Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East

Mohamad Mahjoub, CISO, Veolia Middle East

Hats off to the industrial community who performed extraordinary efforts to keep the civilization running under the challenging circumstances ofthe COVID-19 pandemic. As a result, many industrial entities shifted their ways of conducting business to espouse an increasingly connected industrial grid. Taking this fact into consideration, the trend continues, and cyber-attacks keep on coming with no end in sight. Billions of US dollars were spent over the past ten years on cyber-attacks. Such attacks exist in the digital space but today they are having a real and tangible effect on our physical world. Facilities that aid economy, public safety as well as public health are categorized under the umbrella of critical infrastructure. Due to the exploding digital transformation that is happening in the recent years in the critical national infrastructure, there is a path nowadays for attackers to run from spoofed email in an email inbox all through the network to the ICS crown jewels and industrial assets. We learned a lot from the recent industrial attacks that took place in 2021, we learned that the initial attack vector is usually simple due to poor security perimeter, we also learned that ransomware gangs are maturing more and more, and we learned that when there is a critical public service on the line there is more chance that the ransom will be paid. Given that, building a comprehensive industrial cyber security program is more important than ever. Compared to previous years, the industrial regulatory spectrum in many geographical areas in the world is becoming mature. To battle cyber threats, many countries have drafted their own custom standards as regulatory vehicles based on infamous international standards such as ISO 27001, ISA/IEC 62443, and NIST 800-82. In addition to local, regional, and international standards which can act as an overarching regulatory umbrella to your program, you need a tactical framework to underpin your journey. What is better than the MITRE ATT&CK for ICS framework to benchmark all your efforts against. This framework provides a map for TTPS that are commonly used by adversaries. Understanding those techniques will provide you with actionable insights on how to guard your ICS environment, furthermore this framework can act as a common language used by the industrial community to effectively communicate and analyze incidents, not to mention its impact on enhancing your organizational security strategies and policies.

One of the main OT challenges faced by majority of industrial organizations is assets and network visibility. A recent study conducted by DRAGOS revealed that 90 percent of their clients had limited or no visibility into their industrial networks. Under many circumstances, network analysts were blind to critical network traffic, and centralized logging was not in place. Identifying your crown jewels and monitoring what is going on in your ICS network are critical steps for developing a full picture of what occurs across industrial assets and sites.

Luckily, there are many products in the market that offer network visibility, threat detection,and operational insight capabilities. Implementing such solutions goes hand in hand with digital transformation and business modernization journeys. Such solutions will enable your cyber security team to deeply monitor the OT environment and create specific use cases to quickly react on suspicious activities. IT and OT teams will be able to confidently secure the OT environment and detect cyber risks as well as mitigate them, and finally this can enable and prepare for the conversions between IT and OT which will become a reality because it will be easier to manage both environments.

Many companies have not yet implemented such solutions; but why? Well, because of their ways of working, typically organizational culture reasons. Usually, such companies do not react before a breach, enforcement of a regulation, or a mandate by the C level or board of directors. As per a study prepared by NOZOMI, 60 percent of the companies are still at this stage, 30 percent of the companies have started a POC of a certain product, they came to know the vulnerabilities they have in their OT environment, and they started taking some actions to remedy those vulnerabilities. Only 10 percent of the industrial companies are at the optimization phase, in where they have a centralized SOC along with security streamlining and orchestration in place.

Data, Application, Host, OT Network, Edge and Boundary, in Addition to Physical Security Layers Must Be Carefully Assessed Before Relevant Security Controls Can be Implemented

The rule of thumb is “Threats can be mitigated through a well-maintained defense in-depth strategy”. Industrial environments are no different. Data, application, host, OT network, edge and boundary, in addition to physical security layers must be carefully assessed before relevant security controls can be implemented. The most important factor is the governance aspect and management support, employee’s awareness, existence of solid policies procedures, in addition to having resilient incident response and business continuity plans. My advice to corporate cyber security teams is to go to their plants, understand the process well, learn the language of the OT people, and build relationship with them as this will help tackling cyber security concerns more efficiently.