taiwanese research agencies in August, and attacks on the shipping and logistics, utilities, media and entertainment, technology, and automobile sectors in countries such as Taiwan, Thailand, Italy, UAE, Spain, the United Kingdom, and Turkey in July. The group is known to have successfully penetrated networks connected with critical infrastructure in as many as 29 countries as of this year. The group has registered a whopping 900 percent rise in its presence this year, as measured by the IOCs recovered from various events analyzed by Sectrio’s Threat Research team.

So why has APT 41 turned hyperactive in 2024, and what does this mean for critical infrastructure operators around the world? Let’s find out.

Background of APT 41

APT 41 has been a group reserved for carrying out the most sophisticated attacks on a few of China’s chosen geo-political rivals. Hitherto, this group had a mandate covering the G7 countries, India, South Korea, Taiwan and Vietnam. As things stand, APT 41 is assigned the best talent, weapons, and exploits to work with, thanks to its ranking by the Chinese Ministry of State Security as a frontline cyber intelligence gathering entity.

Read now: The Complete Guide to OT SOC

Periodically, the group is split for administrative (and/or project) reasons. The splinter groups are assigned strategic targets to pursue, only to be merged with APT 41 once the target data is acquired or the project closed. It is believed that APT 41 also covers several shadow groups working under the direct tutelage of senior members such as Dalin Tan and Qian Chuan. Such groups do not have any direct affiliation with the MSS; their operations are channeled through APT 41, and they may even be on the direct payroll of APT 41.

[You can read more about APT 41 in our comprehensive intelligence note on this threat actor presented in our Threat Landscape Report 2024]

As per Sectrio’s Threat Research Team, APT 41 also runs an intelligence crunching operation that churns out intelligence of very high quality that is shared directly with the CCP leadership. This intel is also used to shape the geopolitical responses of China, in addition to being used to shape specific long-term military and diplomatic interventions. The strategic importance of the intelligence gathered by APT 41, and recent moves by many APT 41 target countries, offer a clue as to why APT 41 is in such a hurry to target multiple critical infrastructure operators. We will get there in a minute, but before that, it is important to understand what has changed in the last few months.

Rising legislative attention on critical infrastructure security

In the last few months, many countries have enacted legislation on Industrial Control System/OT cybersecurity. These legislations mandate cyber risk and gap assessment, deployment of an OT Security Operations Center (SOC), better reporting and asset visibility, and enhanced monitoring of OT/ICS networks. There is increased scrutiny on critical infrastructure operators, and regulatory bodies are also conducting surprise checks on various entities to check their preparedness levels to deal with cyber risks and threats. Penalties are in order as well.

Many critical infrastructure entities are also conducting security acceptance tests on systems and assets to ensure they are free of backdoors, and that they do not leak any data or have security issues that could compromise the device or the networks connected to it. This, coupled with regular IEC 62443-based risk and gap assessments, is helping critical infrastructure operators scale their security posture and bring it closer to the levels of risk these entities are exposed to.

So how does this impact APT 41 and its operations, you may ask? The answer is simple. With security measures intensifying, the MSS understands that its window of opportunity for exfiltrating data and maintaining a menacing presence through APT 41 will diminish considerably in the days to come. There is certainly a growing realization among the bosses at APT 41 that they need to hurry up. This hurry has led to APT 41 and its sister actors

The sense of urgency has also led to errors across geos, revealing its modus operandi as well as the measures it is using to breach networks and maintain surveillance. APT 41’s attempts to plant reconware have been exposed in multiple instances, including two times in the recent past when APT actors tried to engage a decoy infra in an apparent surveillance bid.

What does the future hold for APT 41?

It is too early to say, but one can arguably assert that APT 41 will continue to evolve its tactics and tools in the future with more funding and talent. This is something that won’t change in the days to come, and APT 41 may even reduce or increase the targets in its crosshairs depending on the mandate given by the MSS. APT 41 is an evolved threat actor and, if its past track record is anything to go by, we may very well be witnessing a new phase in its evolution. It also serves as a test bed for new and emerging threat actors to test new breach tactics. The MSS may even reconfigure the group by adding newer players to keep the group going.

