APT, Inc.

Cybersecurity | 5 Steps to Secure Remote Systems from Intrusion

What’s the big deal with Cybersecurity?

It is no secret that networks and intelligent devices are advancing rapidly. While these developments let us collect more and more information, they also expand the attack surface and the cybersecurity threats that come with it. Unfortunately, many companies do not perceive these threats as imminent and delay adopting controls because of the perceived cost. In recent months, major cyber incidents have shed light on some of these looming threats; many more are never publicly reported.

North American electric utilities have taken notice of the increasing sophistication of cyberattacks on our infrastructure. These threats equally affect utilities such as natural gas and water that provide essential services everyone depends on. The North American Electric Reliability Corporation (NERC), which develops and enforces reliability standards for the bulk power system, operates the Electricity Information Sharing and Analysis Center (E-ISAC) to share cyber and physical security threat information with the industry.

Similarly, the US National Institute of Standards and Technology (NIST) publishes Special Publication 800-82, the Guide to Industrial Control Systems (ICS) Security, which applies across industries. Nonetheless, we understand that these documents can appear dry and hard to navigate. Below are five steps to keep your company's name out of the paper (or social media) for a security breach.

5 Steps to Secure Remote Systems

1. Identify ALL Users with Accounts & Credentials

Each organization has rules (usually set by internal IT) for gaining access to its network. The rules are simple: every user has a unique username and password, and network access privileges are managed per user and tied to those credentials. Some organizations also enforce two-factor authentication with hardware tokens for VPN access and require users to change their passwords regularly. This practice is almost universal for corporate email.


In contrast, when it comes to a control system or some other supervisory network, these same organizations abandon this best practice: for instance, they allow group usernames and shared logins like “Ops,” which make it impossible to tell which person did what. Organizations MUST hold these systems to at least the same rules. Ideally, all of your organization’s critical control systems should authenticate users against the organization’s central directory (for example, Microsoft Active Directory) rather than local shared accounts. In short, this is not something you can pass the buck on to your IT department. As the system owner, you must take steps to protect your investment.

If you don’t want your name and your organization’s name on a billboard for a breach, don’t accept answers like “the vendor manages this system.” One infamous example is the Target data breach of 2013 (settled with the states for $18.5 million in 2017). In that case, the attackers gained their initial foothold on Target’s network using credentials belonging to the retailer’s HVAC (building controls) vendor. Read more on the Target breach below.

https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/

2. Actively Protect Those Credentials.

Once each network and system has a list of users with appropriate credentials, start managing those credentials on a regular basis. Most organizations already have tools for managing user passwords, SSH keys, and two-factor authentication for email systems. Use those same tools to manage users across ALL networks and systems, including the control networks.

We often deal with this dilemma even in the Fortune 500 companies we support with our SCADA services. Even a simple inventory of the networks quickly spirals out of control. There are critical systems for Access Control through: 

Yet despite the extensive infrastructure, management often fails to manage its users strictly. Good organizations tie their purchasing systems to access control and network user privileges, so that a vendor cannot obtain physical or network access to the organization’s assets without a valid purchase order, appropriate insurance, and employee background checks, and so that access ends when the engagement does.

3. Intentionally Manage Access to Critical Assets

Most companies enforce their business policies by requiring all user sessions to originate inside their controlled domain, a practice often referred to as “locking down” a server or gateway. Using this method, you can ensure that only authorized devices and users reach critical assets. Following this one step removes a large class of intrusion paths into your organization’s assets, users, and devices.

The recent explosion of connected devices (phones, watches, cameras, etc.) can overwhelm an organization that neglects network security. Even guest wireless access to a network is a risk. The best organizations require guests to identify themselves, keep guest traffic segregated from operational networks, and force guest credentials to expire.

Extended detection and response (XDR) systems are almost always deployed by an organization’s internal IT team, and rarely extended to the critical control networks at a facility. Yet those networks, with their small set of devices and predictable traffic patterns, are by nature the easiest place to catch unusual access or lateral movement. Unfortunately, organizations rarely apply these tools there until it is too late.

4. In God We Trust – Everyone Else Bring Data

Remote sessions become manageable once you restrict access to sessions that originate inside the organization’s domain. Where a session must originate outside the organization (vendor support, for example), it should be monitored live and recorded, so that unauthorized activity can be spotted and stopped rather than discovered after the fact.

In most organizations, vendor access to critical systems requires live monitoring: an authorized user hosts the session and observes everything the vendor does, so a high level of vigilance is the norm. In addition, the authorized users who host these sessions need extra training and tooling to catch and roll back unwanted changes to software or configuration.

Another strategy is to partner with vendors and bring them into your network like employees. Under this strategy, vendors are subject to the same (or more stringent) training and credential-management requirements as internal employees. For example, many of APT’s large customers issue APT employees laptops that the customer configures and controls, following a rigorous onboarding process, so that support is delivered from within the customer’s network rather than from outside it.

5. Guard the doors – Analytical Monitoring

Even after implementing all the steps above, it’s astounding to see how many organizations fail to post ‘guards at the doors’ of their critical networks. With hundreds of solutions available, network access and session logging are mature, low-cost products. Nevertheless, of the recent intrusions for which data was submitted for analysis, over two-thirds of the affected organizations admitted they had no monitoring of users or sessions at all.

Analytical tools are vital for capturing access data and detecting abnormal logins or movement through your network, so that your application is safe and available when you need it most. Unfortunately, organizations that would never leave a physical door unlocked often hire security companies with a blind spot for network access. The result is that anyone who gets in has free-range access to their data and network assets.
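The five steps above amount to a small set of rules that can be checked mechanically against remote-session logs: unique accounts (step 1), vendor access backed by a purchase order (step 2), sessions originating inside the controlled domain (step 3), supervised vendor sessions (step 4), and monitoring for abnormal access (step 5). The script below is an added example, not code from the original article or from APT; it runs those checks over a constructed sample log. The log format, the “vendor_” account naming convention, the shared-account list, the 10.20.0.0/16 controlled network and the working-hours window are all assumptions chosen for the illustration.

```python
"""Audit remote-access session records against the five steps' access rules.

Checks implemented (tagged with the step each enforces):
  step 1 - no shared/group accounts such as "ops"
  step 2 - vendor sessions must reference a purchase order / ticket
  step 3 - employee sessions must originate inside the controlled domain
  step 4 - vendor sessions must be hosted by a named supervising employee
  step 5 - access outside normal working hours is abnormal and gets flagged
The log format, account naming convention and network ranges are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data). One session per line:
# <ISO timestamp> <user> <source IP> <target host> <supervisor|-> <ticket|->
SAMPLE_LOG = """\
2024-03-04T08:02:11 asmith      10.20.1.15    scada-hmi-01 -    -
2024-03-04T08:15:42 ops         10.20.1.22    scada-hmi-02 -    -
2024-03-04T09:30:05 vendor_hvac 203.0.113.7   plc-gw-01    jdoe PO-44812
2024-03-04T22:47:19 vendor_hvac 203.0.113.7   plc-gw-01    -    -
2024-03-04T11:05:00 bjones      10.20.1.40    historian-01 -    -
2024-03-04T11:06:30 bjones      198.51.100.9  historian-01 -    -
"""

# Assumed policy parameters for the illustration.
CONTROLLED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # the organization's own domain
SHARED_ACCOUNTS = {"ops", "operator", "admin", "maint"}         # group logins to retire
VENDOR_PREFIX = "vendor_"                                       # naming convention for vendor accounts
WORKING_HOURS = range(7, 19)                                    # 07:00-18:59 local


@dataclass
class Session:
    ts: datetime
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    host: str
    supervisor: str | None
    ticket: str | None


@dataclass
class Finding:
    step: int
    ts: datetime
    user: str
    reason: str


def parse_log(text: str) -> list[Session]:
    """Parse the whitespace-separated session log; '-' means the field is absent."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, supervisor, ticket = line.split()
        sessions.append(Session(
            ts=datetime.fromisoformat(ts),
            user=user,
            src=ipaddress.ip_address(src),
            host=host,
            supervisor=None if supervisor == "-" else supervisor,
            ticket=None if ticket == "-" else ticket,
        ))
    return sessions


def in_controlled_domain(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True when the source address lies inside one of the organization's own networks."""
    return any(addr in net for net in CONTROLLED_NETWORKS)


def audit(sessions: list[Session]) -> list[Finding]:
    """Apply the five rules to every session and return one Finding per violation."""
    findings: list[Finding] = []
    for s in sessions:
        is_vendor = s.user.startswith(VENDOR_PREFIX)
        if s.user in SHARED_ACCOUNTS:
            findings.append(Finding(1, s.ts, s.user, "shared account, no individual accountability"))
        if is_vendor:
            # Vendors may connect from outside, but only with a PO and a supervising host.
            if s.ticket is None:
                findings.append(Finding(2, s.ts, s.user, "vendor session with no purchase order / ticket"))
            if s.supervisor is None:
                findings.append(Finding(4, s.ts, s.user, "vendor session not hosted by a supervising employee"))
        elif not in_controlled_domain(s.src):
            findings.append(Finding(3, s.ts, s.user, f"session from {s.src} originated outside the controlled domain"))
        if s.ts.hour not in WORKING_HOURS:
            findings.append(Finding(5, s.ts, s.user, "access outside normal working hours"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"step {f.step} | {f.ts:%Y-%m-%d %H:%M} | {f.user:<12} | {f.reason}")
```

Run against the sample, the audit flags the shared “ops” login, the unsupervised late-night vendor session (no ticket, no host, off hours) and the employee session from 198.51.100.9; the supervised vendor session with a purchase order passes. In practice the same rules would run over the access logs of the VPN concentrator or jump host, and the findings would feed the monitoring described in step 5.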

APT 4 Cybersecurity

As a critical system integrator for utilities and demand-side customers, Applied Power Technologies, Inc (APT) has been protecting critical systems for reliability for over twenty-five years. We provide Cybersecurity services to customers who need high availability for their systems and don’t want negative publicity from a system failure. Act now to solve problems while they are small before someone outside causes a big issue for your organization. Contact an APT professional today.

Andrew E Taylor, PE
