MSPs with industrial clients in their portfolios face a set of security issues that differs from those of other verticals, and each vertical brings its own baggage.
With healthcare clients, for example, it’s PHI and HIPAA regulations.
With finance clients, there are large sums of money to safeguard along with banking regulations to follow.
With education clients, it’s student privacy and grades.
But with industrial clients there are the “moving parts” to consider: valves, pipelines, security cameras, conveyor belts, and automated releases of everything from toxic chemicals to cooking spray.
“Imagine it is a game of Mousetrap in real life, with intelligent IoT systems powering it,” says Ian Merkley, an independent industrial consultant in Toronto.
Yet it is more than an individual valve that can be compromised: one industrial component that fails can have a domino effect that spreads to other businesses and industries. The risk of attacks on industrial systems has only increased since the beginning of the conflict in Ukraine. The concern is high enough that CISA recently issued an advisory warning of increased attacks and describing how to thwart cyberattacks on operational technology (OT) and industrial control system (ICS) assets.
“As with so many things, systems are interconnected, so that an attack on even a peripheral player to a critical infrastructure player can soon become a big deal,” Merkley warns.
The CISA bulletin issued on Sept 22 was unusually stark:
Because OT/ICS systems manage both physical and operational processes, cyber actors’ operations could result in physical consequences, including loss of life, property damage, and disruption of National Critical Functions.
CISA emphasizes that those in charge of security for OT and ICS assets need to assume they are being targeted now and act accordingly instead of waiting for a threat to arise. Even small, incremental changes in security can go a long way toward thwarting an attack.
“While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes. A little change can go a long way to disrupt previously obtained access by a malicious actor.”
Merkley notes much of it comes down to budget. “You can’t persuade some CEOs to allocate more money for security, and this is where MSPs that can show and explain to clients the value of spending more on preventative maintenance can result in a win for all,” he says.
CISA advises MSPs and other stakeholders to follow mitigation measures, some of which include:
Identify and secure remote access points
Owners/operators must maintain detailed knowledge of all installed systems, including which remote access points are—or could be—operating in the control system network. Creating a complete “connectivity inventory” is a critical step in securing access to the system.
“The connectivity inventory is step one,” explains Merkley. “An MSP needs a map of their client’s entire ecosystem to document each access point, similar to mapping a cave system or complex building; you need to know the entry points.”
Once those access points have been identified, CISA recommends placing a firewall and a demilitarized zone (DMZ) between the control system and the vendor’s access points and devices, with no direct access into the control system: an intermediary service in the DMZ shares only the data that is necessary, and only when it is required.
“This step acts as a door with a lock, it may not be foolproof, but it is far, far better than nothing.”
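The two steps above, the connectivity inventory and the DMZ rule, can be checked against each other. The following is an added example, not code from the article, from CISA, or from Merkley: it models a connectivity inventory as a set of zones and firewall rules (all of them constructed for the example, including the zone names, ports and comments) and reports every route by which an untrusted zone can reach the control network without passing through the DMZ, together with the specific allow rules that create those routes. The same logic applies to rules exported from a real firewall once they are mapped onto zones.

```python
"""Added example: find remote-access routes into the control network that
bypass the DMZ.  Zones, rules, ports and comments are constructed for the
example and are not taken from the article or from any real site."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    action: str          # "allow" or "deny"
    comment: str = ""


# Constructed connectivity inventory: the zones that can originate traffic
# toward the plant and the firewall rules between them.
RULES = [
    Rule("internet",   "vendor_vpn", 443,   "allow", "vendor SSL VPN concentrator"),
    Rule("vendor_vpn", "dmz",        3389,  "allow", "vendor RDP to jump host"),
    Rule("dmz",        "control",    502,   "allow", "jump host to PLC (Modbus/TCP)"),
    Rule("dmz",        "control",    3389,  "allow", "jump host RDP to HMI"),
    Rule("corp_it",    "dmz",        8443,  "allow", "historian mirror"),
    Rule("corp_it",    "control",    3389,  "allow", "legacy: IT helpdesk straight to HMI"),
    Rule("vendor_vpn", "control",    44818, "allow", "legacy: vendor EtherNet/IP direct"),
    Rule("vendor_vpn", "control",    22,    "deny",  ""),
]


def adjacency(rules):
    """Directed graph: zone -> zones reachable through at least one allow rule."""
    graph = defaultdict(set)
    for r in rules:
        if r.action == "allow":
            graph[r.src_zone].add(r.dst_zone)
    return graph


def paths_to(graph, start, target, avoid):
    """Simple paths from `start` to `target` that never enter `avoid`.
    With avoid="dmz", each path is a route into control that skips the DMZ."""
    found = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt in sorted(graph.get(node, ())):
            if nxt in path or nxt == avoid:
                continue
            if nxt == target:
                found.append(path + [nxt])
            else:
                stack.append((nxt, path + [nxt]))
    return found


def dmz_bypasses(rules, untrusted=("internet", "vendor_vpn", "corp_it"),
                 dmz="dmz", control="control"):
    """Map each untrusted zone to the DMZ-bypassing routes it has into control."""
    graph = adjacency(rules)
    result = {}
    for zone in untrusted:
        paths = paths_to(graph, zone, control, avoid=dmz)
        if paths:
            result[zone] = paths
    return result


def direct_rules(rules, control="control", dmz="dmz"):
    """Allow rules into the control zone whose source is not the DMZ.
    These are the rule-level fixes: re-home each one behind the jump host."""
    return [r for r in rules
            if r.action == "allow" and r.dst_zone == control and r.src_zone != dmz]


if __name__ == "__main__":
    for zone, paths in dmz_bypasses(RULES).items():
        for path in paths:
            print("DMZ bypass:", " -> ".join(path))
    for r in direct_rules(RULES):
        print(f"Remove or re-home: {r.src_zone} -> {r.dst_zone}:{r.dport} ({r.comment})")
```

Removing the two rules that `direct_rules` reports leaves only routes that pass through the DMZ, which is the state CISA's recommendation describes.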
Restrict tools and scripts
Some IT departments start removing tools and scripts left and right in panic. “But the tools and scripts are there for a reason, and there are legitimate uses, and I don’t recommend just getting rid of them,” Merkley advises.
CISA’s bulletin agrees with Merkley’s assessment, recommending that instead of removing them altogether, MSPs should “carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat.”
Conduct regular security audits
According to Merkley, many companies become overconfident in a brand name because they skip basic vendor vetting.
“Just because a brand has a great reputation doesn’t mean you shouldn’t scrutinize it to ensure best practices are followed,” Merkley says, adding, “That should be step one of a security audit.”
CISA also advises reviewing software patching procedures, confirming that cold copies are stored, and verifying the removal of all non-critical software services and tools. Activity logs should be regularly scrutinized as well.
“Sometimes – in fact, often – a security threat is hiding in plain sight, and if a security log had just been monitored more closely, a threat could have been caught,” says Merkley.
And when it comes to industrial clients, the result of not doing so could be disastrous.
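What “monitoring a security log more closely” looks like in practice is a set of checks run over the log on a schedule rather than a person scrolling through it. The following is an added example, not code from the article or from CISA: it reviews sshd-style authentication lines from a hypothetical OT jump host (the log lines, account names, IP addresses, maintenance window and policy are all constructed for the example) and reports vendor logins outside the maintenance window, vendor logins from an address other than the vendor’s registered one, vendor password logins where keys are required, and bursts of failed logins from one source.

```python
"""Added example: scheduled review of jump-host authentication logs.
Log lines, accounts, addresses and the policy are constructed for the
example; the line format is the one sshd writes to syslog."""
import re
from collections import Counter

# Constructed sshd-style lines from a hypothetical OT jump host.
LOG_LINES = """\
Sep 23 09:12:41 ot-jump sshd[1811]: Accepted publickey for vendor-acme from 203.0.113.10 port 50110 ssh2
Sep 23 09:40:02 ot-jump sshd[1840]: Accepted publickey for svc-historian from 10.20.0.15 port 41200 ssh2
Sep 23 22:05:17 ot-jump sshd[2102]: Accepted publickey for vendor-acme from 203.0.113.10 port 51122 ssh2
Sep 23 23:31:09 ot-jump sshd[2131]: Accepted password for vendor-acme from 198.51.100.7 port 40022 ssh2
Sep 24 01:02:13 ot-jump sshd[2206]: Failed password for root from 198.51.100.7 port 40031 ssh2
Sep 24 01:02:15 ot-jump sshd[2206]: Failed password for root from 198.51.100.7 port 40031 ssh2
Sep 24 01:02:18 ot-jump sshd[2206]: Failed password for root from 198.51.100.7 port 40031 ssh2
Sep 24 01:02:21 ot-jump sshd[2206]: Failed password for admin from 198.51.100.7 port 40031 ssh2
Sep 24 07:55:30 ot-jump sshd[2290]: Failed password for vendor-acme from 203.0.113.10 port 50220 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed policy: vendor accounts log in only during the maintenance
# window, only from the vendor's registered VPN address, and only with keys.
MAINT_WINDOW = (8, 18)            # 08:00 <= hour < 18:00, jump-host local time
VENDOR_PREFIX = "vendor-"
VENDOR_ALLOWED_IPS = {"vendor-acme": {"203.0.113.10"}}
FAIL_THRESHOLD = 3                # failed logins from one source before alerting


def parse(lines):
    """Parse the lines that match the sshd auth format; ignore the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hh"])
            events.append(e)
    return events


def review(lines):
    """Return (check, user, ip, detail) tuples, in the order the checks fire."""
    findings = []
    fails = Counter()
    for e in parse(lines):
        user, ip, when = e["user"], e["ip"], f"{e['hh']}:{e['mm']}"
        if e["result"] == "Failed":
            fails[ip] += 1
            continue
        if user.startswith(VENDOR_PREFIX):
            if not (MAINT_WINDOW[0] <= e["hour"] < MAINT_WINDOW[1]):
                findings.append(("vendor-login-outside-window", user, ip, when))
            if ip not in VENDOR_ALLOWED_IPS.get(user, set()):
                findings.append(("vendor-login-unexpected-source", user, ip, when))
            if e["method"] == "password":
                findings.append(("vendor-password-login", user, ip, when))
    for ip, n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("failed-login-burst", "*", ip, f"{n} failures"))
    return findings


if __name__ == "__main__":
    for check, user, ip, detail in review(LOG_LINES):
        print(f"{check:32} user={user:14} ip={ip:14} {detail}")
```

On the constructed lines the 09:12 key login is clean; the 22:05 login is flagged only for being outside the window, while the 23:31 password login from an unregistered address trips three checks at once, which is the kind of “hiding in plain sight” event Merkley describes. The failed-login burst is reported separately from the accepted logins so that a brute-force attempt shows up even when it never succeeds.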