Steps for effectively reducing ICS Cybersecurity Attack Surface

Written by PHOENIX project on 29. 09. 2022.

Awareness of weaknesses, prioritization of risk and layered defenses can reduce the attack surface and limit disruption, enhance predictable operations and lower business risk.

Steps for effectively reducing ICS Cybersecurity Attack Surface

The term “attack surface” is security jargon for the sum of your security risk exposure. It is the aggregate of all known, unknown, reachable and potentially exploitable weaknesses and vulnerabilities across an organization.

As Operational Technology (OT) systems containing industrial control systems (ICS) used in building controls, transportation controls, have become more connected for achieving greater efficiency and effectiveness of production, these are now the “new frontier” of the attack surface, which have expanded exponentially in last years.

All organizations, regardless of industry, have an attack surface and combined with the general growth in attacker activity, companies, have realized the critical importance reducing this, to identify, prioritize and minimize the potential threat vectors in their network environment.

Especially those who manage energy and having OT and ICS systems, this concept is especially critical to review. Awareness of weaknesses, prioritization of risk and layered defenses can reduce the attack surface and limit disruption, enhance predictable operations and lower business risk.

Reducing OT/ICS Attack Surface is a process focused on following key elements:

Discovery of connected devices

It is most important part of the process and means the ability to see all “corners of the world” of your attack surface. It includes the discovery of unknown assets, unknown connectivity (both actual flows and potential flows due to misconfigured network devices), software, configurations, users, etc. Is clear that an asset can’t be managed if you don’t know it exists. Most enterprises have a surprising variety of “unknown unknowns,” such as assets housed on partner or third-party sites, workloads running in public cloud environments, IoT devices, abandoned or deprecated IP addresses and credentials, services enabled by Shadow IT, and more. Legacy tools and processes can easily miss these attack surface assets, but they can be found quickly by a modern solution using the same sophisticated reconnaissance techniques as attackers.

One method is to go out and look for known and unknown internet-facing assets manually, but this would soon lead to an enormous task. Older script-based methods for doing attack surface discovery aren’t suited for the complexity and dynamism of network environments today; they’ll find devices and applications running behind a network firewall, but they won’t account for cloud infrastructure, and this leaves a hole in ability to manage cyber risks effectively.

Modern attack surface discovery solutions can deploy new intelligence techniques along with advanced crawling and scanning of far-reaching corners of the networks and could be able to find inactive apps and shadow assets that previously had zero visibility into or information about.

As in OT/ ICS systems may consist of a wide array of assets serving a variety of different purposes, this process should be able to be applicable even for modern set of assets which has integrated Industrial Internet of Things (IIoT) monitors to collect data on the performance and condition of the network, but also for older assets which may have been in service for decades, remaining reliant on 30-year-old software that was designed by a company that no longer exists or that can’t be updated without voiding service contracts, or might be outfitted with extra devices that were installed during an emergency situation years ago and never deactivated.

OT/ICS systems are way more difficult to perform asset discovery. Its components differ in age, purpose, complexity, level of sophistication, and level of compatibility. Moreover, they’re all likely to be critical to business continuity. That is, they probably can’t be taken offline without interrupting operations to an unacceptable extent. In the case of our theoretical pipeline company, for example, stopping crude oil flows to apply an emergency patch might help forestall a cyberattack, but it might also result in lost revenues, declarations of force majeure, or lawsuits over breach of contract. Additionally, the stakes of cyberattacks on OT systems are usually different. If malicious actors interfere with IT networks, companies will lose data, trade secrets, and money. But if malicious actors interfere with OT networks, workers, this will face health and safety risks, and supply chains will be disrupted.

One way to do this in OT/ ICS environments is to set up an asset discovery program that has the right mix of active and passive identification.

Active identification, also known as ‘standard asset discovery relies on software or network-based sensors to scan or ping the network to identify connected devices. By nature, this may slow or disrupt your OT systems, which can be an issue for time-sensitive industrial control systems (ICS).

Passive identification, which tends to be the preferred method, listens to the asset data that exists in the routers, switches, and firewalls at the network layer, as well as data historians, HMIs, DCSs, and SCADA platforms deployed in various control systems. Usually, these are paired with asset or log management and security tools to aggregate and correlate all of the data from these various sources to create a complete asset inventory, with little impact on the environment.

These findings get presented in the form of a comprehensive asset inventory will provide a true view of network environment from the outside. The discovery and asset inventory together build the foundation for attack surface monitoring, which can rapidly detect risky changes, weaknesses, or vulnerabilities emerging in any of your external assets.

