Industrial controllers are the brains of all industrial control systems. If these critical devices are compromised by cyber-attacks, it can lead to critical operational disruptions and widespread damage. With the devices being connected everywhere, cyberattacks on ICS have risen significantly. In our recent coverage on Top 5 OT Risks and Trends 2022, one of the concerns is the sharp rise in cyber attacks targeting control systems where malicious external actors using new attack vectors seek to compromise the underlying technologies in industrial processes such as critical controllers.
Generally, since these controllers cannot install endpoint agents and lack basic protections and security controls, it’s difficult to defend them against such threats. Even if your organization is not the target you can still suffer collateral damage, as the ICS is shared across industrial sectors. But protecting against external cyber-attacks is not enough, since threats also exist inside your network. Remote workforce, legacy application access protocol, or contractors with direct access to the network may cause significant damage due to human error such as misconfiguring a controller or setting the wrong access policy that can then be targeted by cyber attackers.
Security Configuration Management
Security-focused configuration management is a process used to oversee the configurations of information systems. Monitoring the configuration of information systems helps organizations ensure adequate security measures are in place and cybersecurity risk is reduced to an acceptable level. Systems often come with predefined passwords, pre-installed applications, and default settings.
Cybersecurity Weaknesses Identified in the Field
Based on recent cybersecurity assessments that we have conducted, many organizations allow these poorly configured systems to operate on their network. As a result, some of these organizations were exploited by bad actors because the default settings made it easy for bad actors to gain unauthorized access to an organization’s sensitive data.
Security configuration management can be challenging for organizations with large networks and complex architectures. The organizations that were exploited had a challenge in accurately inventorying and updating records about hardware and software running on their network and creating and maintaining baseline settings for device configurations. In addition, manual processes used by these organizations caused errors and inconsistencies. These organizations should have analyzed changes before they were applied and checked configurations against policies and standards to ensure compliance.
Security configuration management tools could have addressed these challenges by providing several advantages for businesses:
Visibility
You cannot manage what you do not have inventoried. This rule holds true for every organization we work with. Leveraging the visibility offered by a security configuration management tool, an organization can maintain secure configurations enterprise-wide across servers, routers, firewalls, and switches. The ideal tool gives organizations visibility and automatically fixes any misconfigurations.
Compliance
Security configuration management tools provide visibility into organizations’ compliance with their policies. This reduces the time to identify non-compliance and security risks faced by the organization. Without the use of such tools, we generally see organizations struggle to maintain compliance holistically, often chasing their tails as the result of a decentralized approach to compliance.
Automation
Security configuration management tools detect and can be set up to automatically fix misconfigurations. Automating configuration managementallows the organizations we work with to streamline their processes by reducing errors, decreasing the implementation time for changes, and drastically reducing resource expenses.
Every organization needs to ensure they have a secure configuration in place. The right tool can protect an organization against vulnerabilities while reducing the overall security risk faced by the organization.
Configuration Management in Practice
The management of endpoint configurations within an environment is a challenge each organization needs to tackle in a way that’s suitable for their business. Organizations must assess the security risk by allowing certain configurations and have a configuration policy that reduces risk to a reasonable level. Based on the organizations we work with, consistent hallmarks of a mature information security program will include the following key components.
Configuration management policies, standards, and procedures developed internally
Configuration management tools
Monitoring of compliance with configuration policy
Using a configuration management tool
We have noted the following best practices at organizations that have adequately implemented a configuration management tool:
Visibility into every asset running on the network and ensuring everything running on the network meets the minimum security requirements as defined by the organization’s policies and procedures
Only authorized software is running on the network
Software running on the network is patched in a timely manner
Real-time revocation on network and application access entitlement
For remote endpoints, Airgap’s integration with CrowdStrike Falcon Zero Trust Assessment (ZTA) leverages a Zero Trust isolation platform. CrowdStrike Falcon ZTA monitors over 120 unique endpoint configurations — including sensor health, applied CrowdStrike policies, and native operating system security settings — to deliver a risk score that uniquely leverages this context to build powerful and granular security policies.
About Airgap Networks
Security experts know that network segmentation is the best defense against evolving cyber threats. However, available segmentation solutions require either installed agents upgrades to networking hardware with proprietary implementations. Airgap is the only vendor that offers agentless network segmentation and autonomous policy controls through a patented and innovative approach that enables isolation at every layer and down to every device. All this means malware is immediately blocked from traversing the network, even within the same VLAN or same subnet.
Additionally, a typical organization takes hours or days to detect and respond to ransomware attacks. Panicked, they often resort to draconian measures such as shutting down the entire network during a cyber event, resulting in severe operational disruption. Airgap has built a specialized Ransomware Kill Switchthat surgically stops ransomware propagation with minimal operational impact.
Finally, enterprises often enable direct access to high-value assets over vulnerable protocols such as Windows RDP. Airgap’s identity-based access control provides strong zero trust safeguards as an additional layer of protection.
Airgap’s patented solution is custom-designed to reduce the enterprise attack surface and protect high-value assets in manufacturing, healthcare, retail, and critical infrastructure verticals where a compromised core operational system can bring down mission-critical processes. Airgap Security Platform is the easiest to implement and manage and it is currently deployed across many large multinational customers.
Contact Airgap at [email protected] and test drive modern agentless segmentation with zero trust.