Page 70 - Cyber Defense eMagazine forJune 2021
Based on that map and those checkpoints, draw your demarcation lines. Zoning will help you to contain
malicious activity. For example, use fire zones, or anything similar that is already established in the physical
world of production, as a way to map cut-off points for a given area.
These checkpoints (which are likely firewalls or L3 switches), as well as the many assets and devices in
your OT and IT environment, then become part of the Check sequence: that is, they are monitored for changes
from the overall baseline and secure configuration you established.
Check
Uncontrolled changes are the main cause of cyber incidents, regardless of whether the malicious change
happens in the OT world or in the IT space. The ability to detect any change, as provided in the DO cycle,
allows you to run automated checks. Pre-approved and ideally pre-tested changes should pass through that
check without raising an alarm, unless they deviate from what was expected. Unplanned
changes are verified against known-good and known-bad samples to identify malicious or suspicious events,
which are then followed up through the security workflow established in the PLAN phase. Changes in IT
occur frequently, whereas changes to OT equipment are less frequent; conversely, the
impact of a malicious change in OT can have real-life consequences. Make sure that changes on critical assets
and on critical processes are accounted for. Operating from a Secure Baseline makes the detection of
unplanned integrity changes much clearer and allows the process to be automated using system integrity
monitoring technology.
Any unknown device showing up in your monitoring is a change that needs to be acted upon, as it
indicates a gap in the PLAN and DO phases.
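As an added illustration of the Check logic described above (not code from the article), the following snippet compares one monitoring snapshot against a Secure Baseline and sorts each asset into the outcomes the text names: unchanged, pre-approved change, deviation from an approved change, unplanned change matching a known-bad sample, unplanned change for the security workflow, and unknown device. All asset names, hashes and ports are constructed placeholders.

```python
# Constructed sample data: asset names, hashes and ports are illustrative placeholders.
BASELINE = {
    "plc-01": {"firmware": "sha256:aaa", "open_ports": {502}},
    "hmi-01": {"firmware": "sha256:bbb", "open_ports": {443, 3389}},
    "fw-zone-a": {"firmware": "sha256:ccc", "open_ports": {22}},
}
# Pre-approved, pre-tested changes: the end state the change ticket says to expect.
APPROVED = {"hmi-01": {"firmware": "sha256:bbb2", "open_ports": {443}}}
# Known-bad samples (e.g. hashes seen in prior incidents), also placeholders.
KNOWN_BAD = {"sha256:evil"}
# One monitoring snapshot as the Check phase would receive it (constructed).
OBSERVED = {
    "plc-01": {"firmware": "sha256:aaa", "open_ports": {502}},
    "hmi-01": {"firmware": "sha256:bbb2", "open_ports": {443}},
    "rogue-laptop": {"firmware": "sha256:zzz", "open_ports": {445}},
}


def check_integrity(observed, baseline=BASELINE, approved=APPROVED, known_bad=KNOWN_BAD):
    """Classify every asset in a snapshot against the Secure Baseline.

    Verdicts: 'ok' (no change), 'approved' (matches a pre-approved change),
    'deviation' (approved change, but not the expected end state),
    'unplanned-bad' (matches a known-bad sample), 'unplanned' (route to the
    security workflow), 'unknown-device' (gap in PLAN/DO) and 'missing'
    (a baseline asset that stopped reporting, also worth investigating in OT).
    """
    verdicts = {}
    for asset, state in observed.items():
        if asset not in baseline:
            verdicts[asset] = "unknown-device"
        elif state == baseline[asset]:
            verdicts[asset] = "ok"
        elif asset in approved:
            verdicts[asset] = "approved" if state == approved[asset] else "deviation"
        elif state["firmware"] in known_bad:
            verdicts[asset] = "unplanned-bad"
        else:
            verdicts[asset] = "unplanned"
    for asset in baseline.keys() - observed.keys():
        verdicts[asset] = "missing"
    return verdicts


if __name__ == "__main__":
    for asset, verdict in sorted(check_integrity(OBSERVED).items()):
        print(f"{asset:12} {verdict}")
```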
Act / Adjust
The automated monitoring will allow you to act upon any gaps identified by going through the PLAN stage
again, now including the previously unknown elements. It also enables you to make the necessary
adjustments when major changes to an existing production process, new business processes, or even
new business models are introduced. Update your plans and maps, including your Secure Baseline, with
any changes to software, patches, or network ports; then adjust your incident handling where needed
and start the cycle again.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.