In order to better protect Industrial Control Systems from cyber attacks, companies should take heed from the wise words of successful military tacticians and the lessons learned from some of the greatest failures in military defence, says Tim Ricketts, Director of M.A.C. Solutions.
In 2016, NATO officially recognised cyberspace as a warfare domain, an important change that has led many cyber security companies to liken their strategies for preparation and defence to Sun Tzu’s philosophies shared in The Art of War. While it is important to take heed from the wise words of a successful military tactician and philosopher, it is paramount that we also look to history for some of the greatest failures in defence, so that we may learn from these too.
This article looks at a historical defence failure that mirrors that of many security breaches in the cyber realm, where a persistent threat will take full advantage of an opportunistic weakness in the defender’s wall. This historical event took place in Istanbul (then known as Constantinople) in the year 1453, fought by the defending Roman Byzantine rulers and the advancing Ottoman Empire. The Roman rulers erected a series of defence structures that featured large, high walls and secured entrances, spanning the city and protecting it from conquest.
Legend has it that one of the main gates to the city had been left open by an outbound raiding force. This open gate was quickly discovered by a small group of Ottoman forces, who realised that they could get inside and raise their banner. The raising of the banner caused panic among the defending forces, who retreated and lost vital ground within the city walls. The Ottoman forces that followed eventually overwhelmed the city’s internal defences and, as history tells, the battle was lost for the Byzantines and the Roman Empire in the East.
With the history lecture now out of the way, it is important to pick out the key points presented in this story and take these as golden nuggets:
- Your organisation’s defences may be strong, but will always need entry points
- Ensure that access to entry points is well reviewed, logged and audited
- Plan for the worst; be as proactive in your internal defences as your external ones
“These lessons learnt are great,” you may be thinking. “But how do they apply to my Industrial Control System?”
Let’s start with the first one: you may not have a wall, but you do have a moat, in the form of an air gap. This keeps your operational network seemingly safe from the outside world, with the ‘jump’ being too great for a conventional attack. No network, however, is truly isolated from the outside world, just as no city is ever truly isolated by a moat; there needs to be a way in to allow for updates and to access equipment remotely, and that always leaves room for mistakes to be made.
Regular maintenance tasks, such as removing outdated pieces of equipment, can also be likened to our story. Think of it like this: you have your very own Wall of Constantinople in the form of your firewall, and you have gates through that wall in the form of ports. When an engineer removes that piece of equipment but doesn’t close the port, you now have an open gate, one that has become an exploitable attack vector. Products such as Cyber-X can detect these open ports, quickly allowing engineers to close these gates to your operational network.
You will almost certainly understand where your entry points are, but you should also be aware of when, how and why people access them. An early warning sign of a breach on your network is sporadic and unauthorised access to systems. Detecting such access early could help you close gaps or even prevent major incidents; and if you notice that an entry point is infrequently used or is now surplus to requirements, then you should consider removing it. Products such as Cyber-X learn about your usual network traffic, making it easy to spot traffic that is unusual for your network, such as traffic that occurs during off-peak hours, unusually large packets or unexpected protocols.
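As an added illustration of the baselining idea described above (example code written for this article, not any product’s implementation), the following Python learns the usual hours, protocols and per-protocol packet sizes from a set of flow records and then flags the three kinds of deviation the paragraph names. All addresses, timestamps and byte counts are constructed for the example.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records, not real captures: (ISO time, src, dst, protocol, bytes).
# Day-shift Modbus/TCP polling plus one nightly historian backup over HTTPS.
BASELINE_FLOWS = [
    ("2024-03-04T08:15:00", "10.1.1.20", "10.1.1.5", "modbus", 60),
    ("2024-03-04T09:30:00", "10.1.1.20", "10.1.1.6", "modbus", 64),
    ("2024-03-04T14:05:00", "10.1.1.20", "10.1.1.5", "modbus", 58),
    ("2024-03-04T16:45:00", "10.1.1.20", "10.1.1.6", "modbus", 62),
    ("2024-03-05T10:00:00", "10.1.1.20", "10.1.1.5", "modbus", 61),
    ("2024-03-05T22:00:00", "10.1.1.30", "10.1.2.9", "https", 1400),
]
# Constructed flows from a later day, used to exercise the detector.
NEW_FLOWS = [
    ("2024-03-11T03:10:00", "10.1.1.20", "10.1.1.5", "modbus", 60),
    ("2024-03-11T10:00:00", "10.1.1.44", "10.1.1.5", "ssh", 200),
    ("2024-03-11T14:00:00", "10.1.1.20", "10.1.1.6", "modbus", 900),
    ("2024-03-11T09:00:00", "10.1.1.20", "10.1.1.5", "modbus", 63),
]

def learn_baseline(flows):
    """Record the hours, protocols and per-protocol byte sizes seen as normal."""
    hours, sizes = set(), {}
    for ts, _src, _dst, proto, nbytes in flows:
        hours.add(datetime.fromisoformat(ts).hour)
        sizes.setdefault(proto, []).append(nbytes)
    stats = {p: (mean(v), pstdev(v)) for p, v in sizes.items()}
    return {"hours": hours, "sizes": stats}

def flag_anomalies(flows, baseline, sigma=3.0):
    """Return (flow, reason) pairs for flows that deviate from the baseline."""
    findings = []
    for flow in flows:
        ts, _src, _dst, proto, nbytes = flow
        reasons = []
        if datetime.fromisoformat(ts).hour not in baseline["hours"]:
            reasons.append("off-peak hour")
        if proto not in baseline["sizes"]:
            reasons.append("unexpected protocol")
        else:
            avg, sd = baseline["sizes"][proto]
            # Floor the spread at 1 byte so a constant-size baseline still gets a band.
            if nbytes > avg + sigma * max(sd, 1.0):
                reasons.append("unusually large packet")
        if reasons:
            findings.append((flow, ", ".join(reasons)))
    return findings
```

Calling `flag_anomalies(NEW_FLOWS, learn_baseline(BASELINE_FLOWS))` reports the 03:10 poll, the SSH session and the 900-byte Modbus flow, while the 09:00 poll of a normal size passes silently.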
Planning for the worst is not the same as admitting defeat; rather, it means being prepared to recover from the worst possible outcome, which usually requires a disaster recovery capability mature enough to restore services as quickly as possible. Frequently monitoring the state of your network devices allows you to develop customised, efficient and effective plans that evolve along with your organisation’s scale.
For more information on cyber security products and services, or if you have any queries relating to this article, please visit www.mac-solutions.net.