Precision Threat Intelligence is Vital to Securing Industrial Control Systems and Operational Technology Environments

In large industrial contexts like the aerospace industry, threat intelligence enables precision and effective deployment.

More than half a million new malware variants are discovered every single day. Once discovered, cybersecurity practitioners add them to industry-wide data feeds that fuel a wide variety of security technologies.

Many security tools support direct integration with open-source threat intelligence data coming from the AlienVault Open Threat Exchange, SANS, and others. This provides security analysts with up-to-date information on how the latest threats work.


But there’s a problem.

The volume of incoming threats is so high that most analysts can’t use this data in a timely manner. Manually querying the threat intelligence database and looking for the one threat that matches your particular operating environment can take hours – precious time that analysts don’t have.


The problem is even more pronounced in manufacturing or industrial contexts. The vast majority of threats don’t apply because these organizations aren’t using the types of systems and tools used in generic office settings. They’re using Industrial Control Systems, networked SCADA architecture, and integrated IoT devices.


Threats against these systems and devices exist, but they’re of a different class altogether. Security leaders in manufacturing and industrial environments need threat intelligence that is filtered according to their unique security risk profile.

Understanding the Risk Profile of Industrial Organizations

Every organization has a unique security risk profile. This profile is a product of many characteristics, like the organization’s tech stack, hardware deployments, and other assets. Even its geographic location can influence the threats it is likely to encounter.


Threat actors are smart enough to avoid wasting resources trying to break through their target’s strongest defenses. Whenever possible, they concentrate on the weakest link in the organization’s security chain. For manufacturing and industrial organizations, that often means targeting operational technology and industrial hardware.


Compromising OT equipment may require hackers to invest a great deal of time and effort into their attack. Malicious firmware updates are just one example – it takes extraordinary patience and technical expertise to create and deploy malicious firmware directly to on-site hardware.


However, the reward is well worth the risk. A malicious firmware update may bypass network firewalls and IT security controls. It could go unnoticed for months or years while security professionals focus their time and attention elsewhere.


Organizations that rely on ICS systems, SCADA architecture, and customized in-house deployments must study the threats most likely to impact the systems they specifically use. This requires taking a unique approach to threat intelligence.

5 Ways to Adapt Threat Intelligence to the IT/OT Environment

Manufacturers and industrial organizations must implement threat intelligence in a way that focuses on the set of threats they are uniquely vulnerable to. There are several things security leaders can do to ensure this:

  1. Collect Comprehensive Data from Multiple Sources

Collecting generic threat intelligence data from open-source feeds is not enough. Organizations may need to invest in additional data sources and have reputable security vendors curate that data for rapid use.

Open-source threat intelligence data can be enriched from a wide variety of sources. Dark Web monitoring, internal network logs, and industry-specific watchlists can help industrial security leaders gain visibility over the threat landscape.

Your first warning about an emerging threat may not come from a public threat intelligence feed. It could come from a Dark Web hacker offering to sell your organization’s intellectual properties to the highest bidder. You can’t protect that data without insight into the vulnerabilities affecting those systems and assets.

  2. Filter Threat Intelligence Data According to Context

The MOVEit Transfer vulnerability that made headlines in mid-2023 led to at least 600 individual breaches, impacting millions of people. The Common Vulnerabilities and Exposures (CVE) numbers associated with this breach are CVE-2023-34362, CVE-2023-34363, CVE-2023-34364, and CVE-2023-35036.

However, finding out if your organization is impacted takes time and research. You must find out if any user or third-party provider associated with your organization used the affected version of MOVEit Transfer in a way that would allow hackers to exfiltrate data.

If your organization doesn’t use the application, it isn’t vulnerable to the attack. Burdening your threat intelligence feed data with information that doesn’t apply to your organization simply slows down your analysts. Your threat intelligence provider should contextualize the information you receive based on the threats your organization is actually vulnerable to.
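As an added example (not code from the article or from Maverc), here is one way to do this contextual filtering in Python: a vulnerability feed is reduced to the advisories whose affected product and version match what the asset inventory says the plant actually runs. The two MOVEit CVE ids come from the text above; every product key, asset name, CVE-0000-* id and fix version is a constructed placeholder, not vendor data.

```python
# Added example (not from the article): filter a vulnerability feed down to the
# advisories that touch products in an OT asset inventory. All product and asset
# names, the CVE-0000-* ids and every fixed_in version are constructed placeholders.
from collections import namedtuple

# product: normalised key as the feed provider emits it; fixed_in: first fixed
# version as a tuple, () meaning no fix is published yet.
Advisory = namedtuple("Advisory", "cve product fixed_in")
Asset = namedtuple("Asset", "name product version")

def parse_version(text):
    """'2023.0.1' -> (2023, 0, 1); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))

def applicable(adv, asset):
    """True when the asset runs the affected product at a version below the fix."""
    if adv.product != asset.product:
        return False
    return not adv.fixed_in or asset.version < adv.fixed_in

def filter_feed(feed, inventory):
    """Map each relevant CVE to the asset names it affects; irrelevant CVEs are dropped."""
    hits = {}
    for adv in feed:
        affected = [a.name for a in inventory if applicable(adv, a)]
        if affected:
            hits[adv.cve] = affected
    return hits

# Constructed feed: the first two MOVEit CVEs named above plus placeholder entries.
FEED = [
    Advisory("CVE-2023-34362", "moveit-transfer", parse_version("2023.0.3")),
    Advisory("CVE-2023-34363", "moveit-transfer", parse_version("2023.0.4")),
    Advisory("CVE-0000-00001", "plc-firmware-x", ()),                   # ICS product we do not run
    Advisory("CVE-0000-00002", "hmi-runtime-y", parse_version("4.2")),  # ICS product we do run
    Advisory("CVE-0000-00003", "office-suite-z", parse_version("16")),  # office software, not in OT
]
# Constructed inventory: what the plant actually runs.
INVENTORY = [
    Asset("file-transfer-gw-01", "moveit-transfer", parse_version("2023.0.1")),
    Asset("file-transfer-gw-02", "moveit-transfer", parse_version("2023.0.3")),
    Asset("line3-hmi", "hmi-runtime-y", parse_version("4.1")),
    Asset("line3-hmi-spare", "hmi-runtime-y", parse_version("4.2")),
]

def relevant_advisories():
    """The contextualised view an analyst should receive instead of the raw feed."""
    return filter_feed(FEED, INVENTORY)
```

Of the five feed entries, only three survive, and each carries the exact assets to patch; the office-software and unused-PLC advisories never reach the analyst.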

  3. Automate Threat Detection in Real-Time

For threat intelligence feed data to make a serious impact on your security posture, it must be easy to integrate into security processes. If analysts have to conduct dozens of manual queries to find out if a threat is even applicable to your business context, that won’t happen.

Curated threat intelligence feed data should be integrated directly into the systems that analysts use to detect and respond to threats in real-time. That might mean implementing a security information and event management (SIEM) platform and integrating it with your threat intelligence service to drive real-time insights.

This allows analysts to instantly see how observed activity matches up with known indicators of compromise. From there, determining the appropriate response is simple and cost-effective.

  4. Collaborate with the Security Community

Imagine a highly organized, well-funded cybercrime syndicate launching an attack that specifically targets aerospace manufacturers. It exploits vulnerabilities in some technology commonly used in that sector and grants threat actors access to mission-critical data.


Now imagine your organization was the first one targeted. Every other aerospace company on the planet wants comprehensive data on the attack. They want to know about the technical exploits leveraged, the technology compromised, and the threat actors’ motivations.


The faster and more accurately you can share this information with the security community, the better the overall response will be. Your ability to protect your organization’s data relies on the speed and precision with which you – and every other organization in your industry – can do this.

  5. Invest in Security Training and Education

OT security teams need comprehensive information about emerging threats in order to mitigate their risks effectively. This goes beyond training for operational security best practices – it must include highly targeted content that addresses the unique risks your organization is subject to.

Only when operational security teams know the latest threat trends and attack techniques can they create and deploy effective mitigation strategies. This information is also important for IT teams and their security partners. In a modern, connected organization, all roles are also cybersecurity roles.

Effective training can help build a culture of security that prevents hackers from deceiving administrators and launching social engineering attacks. Having strong policies is important, but those policies are only effective if everyone follows and understands them.

Secure Your Industrial Processes With Maverc

Maverc specializes in providing cybersecurity services, assessments, and training to organizations in the aerospace industry. We help industrial leaders protect themselves against emerging threats targeting operational technology and ICS-controlled infrastructure. Find out how we can help you secure your organization against advanced threats.
