Last week Rendition Infosec founder Jake Williams contributed an article for next month’s issue of Power Grid International magazine. The article highlights the need for utilities to monitor their IT networks in order to protect their OT networks from compromise. Today’s release of the excellent CRASHOVERRIDE report by Dragos Inc only reinforces the points Williams made in his article.
While a simple Shodan search will show many ICS devices directly connected to the Internet, these organizations obviously aren’t following best practices in the first place. Monitoring would certainly help these organizations to detect threats as well, but they honestly have bigger problems that start with segmenting their networks.
For those utilities that have already segmented IT from OT (operational technology), monitoring the IT network is absolutely critical. Most attackers enter the OT network from the IT side, through phishing emails or other commodity exploits. They then noisily stumble through the network looking for the bridge between IT and OT. Even if the networks are completely airgapped (few truly are in our experience), attackers will eventually find a way to get malware to the OT side. But along the way, attackers usually make a ridiculous amount of noise trying to find the places where the IT and OT networks are joined.
Some will note that it is easier to detect attackers on the OT side of the network, and to some extent this is true. The amount of traffic on the OT network is much lower than on the IT network. The protocol diversity of the OT network is also lower, so it should be much easier to find an attacker on the OT side of the network. The only problem with this approach is that by the time they are detected, the attacker may already be in a position to disrupt operations.
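As an added illustration of the two detection opportunities described above (this is example code, not from the original article or from Rendition Infosec), the script below runs two simple checks over a handful of constructed firewall-style flow records: it flags IT hosts that touch an unusually broad set of OT addresses and ports (the "noise" of bridge-hunting), and it lists OT-internal flows whose destination port falls outside an assumed OT protocol allow-list. The OT address range (10.20.0.0/16), the allow-list, the threshold and all sample flows are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan for this example: the OT segment lives in 10.20.0.0/16.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Assumed allow-list of protocols that legitimately run on the OT segment:
# Modbus/TCP (502), DNP3 (20000) and EtherNet/IP (44818). Real plants differ.
OT_ALLOWED_PORTS = {502, 20000, 44818}

# Constructed sample flow records: (source, destination, dst_port, action).
# They imitate firewall log lines at the IT/OT boundary plus OT-side flows.
SAMPLE_FLOWS = [
    # Engineering workstation doing its normal job (allowed, expected port).
    ("10.1.5.23", "10.20.1.10", 502, "allow"),
    ("10.1.5.23", "10.20.1.11", 502, "allow"),
    # An IT host sweeping many OT addresses and ports: noisy bridge-hunting.
    ("10.1.9.77", "10.20.1.10", 22, "deny"),
    ("10.1.9.77", "10.20.1.10", 445, "deny"),
    ("10.1.9.77", "10.20.1.11", 445, "deny"),
    ("10.1.9.77", "10.20.1.12", 502, "deny"),
    ("10.1.9.77", "10.20.1.13", 3389, "deny"),
    ("10.1.9.77", "10.20.2.5", 445, "deny"),
    # Ordinary IT-to-IT traffic, irrelevant to the OT segment.
    ("10.1.9.77", "10.1.2.2", 443, "allow"),
    # OT-side flows: expected Modbus polling, and one unexpected SMB flow.
    ("10.20.1.10", "10.20.1.50", 502, "allow"),
    ("10.20.1.10", "10.20.1.51", 502, "allow"),
    ("10.20.1.10", "10.20.1.52", 445, "allow"),
]


def in_ot(addr: str) -> bool:
    """True if the address belongs to the (assumed) OT segment."""
    return ipaddress.ip_address(addr) in OT_SEGMENT


def find_boundary_probers(flows, threshold: int = 5) -> dict:
    """Return {source: {"targets": n, "denied": m}} for IT hosts that touched
    at least `threshold` distinct (OT host, port) pairs. Breadth of targets,
    not volume, is the signal: a legitimate client talks to few OT endpoints,
    and a high denied count says the boundary firewall is already objecting."""
    targets = defaultdict(set)
    denied = defaultdict(int)
    for src, dst, port, action in flows:
        if not in_ot(src) and in_ot(dst):
            targets[src].add((dst, port))
            if action == "deny":
                denied[src] += 1
    return {
        src: {"targets": len(t), "denied": denied[src]}
        for src, t in targets.items()
        if len(t) >= threshold
    }


def find_unexpected_ot_protocols(flows) -> list:
    """Return OT-internal flows whose destination port is outside the OT
    allow-list. Low protocol diversity on OT keeps this list short and
    reviewable, which is why OT-side detection is comparatively easy."""
    return [
        (src, dst, port)
        for src, dst, port, _action in flows
        if in_ot(src) and in_ot(dst) and port not in OT_ALLOWED_PORTS
    ]


if __name__ == "__main__":
    print("IT hosts probing the OT segment:", find_boundary_probers(SAMPLE_FLOWS))
    print("Unexpected OT protocols:", find_unexpected_ot_protocols(SAMPLE_FLOWS))
```

On the sample data the first check reports only 10.1.9.77 (six distinct OT endpoints, all denied), while the engineering workstation's two legitimate Modbus sessions stay below the threshold; the second check surfaces the single SMB flow between two OT hosts. In production the same two questions are asked of real boundary firewall logs and an OT span port, with the threshold and allow-list tuned to the plant.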
Good defense in depth principles require that defenders monitor both the IT and OT networks for intrusions. Monitoring the IT network also alerts defenders to insider threats, IP theft, customer data theft, and commodity malware infections. As one more added bonus, IT network monitoring may provide early warning of ransomware events.
Whether or not you work in an ICS network, security monitoring is critical to ensuring the confidentiality, integrity, and availability of your technology assets. While ignoring information security and hoping for the best may have been an option in the past, it clearly no longer is. As highlighted by the CRASHOVERRIDE report, attackers are increasing their sophistication. The security of your organization must improve at a similar pace to that of your attackers, or you will be breached.
To help smaller and budget conscious customers with their security monitoring, Rendition Infosec has created an innovative program that can get most customers started with security monitoring at a price point well below capital expenditure ranges. If you need a security evaluation of your network security or are interested in security monitoring, don’t hesitate to contact us at 888-409-5811.