As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.
One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.
Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.
Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.
This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.
So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.