July 13, 2022
December 13, 2023

Proactive or Reactive OT Security? It’s time to change the question.

Critical infrastructure systems are under relentless attack worldwide. The FBI, CISA, NSA, EPA, and the Israeli National Cyber Directorate (INCD) issued a joint Cybersecurity Advisory (CSA) about an Iranian group calling itself “CyberAv3ngers” that was targeting Unitronics PLCs used by water utilities. Public disclosure of attacks on the North Texas Municipal Water District and the Municipal Water Authority of Aliquippa followed, alongside a steady stream of reports of vulnerabilities in ICS hardware, including official CISA ICS advisories. The Sellafield nuclear site in the UK was also reported to have been breached by cyber groups closely linked to Russia and China, and the authorities are not even certain when the breaches occurred.

A different perspective is needed when looking at the challenges facing critical infrastructure and Operational Technology (OT) cybersecurity. A famous entertainer once said, “Just when they think they have all the answers, I change the questions.” The point of the quote is that we need to challenge the assumptions we hold and keep the initiative over attackers rather than simply reacting to them. Everything my life and my history in cybersecurity have taught me says that three things will never change:

  1. Software will always have vulnerabilities: every system has weak points, and new ones keep being found long after deployment.
  2. Legacy OT systems can’t always be patched: OT equipment stays in service for decades, not the 3-5 years typical of IT systems, and taking a controller offline to patch it is often not an option.
  3. Human error is unavoidable: misconfigurations, phishing, malware, and many other attack vectors cannot be fully blocked no matter how many firewalls you put in your network.

If we hold these three truths to be self-evident, then many current security strategies look like the Dutch boy at the dike: keep plugging holes with your fingers and hope that no more appear.

______________________________________________________________

“What if?” is the question we need to ask ourselves.

The MITRE ATT&CK Enterprise matrix and the Lockheed Martin Cyber Kill Chain both begin with Reconnaissance. (The ATT&CK for ICS matrix starts at Initial Access, but an attacker still has to find a target before that step.)

“What if the hackers could not discover the OT systems and devices hidden behind a gateway?”

Next, hackers seek access to those systems, looking for the vulnerabilities and errors listed above to find a way in.

“What if access required biometrics instead of passwords, tied to a certificate bound to your mobile device, just like Apple Pay?”

After gaining access, hackers exploit vulnerabilities and attempt lateral movement to reach other systems.

“What if peer-to-peer encrypted tunnels secured every connection, and no lateral movement was possible, even between hosts on the same Layer 2 network?”

____________________________________________________________

So what should the new question be?

What if I could protect my network, not just react to attacks?

Cybersecurity for critical infrastructure is all about breaking the kill chain: breaking multiple links, not just one, so that a single missed patch or a single phished credential does not hand an attacker the whole plant. If you want to change the game and protect your OT network, explore Blastwave’s Network Cloaking technology and get a demo.

Secure Remote Access
Network Cloaking
Network Segmentation

Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.