A New Approach to Securing Industrial Control Systems

Industry Perspectives 2020-11-19

Traditionally, securing ICS environments has focused on prevention and standards conformance and been performed as a distinct operation from IT security. This checkbox approach is based on the assumption that, by building security solely on industry practices and standards, you’d be able to keep a unique facility or critical infrastructure secure. However, as the major breaches of other compliance-driven industries have shown, a new approach to ICS security that is led by intelligence, streamlines meeting regulatory requirements, and strategically addresses the unique needs of each environment is critical.

Throughout 2015, our consultants found that attacks designed to destroy or disrupt operations are increasingly becoming the norm for threat actors – including against mission-critical ICS. As more systems become connected through the Industrial Internet of Things (IIoT), blending IT networks, OT networks, and access vectors, the sole notion that NERC CIP-compliance or an IEC/ISA 62443-conformant approach will keep our critical infrastructure secure introduces increased risk and workloads for security professionals.  

The unique challenges of the ICS environment

Vastly different from an enterprise IT environment where systems can be shut down and replaced with relative speed, mission-critical ICS technology may have been in place for 10-15+ years old with minimal budget to update them nor the manpower or down time to replace them. Often times, vendors are no longer supporting the software and security updates are non-existent.  In these environments, ensuring a non-disruptive security strategy is essential to keeping infrastructure up and running.

Lessons From The Frontlines

Over the last 10+ years our Mandiant services team has responded to the most significant breaches in the world and one persistent lesson has remained true – the best security organizations in the world focus on minimizing the impact of an attack. This means rapidly moving from detection to response before an attacker can fully achieve their objective. As the IoT reaches into the industrial control space, it will be critical to update the way we approach cyber security for ICS because we can’t assure the critical points of our infrastructure will remain disconnected.

Know Thy Enemy – The Value of Intelligence

An effective security posture should be designed to protect the most critical targets and assets in an organization, and deploy the right resources to match the offensive capabilities of your adversary. While most people think of threat intelligence as a virus database to reactively catch malware, in reality it’s the contextual knowledge about an attacker targeting ICS that enables for strategic security solutions to be developed.

To create an effective security posture, you need to start with knowing your adversaries, what they are targeting and their attack methodology. Otherwise, you can’t design a system to detect and minimize the impact of their attack.

A New Approach to ICS Security

Working in industrial control environments is nothing new for FireEye, or the Mandiant consultants that specialize in ICS or our recently acquired threat intelligence company iSIGHT partners. We’ve brought together the best available resources in critical infrastructure cyber security, and strategically aligned with the best partners in the industry to help organizations move to an intelligence-led security model that makes compliance easier and detecting and responding to attacks against the most highly targeted critical infrastructure providers in the world faster.

The starting point for this is a new Mandiant Service called ICS Healthcheck, which follows a unique methodology to bridge IT security teams and the operations or engineering staff who manage ICS infrastructure to identify joint solutions to potential vulnerabilities.

Today we also announced a new partnership with Belden, a leader in the ICS industry. The partnership brings together detection, targeted threat and vulnerability intelligence, and specialized Mandiant ICS services from FireEye, and deep visibility, endpoint intelligence, change detection, network segmentation and industrial networking solutions from Belden’s cybersecurity portfolio.

Another key relationship is the recently announced partnership with Parsons, a global infrastructure management firm. This partnership will allow us to deliver new ICS security capabilities at scale, across the critical infrastructure providers around the world.

These partnerships, along with customized services, intelligence and technology, will deepen the ICS specific data sources feeding into the FireEye Threat Analytics Platform (TAP) that collects data and applies threat intelligence, rules tailored for ICS environments and advanced security data analytics to event data streams. TAP cuts down the noise of typical security solutions and provides industrial networking situational awareness to improve response times in the event of an attack.

ICS Security Delivered as a Service

Like almost every industry one of the biggest challenges for critical infrastructure providers is staffing and managing security tools. FireEye introduced FireEye as a Service to carry out rapid detection and response actions and alleviate the deployment and monitoring of new technologies on behalf of our customers. With FaaS, critical infrastructure customers can deploy new, non-disruptive technologies tailored to the ICS environment and with FireEye as a Service, have the option to have these managed by FireEye experts who can identify the critical alerts and help close the gap between detection and remediation.

There’s more to come as we continue to develop our offerings for keeping critical infrastructure secure.