Four ICS security use cases that reduce cyber risk

For years, cybersecurity experts have warned of the growing risks associated with operational technology (OT) systems. New data from Skybox Research Lab makes it clear that those fears are well-founded. As detailed in the latest Skybox Vulnerability and Threat Trends Report, the number of new vulnerabilities in OT products nearly doubled in 2021, jumping 88% compared to 2020. That’s nearly nine times the growth rate of total new vulnerabilities over the same period.

The Skybox report goes on to describe how attacks on OT systems are growing in frequency, scale, and seriousness—and how threat actors are targeting OT devices with increasingly sophisticated malware and exploits. Case in point: the recently discovered INCONTROLLER/Pipedream malware targeting common industrial control systems (ICS)/supervisory control and data acquisition (SCADA) devices.[1] In some instances, attackers are going after OT systems (in order to disrupt or damage vital infrastructure, for example). In other instances, they’re using OT systems as launchpads for attacks on IT networks.


As threats mount, OT security falls further behind

Despite the rising tide of threats and attacks, OT continues to lag well behind IT when it comes to cybersecurity. While IT practices incorporate confidentiality, integrity, and availability (the “CIA” triad) as core principles, the traditional OT paradigm values health, safety, environment (HSE), and availability above all, with cybersecurity an afterthought at best.

Many OT devices have few, if any, security controls in place. Older devices are especially limited, with little-to-no support for ongoing patching or maintenance. Even where scanning and patching are theoretically possible, they’re often impractical because organizations can’t afford to compromise the availability and stability of critical OT systems. Insecure OT systems are increasingly exposed to attack as formerly isolated OT devices are connected to networks, and OT and IT environments converge.

Often, OT organizations don’t even have complete awareness of their OT assets and attack surface. OT assets are growing exponentially, driven in part by the explosion of IIoT devices, and now greatly outnumber IT assets. “Shadow IIoT”—unmanaged deployment of industrial internet-of-things devices—is rampant.

And a substantial percentage of organizations appear to be seriously underestimating current OT threats and the likelihood of attacks. In Skybox’s recent report (Cybersecurity risk underestimated by operational technology organizations) surveying cybersecurity decision-makers, 56% expressed high confidence that their organization would not suffer an OT breach in the next year, yet 83% said they had at least one OT security breach in the prior 36 months.

All of this is happening when OT security teams are stretched thin by talent shortages (aggravated by the “great resignation”) and competing priorities, including a variety of new, updated, and more stringent regulatory requirements and guidance like NIST SP 800-82r3 and the EU NIS.

Shifting the paradigm

The combination of soaring threats, increasing exposures, the inherent limitations of OT devices and environments, and the resource constraints of OT departments makes the goal of robust OT security sound like an unattainable dream. And it might well be—if organizations were limited to conventional brute-force approaches (aka “scan and patch everything”). But fortunately, they aren’t. The Skybox Security Posture Management Platform flips the established paradigm on its head and transforms OT security in fundamental ways:

  • From reactive to proactive
  • From fragmented to holistic
  • From scattershot to prioritized
  • From manual to automated
  • From sporadic to continuous

Four key use cases

Skybox’s platform addresses a variety of important use cases in OT security and compliance. Four use cases, in particular, stand out (all aligned with Purdue Enterprise Reference Architecture):

(1) Asset and vulnerability inventory

Despite ample investments and efforts, most OT organizations lack an accurate, complete, up-to-date inventory of their assets. And without a thorough inventory, ensuring security and compliance is impossible. You can’t protect what you can’t see.

Skybox Vulnerability Control consolidates information from a wide array of sources (as described in the “Discovery” section below) to assemble a much more comprehensive inventory of IT and OT assets and vulnerabilities. Skybox’s solution can also identify outdated, insecure operating systems, insecure assets and services, and installed patches. At the same time, the solution provides accurate measures of risk and asset importance.

(2) Vulnerability lifecycle management

Skybox Vulnerability Management provides an end-to-end solution for identifying, prioritizing, and addressing your riskiest vulnerabilities on an ongoing basis. It consists of the following elements (explained in more detail in the “transformative capabilities” section below):

  • Discovery: collection of OT and IT asset and vulnerability data, including scanless, non-intrusive vulnerability discovery on assets that cannot be scanned, with vulnerability data correlated against threat intelligence.
  • Network modeling, context-aware exposure, and attack path analysis.
  • Multi-factor risk scoring: measure and prioritize actual risks based on exposure, asset importance, exploitability, and severity.
  • Remediation workflows: identify and implement optimal remediations.
  • Change management: ensure that network-based remediations are properly maintained and updated as needed.
  • Dashboards and reports: automatically track performance versus SLAs, keep teams and management informed, and demonstrate the value of vulnerability management programs.

Together, these capabilities make vulnerability management a comprehensive and continuous process.


(3) Automated compliance for firewall and network infrastructure

Skybox Security Policy Management automates the process of validating compliance on network devices and managing firewall changes. It begins by collecting information from a variety of sources (e.g., routing tables, firewall rules, and NAT tables) through a wide array of integrations, then uses this data to build a network model. This model is used to simulate network traffic and automate compliance checks. Our solution understands key regulatory frameworks and requirements affecting rule policy, configurations (device hardening), and zone-based access.

Skybox Security Policy Management can help you:

  • Enforce proper configurations, harden devices, and ensure that access policies and network segmentation follow industry recommended practices and CIS benchmarks
  • React and comply efficiently with evolving CI regulations
  • Automate change management, eliminating a huge amount of manual labor and speeding implementation of change requests by days or even weeks
  • Improve audit readiness by automating workflows for demonstrating compliance

(4) Network segmentation

Although segmentation has been widely recommended as a key technique for risk mitigation for many years, the speed of business is rendering traditional validation methods obsolete. Skybox automation can help level the playing field. Using a multidimensional network model and path analysis to simulate network traffic, Skybox Security Policy Management can help organizations quickly and efficiently validate whether their current segmentation is effective. Once proper segmentation is in place, Skybox Change Manager can help ensure that it stays that way.
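The path-analysis idea behind segmentation validation, as an added illustration that is not Skybox's code or algorithm: zones stand in for Purdue levels, each firewall joins two zones and holds an ordered, first-match rule list, and a probe flow is permitted end to end only if every firewall on the zone path permits it. The topology, addresses, rules, policy and probes are all constructed for the example; the point it makes is that a single device's rules look acceptable in isolation, and only simulating the flow across both devices reveals that the enterprise zone can reach the control network.

```python
"""Validate zone segmentation by simulating flows through a network model.

Constructed example: zones, CIDRs, firewall rules and the segmentation
policy are illustrative, not a real deployment.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


@dataclass
class Firewall:
    name: str
    zones: Tuple[str, str]  # the two zones this device joins
    rules: List[Rule]       # evaluated top-down; implicit deny at the end

    def permits(self, src_ip: str, dst_ip: str, port: int) -> bool:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                return rule.action == "allow"
        return False


def zone_path(firewalls: List[Firewall], src_zone: str, dst_zone: str):
    """Breadth-first search over the zone graph; returns the firewalls
    traversed in order, or None if the zones are not connected."""
    adjacency = {}
    for fw in firewalls:
        a, b = fw.zones
        adjacency.setdefault(a, []).append((b, fw))
        adjacency.setdefault(b, []).append((a, fw))
    queue = deque([(src_zone, [])])
    seen = {src_zone}
    while queue:
        zone, hops = queue.popleft()
        if zone == dst_zone:
            return hops
        for nxt, fw in adjacency.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [fw]))
    return None


def flow_allowed(firewalls, src_zone, dst_zone, src_ip, dst_ip, port) -> bool:
    """End-to-end decision: every device on the path must permit the flow."""
    hops = zone_path(firewalls, src_zone, dst_zone)
    if hops is None:
        return False
    return all(fw.permits(src_ip, dst_ip, port) for fw in hops)


def validate_segmentation(firewalls, forbidden_pairs, probes):
    """forbidden_pairs: (src_zone, dst_zone) pairs that must never be reachable.
    probes: sample flows to simulate. Returns the probes that violate policy."""
    return [p for p in probes
            if (p[0], p[1]) in forbidden_pairs and flow_allowed(firewalls, *p)]


def build_firewalls(hardened: bool) -> List[Firewall]:
    """Constructed topology: Enterprise -- FW-A -- DMZ -- FW-B -- Control."""
    fw_a = Firewall("FW-A", ("Enterprise", "DMZ"), [
        Rule("allow", "10.0.0.0/16", "10.1.0.0/24", 443),        # users to DMZ web
        Rule("allow", "10.0.0.0/16", "192.168.10.0/24", 502),    # leftover troubleshooting rule
    ])
    fw_b_rules = [Rule("allow", "10.1.0.5/32", "192.168.10.0/24", 502)]  # historian to PLCs
    if not hardened:
        # Overly broad rule that, combined with FW-A, opens Enterprise -> Control.
        fw_b_rules.append(Rule("allow", "10.0.0.0/8", "192.168.10.0/24", 502))
    fw_b = Firewall("FW-B", ("DMZ", "Control"), fw_b_rules)
    return [fw_a, fw_b]


FORBIDDEN = {("Enterprise", "Control")}
PROBES = [  # constructed sample flows: (src_zone, dst_zone, src_ip, dst_ip, port)
    ("Enterprise", "Control", "10.0.5.20", "192.168.10.7", 502),
    ("Enterprise", "Control", "10.0.5.20", "192.168.10.7", 22),
    ("DMZ", "Control", "10.1.0.5", "192.168.10.7", 502),
    ("Enterprise", "DMZ", "10.0.5.20", "10.1.0.5", 443),
]

if __name__ == "__main__":
    for label, hardened in (("before", False), ("after", True)):
        print(label, validate_segmentation(build_firewalls(hardened), FORBIDDEN, PROBES))
```

Run as written, the "before" model reports the Modbus/TCP probe from the enterprise zone to the control network as a violation, while the "after" model, with the broad rule on FW-B removed, reports none even though FW-A's leftover rule is still there. That is the change-management point as well: a rule edit on either device can silently reopen the path, so the simulation is worth re-running after every change.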

Transformative capabilities

Skybox’s game-changing impact on OT security is made possible by a set of unique capabilities:

Holistic discovery:

Skybox solutions leverage information from multiple techniques and sources to create a far more complete picture of vulnerabilities and assets. Our solutions leverage organizations’ existing active scanning campaigns as well as our own non-intrusive scanless detection and third-party passive scanning, along with threat intelligence from Skybox Research Lab. This enables much greater coverage than scanning alone, providing detailed information on OT and IT assets, vulnerabilities, configurations, and security controls.

Network model:

Skybox collects information from across your OT and IT environments, using integrations with over 150 networking and security technologies, including OT networks and their security management platforms. It merges and normalizes this data and builds it into a comprehensive model that provides total visibility across hybrid environments. It also enables detailed simulation and analysis to identify exposed and exploitable vulnerabilities, validate configurations, ensure compliance, troubleshoot connectivity issues, optimize security controls, and protect critical assets.

Accurate risk scoring:

Traditional vulnerability scoring approaches focus shortsightedly on severity (as measured by CVSS). They bombard security teams with false positives: long lists of vulnerabilities that pose no substantial risk (because they’re not exposed to attack, for instance, or don’t affect important assets). Skybox, by contrast, performs accurate risk scoring, factoring in not only severity but also asset importance, likelihood of exploitation, and, uniquely, network-based exposure analysis. Exposure analysis is critical because only exposed vulnerabilities can be exploited, regardless of severity.

“By measuring actual risk, Skybox can reduce the list of urgent vulnerabilities by several orders of magnitude (from hundreds of thousands to a few hundred, or from thousands to a few dozen), enabling security teams to make the best use of limited resources.”
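To make the difference between severity-only ranking and multi-factor risk scoring concrete, here is an added example that is not Skybox's code or scoring formula. It assumes (as labelled in the code) that the exposure flag comes from a prior network path analysis, that exploitability is a likelihood between 0 and 1, and that asset importance is a 1 to 5 weight assigned by the asset owner; the findings and their identifiers are constructed sample data, not real CVEs.

```python
"""Multi-factor risk scoring versus severity-only ranking (constructed example).

Assumptions, not from the page: `exposed` is the result of a prior network
path analysis, `exploitability` is a 0..1 likelihood, and `importance` is a
1..5 business weight. The scoring weights below are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed identifier, not a real CVE
    asset: str
    cvss: float            # severity, 0.0 to 10.0
    importance: int        # 1 (lab/test) to 5 (safety-critical)
    exploitability: float  # 0.0 to 1.0 likelihood of exploitation
    exposed: bool          # reachable from an untrusted zone per path analysis


def severity_only_score(f: Finding) -> float:
    """Traditional approach: rank by CVSS alone."""
    return f.cvss


def risk_score(f: Finding) -> float:
    """Multi-factor score. Exposure acts as a gate: a vulnerability that no
    attacker can reach over the network cannot be exploited over it, so it
    is scored at a small fraction of its potential (kept non-zero so it
    stays in the inventory for later remediation)."""
    potential = (f.cvss / 10.0) * (f.importance / 5.0) * f.exploitability
    return round(potential * (1.0 if f.exposed else 0.05), 3)


def prioritize(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Return vulnerability ids ordered from most to least pressing."""
    return [f.vuln_id for f in sorted(findings, key=scorer, reverse=True)]


def urgent(findings: List[Finding], threshold: float = 0.3) -> List[str]:
    """The short list a team would actually work this cycle."""
    return [f.vuln_id for f in findings if risk_score(f) >= threshold]


SAMPLE = [  # constructed findings
    Finding("V-001", "test-hmi",        9.8, 1, 0.9, False),
    Finding("V-002", "safety-plc",      7.5, 5, 0.8, True),
    Finding("V-003", "historian",       8.1, 3, 0.2, True),
    Finding("V-004", "eng-workstation", 9.1, 4, 0.6, False),
    Finding("V-005", "hmi-panel",       6.5, 4, 0.7, True),
]

if __name__ == "__main__":
    print("severity only:", prioritize(SAMPLE, severity_only_score))
    print("risk scored:  ", prioritize(SAMPLE, risk_score))
    print("urgent:       ", urgent(SAMPLE))
```

Sorted by CVSS, the CVSS 9.8 finding on an isolated test HMI leads the list; scored on risk, the exposed CVSS 7.5 finding on the safety PLC comes first and the urgent list shrinks from five items to two. The 0.05 multiplier for unexposed findings and the 0.3 threshold are tuning choices for the example, not prescribed values.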

Targeted vulnerability remediation:

Skybox can identify which remediations are most effective in reducing overall risk based on customer importance and risk tolerances in various business units. Crucially, these remediations go beyond patching and include steps such as network segmentation, configuration changes, and policy enforcement. Skybox’s solutions also can be configured with SLAs to enable better tracking of efforts by various teams.

Workflow automation:

Skybox brings a new level of speed, efficiency, and repeatability to many aspects of vulnerability and compliance management by automating traditionally manual tasks such as configuration change management. Our solutions integrate into existing processes and workflow tools such as ServiceNow, Splunk, and Jira. Skybox data can also be exported into other tools via APIs for downstream analysis. Notification options are available for network changes in sensitive OT environments, firewall emergency rule activation, and more.


Together, these capabilities let OT security teams get out of firefighting mode and begin proactively identifying risks and applying appropriate protections even when patching is off the table. Skybox solutions can also help OT organizations address various pressing security and regulatory/compliance needs.

OT security and compliance made manageable

Skybox solutions bring clarity, precision, and streamlined efficiency to OT security and compliance—reducing the complexity, eliminating the guesswork, and turning a seemingly intractable problem into a manageable job. Skybox can get you to the point where you know the distribution of your assets, recognize the specific risks they’re posing, and understand the concrete actions you need to take to drive those risks down.

Footnotes:
  [1] Alert (AA22-103A): APT Cyber Tools Targeting ICS/SCADA Devices, CISA, April 2022: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a