Identifying and Protecting your ICS’s Crown Jewels

Every organization has its “crown jewels” – assets that are the most critical to its operation and therefore needs the most protection. It could be a person, (e.g. the head of state, who’s always surrounded by a large guard detail), a certain activity (e.g. national elections, which if tampered with may skew the democratic process), stored data (e.g. IP or customer PII) or any other asset at the core of the organization.

In industrial organizations, the crown jewels are often OT assets and their associated business processes, which, if compromised, could significantly impact the organization’s operations and even its very existence. Naturally, these important assets need to be prioritized for maximum security at the expense of other, lesser-critical assets and processes.

For this reason, it’s critical to first and foremost correctly identify your crown jewel assets.

While this may sound trivial, the complexities of modern ICS networks prevent “eyeballing” which assets are the most critical. Doing so may expose misidentified critical assets/process to excess risk.

(For example, it may seem obvious that an industrial manufacturer’s crown jewels are the PLCs that control production, whereas in reality it’s actually the power supply unit that’s the most critical).

So how do you identify which of the hundreds of PLCs you operate is the most critical? Or an engineering workstation which if hacked to send incorrect command values may cause a disaster? What would be the impact of a certain database getting crypto-locked?

The key to identifying your crown jewels is adapting a risk-based approach to OT security, by which you prioritize asset criticality by weighing the probability of each and every known threat materializing (i.e. successful attack) within each business unit against the impact (i.e. damage caused) of the attack on the organization as a whole.

Calculating each asset’s exposure to risk requires analyzing multiple huge datasets for attacker capability, malware behavior, vulnerabilities introduced by devices and device vendors, already-installed security measures, topology, communication protocols, and much more.

Achieving risk assessment in modem production environments requires automated tools with access to ever-changing databases of vulnerabilities and APTs. Risk assessment consultancy can no longer be a manual process that is performed yearly, but an ongoing automated process.

With so many variables at play, getting a clear picture of the risk facing each of your business units requires simulating the behavior of malware as it breaches and infects the network. This is done using either the actual OT network as a test-bed (which is risky, since there’s a chance of impacting operations and even damaging devices) or an accurate digital image of the network. Of the two I’m a fan of the latter method – it’s safer and allows replicating the test if needed, with no effect whatsoever during both the data collection and the risk simulation phases. Not coincidentally, it’s also the method used by Radiflow.

The result of the simulation is a clear picture of your exposure to network risk: which business units indeed make up your crown jewels, and accordingly, which threats and adversaries pose the most risk to your specific network, and which security measures reduce the most network risk. The resulting security roadmap, based on the findings of the simulation, not only ensures operational resilience – by providing the adequate level of security for your crown jewels (which may not be what you thought they were) and to all other business units based on need – but also optimizes the ROI of your OT security operation.

The takeaway? Industrial cyber-security has in recent years made great leaps that allow you better allocate your security resources to better secure your “crown jewels” and ensure your operational resilience. The way I see it, it’s a no-brainer.