The rise of ubiquitous connectivity in industrial control systems over the past decade has enabled organizations to achieve substantial productivity gains. Unfortunately, the network architecture that connects our mission-critical cyber assets and accelerates efficiency is the same network that expands our attack surface and provides adversaries with pathways to compromise our environment. Networks, like most technologies, can be designed for defense or exploited for malice.
Today, organizations running operational technologies (OT) are in a race to strengthen their cyber resiliency. This means developing the capabilities to run their critical operations despite the constant pressure of disruptions caused by cyber-attacks. A fundamental requirement for protecting cyber assets is to gain and maintain accurate network visibility. There are two sides to network visibility: 1) active monitoring, and 2) architecture modeling. The former leverages sensors to collect live traffic data, while the latter leverages network device configuration files to represent the topology.
At Network Perception, we have helped hundreds of organizations put in place a robust architecture modeling practice using NP-View. We firmly believe that an accurate representation of network topology and connectivity paths is an essential step to acquire comprehensive visibility over cyber assets. The fact that our users consistently uncover a wide array of misconfigurations and vulnerabilities when they start analyzing their network architecture through their firewall and router configurations is a strong reminder that conducting ruleset verification is crucial.
We compiled a list of the most frequent network access vulnerabilities discovered in OT networks over the past few years. The table and descriptions below present the top 5 vulnerabilities along with best practice recommendations to remediate them.
At the top of the chart is the absence of outbound network traffic filtering. Most firewalls are configured to block traffic initiated from outside. The reverse direction is either overly permissive or not scrutinized at all. This is an important risk in the context of an OT network for three reasons. First, workstations infected by malware will attempt to call home to download updates and expand their reach. Second, it makes sensitive data exfiltration much easier for an adversary. Third, it can be a compliance violation if the network lacking egress access control is critical (e.g., an electronic security perimeter under the scope of NERC CIP-005). Our recommendation is to verify firewall rulesets to ensure that both directions (inbound and outbound) are filtered according to the principle of least privilege.
Next on our list is the risk of remote access being exploited as a threat vector. We have seen a significant increase in requests for remote access from employees working from home and from software vendors offering remote maintenance services. This is an important challenge for security teams because remote access can proliferate uncontrolled and turn an OT network into Swiss cheese. Our recommendation is to follow the latest NERC CIP standards, which have recently been updated to make sure electric utilities with medium and high impact cyber assets have a method to determine active vendor access sessions and the ability to disable them. An inventory of external communication paths can be automatically generated with network architecture modeling.
Segmenting a network is the most efficient way to prevent attackers from extending their reach through lateral movement. Unfortunately, network segmentation is easier said than done. Complex network environments going through frequent changes are prone to becoming more porous over time. We recommend adopting a 3-step network access policy hardening approach: 1) deny all access by default, 2) define network zones, and 3) enable connectivity among zones on a strict need-to-know basis. If starting from a clean slate is not possible, then one should at least verify rulesets to identify overly permissive rules (e.g., “any” source or “any” destination) and reduce their scope.
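The two ruleset checks recommended above (egress filtering, and permit rules with an “any” source or destination) can be automated. The script below is an added example written for this article, not NP-View's code or output; it works on a constructed, vendor-neutral five-column ruleset and assumes the firewall's implicit default for unmatched traffic is permit.

```python
from collections import namedtuple
# Constructed sample ruleset for this example (not any vendor's syntax): one rule
# per line, "direction action source destination service", evaluated top-down,
# first match wins; unmatched traffic gets the implicit default (assumed permit).
SAMPLE_RULESET = """\
inbound  deny   any           any        any
outbound permit 10.10.1.0/24  10.20.5.7  tcp/443
outbound permit any           any        any
"""
DEFAULT_ACTION = "permit"
Rule = namedtuple("Rule", "line direction action src dst service")

def parse_ruleset(text):
    """Parse the five-column format above; blank lines and # comments are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if fields and not fields[0].startswith("#"):
            rules.append(Rule(n, *fields))  # TypeError if not exactly 5 fields
    return rules

def unfiltered_directions(rules, default_action=DEFAULT_ACTION):
    """Directions in which every flow ends up permitted: a permit-any rule is
    reached before any deny, or no deny exists and the default is permit."""
    unfiltered = []
    for direction in ("inbound", "outbound"):
        filtered = default_action == "deny"
        for r in (r for r in rules if r.direction == direction):
            if r.action == "deny":
                filtered = True
                break
            if (r.src, r.dst, r.service) == ("any", "any", "any"):
                filtered = False
                break
        if not filtered:
            unfiltered.append(direction)
    return unfiltered

def overly_permissive(rules):
    """Permit rules whose source or destination is 'any' (candidates to narrow)."""
    findings = []
    for r in rules:
        wide = [f for f, v in (("source", r.src), ("destination", r.dst)) if v == "any"]
        if r.action == "permit" and wide:
            findings.append((r.line, r.direction, " and ".join(wide)))
    return findings

if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print("unfiltered:", unfiltered_directions(rules), overly_permissive(rules))
```

On the sample ruleset the outbound direction is reported as unfiltered and rule 3 is flagged for both an “any” source and an “any” destination; the inbound deny-all rule is not flagged because only permit rules widen access.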
Patching vulnerable applications is not always possible in an OT environment where 24/7 operational availability is required. As a result, security and network teams have to work together to ensure that vulnerabilities are mitigated through multiple layers of access control. We recommend running a path analysis as part of a vulnerability assessment to precisely understand which network services are exposed to which network zones.
Addressing the network access vulnerabilities described above is extremely important but not sufficient due to the dynamic nature of connected environments. Even OT networks, which are considered more static than IT networks, periodically go through firewall ruleset changes. Not having a robust review process to understand the consequences of a change will inevitably introduce overly permissive rules and weaken network segmentation over time. We recommend adopting a workflow in which candidate changes are analyzed with network modeling prior to being deployed into production. This analysis should be conducted by an independent verification team that is separate from the team that designs the change.
Addressing these network access vulnerabilities will have a significant impact on preventing attacks, such as ransomware, from successfully breaching your critical environment. They are part of the cyber hygiene all organizations should adopt to strengthen their cybersecurity posture. Contact us if you need help analyzing your network access policies or if you would like to share feedback on the list of vulnerabilities presented.