In keeping with this week’s NCSAM theme of internet-connected devices (in healthcare), we decided to jump way ahead in our ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM) series to #14 (Address All Smart Devices) and #13 (Secure the Supply Chain) from WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities guide.
In our NCSAM Week 3 post we discussed how internet-connected devices improve organizational efficiency, so we won’t belabor that point. Suffice it to say that when these unsecured devices are connected to our networks, they create holes (often to the internet) that may not have previously existed. Adversaries are exploiting weaknesses in internet-connected (smart) devices to gain access to industrial control systems that support critical infrastructure. Indeed, smart devices could present even greater risk to an organization than traditional computing devices if they are not securely configured and carefully managed. It is vital that all smart devices are included in the organizational risk management strategy – from asset inventory, supply chain, and vulnerability management, to monitoring, policies and procedures, and everything in between. Furthermore, given the use of smart devices by employees to perform their jobs – especially this year – it is imperative that the safe and secure operation of these devices be included in training and awareness curricula.
While all internet-connected devices need to be addressed, the industrial internet of things (IIoT) is of particular concern to utilities. IIoT brings convenience and efficiency to water/wastewater management, but IIoT is the antithesis of the air-gapped industrial deployments that many utilities strive to maintain. Therefore, IIoT security cannot be ignored; organizations simply cannot afford to deploy IIoT now and secure it later, if at all. The cybersecurity risks and challenges brought about by IIoT must be addressed in the initial planning phases, including selecting devices from manufacturers that prioritize security. Additionally, all smart device product and service providers must be assessed through the supply chain risk management program. Several frameworks and methodologies exist that can be used to drive IIoT security, including the NIST Cybersecurity Framework (CSF), the NIST 800 series, IEEE, NIST Cyber-Physical Systems (CPS), NERC CIP, and ENISA.
From component vulnerabilities to financial transactions, the supply chain/vendor relationship is also a common threat vector for cyber attacks and must be intentionally managed through security and vulnerability testing and risk assessments. Vendors, contractors, consultants, integrators, and manufacturers constitute vital parts of the supply chain. These relationships must be assessed and better managed for the risks they pose to the overall risk profile of an organization. Once again, employee awareness cannot be overstated in helping curb threats from third parties. Attackers are quick to exploit the trust built between a company and its vendors. Internal staff must be empowered to be extra vigilant and not blindly trust requests that appear to come from a trusted partner. Staff who manage vendor relationships, especially the financial aspects, should be immersed in advanced training on threat actor tactics.
A recent post by the Arcweb Advisory Group, Take Control of Your ICS, IIoT, and IoT Software Supply Chain Security Risks, discusses the challenges surrounding these two topics.