This post was written by John Crawford, a control system product and solution security expert.
Epic Turla, Regin, and BlackEnergy are the names of just a few in a series of recent malware discoveries that target industrial automation control systems (IACS).
The increasing volume and sophistication of these types of threats has driven the topic of operational technology security all the way up to the corporate boardroom. Unfortunately, the attack capabilities being developed by these adversaries is outpacing the defensive capabilities target organizations are adopting.
Does your organization have the operational technologies, processes, and security expertise necessary to adequately prevent, detect, and respond to the latest malware targeting industrial automation control systems? Ongoing cybersecurity protection is a moving target requiring continuing investment. An option is engaging a managed security service (MSS) to improve your operational security posture. This article will help you understand the key benefits and challenges of an MSS, as well as some criteria to consider in selecting an MSS provider for your operational security.
Benefits
There are four primary benefits of a managed security service:
- Predictable cost
- 24/7/365 coverage
- Access to qualified domain expertise and technology
- Disentanglement from noncore competencies
Compared to starting up and staffing a private security operations center (SOC), outsourcing is significantly more cost efficient. The challenge here is access to competence and qualified industrial cybersecurity (ICS) resources. Even if your organization already has an enterprise SOC, or if cost is not a primary factor for your organization, it can be difficult to hire qualified IACS security professionals because there are so few available. On the other hand, training staff with the necessary skill set can be a time-consuming and onerous process for those new to the automation domain.
For a mission-critical IACS, 24/7/365 security monitoring and management is advisable. A managed security service provider can supply trained and qualified staff to support round-the-clock monitoring and response. In addition, it will likely also have access to technologies that enable a higher quality of service than you could provide using in-house capabilities.
Although going with a managed security service can have tremendous benefits related to cost, coverage, and quality, do not undervalue gaining the freedom for the business to focus on core competencies and operational excellence. By matching your operational technology security requirements to the appropriate service-level agreements, you can provide the right level of security while maintaining peace of mind regarding operational performance expectations.
Not a silver bullet
However, subscribing to a remotely managed security service is not a silver bullet. There are some organizations that rely on the network isolation of their IACS to provide an additional layer of security. If there is no remote connectivity to the IACS, for obvious reasons, it cannot be remotely monitored or managed. However, be wary if there is also no local security monitoring or management being performed. By itself, an air-gapped IACS network is insufficient to provide an acceptable level of security. In reality, a network-isolated IACS environment may be exposed to greater risk than that of a securely connected and remotely monitored IACS.
Systems with remote connectivity also may not be a good fit for continuous remote monitoring if the network uplink is already highly utilized, performance constrained, or expensive to operate. Therefore, it is important that the managed service vendor has the necessary consulting and professional services in its portfolio to enable secure operations without requiring always-on remote monitoring and management.
A common trap to look out for is the false assumption that remote access to the control system always equates to increased risk. Secure remote access technologies are mature and proven in the industrial space. Many industrial automation control systems already have remote access functionality to enable support, engineering, or maintenance. The decision to use a managed security service provider should be based on what skills, know-how, processes, and resources become available by allowing the remote connection, compared to relying solely on in-house capabilities.
Selecting managed security service
Selecting the right managed security service provider for your operational environment can become an onerous task, so here are some things to consider that will help with the evaluation process.
Does the provider understand operational technology and have the capability to secure the environment without degrading operational performance, usability, safety, maintainability, or serviceability? One of the most important criteria to consider when evaluating a managed security service provider is its maturity in adapting enterprise information technology (IT) security technologies to the operational technology space. Especially in legacy systems, it is very easy to cause the control system to malfunction or to introduce incompatibilities due to ignorance or carelessness. Even with seemingly primitive security controls, like antivirus, a configuration mistake can suddenly and unexpectedly bring a workstation’s performance to a screeching halt.
Because of this risk, the best security partner for you and your service provider is an organization that understands and has working experience with industrial automation systems. Industrial automation systems are different than business IT systems, and most vendors publish a list of security products that have been tested and verified to be compatible with their automation systems. The vendor may even provide specific configurations or limitations that need to be considered in an ICS. Any service provider you consider should have a solid understanding of your automation system vendor’s product and patch compatibility, security guidelines, and how to effectively use any security functionality integrated into the solution. A key partner is a domain operator who can identify the challenges associated with the unique problems in ICS.
Does the provider have global capabilities? If your organization operates globally, it is an advantage to use a managed security service provider that can give uniform services to your organization. The alternative is dealing with multiple providers and the increased cost of managing fragmented service from multiple organizations. In addition, you should ensure that the provider maintains local capabilities where your major operational assets reside.
Do the provider’s service level agreements address your operational performance needs? Establishing the performance metrics that you will use to gauge your quality of service should be communicated and agreed upon as early as possible when establishing a relationship with a managed security service provider. This will be a guide to determine the fitness of the provider to your organization’s specific needs. It is also important to understand what recompense you can expect if your service provider fails to deliver the agreed-upon service levels. These metrics usually include service availability, mean time to remediation, mean time to deploy antivirus updates, etc. The important thing is to choose metrics that encourage the behavior you want from your service provider.
Does the provider’s portfolio align with your service needs? Most managed security service providers offer the following services: security and risk consulting, firewall management, intrusion detection system (IDS) management, log monitoring, security information and event management, and vulnerability management. However, there are also some operations-specific pain points you may like addressed. Typically, these are things like configuration and policy deployment, device and signature updates, proactive vulnerability alerting and patch notification, vulnerability remediation, regulatory or compliance auditing, or vendor-specific security services like custom signatures or device hardening.
Is the provider reputable? Industrial automation control systems are very long lived. You should partner with a managed security service provider that will be around for at least as long. Ensure that the provider has a good reputation and is financially stable.
Is the provider’s deployment model compatible with your business needs? There are certain service design elements that may be important to clarify, based on the business’s requirements. For example, the pricing model may have to accommodate flexibility in focusing more on capital expenditure or operational expenditure, depending on how the business prefers to handle expenditures. Other deployment issues relate to where equipment and data will physically reside, who has management responsibility for what, and how the transition from unmanaged to managed operational technology will be handled.
What distinguishes providers? Cybersecurity protection is a moving target, and it is advantageous to have a service provider with a portfolio of people, technology, and ongoing development focused on industrial automation cybersecurity. For example, service providers producing custom IDS signatures based on ongoing in-house vulnerability research can provide greater protection. Advanced forensics capabilities are built upon know-how of industrial automation systems including human-machine interface software, controllers, protocols, and other devices. Most often, this distinguishing technology is in the form of in-house developed and refined methods and algorithms used within the security operations center that allow for more accurate analysis, a more sophisticated way of achieving a result, or an efficiency improvement through automation.
A major value of using a managed cybersecurity service is the people in the operations center. The employees keep up to date on the growing number of cyberthreats and the tools to deal with them, which makes them proficient and efficient.
About the Author
John Crawford is a control system product and solution security expert with more than 15 years of engineering experience. He is an innovator in the domain of industrial automation security, with multiple patents pending. Crawford is sought after for his diversity of expertise in the areas of security design, security architecture, secure software development life cycle, product security testing, security governance, risk management, and compliance.
A version of this article also was published at InTech magazine.