Imagine being the operator who watched as a mouse moved across their screen and changed the level of sodium hydroxide in their water facility to more than 11,000 ppm. Imagine the feeling of panic that set in with the realization that this change could poison the drinking water of nearly 15,000 people. While in this instance, the possibility of that change successfully propagating into peoples’ homes and businesses remained isolated, the fact is, an attacker successfully changed critical water treatment settings remotely. We’ll learn more about what happened in this incident over time, but plant operators shouldn’t wait for more information to start taking action.
The majority of cyberattacks that occur are not sophisticated, complex campaigns. Attackers will take the path of least resistance, and that means that basic security hygiene, when employed consistently, can help mitigate most attacks. Brushing and flossing aren’t exciting to talk about, but we all know they’re an effective way to prevent cavities. But what are the equivalents of ‘brushing and flossing’ for cybersecurity?
Cybersecurity must start with understanding what’s in your environment. You can’t protect what you don’t know. In the past, cybersecurity was focused on IT assets like servers and workstations, but the increasing connectivity of control systems requires that we expand that notion of visibility. A complete and up-to-date inventory of all the devices in your environment is the most basic starting point for securing them.
Once you know what’s present in the environment, the next step is to make sure that they’re configured securely at the onset. A misconfiguration in your environment is like leaving the front door unlocked for an attacker. Finding and addressing misconfigurations can dramatically reduce the risk of compromise.
Vulnerabilities are flaws in a system that an attacker can take advantage of to gain access or make changes. They’re different from misconfigurations because they’re not a setting that’s intended to be changed. If leaving the door unlocked is a misconfiguration, using a lock that doesn’t actually work is a vulnerability. In control systems environments, vulnerabilities can be difficult to address because systems can’t always be patched as easily. Addressing vulnerabilities in control systems may require strategies other than applying a patch, such as network segmentation.
While no one wants to experience a cybersecurity incident, they do happen. Preparing your response before you’re in the middle of a crisis is important. This includes determining who should be involved, what their roles will be, and how information will be communicated. It also means ensuring that you have the technical tools to understand what happened. Log data from the systems involved and ideally, change detection data can decrease incident response time.
The cybersecurity market is full of advanced technologies that promise to stop the most sophisticated attacks, but evidence shows that a consistent focus on the basics pays off. Understanding what you have, making sure it’s configured securely, addressing vulnerabilities, and preparing to respond to incidents will go a long way towards securing your environment.