NTT Security On OT Security


Thought Leadership

Securing Operational Technology:
How vulnerable is our national critical infrastructure?

On any given day, the chances are that if you work in a utility, oil and gas, manufacturing or alternative energy organization, you have had to fend off a cyber attack. Activist groups, individual troublemakers, criminal organizations and rogue states are targeting Operational Technology (OT) and our national critical infrastructure daily, in an attempt to disrupt services and cause havoc.

Cyber crime forces companies of all sizes in almost every sector to take stock; but for those organizations that make up our critical infrastructure, the threat of a cyber attack has serious repercussions that reach far beyond the disruption to the individual business. We all depend on the reliable functioning of our critical infrastructure – and to some degree, we take it for granted that it will always be there for us.

Well-publicized attacks (and those never made public at all) tell us, however, that this isn't always the case. So what can we do to better protect ourselves against the threat of a serious breach?

Connected ICS and SCADA systems are more vulnerable to attack

In many organizations, much of the critical infrastructure technology environment predates the internet, when managing Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition systems (SCADA) was easier than it is today. Years ago systems were largely proprietary and isolated, and operations managers worked on-site. There was no need to connect them to the corporate network or internet – and the internet was not what it is today. Management of the systems rarely fell under IT control.

The UK National Security Council has identified cyber attacks as a ‘tier one’ risk to national security, alongside terrorism and major international conflict.
Financial Times, October 2014

But these systems are increasingly connecting to the internet in an attempt to streamline business, improve communication in the supply chain and find new intelligence from the latest technology trends such as big data and the internet of things (IoT). Added to this, there’s a growing desire for engineers to connect to these control systems remotely. Thirty or so years ago, physical threats were the biggest concern – now it’s more likely to be a cyber attack that poses the greatest threat. But often the complexity of these networks means that operations managers are reluctant to relinquish control over their OT, and IT departments are unwilling to take responsibility for what they see as uncontrolled environments with archaic hardware.

New connections inevitably mean new threats

Global research from Ponemon shows that nearly 70 percent of critical infrastructure managers reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months. In addition, 78 percent said a successful attack on their organization’s ICS or SCADA systems is at least ‘somewhat likely’ within the next 24 months. Yet only one in six respondents described their organization’s IT security program or activities as ‘mature.’

Industry under attack

• In June 2017, the Petya ransomware attack hit airlines, hospitals, banks and utilities around the world, causing them to shut down their computer systems
• Three months earlier, the global WannaCry ransomware attack closed parts of the UK’s National Health Service, causing it to run some services on an emergency-only basis
• In October 2016, the Mirai malware created botnets on IoT devices to launch a massive distributed denial-of-service attack that disrupted all US internet traffic
• In 2015, a new malware type called BlackEnergy was discovered in US industrial control systems that operate critical infrastructure. It had capabilities for both espionage and sabotage.

www.nttsecurity.com Copyright© NTT Security 2018


Recent years have seen some well-publicized SCADA attacks – such as Stuxnet, which disrupted Iran’s uranium facility in 2010 – yet security is still not a priority for many organizations that form our global critical infrastructure. Only 28 percent of people that took part in the Ponemon survey said that security was ranked as a top five strategic priority for their organization – and yet minimizing downtime was a top priority for the majority of respondents. In other words, minimizing downtime is a priority, but not enough is being done to reduce risk.

It’s becoming increasingly easy for would-be hackers to see and infiltrate connected systems. In 2012, researchers at a Chicago-based cybersecurity company set out to measure how many ICS are openly exposed to the internet. They closed the count at 2.2 million unique IP addresses linked to ICS at energy-related sites. Using the publicly-accessible search engine Shodan, they built search queries using the names of 182 SCADA suppliers and their leading products, and many devices revealed not only their presence, but also hardware and firmware metadata that could help a hacker pinpoint documented security flaws. Search engines are capable of revealing public interfaces to huge numbers of systems – the most worrying of which are the web-facing controls for critical infrastructure, such as power plants, transport networks and security services.

“We have seen a number of attacks to critical industries in areas like the Middle East and the US and these had a major impact on operations.”
Michael Chertoff, former head of US Dept. of Homeland Security

“Companies of our size unfortunately experience cyber attacks nearly every day.”
Patricia Wexler, JPMorgan spokesperson

What does the research say?

• Almost 70 percent of critical infrastructure managers reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months [1]
• 78 percent of critical infrastructure managers said a successful attack on their organization’s ICS or SCADA systems is at least somewhat likely within the next 24 months [2]
• Cyber risk is the world’s number seven risk overall in 2018 [3]
• Just 48 percent of companies claim that all their critical data is securely stored [4]
• 55 percent of global organizations across all sectors believe a data breach is inevitable at some point [5]
• Ransomware attacks jumped in malware detections, up from 1 percent in 2016 to 7 percent in 2017 at a global level [6]
• Globally, only 49 percent of organizations had a formal incident response plan. This is up from 48 percent in 2017 [7]
• It is calculated that USD $3 trillion is the total global impact of cybercrime [8]
• 50 percent of critical infrastructure managers say their IT security activities have not as yet been defined or deployed [9]
• It’s estimated that 1.8 million more cybersecurity professionals will be needed by 2022 [10]

Is enough being done to address evolving threats?

Standards and guidelines for cybersecurity already exist, and in many cases have been in place for years. Yet reported cyber attacks continue to grow, and many of these attacks could have been avoided by the rigid application of security controls. That said, there is a growing awareness globally of the threat of cyber attacks against critical infrastructure and SCADA systems. In the US, the National Institute for Science and Technology (NIST) continues to work hard and the Obama Administration published the Framework for Improving Critical Infrastructure Cybersecurity in February 2014; ANSSI, France’s national agency for computer systems security, recently drafted two working documents on how to protect critical infrastructure; in Germany, the federal interior ministry unveiled draft legislation in August 2014 that would pave the way for the introduction of tough new cybersecurity measures to protect ‘critical infrastructure’; and the UK launched its own sub-group earlier in 2014.

That’s all great news, but these guidelines and frameworks are only that. More encouraging is the development of OT solutions, which supplement IT security to tackle new challenges like IoT. It’s essential that OT concepts become embedded in industry so that organizations can continuously monitor and control their own systems and IT environments, and do everything possible to reduce the risk of cyber attack.

What can we do?
The four pillars of Operational Technology security

The first step in controlling risk is to understand your exposure across all areas of the business and prioritize those deemed critical. Next is to establish your level of capability in four key areas:

1. Detecting anomalies, threats or incidents and knowing how quickly you can respond
2. Controlling and securing the data flow between defined networks
3. Controlling and managing user access to systems, and how systems can access one another
4. Identifying and protecting the growing array of network endpoints, beyond PCs and mobile devices, to include IoT and OT.

As these networks are extremely complex and often use proprietary hardware and protocols, it is vital that assessments are conducted by specialists who fully understand the intricacies of control networks.
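The second pillar, controlling and securing the data flow between defined networks, is in practice enforced as an allowlist of which zone may talk to which zone on which port, with everything else treated as a violation. The script below is an added example for this page, not NTT Security’s code and not part of the original paper: it defines three assumed zones (enterprise, a DMZ for the historian, and the control network), an allowlist of permitted zone-to-zone/port combinations, and a few constructed flow records, and it reports every flow the allowlist does not cover. The zone names, subnets, ports and log lines are all assumptions made for illustration.

```python
"""
Added example (not NTT Security's code): check observed flows against a
zone-to-zone allowlist. Zones, subnets, policy and log lines are constructed.
"""
import ipaddress
from collections import namedtuple

# Assumed zone model (constructed): a Purdue-style split into the enterprise
# network, a DMZ holding the historian, and the control network with PLCs/HMIs.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed (source zone, destination zone, destination port) triples. Anything
# not listed is a violation. 502 = Modbus/TCP, 44818 = EtherNet/IP, 443 = HTTPS.
POLICY = {
    ("enterprise", "dmz", 443),      # users read the historian's web UI
    ("dmz", "control", 502),         # historian polls PLCs over Modbus
    ("dmz", "control", 44818),       # historian polls PLCs over EtherNet/IP
    ("control", "control", 502),     # HMI <-> PLC traffic inside the zone
    ("control", "control", 44818),
}

Flow = namedtuple("Flow", "src dst dport proto")

def zone_of(ip):
    """Return the zone name for an IP, or 'unknown' if it lies in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

def check_flows(lines):
    """Return (flow, reason) for every flow the allowlist does not permit."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comment lines
        flow = parse_flow(line)
        sz, dz = zone_of(flow.src), zone_of(flow.dst)
        if "unknown" in (sz, dz):
            violations.append((flow, f"address outside any defined zone ({sz}->{dz})"))
        elif (sz, dz, flow.dport) not in POLICY:
            violations.append((flow, f"{sz}->{dz} on port {flow.dport} not in allowlist"))
    return violations

# Constructed flow records. The direct enterprise->control Modbus connection and
# the RDP session from an address outside every zone both violate the policy.
SAMPLE_FLOWS = """
# src dst dport proto
10.10.5.23 10.20.0.10 443 tcp
10.20.0.10 192.168.100.11 502 tcp
192.168.100.50 192.168.100.11 502 tcp
10.10.5.23 192.168.100.11 502 tcp
203.0.113.7 192.168.100.11 3389 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

The same check can be run over exported firewall or NetFlow records once the real zone subnets and permitted conduits are filled in; the useful output is the list of conduits that exist but were never defined, which is exactly the gap a segmentation assessment is meant to surface.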

1, 2, 9. Critical Infrastructure: Security Preparedness and Maturity, Ponemon, 2014
3. Lloyds City Risk Index 2018
4, 5, 7. NTT Security Risk:Value 2018 Report
6. NTT Security, 2018 Global Threat Intelligence Report
8. Risk and responsibility in a hyperconnected world: Implications for enterprises, McKinsey, 2014
10. Frost and Sullivan, 2017 Global Information Security Workforce Study



Building the right OT security model for your business

The last thing that any organization wants is to make the headlines following a security breach. The damage to reputation can be enormous, as can the financial costs. It’s not a case of if it will happen, but when, so it is essential that you have a mature, detailed incident response plan, and monitoring systems capable of providing a comprehensive and real-time view of network activity. Timely incident response is imperative following a breach, and many organizations don’t have spare resources waiting to leap into action when an incident happens. It might be worth considering a monitoring and incident response partner to provide the right resources to help you return to business as usual as quickly as possible should a breach occur.

NTT Security responded to many client incidents over the past year. Globally, just 49 percent of organizations had a formal incident response plan in place. This is up from 48 percent in the previous year.
NTT Security Risk:Value 2018 Report

Ten steps to improving your Operational Technology security footing

1. Understand your risk – conduct an annual risk assessment exercise to understand your current risk exposure. Maintain the board’s engagement with cyber risk
2. Engage with a specialist partner with a track record of conducting similar technical risk assessments. Ensure you are getting the best from your existing technology and border defenses. Understand what is on your network and what protocols traverse it
3. Secure configuration – keep hardware and software protection up-to-date – persistence pays off for the cyber criminal. Stay on top of basic protection. Work with suppliers to ensure proprietary systems are maintained. Build an asset register, paying particular attention to end-of-life/unsupported systems
4. Establish a monitoring and detection system – continuously monitor all log data generated by your OT systems in order to baseline ‘normal’ activity. This enables real-time detection of attacks that go against this definition of normal behavior
5. Educate and train your employees – ensure they really know your policies and incident response processes. Systems are still more at risk due to unintentional consequences from various insiders than from malicious outsiders. Take time to educate your engineers on key security controls – engineers have little or no background in security. Make it a priority to teach them the basics
6. Check passwords on connected devices – many connected devices are using weak or factory-set passwords that leave the front door wide open
7. Incident response – establish, produce and routinely test incident management plans to ensure that there is business continuity and to prevent a cascading effect
8. Secure network – manage the network perimeter and filter out unauthorized access
9. Malware protection – establish anti-malware defenses and continuously scan for malware
10. Patching schedules – ensure that SCADA systems are up-to-date with patching schedules and are not using default passwords. Patches may have subtle differences to those provided by Microsoft or Apple, for example.

Do you have the skills in-house?

Understanding risk exposure, preparing an incident response plan and continuously monitoring risk in your organization takes time and expertise. You may not have these skills in-house, or you may have tried and failed to recruit people with the right skills – there’s a growing global skills shortage in this sector that will take years to improve. Many organizations look to outsource these critical functions to reassure themselves that systems are monitored around the clock and experts are on hand to provide essential advice and support when needed.

Conclusion

What’s clear is that critical infrastructure and industrial plant control systems are coming under scrutiny from both attackers and defenders. Much is being done to create frameworks and draft legislation. But this will not be enough unless the industry takes control of the problem and invests in Operational Technology security to reduce the ever-present threats. We will get better at identifying, locating and penalizing the bad guys to deter the majority of attacks. Until that day, business needs to remain vigilant to protect its own assets.
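Step 4 of the ten steps above asks for a baseline of ‘normal’ OT activity against which real-time detection can run, and the first of the four pillars on the previous page makes the same point. The script below is an added example for this page, not NTT Security’s code and not part of the original paper. It learns a baseline from a constructed learning window of Modbus-style log lines (which hosts talk to which devices, with which function codes, and the busiest minute seen per pair) and then flags later events that fall outside it: a host never seen before, a known host reaching a new device, a new function code on a known pair, and a rate burst well above the learned peak. The log format, addresses and function codes are assumptions made for illustration.

```python
"""
Added example (not NTT Security's code): learn a baseline of normal OT traffic
from log lines, then flag later events outside it. All data is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src> <dst> modbus fc=<code>"
# fc=3 is "read holding registers", fc=16 is "write multiple registers".
def parse(line):
    ts, src, dst, proto, fc = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "fc": int(fc.split("=", 1)[1])}

class Baseline:
    """Learned picture of normal: sources, (src, dst) pairs, function codes per
    pair, and the busiest single minute observed per pair."""
    def __init__(self):
        self.sources = set()
        self.pairs = set()
        self.funcs = set()          # (src, dst, fc)
        self.peak_per_min = {}      # (src, dst) -> max events in any one minute

    def learn(self, lines):
        per_min = Counter()
        for e in map(parse, lines):
            key = (e["src"], e["dst"])
            self.sources.add(e["src"])
            self.pairs.add(key)
            self.funcs.add((e["src"], e["dst"], e["fc"]))
            per_min[(key, e["ts"].replace(second=0, microsecond=0))] += 1
        for (key, _), n in per_min.items():
            self.peak_per_min[key] = max(self.peak_per_min.get(key, 0), n)
        return self

    def detect(self, lines, rate_factor=3):
        """Return (line, reason) for each event outside the baseline. A pair
        exceeding rate_factor times its learned per-minute peak is a burst."""
        alerts, per_min = [], Counter()
        for line in lines:
            e = parse(line)
            key = (e["src"], e["dst"])
            if e["src"] not in self.sources:
                alerts.append((line, "unknown source host"))
            elif key not in self.pairs:
                alerts.append((line, "known host talking to a new destination"))
            elif (e["src"], e["dst"], e["fc"]) not in self.funcs:
                alerts.append((line, f"new function code fc={e['fc']} for this pair"))
            minute = (key, e["ts"].replace(second=0, microsecond=0))
            per_min[minute] += 1
            limit = self.peak_per_min.get(key, 0) * rate_factor
            if limit and per_min[minute] == limit + 1:   # alert once per burst
                alerts.append((line, f"rate burst: >{limit} events/min"))
        return alerts

def make_lines(src, dst, fc, start, count, step_s):
    """Constructed log generator: `count` events from `start`, `step_s` s apart."""
    return [f"{(start + timedelta(seconds=i * step_s)).isoformat()} {src} {dst} modbus fc={fc}"
            for i in range(count)]

HMI, PLC, HIST = "192.168.100.50", "192.168.100.11", "10.20.0.10"   # constructed hosts
START = datetime(2018, 3, 1, 8, 0, 0)

# Learning window: HMI polls the PLC every 10 s (6/min), the historian every 30 s,
# and the HMI issues one routine write five minutes in.
LEARNING_WINDOW = (make_lines(HMI, PLC, 3, START, 12, 10)
                   + make_lines(HIST, PLC, 3, START, 4, 30)
                   + make_lines(HMI, PLC, 16, START + timedelta(minutes=5), 1, 0))

# Detection window an hour later: normal polling, then four constructed anomalies.
LATER = START + timedelta(hours=1)
DETECTION_WINDOW = (make_lines(HMI, PLC, 3, LATER, 3, 10)
                    + make_lines("10.10.5.23", PLC, 16, LATER + timedelta(seconds=35), 1, 0)
                    + make_lines(HIST, PLC, 16, LATER + timedelta(seconds=40), 1, 0)
                    + make_lines(HMI, "192.168.100.12", 3, LATER + timedelta(seconds=45), 1, 0)
                    + make_lines(HMI, PLC, 3, LATER + timedelta(minutes=2), 25, 1))

if __name__ == "__main__":
    baseline = Baseline().learn(LEARNING_WINDOW)
    for line, reason in baseline.detect(DETECTION_WINDOW):
        print(f"ALERT {reason}: {line}")
```

The baseline is deliberately an allowlist of observed behaviour rather than a set of attack signatures: in a control network the legitimate traffic is small and repetitive, so the set of who talks to whom, with which function codes, at what rate, is a workable definition of ‘normal’, and the review of each alert is what tells you whether a new writer to a PLC is an engineer doing maintenance or something to investigate.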

Figure 1: Operational Technology solutions from NTT Security help you to reduce the risk of future incidents, as well as minimizing the business impact/cost. The figure shows the incident response process as seven stages:

1. NTT Security network monitoring captures an incident – Customer suffers incident and has no in-house capability
2. NTT Security team deployed – NTT Security deploys a skilled, rapid response team to client site, including incident handlers and technical analysts
3. Incident management capability established – We rapidly establish process structure to handle the incident on the client’s behalf
4. Forensic analysis and incident containment – Our analysts investigate, identify, analyze and contain the cause of the incident
5. Incident resolution – We provide support and guidance to the client to resolve the incident
6. Incident closure and wrap up – We support incident closure and wrap up on-site activities
7. Incident report and road map – Post incident, NTT Security provides a report on the incident, along with a tactical road map of recommendations to reduce risk



Working with NTT Security

You want to be confident that you have the right processes in place to both identify risk and to take immediate action if a breach occurs. Information security and risk management is a continuous process, and many organizations are now outsourcing this vital area to NTT Security, where our teams work around the clock to monitor your security infrastructure, detect threats, and recommend solutions.

Our security experts will work with you to baseline normal network behavior and identify OT security gaps using our proven Risk Insight process. We’ll be with you every step of the way, with our Incident Response team should a breach occur and you require support to get back to business as usual as quickly as possible. For those organizations that prefer to outsource their information security support, we offer Managed Security Services (MSS), where you gain access to our collective global knowledge and systems and our highly experienced people. A combination of these two elements applies a layer of intelligence and context across correlated events to increase visibility, understanding, and the ability to make informed business decisions regarding your risk profile.

For more information on how we can help you to identify security weaknesses and continuously manage your assets, visit www.nttsecurity.com

About NTT Security


NTT Security is the specialized security company and the center of excellence in
security for NTT Group. With embedded security we enable NTT Group companies
to deliver resilient business solutions for clients’ digital transformation needs.
NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts and
handles hundreds of thousands of security incidents annually across six continents.
NTT Security ensures that resources are used effectively by delivering the right mix of
Managed Security Services, Security Consulting Services and Security Technology for
NTT Group companies – making best use of local resources and leveraging our global
capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone
Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to
learn more about NTT Security or visit www.ntt.co.jp/index_e.html to learn more
about NTT Group.