Talk to us to learn how your crown jewels and assets can be protected through a custom-built ICS security plan. Contact us now!

Learn more about an IEC 62443-based cyber threat and risk assessment for your infrastructure.


Leveraging IEC 62443 for securing critical industrial assets


IEC 62443 is a gold standard when it comes to cybersecuring industrial infrastructure. In addition to that, a layered approach can be adopted using IEC 62443 and NIST CSF to provide an added layer of cybersecurity to critical assets. How can that be done? Let’s find out.

Three IEC 62443 standards can be considered for overall infrastructure protection. These are:

Also read: The Complete Guide to OT SOC

IEC 62443-1-1 defines seven Foundational Requirements (FRs), which include:

Now let’s take a look at the relevant NIST CSF recommendations. Under NIST CSF, we can look at these aspects that are specific to critical assets:

NIST CSF Core Function | Category / action specific to critical assets
Identify | Asset Management
Protect | Access Control
Detect | Anomalies and events
Respond | Respond to events appropriately
Recover | Plan recovery to minimize business impact

When we overlay the applicable IEC 62443 standards on NIST CSF for critical assets, we can derive a more comprehensive approach to securing these assets.

Levels for securing critical OT assets according to IEC 62443 and NIST CSF

Applicable standard: IEC 62443-2-1 and NIST CSF category Identify
Derivative for critical asset protection:
1. Define what critical assets are and the level of security they need
2. Maintain a current list of critical assets as per this definition
3. If required, assign a checker (a second pair of eyes) to ensure adherence to the requirements and to enable QA of the quality of security assigned to the assets
4. Ensure a mechanism for updating the asset inventory
5. Ensure clear asset ownership for critical assets

Applicable standard: IEC 62443-4-2:2019, IEC TS 62443-1-1 and NIST CSF category Protect
Derivative for critical asset protection:
1. FR: Identification and authentication control (IAC)
2. Deploy controls that align with the principle of least privilege
3. Ensure authenticated use with one credential per user
4. Ensure maintenance of logs for user sessions
5. Develop and publish an asset fair use and access control policy
6. Deploy a stringent version of all the above controls for critical resources

Applicable standard: IEC 62443-3-3 and NIST CSF category Protect and/or Detect
Derivative for critical asset protection:
1. FR: Identification and authentication control (IAC)
2. Deploy controls that align with the principle of least privilege
3. Ensure authenticated use with one credential per user
4. Ensure maintenance of logs for user sessions
5. Develop and publish an asset fair use and access control policy
6. Deploy a stringent version of all the above controls for critical resources

Applicable standard: IEC 62443-2-1 and NIST CSF category Detect
Derivative for critical asset protection:
1. All critical asset owners to have an unambiguous understanding of anomalous events within and beyond what is flagged by a monitoring solution
2. Have playbooks for handling such events, including communication and event categorization
3. Events to be mapped to impact, and response mechanisms to be triggered

Applicable standard: IEC 62443-2-1, IEC TS 62443-1-1 (foundational level: timely response to events) and NIST CSF category Respond
Derivative for critical asset protection:
1. Ensure timebound response to events as per event priority
2. Ensure means to deal with false positives
3. Maintain and update a list of key stakeholders to be informed, along with key actions for each set of stakeholders
4. Document all responses along with deviations, if any
5. Ensure testing of responses through simulated events, along with potential outcomes and business impacts if responses fail

Applicable standard: All the above from IEC 62443 and NIST CSF category Recover
Derivative for critical asset protection:
1. Have all the recovery mechanisms in place
2. Constantly monitor infrastructure for risks and the state of recovery mechanisms
3. Ensure system integrity levels support recovery means

Also Read: A Buyer’s Guide to OT/ICS Security Solutions

Learn more about leveraging IEC 62443 and NIST CSF to secure critical infrastructure. Talk to our compliance consultant.
Talk to us to learn how your crown jewels and assets can be protected through a custom-built ICS security plan. Contact us now!

Looking at checking your ICS environment for IEC 62443/NIST CSF/NIS2 compliance? Connect with our Compliance and Governance expert.

