Even as cybersecurity breaches involving third-party access remain among the most common ways attacks succeed, the need for such access continues to grow within operational technology (OT) and industrial control systems (ICS) environments.
There are many reasons for this, including companies with OT/ICS environments increasingly relying on device-maker support, external contractors, and other service providers for their expertise. They often provide remote access for these providers. Digital transformation efforts are also under way to accelerate the convergence of IT and OT networks and the adoption of cloud and industrial (and medical) Internet of things (IoT) devices.
"Third parties are heavily involved due to the evolving demands of OT and the increasing output of operational data to enhance business efficiencies," explains Chris Warner, senior security consultant at GuidePoint Security. "The increasing connectivity of OT to IT networks for remote operations introduces vulnerabilities typically associated with IT environments. However, integrating third-party vendors in OT environments is not straightforward," Warner adds.
Tom Pace, CEO at NetRise, fundamentally agrees and notes that the stakes are also high. "Third-party risks in OT/ICS environments differ significantly from IT environments due to the nature of their operations and the criticality of their systems. The systems within OT/ICS environments control cyber-physical processes in industries such as energy, manufacturing, and utilities, where downtime can have severe safety and economic consequences for the asset operators."
The risks created by growing third-party access are considerable. The experts we spoke with cited the following five as the most pressing:
Attacks on the hardware and software supply chain: Enterprises with OT/ICS increasingly depend on third-party hardware and software, increasing the attack surface with the risk of malware or vulnerabilities creeping into the OT/ICS environment. "OT's reliance on proprietary technologies from a limited range of vendors heightens risks, as any single vendor's vulnerability can impact the entire system," Warner warns.
Third-party security failings: The security practices of third-party providers are something organizations can monitor but can't control. If third-party providers have weak authentication, exposure management, or monitoring and response practices, their weaknesses can become the weaknesses of every organization that connects to their systems.
Vulnerabilities within legacy systems: Many OT/ICS environments rely on devices that may be decades old and contain known vulnerabilities that are difficult to patch, if a patch is available at all. "Most of these systems are based on legacy designs, which means they never had to worry about cybersecurity, and the cost of retrofitting security functionality is prohibitively expensive. In some cases, like many lower-level embedded systems, it would be impossible without a complete redesign and reimplementation," says Michael Hasse, cybersecurity and technology consultant.
Lack of visibility: Because OT/ICS environments are growing rapidly, are hard to access, and may contain numerous proprietary protocols, visibility into the technology stack is difficult to achieve. The result is that it's very easy to lose track of what third parties can access. "OT/ICS systems are built using various third-party firmware and software components. Unfortunately, unlike in IT environments, visibility into these systems and how they communicate is often something many OT/ICS asset operators just don't have a good handle on at the moment," says Pace.
Third-party attacks: When threat actors breach a third party, the compromised organization may not be the ultimate target; the ultimate target may be an organization to which it is connected. Once any organization in the chain is compromised, attackers can use that foothold to reach connected organizations and gain access to their OT/ICS systems.
To mitigate these risks, experts advise operators to focus on improving operations in the following areas:
Attain comprehensive, deep visibility into assets in the OT/ICS environment. Pace says increasing visibility is critical. "Technologies like device identification, network security monitoring, and asset management tools are necessary to understand where devices are, what they are, and what they are doing from a network perspective," he says.
"A key artifact is a software bill of materials (SBOM). This allows visibility into what exists on devices, so if a component is compromised or a new vulnerability emerges, you can rapidly determine if it is impacted. If one of these OT/ICS components is compromised or a new vulnerability for one comes out, OT/ICS teams can rapidly respond and determine if they are affected," says Pace.
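As an added illustration of how the SBOM is used in the way Pace describes (example code, not from the article or any product of the quoted experts): a small Python check that takes a newly published advisory and reports which devices carry an affected component version. The device names, SBOM fragments and advisory are constructed for the example.

```python
import json

# Constructed SBOM fragments, one per device, in a CycloneDX-like shape.
# Only the fields this example uses are present; these are not full SBOMs.
DEVICE_SBOMS = {
    "plc-line1": json.dumps({"components": [
        {"name": "rtos-net-stack", "version": "2.3.1"},
        {"name": "modbus-lib", "version": "1.4.0"}]}),
    "hmi-line1": json.dumps({"components": [
        {"name": "rtos-net-stack", "version": "2.5.0"},
        {"name": "web-ui", "version": "4.1.2"}]}),
    "gateway-1": json.dumps({"components": [
        {"name": "modbus-lib", "version": "1.2.9"}]}),
}

# Constructed advisory (placeholder, not a real one): the affected component
# and the first version in which the issue is fixed.
ADVISORY = {"component": "rtos-net-stack", "fixed_in": "2.4.0"}


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def affected_devices(sboms, advisory):
    """Return (device, version) pairs whose SBOM lists the affected component
    at a version older than the fixed release."""
    hits = []
    fixed = parse_version(advisory["fixed_in"])
    for device, sbom_json in sboms.items():
        sbom = json.loads(sbom_json)
        for component in sbom.get("components", []):
            if component["name"] != advisory["component"]:
                continue
            if parse_version(component["version"]) < fixed:
                hits.append((device, component["version"]))
    return hits


if __name__ == "__main__":
    for device, version in affected_devices(DEVICE_SBOMS, ADVISORY):
        print(f"{device}: {ADVISORY['component']} {version} is affected")
```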
Limit access rights. Implement strict access management controls to ensure that third-party access is minimal and permissions are limited to only what is required. Consider providing temporary access rather than persistent and broad access privileges. Also, closely monitor and log all external activities for auditing and, if necessary, investigations. "Implementing and enforcing robust access controls, including strong multi-factor authentication and role-based access control for all third-party access points, can significantly mitigate security risks," says Matthew Corwin, managing director at Guidepost Solutions.
Segment networks. Logically divide and separate the OT/ICS network environment into distinct microsegments. Such segments can be based on asset communication patterns and operational requirements. Strictly define security policies to control communications between segments of the network. "Isolation is still the primary answer; keep the third-party access as narrow as possible and keep the systems they access as disconnected as possible from everything else," says Hasse. "If a system is completely isolated or has very restricted access to other (necessary) systems, then any attempts to reach unrelated resources such as adjacent IPs, Internet, name resolution requests, [and similar] should trigger alerts immediately as they are quite likely to be signs of compromise," Hasse adds.
Baseline normal activity. To mitigate the damage of attacks from compromised third parties, organizations must monitor networks and systems to establish an accurate model of authentic communications and device behaviors during typical operations. Later, when system activity deviates from this baseline, it can be investigated or stopped if necessary.
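As an added example covering both the segmentation advice above and the baselining step (example code, not from the article or any of the quoted experts' products): a Python checker that learns a vendor jump host's normal flows during a learning window, then flags the kinds of deviations Hasse describes, such as reaches toward adjacent IPs, name resolution, or the Internet. The network ranges, allowed peers and flow records are all constructed.

```python
import ipaddress

# Assumed segment policy: the vendor jump host may reach only these two OT
# assets. Anything else inside the plant network is out of policy.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
ALLOWED_PEERS = {"10.50.1.20", "10.50.1.21"}

# Constructed flow records (src, dst, dst_port, proto), standing in for
# firewall or network-monitoring sensor output.
LEARNING_FLOWS = [
    ("10.50.1.10", "10.50.1.20", 502, "tcp"),   # jump host -> PLC, Modbus/TCP
    ("10.50.1.10", "10.50.1.21", 502, "tcp"),
    ("10.50.1.10", "10.50.1.20", 502, "tcp"),
]
LIVE_FLOWS = [
    ("10.50.1.10", "10.50.1.20", 502, "tcp"),   # normal Modbus session
    ("10.50.1.10", "10.50.1.20", 22, "tcp"),    # known asset, never-seen service
    ("10.50.1.10", "10.50.1.22", 502, "tcp"),   # adjacent IP outside policy
    ("10.50.1.10", "10.50.0.5", 53, "udp"),     # name resolution from isolated host
    ("10.50.1.10", "203.0.113.9", 443, "tcp"),  # reach toward the Internet
]


def build_baseline(flows):
    """Distinct (src, dst, port, proto) tuples seen during the learning window."""
    return set(flows)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(flow, baseline):
    """Label one flow; anything other than 'expected' is an alert candidate."""
    _src, dst, port, _proto = flow
    if flow in baseline:
        return "expected"
    if not is_internal(dst):
        return "external-reach"
    if port == 53:
        return "name-resolution"
    if dst not in ALLOWED_PEERS:
        return "out-of-segment-policy"
    return "baseline-deviation"  # allowed peer, but a service never baselined


def detect(live_flows, learning_flows):
    """Return (flow, label) pairs for every live flow that deviates from baseline."""
    baseline = build_baseline(learning_flows)
    alerts = []
    for flow in live_flows:
        label = classify(flow, baseline)
        if label != "expected":
            alerts.append((flow, label))
    return alerts
```

In a real deployment the learning window must itself be reviewed before being trusted, since a baseline captured while a third party is already misbehaving would whitelist that behaviour.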
Go beyond monitoring for threats and new vulnerabilities. Monitoring is not enough. Within the internal environment, organizations must be able to respond to malware and threat actors. "The assumption should be that OT/ICS systems will be breached at some point, and the internal systems architecture should be designed to foster early detection and mitigate impact as much as possible," says Hasse.
Coordinate operational response. When incidents, including breaches, involve a compromised third party, the response needs to be coordinated with the partner. Success here requires coordination among security, IT, and operations teams and the partner's incident response teams to help contain the damage from the breach and recover any affected systems to their normal state.
"Organizations should operate day to day with their clients to ensure that third-party vendors are involved in operations, tabletop exercises with proper service level agreements in place, as well as any other regulatory or legal entity requirement in their area of operations," advises Warner.
Security breaches involving third parties will undoubtedly remain a challenge for some time. However, that doesn't mean the risk must remain unacceptably high. Increasing visibility, controlling access, segmenting environments, and partnering with third parties on incident response can go a long way toward reaping the benefits of third-party access while keeping the risk low.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.