Cyber Defense eMagazine for June 2021

Based on that map and these checkpoints, define zones. Zoning helps you contain malicious activity: a compromise in one zone can be cut off before it spreads to the next. For example, reuse fire zones or similar demarcations already established in the physical world of production as the cut-off points for a given network area.

These checkpoints (typically firewalls or Layer 3 switches), together with the many assets and devices in your OT and IT environment, then become part of the Check phase: they are monitored for changes from the overall baseline and secure configuration you established.



Check
Uncontrolled changes are the main cause of cyber incidents, regardless of whether the malicious change happens in the OT world or in the IT space. The ability to detect any change, established in the DO phase, allows checks to be automated. Pre-approved and ideally pre-tested changes should pass that check without raising an alarm, unless the observed change deviates from what was expected. Unplanned changes are verified against known good and known bad samples to identify malicious or suspicious events, which are then followed up in the security workflow established in the PLAN phase. Changes in IT occur frequently; changes to OT equipment are rarer, but a malicious change there can have physical, real-world consequences. Make sure that changes to critical assets and to critical processes are accounted for. Operating from a Secure Baseline makes unplanned integrity changes much easier to detect and allows the process to be automated with system integrity monitoring technology.

Any unknown device showing up in your monitoring is a change that must be acted upon, because it indicates a gap in the PLAN and DO phases.


Act / Adjust
Automated monitoring lets you act on any gaps identified by going through the PLAN phase again, this time including the previously unknown elements. It also enables you to make the necessary adjustments when major changes to an existing production process, new business processes, or even new business models are introduced. Update your plans and maps, including your Secure Baseline, with any changes to software, patches, or network ports; adjust your incident handling where needed; and start the cycle again.
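As an added illustration of the Check and Act/Adjust phases above (example code written for this page, not code from the article or from any product), the following Python compares a current snapshot against a Secure Baseline and triages every difference the way the text describes: pre-approved changes pass when they match what was expected, deviate otherwise, and unplanned changes are matched against known good and known bad samples, with any unknown device flagged as a PLAN/DO gap. The second function folds reviewed changes back into the baseline for the next cycle. All asset names, paths, ports, hashes and the known-good/known-bad lists are constructed sample data; a real system integrity monitor would collect the snapshot from the devices themselves.

```python
# Added example: CHECK a snapshot against the Secure Baseline, then ACT/ADJUST the
# baseline. All assets, paths, ports, hashes and sample lists below are constructed.
import hashlib
from copy import deepcopy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Secure Baseline produced by PLAN/DO (constructed): per asset, the expected
# SHA-256 of monitored files/firmware and the expected listening TCP ports.
BASELINE = {
    "plc-01":    {"files": {"/fw/plc.bin": sha256(b"plc firmware v1.2")}, "ports": {502}},
    "hmi-01":    {"files": {"/opt/hmi/app.exe": sha256(b"hmi build 41")}, "ports": {3389, 8080}},
    "fw-zone-a": {"files": {"/etc/fw/rules.conf": sha256(b"zone-a ruleset 7")}, "ports": {22}},
}

# Pre-approved (ideally pre-tested) changes, keyed by (asset, item): the state the
# change is expected to produce. Anything else for that key is a deviation.
APPROVED = {
    ("hmi-01", "/opt/hmi/app.exe"): sha256(b"hmi build 42"),
    ("fw-zone-a", "ports"): {22, 443},
}

# Samples for triaging unplanned file changes (constructed): hashes of known malware,
# and of vendor-published files that are legitimate but were never scheduled.
KNOWN_BAD = {sha256(b"dropper.bin")}
KNOWN_GOOD = {sha256(b"plc firmware v1.3")}

# Snapshot a system integrity monitor would collect from the devices (constructed).
CURRENT = {
    "plc-01":    {"files": {"/fw/plc.bin": sha256(b"dropper.bin")}, "ports": {502, 4444}},
    "hmi-01":    {"files": {"/opt/hmi/app.exe": sha256(b"hmi build 42")}, "ports": {3389, 8080}},
    "fw-zone-a": {"files": {"/etc/fw/rules.conf": sha256(b"zone-a ruleset 7")}, "ports": {22, 8443}},
    "rogue-ap":  {"files": {}, "ports": {80}},   # never planned: a gap in PLAN/DO
}


def triage(asset, item, observed, approved, known_good, known_bad):
    """Verdict for one observed difference from the baseline."""
    key = (asset, item)
    if key in approved:
        return "approved" if observed == approved[key] else "approved-deviates"
    if item == "ports":            # sample lists exist for file digests only
        return "unplanned-unknown"
    if observed in known_bad:
        return "unplanned-malicious"
    if observed in known_good:
        return "unplanned-known-good"
    return "unplanned-unknown"


def check(baseline, current, approved, known_good, known_bad):
    """CHECK: return (asset, item, verdict) for every difference from the baseline."""
    findings = []
    for asset, state in current.items():
        if asset not in baseline:
            findings.append((asset, "*", "unknown-device"))
            continue
        base = baseline[asset]
        for path, digest in state["files"].items():
            if digest != base["files"].get(path):
                findings.append((asset, path, triage(asset, path, digest, approved, known_good, known_bad)))
        for path in base["files"].keys() - state["files"].keys():
            findings.append((asset, path, "file-missing"))
        if state["ports"] != base["ports"]:
            findings.append((asset, "ports", triage(asset, "ports", state["ports"], approved, known_good, known_bad)))
    for asset in baseline.keys() - current.keys():
        findings.append((asset, "*", "device-missing"))
    return findings


def adjust_baseline(baseline, current, findings, also_accept=frozenset()):
    """ACT/ADJUST: fold approved changes, plus any (asset, item) pairs explicitly
    accepted after review (e.g. a newly inventoried device), into a new baseline."""
    new = deepcopy(baseline)
    for asset, item, verdict in findings:
        if verdict != "approved" and (asset, item) not in also_accept:
            continue
        if item == "*":                # a reviewed device: adopt it, or drop it if gone
            if asset in current:
                new[asset] = deepcopy(current[asset])
            else:
                new.pop(asset, None)
        elif item == "ports":
            new[asset]["ports"] = set(current[asset]["ports"])
        else:
            new[asset]["files"][item] = current[asset]["files"][item]
    return new


if __name__ == "__main__":
    found = check(BASELINE, CURRENT, APPROVED, KNOWN_GOOD, KNOWN_BAD)
    for f in found:
        print("%-10s %-22s %s" % f)
    print("after adjust:", check(adjust_baseline(BASELINE, CURRENT, found), CURRENT, APPROVED, KNOWN_GOOD, KNOWN_BAD))
```

With the constructed data, the HMI upgrade passes as approved, the firewall port change is flagged as approved-deviates because 8443 rather than the expected 443 appeared, the PLC firmware replacement matches a known bad sample, the extra PLC port is an unplanned unknown, and rogue-ap is reported as an unknown device. Only the "approved" finding is folded into the baseline automatically; anything else (including a newly inventoried device) has to be passed in explicitly after the PLAN review, which keeps a malicious change from silently becoming the new normal.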

Cyber Defense eMagazine – June 2021 Edition
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.