
One-size-fits-all is a myth when securing cyber-physical systems

Article written by Vijay Vaidyanathan, Regional Vice-President, Solutions Engineering – Asia Pacific & Japan at Claroty

Over the past two and a half years, many organizations have seen five, even as much as 10 years’ worth of digital transformation across their operations. At the same time, their physical and digital assets have become increasingly intertwined.

The recent spate of high-profile ransomware attacks against oil pipelines, food supply chains, hospitals, and other critical infrastructure has brought into sharp focus the high criticality of cyber-physical systems (CPS) and their exposure to attacks.


While the rise of the Extended Internet of Things (XIoT)—the connected assets that underpin cyber-physical systems—has created security challenges for all types of organizations, the complexity of this web of connected devices can impact organizations in different ways.

Singapore’s Cyber Security Agency (CSA) recently warned that critical IoT devices now face a growing risk of ransomware and other attacks by cybercriminals. In its Singapore Cyber Landscape 2021 report, the agency cautioned that such attacks could have a “devastating impact on organizations due to the potential costs in downtime”.

Think about the breadth of assets that may be included: OT assets such as programmable logic controllers (PLCs); building management systems (BMS) such as heating, ventilation and air conditioning (HVAC) controllers and elevators; IoT devices such as security cameras and vending machines; and healthcare and IoMT devices such as infusion pumps and MRI machines.

How these devices are used, how they connect to the rest of the network, how important they are to business-critical processes, and which threats pose a real risk, will vary from organization to organization. For these reasons, it’s important for security teams to have a powerful yet also easy way to customize the capabilities that help them monitor, identify, and respond to security concerns and potential operational disruptions.

Clearly, there’s no such thing as a one-size-fits-all approach to securing cyber-physical systems and upholding operational resilience in today’s hyperconnected environment. Organizations need a user-friendly suite of products to set parameters for identifying and addressing what matters most to them.

If you are among the 85% of critical infrastructure organizations predicted to adopt hyper-converged solutions by 2024, here are three key takeaways to remember as you evaluate offerings.

Beware of solutions that paint with a broad brush and don’t allow you to customize cyber-physical systems security on a granular level

Every environment is unique, so to achieve operational resilience, you need to be able to track the variables that are most important for your environment.

Claroty xDome has more than 90 different variables you can use to customize your risk tolerance parameters. For example, you can set alerts based on events you define, including out-of-range values or specific communications. While essential for network protection and optimal detection and response, this flexibility also enables you to design a preventative maintenance program to avoid unscheduled downtime and build operational resilience. You can also filter information by firmware and software versions and group assets in ways that are logical for your organization to help inform mitigations and cyber resilience efforts, including risk assessments, vulnerability management, Zero Trust best practices, incident investigation, and triage.

Curated, nuanced context empowers security teams to ensure operational resilience

Claroty further enriches customized alerts with context. Leveraging an algorithm based on the unique context and specific circumstances in which each alert is triggered provides a single, tailor-made metric for assessing risks present in your environment. In addition to easily weeding out distracting false positives, alert risk scoring enables rapid and effective prioritization when responding to a time-sensitive incident. This helps ensure operational resilience by ensuring incidents are resolved quickly and effectively.

You can further inform the parameters you set for alerts and filters using asset risk scoring. This granular mechanism to score risk for each asset on the network enables you to further identify and understand the nature of an asset’s risk in order to better prioritize and remediate related alerts and vulnerabilities. An asset’s overall risk score can be based on individual scores on vulnerability, criticality, accessibility, infection, and threat. For example, HVAC systems would have a higher criticality score for organizations in the pharmaceutical or food and beverage sectors that rely on temperature-sensitive processes.
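As an added illustration of the two ideas above (alerts on out-of-range values you define, and an asset risk score composed from vulnerability, criticality, accessibility, infection and threat, with criticality depending on the sector), the following Python is example code and not Claroty’s own algorithm, whose formula the article does not describe. The weights, operating ranges, sector table, and the sample assets and telemetry readings are constructed assumptions chosen to show how the same HVAC controller ranks differently for a pharmaceutical plant and an office.

```python
"""Illustrative composite asset risk scoring and alert prioritization.

Added example, not Claroty's scoring algorithm. Every weight, range and
sample value below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: percentage weight of each risk dimension named in the article.
WEIGHTS = {"vulnerability": 25, "criticality": 25, "accessibility": 20,
           "infection": 15, "threat": 15}

# Constructed: criticality (0-10) depends on what the asset supports in a
# given sector; HVAC is critical wherever temperature-sensitive processes run.
SECTOR_CRITICALITY = {
    ("hvac", "pharmaceutical"): 9,
    ("hvac", "food_and_beverage"): 9,
    ("hvac", "office"): 3,
}
DEFAULT_CRITICALITY = 5

# Constructed: acceptable operating ranges per (asset, variable).
RANGES = {
    ("cold-room-hvac", "temperature_c"): (2.0, 8.0),
    ("plc-line-1", "pressure_bar"): (1.0, 4.5),
}


@dataclass
class Asset:
    name: str
    kind: str
    vulnerability: int  # 0-10: severity of known, unpatched weaknesses
    accessibility: int  # 0-10: reachability from other zones or the internet
    infection: int      # 0-10: indicators of compromise observed on the asset
    threat: int         # 0-10: relevance of current threat intelligence


def criticality_for(asset, sector):
    return SECTOR_CRITICALITY.get((asset.kind, sector), DEFAULT_CRITICALITY)


def asset_risk_score(asset, sector):
    """Weighted average of the five dimensions on a 0-10 scale."""
    scores = {
        "vulnerability": asset.vulnerability,
        "criticality": criticality_for(asset, sector),
        "accessibility": asset.accessibility,
        "infection": asset.infection,
        "threat": asset.threat,
    }
    for name, value in scores.items():
        if not 0 <= value <= 10:
            raise ValueError(f"{name} score {value} outside 0-10")
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS) / 100


def out_of_range_alerts(readings):
    """Raise an alert for each reading outside its configured range.

    Readings for variables with no configured range are ignored, so the
    operator decides which variables matter rather than the tool.
    """
    alerts = []
    for asset_name, variable, value in readings:
        bounds = RANGES.get((asset_name, variable))
        if bounds is None:
            continue
        lo, hi = bounds
        if value < lo or value > hi:
            deviation = lo - value if value < lo else value - hi
            alerts.append({"asset": asset_name, "variable": variable,
                           "value": value, "deviation": deviation})
    return alerts


def prioritize(alerts, assets, sector):
    """Order alerts by the risk score of the affected asset, then by how far
    the reading strayed from its range, highest first."""
    by_name = {a.name: a for a in assets}
    for alert in alerts:
        alert["asset_risk"] = asset_risk_score(by_name[alert["asset"]], sector)
    return sorted(alerts, key=lambda a: (a["asset_risk"], a["deviation"]),
                  reverse=True)


# Constructed sample assets and telemetry.
HVAC = Asset("cold-room-hvac", "hvac", vulnerability=4, accessibility=6,
             infection=0, threat=3)
PLC = Asset("plc-line-1", "plc", vulnerability=7, accessibility=3,
            infection=1, threat=5)
SAMPLE_READINGS = [
    ("cold-room-hvac", "temperature_c", 9.5),   # above the 2-8 C cold-chain band
    ("plc-line-1", "pressure_bar", 5.0),        # above the 4.5 bar limit
    ("plc-line-1", "pressure_bar", 3.0),        # normal
    ("cold-room-hvac", "humidity_pct", 80),     # no range configured: ignored
]

if __name__ == "__main__":
    for sector in ("pharmaceutical", "office"):
        ranked = prioritize(out_of_range_alerts(SAMPLE_READINGS), [HVAC, PLC], sector)
        print(sector, [(a["asset"], a["asset_risk"]) for a in ranked])
```

With the constructed weights the HVAC controller scores 4.9 for the pharmaceutical sector but 3.4 for an office, so the temperature alert is ranked first in the former and behind the PLC pressure alert in the latter; the same telemetry yields a different triage order because criticality is a property of the organization, not of the device.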

Situational factors play a big role, so understanding attack behavior within the context of your cyber-physical environment is vital

Regardless of your level of visibility, threat detection, or the vulnerability management controls you implement to manage risk, you cannot eliminate risk entirely.

Critical infrastructure organizations face information threats, hostile surveillance, and malware. Claroty takes customization and context even further by enabling you to understand situational factors that threat actors use to their advantage during an attack, and the steps you can take to proactively remediate risk.

Attack vector mapping identifies the most at-risk assets and zones in your cyber-physical network and simulates the various means through which an attacker could penetrate that network, with a focus on lateral-movement scenarios. Through a visual representation, you see all the points at which you would be alerted during the course of an attack, from the first alert that a new asset (for example, an intruder’s system) has entered the environment, through the entire contextualized chain of events and all alerts related to a single incident.

Having the full context surrounding every step of the attack means you’re better able to stop a threat actor before they access an operationally critical part of the network and commence an attack that could result in safety issues or costly downtime.

One-size-fits-all security for today’s hyper-connected organization is a myth.

Designed for flexibility and ease-of-use, Claroty’s suite of products offers the customization, contextual enrichment, and situational awareness capabilities security teams need to be able to understand what threats and security flaws pose a real risk to their bottom line and secure their unique environment.

The views in this article are those of the author and may not reflect the views of Tech Wire Asia.