Learn more about our ICS security solution and its capabilities around asset inventory, vulnerability management, threat management, and compliance.



ICS Security strategy for manufacturing

With increasing attacks on OT/ICS infrastructure and the rising need to secure industrial output, the focus on ICS security has never been greater. Beyond attacks, manufacturers are also reaping the benefits of higher asset and network visibility and zoning elsewhere. So how can manufacturers go about putting in place an OT security strategy that is relevant, current, and failproof? Let’s explore the answer.

The need for an ICS security strategy

Many confuse an ICS security strategy with an ICS security policy. The two are quite different from each other. For starters, an ICS security strategy informs and guides an ICS security policy. An ICS security strategy is also more focused on deriving a framework and structure for managing the ICS security needs of a business.

Also read: The Complete Guide to OT SOC

A well-articulated and clearly defined ICS security strategy will work to establish and extend the overall value of a business from a cybersecurity investments and outcomes standpoint. Such a strategy should be carefully constructed to respond appropriately to changes in operational environments, network and asset dynamics, and compliance requirements. Many components are involved in developing a relevant and useful ICS security strategy. These include vision, objective setting, budgeting, intervention planning and resource allocation, and success tracking.

Vision for an ICS security strategy

The vision defines the direction the organization wishes to take as far as cybersecurity is concerned. It can be defined by the organization’s leadership with the involvement of all stakeholders, and it should describe the desired state of ICS security for the organization in the future. A vision is important for drawing a higher level of commitment and teamwork from all stakeholders and should also consider the evolutionary forces at play that could shape and define ICS security in the future. A good vision statement inspires confidence and cyber resilience in equal measure.
Objective Setting for an ICS security strategy

This involves developing various aspects of the vision and turning them into security objectives for the company. Objectives for a sound ICS cybersecurity strategy can be drawn from standards such as IEC 62443, NIST CSF or even NERC CIP. Sectrio recommends using a combination of these standards to draw the best-of-breed objectives for your corporate strategy.

IEC 62443 standards, for example, can be used to draw objectives around asset owner responsibilities, supply chain security, and risk and gap assessment. Similarly, NIST CSF can be used for risk management, while NERC CIP can be (broadly) used for developing asset-centric security objectives. While NERC CIP is focused on energy and utility companies, the following standards and requirements can be considered as guidance for developing strategic ICS objectives:

Budgeting, intervention planning, and resource allocation in an ICS security strategy

No security strategy can succeed if it does not cover budgets and interventions. It is advisable to have objectives inform interventions, which in turn inform budgets and resource allocation. In many organizations, however, budgets inform interventions and resource allocation. How can one know if the budgets are adequate? If all the interventions suggested are covered through the budget allocated, then the budget can be considered sufficient.

Also Read: A Buyer’s Guide to OT/ICS Security Solutions

One can also think of spending in a staggered manner, starting by covering priority needs first and then moving on to the areas needing less attention. Note: a compliance requirement could change the dynamics here. The following areas should be considered in this phase from an intervention standpoint:

Tracking the success of your ICS security strategy

Tracking the success of the strategy is also essential. Otherwise, a strategy can turn into a corporate document hidden away in a remote stash of files on some unknown server.
In an ICS environment, success could be measured based on the following parameters:

Interested in learning how your business can evolve a comprehensive ICS security strategy with the right tools? Talk to us.



Securing the OT supply chain, ensuring third-party vendors adhere to cybersecurity best practices 

Third-party vendors and OEMs have a significant role to play when it comes to the overall risk exposure of an enterprise. In complex ICS environments with multiple OEMs and point solutions, it is easy to lose track of hardware and application origin. This could lead to the emergence of supply chain security issues linked to backdoors, unauthorized sharing of usage data, or a cyber incident linked to a vendor. It is therefore essential to address the security challenges linked to third-party vendors early, before the risks linked to them manifest.

What are the other benefits of deploying robust supply chain cybersecurity practices?

