CISO for a Day? Reduce Attack Surface in the Process Control Domain.
- Phillip
- May 23, 2023
- 4 min read
Opinion piece.
If you have money to spend on ONE project to deliver in 2023, What Say You?
Answer? Reduce the Process Control Network (PCN) Domain Attack Surface in Critical Infrastructure.

You are preparing to front up to the media after a ransomware attack.
Another Cyber Attack front and centre across headlines all over Australia and the world.
Shareholders demand answers. A significant event report must be submitted to Government departments: ASD, ACSC and DHA are involved.
The world has fallen from under your feet and walls are breaking all around your organisation.
The cautionary tales have been shared around the IT Campfire for months on end. Medibank, Telstra, Optus, Liberty Financial...
How the hell could this have happened?
Back to the Future
In our Cyber Defence world of seemingly unlimited options, priorities and project pressures, timelines and goals to meet, keeping the lights on and business as usual, hypothetical scenario game play should be top 3 on every Industrial Control System Asset owner's list. Hear me out whilst you sip your third cup of chai soy latte coffee (Yuck! Give me full fat extra cream any day).
Where a worst case scenario has occurred as above, let's assume all hell will, and has, broken loose. Let's fast forward past the media public hanging. The sacrificial lambs. Forensic analysis done and dusted. What will this Post Event Report outline?
(Lack of) Acting on Common knowledge: Indicators of Compromise/Attack.
Time and time again, we know an Industrial Control System is RARELY attacked head on: 90%+ of system compromises are breached via the IT layer, NOT the Process Control Network Domain. An IT application (web browser, PDF, Word, virtualisation), OR an Internet-facing service, OR phishing/web exploit, OR insecure remote access, AND the golden keys of compromised credential access.
Simplify through simplification.
We know discovered vulnerabilities that are not patched in a timely manner can easily lead to exploitation (if exploitable) and inevitable disaster. The cat and mouse game of finding, patching and updating at a frequency that is ACCEPTABLE to the PCN domain, where DOWNTIME is managed a few times PER 365 days, is like juggling 7 sticks of TNT. Boom! It is just a matter of time.
The (in)famous IT Patch Tuesday is required to ensure maximum and timely protection for the significant coverage these evolving IT Assets provide (physical hardware/operating systems, internal software applications and external facing assets) over a much shorter lifecycle. This includes the used-to-death term of Defence-in-Depth Cyber Tools.
In the PCN, how often are the ICS physical assets changed?
How many applications and external facing assets exist to service these physical assets?
What physical IT Assets such as servers, routers and PCs run which Operating System and which version, and at what point and layer of the PCN does it CONNECT to the IT Domain? (Read: Choke Point.)
The PCN list is much, much shorter and smaller than in the IT Domain. Point Blank Simple Fact.
Defend the Defensible (of the now).
Contrary to certain beliefs of the value of real time threat monitoring in the PCN, we are not arguing about the value this type of technology brings. In my view, and based on experience working with hundreds of sites covering water, energy/power, manufacturing, mining, oil & gas and critical sector projects, threat monitoring is an absolute necessity.
The suggestion here, remembering we have ONE project to deliver in 2023 with ONE budget, is to focus on HARDENING the PCN. Nothing more, nothing less. How? Why?
A point-in-time scan for inherent PCN system vulnerabilities AND an assessment of the PCN to uncover physical or critical connections and network points, and to prioritise crown jewels, so the business understands "which few services, if stopped, have a detrimental NEGATIVE IMPACT on nominal operations of the business". That is what we get busy working on.
Update Operating Systems (Bad Actors LOVE old OS versions that have known exploits). If the OS cannot be updated (e.g. Microsoft won't even touch 'em!), build a control mechanism around it to reduce that specific identified Risk to a manageable outcome.
Update PCN Software from ICS Vendors. They'll love the Service Contract uplift if it's not already included in your Maintenance Program.
Refresh Servers and Networking equipment as above, including the OS and associated Applications. And do you really need all those services activated to run your plant?
USB Ports enabled?
Known Compromised Network Transport Comms enabled? Ghost Assets?
Misconfigured Software broadcasting IP etc. out to the WW Bad Web, set up by a third party 4 years ago?
This also goes for Security Assets.
What Firewall and Networking Rules/Ports/Apps are running/open/enabled? Do you need them all?
Zero Trust. Remove by default if an operator does not use it daily, weekly, monthly or yearly (Player's Choice of course).
The harder choice: if your PCN architecture, designed 15 years ago, by its mere existence NOW has known limitations to achieving cyber resiliency, do you forklift the existing weak design to an enhanced secure-by-design architecture (hot swap of course; someone say tested backup, recovery and operational plans?)?
To end, let's recap:
Step 1: Point-in-time scan of the Site for Known Vulnerabilities and Risks.
Step 2: Network Site Assessment covering IT and OT Assets (Physical and Software).
Step 3: Harden (Patch, and disable items you do not need to operate each site).
Oh, this does NOT cost millions of dollars and 3 years to deploy. Perhaps a few weeks for Steps 1 and 2, dependent on the number of Sites, Assets and OT and IT Devices per site. Step 3 is where time management and prioritisation come into play.
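As an added illustration of Steps 2 and 3 (not code from the original post), the following script triages a constructed PCN asset inventory into a prioritised hardening list: crown jewels and IT-domain choke points rank first, unsupported operating systems rank above listening services nobody has used within the chosen window, which are flagged for removal by default. The asset names, dates and priority weights are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Asset:
    name: str
    os: str
    os_supported: bool        # vendor still ships security patches?
    crown_jewel: bool         # stopping it halts nominal plant operations
    it_domain_link: bool      # a choke point connecting the PCN to the IT domain
    # listening port -> date last used by an operator (None = never seen in use)
    services: dict = field(default_factory=dict)

@dataclass
class Finding:
    priority: int
    asset: str
    action: str

def triage(assets, today, max_idle_days=365):
    """Rank hardening actions: crown jewels and IT choke points first,
    unsupported OS above unused services. Weights are assumed, not from the post."""
    findings = []
    for a in assets:
        base = (2 if a.crown_jewel else 1) + (1 if a.it_domain_link else 0)
        if not a.os_supported:
            findings.append(Finding(base + 2, a.name,
                f"unsupported OS '{a.os}': patch or wrap in a compensating control"))
        for port, last_used in a.services.items():
            idle = (today - last_used).days if last_used else None
            if idle is None or idle > max_idle_days:
                seen = "never" if idle is None else f"{idle} days ago"
                findings.append(Finding(base + 1, a.name,
                    f"port {port} last used {seen}: disable by default"))
    return sorted(findings, key=lambda f: -f.priority)

# Constructed sample inventory (not real site data)
TODAY = date(2023, 5, 23)
SAMPLE = [
    Asset("HMI-01", "Windows 7", False, True, False, {3389: date(2023, 5, 1), 445: None}),
    Asset("HIST-01", "Windows Server 2019", True, True, True,
          {1433: date(2023, 5, 20), 21: date(2021, 1, 10)}),
    Asset("ENG-WS", "Windows 10", True, False, False, {5900: None}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE, TODAY):
        print(f"P{f.priority} {f.asset}: {f.action}")
```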