December 13, 2019 | Posted in Blue Teams by Michael Polise
In many organizations, some of the most critical IT assets consist of specialized equipment which resides on a manufacturing floor or within research and development labs, industrial control systems, or medical devices. These devices have a direct impact on organizational revenue; however, they present significant risks due to their unique profile, attack surface, and location within the environment.
This blog post will discuss several challenges that organizations face when it comes to securing specialized devices in their environment, along with several practices that can be employed to extend visibility into the threats affecting such devices and to reduce their attack surface.
Challenge #1 – Agents and Patching
Equipment on a production floor, in an R&D lab, or on an industrial control network often runs specialized software which may or may not rely upon an outdated operating system. Additionally, these devices generally do not support the installation of security patches or endpoint agents, e.g. software distribution, anti-malware, and EDR. In some cases, they run firmware alone and there is little that can be done to improve endpoint security through traditional means. Where a device relies upon a Windows operating system, it is likely XP or an embedded version of Windows.
Challenge #2 – Vulnerability Identification and Attack Surface Analysis
Performing regular vulnerability scans against these devices would be ideal; however, they are often very fragile and weren’t designed with security in mind. If you have these devices within your environment and have ever tried to perform a vulnerability scan, or even a simple port scan, you likely knocked over a device or two – meaning systems became unresponsive as a result of being scanned. In the absence of vulnerability scanning, it is difficult to assess the attack surface.
Challenge #3 – Connectivity to the Corporate Network and Internet
Often these devices require access to core services such as Active Directory, DNS, DHCP, and possibly file or application servers to enable integrations and reporting. If these services are not co-located on the same network, such as the local network at an R&D lab or manufacturing site, these devices communicate directly with the corporate network. Without proper network segmentation, this increases the exposure level not only for corporate assets, but also for ICS and IoT devices, because they are not insulated from threats on the corporate network. Assets may also be accessible to or from the Internet if third-party access is required for support or if an application requires connectivity to a cloud service.
Questions to Ask in Order to Begin Assessing Risk
When assessing these devices within your environment for the first time, below are several questions to help identify potential security risks.
- What operating system does the device utilize?
- What applications are installed on the devices, if any?
- Does the vendor allow installation of security tools?
- Can the vendor produce a list of required ports, services, and hardening procedures?
- What is the vendor’s process for testing and authorizing the use of security patches?
- Will the vendor provide vulnerability notifications?
- How are the devices accessed?
- Is third-party connectivity required?
- How is authentication managed?
- What level of connectivity is required to Internet and intranet resources?
Given the absence of traditional endpoint agents for AV, patch management, and EDR, it’s critical to address that gap by implementing a platform that provides visibility into device behavior: baselining normal activity, identifying anomalous behavior, detecting rogue assets connected to the network, and identifying vulnerabilities through asset profiling. This can be accomplished by leveraging products from companies such as Armis, Zingbox, Claroty, and Dragos.
These products close the blind spot on IoT and ICS devices in your environment by passively monitoring network traffic to identify potential threats, profiling assets to provide insight into the types of devices and operating systems in use, and detecting when an unauthorized device is connected to the network. Security events from these products can be forwarded to your SIEM to provide centralized alerting for incident response. Depending on the maturity of your organization, you could also integrate these products with Palo Alto, Cisco, and other firewall products to automatically block potentially malicious traffic.
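The passive approach described above (learn a baseline from observed traffic, then flag new devices and unexpected flows without ever touching the fragile endpoints) can be illustrated with a small script. This is an added example, not code from the post or from any of the vendors named; the one-line-per-flow log format, the addresses, the MAC addresses, and the site network ranges are constructed for the demo, and in practice the records would come from a SPAN port, TAP, or NetFlow export.

```python
"""Passive baseline, anomaly and rogue-asset detection over flow records.

Added illustration (not the page's or any product's code). The flow-log
format is an assumption: "timestamp src_mac src_ip dst_ip dst_port proto".
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed learning-period traffic: what "normal" looks like on an ICS VLAN
# (two PLCs at 10.50.1.10/.11, an HMI/historian at 10.50.1.50, corporate DNS and
# file server in 10.10.0.0/24).
BASELINE_LOG = """\
2019-12-01T08:00:01 00:1d:9c:aa:00:01 10.50.1.10 10.50.1.50 502 tcp
2019-12-01T08:00:05 00:1d:9c:aa:00:02 10.50.1.11 10.50.1.50 502 tcp
2019-12-01T08:00:09 00:1d:9c:aa:00:01 10.50.1.10 10.10.0.5 53 udp
2019-12-01T08:01:00 00:50:56:bb:00:10 10.50.1.50 10.10.0.20 445 tcp
2019-12-01T08:01:30 00:50:56:bb:00:10 10.50.1.50 10.10.0.5 53 udp
"""

# Constructed later traffic: one normal flow, an unknown device, an outbound
# connection to an address outside the site, and RDP to a PLC.
LIVE_LOG = """\
2019-12-02T09:00:01 00:1d:9c:aa:00:01 10.50.1.10 10.50.1.50 502 tcp
2019-12-02T09:00:02 f4:5c:89:cc:00:99 10.50.1.77 10.50.1.10 502 tcp
2019-12-02T09:00:03 00:1d:9c:aa:00:02 10.50.1.11 203.0.113.9 443 tcp
2019-12-02T09:00:04 00:50:56:bb:00:10 10.50.1.50 10.50.1.10 3389 tcp
"""

# Address ranges that belong to the site (assumption for the demo).
SITE_NETWORKS = [ipaddress.ip_network("10.50.1.0/24"), ipaddress.ip_network("10.10.0.0/24")]

# Well-known ports used to give each asset a coarse service profile.
SERVICE_HINTS = {502: "modbus-tcp", 44818: "ethernet/ip", 102: "s7comm",
                 3389: "rdp", 445: "smb", 53: "dns", 443: "https"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    ts, mac, src, dst, port, proto = line.split()
    return Flow(ts, mac.lower(), src, dst, int(port), proto.lower())


def service_label(port: int, proto: str) -> str:
    return SERVICE_HINTS.get(port, f"{proto}/{port}")


@dataclass
class Baseline:
    known_macs: dict = field(default_factory=dict)            # mac -> first IP seen with it
    allowed: set = field(default_factory=set)                 # (src_ip, dst_ip, dst_port, proto)
    profiles: dict = field(default_factory=lambda: defaultdict(set))  # dst_ip -> services it answers on


def learn(lines) -> Baseline:
    """Build the inventory, the set of normal flows and per-asset service profiles."""
    b = Baseline()
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        b.known_macs.setdefault(f.src_mac, f.src_ip)
        b.allowed.add((f.src_ip, f.dst_ip, f.dst_port, f.proto))
        b.profiles[f.dst_ip].add(service_label(f.dst_port, f.proto))
    return b


def evaluate(b: Baseline, lines) -> list:
    """Return one finding per flow that deviates from the baseline."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        key = (f.src_ip, f.dst_ip, f.dst_port, f.proto)
        if f.src_mac not in b.known_macs:
            # A MAC never seen in the learning period: a device someone plugged in.
            findings.append({"type": "rogue_asset", "flow": f})
        elif key not in b.allowed:
            # Known device, new conversation: distinguish leaving the site from lateral movement.
            dst = ipaddress.ip_address(f.dst_ip)
            inside = any(dst in net for net in SITE_NETWORKS)
            findings.append({"type": "unexpected_flow" if inside else "external_egress", "flow": f})
    return findings


if __name__ == "__main__":
    baseline = learn(BASELINE_LOG.splitlines())
    for ip, services in sorted(baseline.profiles.items()):
        print(f"{ip:<12} serves {sorted(services)}")
    for finding in evaluate(baseline, LIVE_LOG.splitlines()):
        print(f"{finding['type']:<16} {finding['flow']}")
```

The three findings on the constructed live traffic are the three things the text asks a monitoring platform for: the unknown MAC is a rogue asset, the PLC talking to 203.0.113.9 is egress the baseline never saw, and RDP from the HMI to a PLC is a new flow inside the site. A real deployment would learn over days rather than five lines and would let an operator approve new flows into the baseline rather than alerting on them forever.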
Network segmentation is not a new concept, but it is something few organizations do well, simply because it is a significant undertaking and it is difficult to determine where to start. At its core, network segmentation enables you to separate assets by creating zones throughout the network and restricting traffic flow between them. By restricting traffic flow, you are able to isolate portions of your network and minimize the impact of a potential threat. Traditionally, firewalls and access control lists are used to enforce segmentation by applying strict policies that limit traffic flow.
You might be asking, “If I am already utilizing a firewall to segment IoT and ICS devices located at a manufacturing facility, doesn’t that provide adequate security?” While it provides a layer of security as well as a choke point for blocking network traffic, traditional firewalls are not designed to detect threats targeting IoT or ICS devices. The threat detection capabilities mentioned above provide that capability, and when combined with proper network segmentation they drastically improve your level of resiliency.
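A zone-based, default-deny policy of the kind described above, with the core-service dependencies from Challenge #3 written out explicitly, can be modelled and audited before it is pushed to a firewall. The script below is an added example, not from the post or any vendor; the zone names, address ranges, jump-host range and the exact service list are assumptions chosen for the demo, and it treats traffic within a single zone as permitted because a perimeter firewall does not see it.

```python
"""Zone-based segmentation policy: classify endpoints into zones, permit only
listed services between zones, deny everything else (including any address
outside a known zone, treated as "internet").

Added illustration (not the page's or any product's code). Zones, ranges
and the service list are assumptions for the demo.
"""
import ipaddress

# Constructed zones: ICS floor, corporate core services, corporate users,
# and a small jump-host range used for vendor/support access.
ZONES = {
    "ics_floor":  [ipaddress.ip_network("10.50.1.0/24")],
    "corp_core":  [ipaddress.ip_network("10.10.0.0/24")],
    "corp_users": [ipaddress.ip_network("10.20.0.0/16")],
    "jump_host":  [ipaddress.ip_network("10.10.9.0/28")],
}
INTERNET = "internet"  # anything not inside a defined zone

# Allowed (src_zone, dst_zone) -> {(proto, port)}. Anything not listed is denied.
# The ics_floor -> corp_core entries are the core services the devices need:
# DNS, Kerberos and LDAP for Active Directory, SMB for file servers, NTP.
POLICY = {
    ("ics_floor", "corp_core"): {("udp", 53), ("tcp", 88), ("udp", 88),
                                 ("tcp", 389), ("tcp", 445), ("udp", 123)},
    ("jump_host", "ics_floor"): {("tcp", 3389), ("tcp", 22)},
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses fall through to 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return INTERNET


def verdict(src_ip: str, dst_ip: str, proto: str, port: int):
    """Return (allowed, reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone != INTERNET:
        return True, f"intra-zone {src_zone}"          # not enforced at the zone boundary
    if (proto.lower(), port) in POLICY.get((src_zone, dst_zone), set()):
        return True, f"{src_zone}->{dst_zone} {proto}/{port} permitted"
    return False, f"{src_zone}->{dst_zone} {proto}/{port} not in policy"


def audit(flows):
    """Evaluate observed flows and return the ones the policy would block."""
    denied = []
    for src_ip, dst_ip, proto, port in flows:
        allowed, reason = verdict(src_ip, dst_ip, proto, port)
        if not allowed:
            denied.append(((src_ip, dst_ip, proto, port), reason))
    return denied


# Constructed flows: the first, second and fourth should pass; the rest should not.
SAMPLE_FLOWS = [
    ("10.50.1.10", "10.10.0.5", "udp", 53),      # PLC resolving a name
    ("10.50.1.10", "10.50.1.50", "tcp", 502),    # Modbus to the HMI, same zone
    ("10.20.4.8", "10.50.1.10", "tcp", 3389),    # user workstation straight to a PLC
    ("10.10.9.3", "10.50.1.10", "tcp", 3389),    # support via the jump host
    ("10.50.1.11", "203.0.113.9", "tcp", 443),   # PLC reaching outside the site
    ("10.50.1.10", "10.10.0.20", "tcp", 3389),   # PLC to a corporate server on RDP
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, "-", reason)
```

Running the audit against a capture or a NetFlow export before enforcing the policy shows which existing conversations the firewall would break, which is exactly the "where do I start" problem the text raises: every denied line is either a flow to add to the policy with the site's agreement or one to treat as a finding.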
The third aspect to consider is vulnerability management. Most of the devices in question cannot be patched on a regular basis, if at all, due to device manufacturer restrictions. Maintaining an inventory of critical IoT and ICS devices, as well as the software they run, is necessary to enable vulnerability assessments and subsequent remediation or mitigation efforts. Threat detection products can also facilitate the collection of this data for population in a CMDB. The key takeaway with respect to vulnerability management for ICS and IoT devices is to not reinvent the wheel: integrate the assets into existing processes and build relationships with the appropriate site personnel to ensure proper handoffs for mitigation activities.