Compliance mandates/standards and supply chain security

The IEC 62443 series of standards references supply chain security directly and indirectly. IEC 62443-4-1, for instance, calls out the need for an inventory of components from third-party suppliers. It also recommends establishing a security measure to identify and manage the security risks associated with third-party components.

Also read: The Complete Guide to OT SOC

As per IEC 62443-2-4, service providers need to have the ability to maintain a component inventory register for reference. The register should include asset serial numbers and information on asset components associated with the service being provided.

Article 21 (2) of the NIS2 Directive of the European Union requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems which those entities use in the provision of their services.

The NIS2 Directive also requires essential and important entities to deploy “appropriate and proportionate technical, operational and organizational cybersecurity risk management measures and to follow an all-hazards approach”.
While there could be disagreements on what constitutes appropriate and proportionate measures, it is clear that the directive is asking entities to ensure supply chain risks are addressed in the best possible manner.

Also Read: How to get started with OT security

On the management side, the National Institute of Standards and Technology (NIST) sets out cybersecurity principles that can be adopted to address supply chain security issues. These OT security supply chain guidelines include:

New Zealand’s National Cyber Security Centre (NCSC) has produced a guidance document for business leaders and cyber security professionals to better understand and manage the cyber risks in the supply chain. The document identifies the following steps to be undertaken by enterprises and entities to improve their supply chain management practices:

The UK’s National Cyber Security Centre has also published 12 principles as part of its supply chain security guidance, intended to help establish effective oversight of the supply chain. The principles for the OT security supply chain are arranged under four phases, viz.:

OT supply chain cybersecurity best practices recommended by Sectrio

Interested in knowing how to reduce your supply chain risks in line with IEC 62443 and NIS2? Talk to us now for a free consulting session.



Exploding pagers and the new face of asset-centric warfare  

Attacks on critical infrastructure

The explosion of the Soviet gas pipeline in 1982 was one of the first well-known instances of critical infrastructure being targeted through a software modification that contained a hidden malfunction. In this instance, the Soviets were stealing Western technology and the CIA slipped the flawed software to them without their knowledge. While the explosion itself didn’t cause any fatalities, it did cause some damage to the Soviet economy, as per the Washington Post.

With the intensification of hybrid warfare, we have seen multiple attacks on ICS-based critical infrastructure in Europe and the Middle East. These attacks were designed not just to destabilize the systems but also to cause a major kinetic impact. No systems or assets are out of bounds today. State-backed actors from countries like North Korea are not just after technology and revenue but also act as conduits for other countries to infiltrate the critical infrastructure of their adversary nations.

Read more: Buyers guide to OT/ICS cybersecurity solutions

A case study

In a recent instance, Sectrio’s Asset Research Team uncovered an anomaly in hardware supplied to a critical infrastructure operator. In this instance, the same OEM was supposed to supply the same hardware to two divisions of the same business. However, the hardware supplied to one entity, when examined, showed a deviation that was found to enable backdoor communication with an obscure server using a now-obsolete protocol that was sparingly used in the 90s.

The OEM in this case claimed that the anomaly was a generational remnant from an old version. How it made its way into only one piece of hardware and not the other is a question that was not answered to our satisfaction. The hardware belonged to the same batch and even had sequential serial numbers, adding to the mystery.

This could be a genuine error, but it is an error that could potentially be exploited by a bad actor.
Supply chain challenges

As the Lebanon episode clearly showed, OEMs now have to ensure the integrity of their hardware well beyond their shop floors. ICS/OT operators should also watch out for anomalous behaviors and risky interactions that could jeopardize operations and plant safety levels. One way of offsetting these challenges is to ensure the systems undergo Security Acceptance Tests (SAT) along with Factory Acceptance Tests (FAT). This will ensure the integrity of the assets and call out any security issues before they are added to the infrastructure. A ‘maker-checker’ approach is the way to go.

Recommended cybersecurity measures to risk-proof ICS assets

While an IEC 62443 and NIST CSF-based risk assessment and gap analysis is a good place to start, the outcomes of such an assessment can and should be used across the enterprise to improve security posture. Here are some of the other steps that can be taken to secure ICS and OT assets and infrastructure:

