This is our monthly blog detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. The Category and Practice from the “OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey” is noted for each best practice. Hopefully, you filled out the survey and identified your gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today.
Larger Organizations Take Note
If you have been increasing your security posture and reducing the risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers.
How to Let Distributors, Systems Integrators, and Other Vendors Interface with the OT Network
In this month’s blog we answer the question, “How should vendors access and transfer files to the OT network when they come onsite?” We provide two separate best practices – one for accessing the OT network and another for transferring files to the OT network.
How should distributors, systems integrators, and other vendors access the OT network when they come onsite?
Survey Category and Practice: Logical Access Control; Supply Chain Risk

One systems integrator in an OT-CERT tabletop said their customers log them in to the customer’s own personal account, or a privileged account, and walk away and let them do whatever they need to do. This practice is risky, because it is important that all actions on the network can be attributed to an individual user. This will assist in investigating unintentional mistakes as well as potential malicious activity.
A medium company in the OT-CERT tabletop said they are required to call their IT helpdesk, which is outsourced, and IT provides temporary access for the vendor to an account, but someone must watch everything they do and make sure they log out of the account when they are finished. This is a good practice for consideration if you have sufficient resources.
Dragos Recommendation: We recommend that you create a user account specifically for each vendor, with the access required by that particular vendor. Ensure that the vendors have correct user access as well as the correct permissions in the software. Different OT/SCADA software handles access permissions differently, so it is important that you understand how to assign the appropriate access to the software for your vendors. Also, you might need to create two sets of accounts: one on the IT side, and one on the OT side. Although some advanced planning is required, creating the accounts is easy, and this way if you do experience a cyber incident the investigation will be much easier. We also recommend that the account be suspended or deleted when the vendor has completed their work.
In addition, have the vendors sign a policy that informs them of what they can and cannot do with their account. It should also inform them that their activities will be monitored, and any misuse could result in account termination. If you do not have an acceptable use policy for your company, check out the template provided by SANS – you could start with this and tailor it for OT.
In March, OT-CERT will provide an OT acceptable use policy template that you can customize and use with your vendors. If you haven’t joined OT-CERT yet and you would like to use this template join today so you don’t miss out.
How should distributors, systems integrators, and other vendors transfer files to the OT network when they come onsite?
Survey Category and Practice: Supply Chain Risk

Not all cyberthreats come from outside your network – malware is often introduced by trusted third parties that connect to your network to do their job. Remember that vendors service many customers, so their laptops and removable media devices plug into many networks. If one of those networks is infected with malware, it can easily infect the vendor’s device and spread onto any network they subsequently connect to. According to a recent report by Honeywell, 37 percent of malware is specifically designed to be spread by removable media, and almost 80 percent of the cyber threats passed by removable media devices can critically impact industrial operations.
In many actual OT cybersecurity incidents, the attackers first compromised a trusted service provider, then used that vendor’s status to gain access into their actual target’s networks. While you may not be the intended target of the attacker, you could be an innocent victim if the same compromised vendor serves you as well. Therefore, when a vendor comes to your site you should never let them connect their laptop directly into your network or plug in a removable media device.
One systems integrator in an OT-CERT tabletop exercise said most of their SMB customers let them plug their laptops and removable media devices directly into their OT network. It is important that you implement our recommendations below for transferring files from your third parties to your OT network. It is an easy recommendation that you can implement no matter how small you are, and it greatly reduces your risk of malware impacting your operations.
Dragos Recommendation for Vendor USB Devices: Optimally, we recommend that you work with the vendor and download their software / information onto one of your organization’s computers in your IT environment – not your OT environment – prior to them being onsite. Be sure to use a computer that is running anti-virus or endpoint security software, so the information / software is scanned for malware. Next, transfer the files to a dedicated USB device for your OT environment, and finally use that USB to transfer the files into the OT environment.
Don’t forget to document the process for transferring files from vendors and train all relevant operations personnel on the required processes.
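One way to make the staged USB transfer described above verifiable, as an added example that is not Dragos or OT-CERT code: the IT-side staging workstation (where the files were scanned) writes a manifest of SHA-256 hashes next to the files, and the OT-side workstation checks the copy on the dedicated OT USB device against that manifest before anything is installed. Any file that changed in transit, went missing, or appeared on the device without having been scanned is reported. The manifest file name, the vendor name, the ticket number and the sample files are constructed for this example.

```python
"""Staged file transfer: IT-side staging manifest and OT-side verification.

Added example (not Dragos or OT-CERT code). Assumed layout: vendor files are
downloaded and scanned on an IT workstation into a staging folder, a manifest
of SHA-256 hashes is written there, folder and manifest are copied to the
dedicated OT USB device, and the OT engineering workstation verifies the copy
against the manifest before any file is used.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "TRANSFER_MANIFEST.json"  # assumed manifest file name


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(staging: Path, vendor: str, ticket: str) -> dict:
    """IT side: hash every regular file under the staging folder (except the manifest)."""
    files = {}
    for p in sorted(staging.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(staging).as_posix()
            files[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    manifest = {"vendor": vendor, "ticket": ticket, "files": files}
    (staging / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_copy(target: Path) -> dict:
    """OT side: compare the files present on the USB device against the manifest.

    'modified' = hash differs from what was scanned, 'missing' = listed but absent,
    'extra' = present but never scanned (the removable-media malware case).
    """
    manifest = json.loads((target / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    present = {
        p.relative_to(target).as_posix(): p
        for p in target.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    modified = [r for r, meta in expected.items()
                if r in present and sha256_of(present[r]) != meta["sha256"]]
    missing = [r for r in expected if r not in present]
    extra = [r for r in present if r not in expected]
    return {
        "vendor": manifest["vendor"],
        "ticket": manifest["ticket"],
        "modified": sorted(modified),
        "missing": sorted(missing),
        "extra": sorted(extra),
        "ok": not (modified or missing or extra),
    }


def demo() -> dict:
    """Constructed walk-through: stage two files, copy them, then alter the copy."""
    root = Path(tempfile.mkdtemp())
    staging, usb = root / "it_staging", root / "ot_usb"
    staging.mkdir()
    (staging / "firmware.bin").write_bytes(bytes(range(256)) * 4)   # constructed sample
    (staging / "release_notes.txt").write_text("constructed sample\n")
    build_manifest(staging, vendor="ExampleVendor", ticket="CHG-0000")  # placeholder values
    shutil.copytree(staging, usb)                  # stands in for copying to the OT USB
    clean = verify_copy(usb)
    (usb / "firmware.bin").write_bytes(b"\x00" * 8)  # simulated corruption or tampering
    (usb / "autorun.inf").write_text("[autorun]\n")   # a file that was never scanned
    tampered = verify_copy(usb)
    shutil.rmtree(root)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest ties the copy on the OT USB back to the scanned set; a verification failure means the files on the device are not the ones that were checked on the IT side and should not be installed. Recording the vendor and ticket in the manifest also gives the OT side a paper trail for the transfer.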
Dragos Recommendation for Vendor Laptops: USBs are a common method of transferring files to OT devices, but if a vendor needs to connect a laptop to a production ICS/OT system, we recommend that you provide the vendor access to one of your organization’s laptops to perform their work. This laptop should be a dedicated laptop specifically for the OT environment. Using the same laptop or other device in both the IT and OT environments, even if both are owned by your company, is a high-risk practice that Dragos would identify as a critical finding in a risk assessment.
If the vendor’s laptop is running proprietary software or an application that cannot be installed on your computer, we recommend that you first ensure that the laptop has all of the latest anti-virus definitions and Microsoft patches. In addition, require one of the following: the vendor connects directly to the target OT device with a crossover network cable or other interface, such as serial or USB; or, the vendor connects the laptop to a local firewall that is configured only to allow traffic between the specific target IP addresses, ports, and services required to perform their work. Your IT team or provider can instruct you on how to do this.
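The local-firewall option above, as an added example that is not Dragos or OT-CERT code: the approved connections for one vendor session are written down as an explicit allowlist of source address, target address, protocol and port, and everything else is dropped and logged. The policy is evaluated in Python (so the allowlist can be checked before the session) and rendered to an nftables ruleset for a small Linux-based firewall placed between the vendor laptop and the target device. The addresses, interface names and the choice of nftables are assumptions for the example; the ports are the standard EtherNet/IP and Modbus/TCP service ports.

```python
"""Vendor-session firewall: allow only the approved host/port pairs, drop the rest.

Added example (not Dragos or OT-CERT code). It assumes a small Linux firewall
running nftables between the vendor laptop (vendor_if) and the target OT device
(ot_if). All addresses and interface names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Allow:
    src: str      # vendor laptop address
    dst: str      # target OT device address
    proto: str    # "tcp" or "udp"
    dport: int    # service port on the target device


# Constructed policy for one session: the laptop may reach one PLC on two
# service ports and nothing else; no other device on the OT network is reachable.
VENDOR_SESSION_POLICY = (
    Allow("192.0.2.10", "198.51.100.20", "tcp", 44818),  # EtherNet/IP explicit messaging
    Allow("192.0.2.10", "198.51.100.20", "tcp", 502),    # Modbus/TCP
)


def is_allowed(policy, src: str, dst: str, proto: str, dport: int) -> bool:
    """Default-deny evaluation of a new connection attempt against the allowlist.

    Only connections initiated by the vendor laptop towards an approved
    target/port pass; the reverse direction and any other host or port fail.
    Reply packets are handled by connection tracking in the rendered ruleset.
    """
    ip_address(src)  # reject malformed addresses early
    ip_address(dst)
    return any(
        r.src == src and r.dst == dst and r.proto == proto.lower() and r.dport == dport
        for r in policy
    )


def render_nft(policy, vendor_if: str = "eth0", ot_if: str = "eth1") -> str:
    """Render the policy as an nftables forward chain with a drop default.

    Denied attempts are counted and logged before the chain policy drops them,
    which gives the operator watching the session a record of anything the
    laptop tried to reach outside the approved set.
    """
    lines = [
        "table inet vendor_session {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f'    iifname "{vendor_if}" oifname "{ot_if}" '
            f"ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            "ct state new accept"
        )
    lines.append('    counter log prefix "vendor_session_drop: "')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(VENDOR_SESSION_POLICY))
```

The rendered ruleset is loaded with `nft -f` on the firewall for the duration of the session and removed when the vendor is done. Keeping the policy as data makes it easy to review with the vendor beforehand and to compare against the work order afterwards.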
Stay Up to Date with SMB Cybersecurity Resources: Join Dragos OT-CERT!
Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.
Currently available resources include:
- OT Cybersecurity Fundamentals Self-Assessment Survey
- OT Asset Management Toolkit
- Self-Service OT Ransomware Tabletop Exercise Toolkit
- Collection Management Framework for Incident Response
- OT Cybersecurity Incident Response Toolkit
- OT Data Backups Guidance
- Access to an introductory ICS/OT cybersecurity module in Dragos Academy
If you haven’t joined Dragos OT-CERT, don’t delay! Membership is open to organizations that own or operate a manufacturing / ICS / OT environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.
We look forward to working with you to safeguard civilization!