Assessment of discovered devices

For each device it should be performed a complete risk assessment that includes all elements of the discovery – users and account access, network access, software and hardware vulnerabilities, missing patches, insecure configurations, etc. Please note that is not a solution to just make these assessments once. Every day it continues to grow as you add new devices, users, workloads, and services. As it grows the security risk grows too. Not just the risk of new vulnerabilities, but also misconfigurations, data exposures or other security gaps. It’s important to assess all possible attack vectors, and it’s important to do it continuously to prevent your understanding from becoming outdated.

Adding more context to create a risk profile

This adds an overlay of criticality, usage, owners, etc. to create a risk profile of the asset as it relates to an attacker’s perspective. Because not all attack vectors are created equal, business context and ownership are vital parts of attack surface management. However, legacy tools and processes don’t typically provide context in a consistent way, making it difficult to prioritize fixes. An effective attack surface management approach requires information such as IP address, device type, whether it is in current use, its purpose, its owner, its connections to other assets, and possible vulnerabilities contained within it. This can help your security team prioritize the cyber risk and determine if the asset should be taken down or deleted, patched, or simply monitored.

Make a prioritization of risks based on attacker view

From Attack Surface perspective it prioritizes risks based on the attacker’s perspective using the above information. The eventual result is a risk score that takes into account the various elements to prioritize actions.

The list of potential attack vectors you discover is almost certain to be more than your security team can validate and your IT team can possibly remediate. That’s why it’s important that were collected all context to determine where to focus the remediation teams’ efforts. Use of criteria such as ease of exploitation, discoverability, attacker priority and remediation complexity, in addition to business context help ensure you prioritize the most urgent risks.

Define and apply remediation measures

The consistent hardening of security is directed by the prioritization in the prior step. This includes comprehensive actions such as network protection, patching, hardening, etc. Once attack surface is mapped it can then begin the work of remediation in order of priority. To make remediation as effective as possible, it’s a best practice to find ways to facilitate (and even automate) information handoff from the tools and teams that understand the risks and their priorities (typically security operations teams) and those teams responsible for doing the work of eliminating them (IT operations teams). Sharing business context and how-to-fix information streamlines the process and helps establish trust.

Maintain and keep up-to date entire process

Perhaps the hardest part of the entire process, is the ongoing updating and regularly reviewing threat vectors to identify new risks and continually update current risks based on the remediation actions taken and new vulnerabilities identified.

How will evolve attack surface in the future?

Future security operations will have to manage monumentally large attack surfaces, so this challenge of mitigating and managing potential vulnerabilities won’t get any easier. Today, the average organization battles vulnerabilities in the millions, and even the most resourced, top performing teams can only address 10% of them. The good news is on average, organizations need only address between 2% and 5% of vulnerabilities. Yet for companies with less-than-stellar security management tools, the number of vulns deemed high or critical can be vastly inflated, meaning remediation teams are wasting time, money, and energy on potentially irrelevant vulns. At the end of the day, cybersecurity will be a tremendous balancing act.

PHOENIX Project is developed exactly for this scope, to cyber-fortify the European EPES infrastructure by enabling and coordinating advanced, adaptive, and cooperative detection of large scale, cyber-human security and privacy incidents and attacks

Using coordinate European EPES cyber incident discovery, response and recovery and Incidents’ Information Sharing platform (I2SP) it acts at pan-European level as a decentralized, trusted-by-design near real-time cybersecurity information awareness platform, coordinating the information exchange among authorized EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs, and the strategic NIS cooperation group.

Sources:

https://www.techtarget.com/whatis/definition/attack-surface

https://www.cycognito.com/attack-surface-management

https://www.iiconsortium.org/2018/01/the-human-attack-surface-the-weakest-link-in-your-ics-security/

https://verveindustrial.com/resources/blog/attack-surface-management-6-steps-for-success-in-ot-ics/

https://informer.io/resources/attack-surface-discovery

https://www.garlandtechnology.com/blog/how-does-asset-discovery-work-in-ot-environments

https://www.kennasecurity.com/blog/what-is-attack-surface-discovery/

https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html

Cookie	Type	Duration	Description
__cfduid	1	1 month	The cookie is set by CloudFare. It is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_wpfuuid	0	10 years	Contact form UUID (Universally Unique Identifier) cookie. It allows the plugin to connect entries by the same user and does not contain or represent any personal information or entry details.
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
test_cookie	0	11 months
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. It is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_gat_gtag_UA_152331303_1	1 minute	Google uses this cookie to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. It is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

Steps for effectively reducing ICS Cybersecurity Attack Surface

Energy Shield

BRIDGE

Success

Defender

NRG-5

sofie-logo

Elsa

interflex

Intergrid

NobelGrid

PROMOTioN-Logo-RZ-RGB

logo_reserve_sRGB

wisegrid-logo