Oil & Gas IQ Infographic interpretation In a recent OGIQ survey it showed that most concerns are aimed on Hackivism (61%) and State actors (espionage (20%) & cyber warfare (8%)). Fox Interpretation: Hacktivists are the low-hanging fruit (easy pickings) to defend against. If you are not fully confident you can keep hacktivists out, then your defense against state actors and corporate espionage will probably not effective either. To keep hacktivists out, the first thing to do is own up to the vulnerabilities and make sure your OT environment cannot be attacked from the internet. You cannot demand from OT to "just upgrade to the latest patches" as this may impact continuity and will require downtime. So segregating is the first step. Do it properly, and use data diodes. For the networks where you can enforce updating and patching procedures, you do need to stay standby in case an incident does occur. And you actually need to know when an incident occurs. How will/can you know? By using a reliable network monitoring tool: ProtACT And how confident are you that your defense mechanisms can handle/detect State Actors/APTs? (APT=Advanced Persistent Threat) Fox Interpretation: State actors and APTs are backed with a lot of knowledge, money and patience when subverting your infrastructure. However, they prefer the lazy approach, and will target the easy pickings, which is the digital infrastructure because they do not even have to leave their offices to launch an attack. When there is no network segregation, they can just walk in. When there is a firewall in place, some effort will be needed to circumvent it but it is still doable. The only way to protect your OT network against online attacks is by using an air gap or a data diode. For all networks, monitoring is key to detecting anomalies, in particular when preventive measures like air gaps and data diodes have not been applied. For the OT networks, use a Fox DataDiode to stop outside attacks. For the IT networks, use ProtACT to see what is happening and be able to react quickly when something happens. Have you segregated your IT network from your OT (IT = Information Technology) and OT is (Operational Technology) network? Fox Interpretation: The above figure shows that it is perceived that installing a Firewall is sufficient to safeguard ICS systems against hackivism and APTs. Using a firewall is always better than having no separation at all, and it is an indication that it is understood that the OT environment is a particularly valuable asset to protect against attacks. However, firewalls are not an adequate solution. Often, firewalls are left open, because the administrators fear that closing the firewall further may harm the continuity. Also, maintaining a firewall requires a lot of know how. When outsourcing the firewall management, the keys to opening your OT network are handed over to external parties. Technically, a firewall is only a moderate hurdle being put up. By definition, it allows data to flow into the OT network, including malicious data. Moreover, firewalls are essentially complex software with bugs and holes, just due to their sheer size. So we see the use of a firewall as an acknowledgement of the need for protection, however without the protection that your OT environment needs. Consider the use of a Fox DataDiode, which does not have any of the drawbacks of a firewall. From within your IT network, to what kind of data and/or devices do you need to have access to in your OT network? (Multiple answers possible) Fox Interpretation: Sharing data generated in production environment (ICS), be it from SCADA, Historian, RTU's or HMIs in real time with corporate (IT) network has become necessary for business analysis and interpretation of data. Integration means that connections are set up. These connections could be used for purposes other than data sharing between the production environment and the corporate network, e.g. malicious purposes. Corporate networks are connected to the Internet and therefore can be infected and hacked into. When connections exist between corporate networks and ICS production environments, these systems become vulnerable to malware and attacks. Ultimately, if this vulnerability is exploited, availability and integrity of production systems and critical assets are at risk. Placing a Fox DataDiode between the corporate networks and the production networks, guarantees integrity of the production systems as only data flowing from the production systems to databases or monitoring stations in the corporate network is possible because of the one-way network connection. ICS assets that facilitate production are protected against cyberattacks, abuse and even mistakes from the corporate network. Furthermore, threats operating through the corporate network, for example malware that has entered the corporate network through an Internet link or hackers conducting targeted attacks, cannot reach the production network. Are you monitoring your network? (Multiple answers possible) Fox Interpretation: Security is always a fine balance between preventive controls and detection. Since you cannot prevent everything you will most certainly need to implement some form of detection capabilities. It is very concerning that more than a quarter of the organizations are in the dark, having no idea or warning if/when their preventive controls fail. It is positive that some organizations have taken steps with an IDS or other detective controls such as a SIEM or host IDS. 2 In what timeframe do you need to make (additional) investments in (cyber) security solutions as a result of regulatory compliance? Fox Interpretation: The numbers show cause for concern as one cannot help but wonder if the stakeholders are aware of the urgency in which they need to address the need to secure their ICS networks sooner rather than after the attack has become a paralyzing fact. In the last three years, how often have you been confronted with a serious ICT cyber incident? (ICT = Information and Communication Technology) Fox Interpretation: Cybersecurity incidents are a daily occurrence. Even though serious incidents occur less often, they are common enough to be a serious cause of concern and to be something to be prepared for. The results of this questionnaire confirm this: close to one third of the respondent have been confronted with a serious cybersecurity incident in the last three years. This means that two thirds have not yet fallen victim to a serious incident yet, or, more importantly, do not know it. How fast do you think it is necessary to be able to respond on a (cyber) security incident? Fox Interpretation: There are a number of factors that help increase the quality of response to an incident. Timeliness is one of these factors. Other factors are: timely escalation, appropriate communication, thorough investigation and good mitigation. It is always important to be able to respond quickly to an incident, even though the resulting process of investigation and mitigation may take weeks or even longer. Does your organization have an Incident Response Plan in place? Fox Interpretation: A good response plan, which includes having a trusted investigator under speed dial, helps improve the quality of response and helps drive down the overall costs of response. If you had to make an estimate of the costs involved to recover from a cyber-attack, what estimate would that be? Fox Interpretation: Numbers speak for themselves, everyone realizes that when an ICS environment has been attacked that the consequences are financially devastating. 3
© Copyright 2024 ExpyDoc
