Even with COVID-19 vaccines gaining approval across the world, we will likely be far into 2021 before an adequate proportion of the general population is vaccinated and social distancing can subside. And for many companies, the pandemic merely accelerated an existing transition toward an increasingly remote workforce—many employees who previously worked on-site may no longer do so, even once it's no longer a matter of public health. In other cases, having adjusted to the new normal of working from home, some companies may embrace a hybrid remote and on-site approach.
For most companies, we expect a larger number of employees to remotely access industrial information technology (IT) and operational technology (OT) systems. However, exposing industrial networks to remote connections inherently expands an organization's attack surface. While it's widely understood that purpose-built technology is required to mitigate this risk, a crowded marketplace saturated with insufficient solutions means that decision-makers must understand which criteria to use when evaluating vendors.
When it comes to investigating industrial cybersecurity threats, the following capabilities are essential:
Many VPNs or other solutions that claim to provide secure off-site access to industrial technology environments eliminate or obfuscate the audit trail of remote user activity. This makes it exceedingly difficult, or even impossible, to efficiently and effectively investigate potentially malicious remote user activity and correlate it with other events on an organization's industrial network. This is particularly concerning in situations where the questionable remote activity could have an impact on process integrity or safety—regardless of whether the activity is malicious or unintentional.
Historically, industrial cybersecurity incidents have typically required personnel to work on-site in order to access network and forensic data. The physical distancing requirements implemented in response to COVID-19 forced many organizations to change this approach, and moving forward, remote investigations will likely remain commonplace for many enterprises as part of accelerated digital transformation. As such, whether a solution allows security personnel to conduct remote investigations should not be overlooked.
Remote access notwithstanding, time is of the essence when it comes to investigating potential cyber threats to enterprise industrial technology environments. The longer it takes security personnel to analyze a potential threat and its impact, and to mitigate it, the more likely an incident is to affect process integrity and safety. As such, decision-makers should scrutinize vendors on their solution's ability to evaluate and examine indicators of compromise within an industrial network, as well as the impact the indicator in question has had on similar technology environments.
When it comes to addressing industrial security alerts, the more context about a threat provided to a security operations center (SOC) analyst, the better. A remote user action under investigation may have been performed by an adversary—or alternatively, by a process engineer, vendor, or contractor. SOC analysts need detailed information to help answer key questions, such as who performed the operation and whether it was authorized. A solution that can provide easy access to a video recording of a user session under investigation can enable SOC analysts and other security personnel to investigate and remediate potential threats faster and more efficiently.
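The two points above, that a remote-access solution must preserve an audit trail that can be correlated with OT network events, and that an analyst needs to know who performed an operation, come down to one join: remote-session records against OT events, keyed on the jump host and the time window. The script below is an added example, not code from this page or from any vendor it discusses. Both logs are constructed samples: a remote-access gateway's session log (user, role, source address, jump host, start and end) and an OT network monitor's event log (jump host, target PLC, protocol, function). The field names, the `ot-jump-*` and `plc-*` hostnames and the log format are assumptions made for the example. The join attributes each PLC change to the remote session that covered it, and flags any OT activity from a jump host with no session on record, which is the audit-trail gap the text warns about.

```python
"""Attribute OT network events to remote-access sessions and flag the gaps.

Added illustration; the logs below are constructed, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed remote-access gateway log: one line per session start/end.
SESSION_LOG = """\
2021-01-12T08:02:11Z session=start user=jdoe role=process_engineer src=203.0.113.10 jumphost=ot-jump-01
2021-01-12T08:47:55Z session=end user=jdoe role=process_engineer src=203.0.113.10 jumphost=ot-jump-01
2021-01-12T09:15:00Z session=start user=acme_svc role=vendor src=198.51.100.7 jumphost=ot-jump-02
2021-01-12T09:40:30Z session=end user=acme_svc role=vendor src=198.51.100.7 jumphost=ot-jump-02
"""

# Constructed OT monitor log: control-plane actions seen on the plant network.
OT_EVENT_LOG = """\
2021-01-12T08:10:43Z src=ot-jump-01 dst=plc-07 proto=modbus func=write_multiple_registers addr=40001
2021-01-12T09:22:05Z src=ot-jump-02 dst=plc-03 proto=s7comm func=download_block block=OB1
2021-01-12T10:05:17Z src=ot-jump-01 dst=plc-07 proto=modbus func=write_single_coil addr=00012
"""


def parse_line(line: str) -> tuple[datetime, dict[str, str]]:
    """Split '<ISO-8601 UTC timestamp> key=value key=value ...' into (time, fields)."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(p.split("=", 1) for p in pairs)


@dataclass
class Session:
    user: str
    role: str
    src: str
    jumphost: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


def parse_sessions(log: str) -> list[Session]:
    """Pair session=start / session=end records by (user, jumphost)."""
    open_sessions: dict[tuple[str, str], Session] = {}
    sessions: list[Session] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        key = (f["user"], f["jumphost"])
        if f["session"] == "start":
            s = Session(f["user"], f["role"], f["src"], f["jumphost"], ts, None)
            open_sessions[key] = s
            sessions.append(s)
        elif f["session"] == "end" and key in open_sessions:
            open_sessions.pop(key).end = ts
    return sessions


def parse_events(log: str) -> list[tuple[datetime, dict[str, str]]]:
    return [parse_line(line) for line in log.splitlines() if line.strip()]


@dataclass
class Attribution:
    event_time: datetime
    jumphost: str
    target: str
    action: str
    user: Optional[str]  # None means no remote session covers this event
    role: Optional[str]
    src: Optional[str]


def attribute_events(sessions: list[Session],
                     events: list[tuple[datetime, dict[str, str]]]) -> list[Attribution]:
    """Join each OT event to the session active on its source jump host at that time."""
    results: list[Attribution] = []
    for ts, f in events:
        match = next((s for s in sessions
                      if s.jumphost == f["src"]
                      and s.start <= ts
                      and (s.end is None or ts <= s.end)), None)
        results.append(Attribution(
            ts, f["src"], f["dst"], f["func"],
            match.user if match else None,
            match.role if match else None,
            match.src if match else None,
        ))
    return results


def unattributed(results: list[Attribution]) -> list[Attribution]:
    """OT activity from a jump host with no session on record: an audit-trail gap."""
    return [r for r in results if r.user is None]


if __name__ == "__main__":
    attributed = attribute_events(parse_sessions(SESSION_LOG), parse_events(OT_EVENT_LOG))
    for r in attributed:
        who = f"{r.user} ({r.role}, from {r.src})" if r.user else "NO SESSION ON RECORD"
        print(f"{r.event_time.isoformat()}  {r.jumphost} -> {r.target}  {r.action:<25} {who}")
    print(f"{len(unattributed(attributed))} unattributed OT event(s) need investigation")
```

In the sample, the two PLC writes during recorded sessions are attributed to a process engineer and a vendor account respectively, which gives the SOC analyst the "who" and the role needed to judge whether the change was authorized. The third write, from `ot-jump-01` with no session covering it, is the case a gateway that drops or obfuscates its session log would make invisible; with the audit trail intact it surfaces as a concrete event to investigate.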