Oct 02 2023

To Bolster SCADA Network Security, Know Your Inventory

Organizations must understand what’s in their ecosystem if they hope to keep their supervisory control and data acquisition systems safe.

It’s a popular maxim in cybersecurity circles because it’s true for any organization, especially in an increasingly digital and cloud-centric environment: You can’t protect what you don’t know.

With the rise of hybrid work, mobile devices and the Internet of Things, organizations may struggle to know exactly what is connected to their networks at any given time.

“Even companies that I know today tell me they know exactly where every piece of equipment is, but when they do an inventory, there’s always onesies and twosies,” says Pedro Serrano, senior security architect at CDW.

“They will come up and tell me, ‘You know, Pedro, that air conditioner unit was installed 20 years ago and it is still operating. And that damper, it’s a control and it sits there, and nobody looks at it. And guess what’s still in our system and is running on a Windows 98?’ I have seen that.”


The First Step for SCADA Security Is Developing an Inventory

As threat actors continue to develop more advanced tools and techniques, visibility is more essential than ever to protect your organization against attack. And as supervisory control and data acquisition (SCADA) networks are frequently outdated, that challenge can be even more significant. That’s why it’s so important to establish a baseline by creating an inventory of everything in your environment.

“The first thing we need to do is figure out what your rules are. In what box do you want to play?” Serrano says. “When we talk about mobile devices, are we talking about mobile devices that you carry? Are we talking about mobile devices that I issued to you? Or are we talking about mobile devices that you bring from home, such as my iPad, that I can connect to work and get my company email?”

“An inventory is a must,” Serrano continues. “The moment you do an inventory, then you can do that gap analysis. Because then you can see where you are.”

A gap analysis can be key to developing complete visibility and strengthening your security posture. It outlines the vulnerabilities lurking within your environment.


Assessing Your Environment Can Expose Hidden Vulnerabilities

No matter the size of your organization, a vulnerability assessment is a critical step in developing the visibility to keep you secure.

Joel Vargas, area sales director for CDW, notes the wide variety of assessments available. “Assessments can be very comprehensive, very long engagements that go through a ton of detail with multiple engineers. It could be as vast as that, with a lot of documentation that comes along with it, or they can be far less complex,” he says.

According to Vargas, some assessments can be very light. They might simply involve asking some questions and bringing in a consultant “just to have a healthy security discussion,” he says.

Once the vulnerability assessment has been performed, Serrano says, the next step is to formulate a plan that considers tech priorities, the level of risk and budgetary constraints. “Which ones are most important? Is importance based on profitability? Do I dive into the application? Do I need to do some upgrades?” The answers to these questions and many more will help to determine next steps.


Security Considerations to Keep in Mind After an Assessment

Once an assessment has been performed and your organization has identified priorities for minimizing vulnerabilities, it’s important to plan ahead for detection and response capabilities. Not all of these considerations are obvious.

“Sometimes, the biggest threat is not actually the external threat. It’s an internal threat of someone that’s a bad actor inside your organization. If you have someone that’s a malicious employee or someone that has privileged access, you need to manage,” Vargas says.

Serrano notes that some organizations are challenged because they have limited staff or budget. “I can sell you tools, but if all I do is sell you a tool and you don’t have the people to operate it, I'm doing you a disservice,” he says.

In such scenarios, Serrano notes, automation and staff augmentation can be helpful. “Everybody sees the value of having cutting-edge visibility tools in their environments. The problem is that you need a team of people to operate them,” he says. “So, for the smaller IT shops, maybe a more automated process or managed services are better.”

Regardless of your organization’s size or maturity, there are always appropriate and effective steps to take to make your environment more visible, scalable and secure. It’s an unending process.

Every organization must adapt to incorporate new technology, address unexpected circumstances and defend itself in an ever-evolving threat landscape. The best security strategies demand continued review to reassess their effectiveness and ensure their strength.
