i-PRO Blog Series: Week 4: Proper Configuration – the last line of defense in protecting your security program: by Will Knehr
This blog on the pillar of proper configuration is 5 of 5. Thank you for joining us for Cybersecurity month 2022!
Want to read up on the previous blogs? Click on the links below.
Week 1: i-PRO’s Internet of Things Cybersecurity Pillars to build a strong security program
Week 1 bonus: Resiliency – Will your devices be there when you need them the most?
Week 2: Cyber Hygiene - Creating a Culture of Cybersecurity in your Organization
Week 3: Product Security: What product security features to look for with IIoT devices
It’s been a long journey, but we have arrived at our last pillar, which is centered on the proper configuration of IIoT devices. So far, we have discussed building resilience into our IIoT devices and networks, practicing proper cyber hygiene (such as updating the firmware on our IIoT devices), and product security. This pillar was purposely saved for last because it builds on all of the other pillars. Proper configuration is the act of making sure that the security features on the IIoT devices are enabled, that those features are set up correctly, that our networks are configured properly, and that access control and authentication are enabled.
In a study completed by Gartner, they found that 99% of firewall breaches are due to improper configuration of network devices, endpoints, or security tools (Gartner). When you really break it down, almost every attack can be blamed at least partly on improper configurations. I could name thousands of real-world examples, but one of the most recent was the Colonial Pipeline attack, which took one of the largest oil pipelines offline last year. Colonial Pipeline was allegedly targeted by a ransomware attack using credentials that were found on the dark web. What’s the configuration error here? Multifactor authentication should have been enabled, networks should have been segmented, passwords should have been updated, and separated employees’ accounts should have been disabled. These are just a few configurations that would have either stopped the attack or mitigated the damage.
How does anyone find out what the proper configuration of devices should be? This topic can get a little complicated and technical, but I’ll try to keep it light. The first thing to consider is the industry in which the device is going to be used, because each industry has different requirements. For example, the medical industry uses HIPAA and HITRUST, the law enforcement industry uses CJIS, banking uses a combination of frameworks, international companies tend to use ISO 27000, the payment card industry uses PCI DSS, and the government uses NIST (National Institute of Standards and Technology). In my opinion, NIST is the gold standard framework when it comes to best practices for securing devices. NIST is free and is quickly becoming the go-to framework for a lot of industries. Cybersecurity frameworks get very technical and complicated, so it’s a good idea to consider hiring a consultant or security expert to help assess compliance.
In addition to using a framework to help determine best practices for proper configurations, users can ask the manufacturers or vendors if they have a hardening guide or secure settings guide for their products. Many manufacturers will work with security experts to develop guides that tell users exactly how to secure their new devices. The benefit to going through the manufacturer is that they will often give you step-by-step directions on how to enable security settings on their products.
Now that you have used a framework to determine best practices for device configurations and checked with the manufacturer to get a hardening guide, it’s time to audit those settings using a vulnerability scanner. A vulnerability scanner will scan the devices in your network and alert you if there is out-of-date software, OS, or firmware, and it will also check your configurations and flag any that do not follow best practices. Many vulnerability scanners even allow you to compare your settings to a security framework like NIST, HIPAA, PCI DSS, and more.
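To make the audit step concrete, here is an added example (not code from i-PRO or from this post) that checks a small constructed device inventory against a hardening baseline built from the configuration errors named above: outdated firmware, MFA disabled, factory default credentials, stale passwords, devices left on the corporate VLAN, and active accounts belonging to separated employees. The inventory, baseline values, and field names are all assumptions standing in for what a real scanner export would contain.

```python
from datetime import date

# Constructed sample inventory (assumed field names), as a scanner might export it.
DEVICES = [
    {"name": "cam-lobby-01", "firmware": "2.41", "mfa": True, "default_creds": False,
     "password_changed": date(2022, 9, 1), "vlan": 30,
     "accounts": [{"user": "admin", "active": True, "employed": True}]},
    {"name": "cam-dock-07", "firmware": "2.13", "mfa": False, "default_creds": True,
     "password_changed": date(2021, 3, 15), "vlan": 1,
     "accounts": [{"user": "jsmith", "active": True, "employed": False}]},
]

# Hypothetical hardening baseline; real values come from your framework or vendor guide.
BASELINE = {"min_firmware": "2.40", "max_password_age_days": 365, "corporate_vlan": 1}
REPORT_DATE = date(2022, 10, 28)  # fixed "today" so results are reproducible


def version_tuple(version):
    """Turn a dotted version string into a tuple so '2.13' sorts below '2.40'."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev, baseline, today):
    """Return a list of human-readable findings for one device (empty list = compliant)."""
    findings = []
    if version_tuple(dev["firmware"]) < version_tuple(baseline["min_firmware"]):
        findings.append(f"firmware {dev['firmware']} is below minimum {baseline['min_firmware']}")
    if not dev["mfa"]:
        findings.append("multifactor authentication disabled")
    if dev["default_creds"]:
        findings.append("factory default credentials still in use")
    age_days = (today - dev["password_changed"]).days
    if age_days > baseline["max_password_age_days"]:
        findings.append(f"admin password last changed {age_days} days ago")
    if dev["vlan"] == baseline["corporate_vlan"]:
        findings.append("device sits on the corporate VLAN instead of a segmented IIoT VLAN")
    for acct in dev["accounts"]:
        if acct["active"] and not acct["employed"]:
            findings.append(f"account '{acct['user']}' belongs to a separated employee but is still active")
    return findings


def audit_inventory(devices, baseline, today):
    """Audit every device and map its name to its findings."""
    return {dev["name"]: audit_device(dev, baseline, today) for dev in devices}


if __name__ == "__main__":
    for name, findings in audit_inventory(DEVICES, BASELINE, REPORT_DATE).items():
        print(name, "->", findings or "compliant")
```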
A special note of caution: when scanning IIoT devices, make sure that you do it in a testing environment first, and then divide your production network into small chunks and scan them one at a time. Unfortunately, many IIoT devices are not built to withstand being scanned, and a scan can sometimes knock them offline. The last thing you want to do is cause a self-inflicted denial of service.
Over the last month, we have laid out a comprehensive program for how to manage and secure IIoT devices. This includes purchasing the right devices for your environment, ensuring that the devices will be resilient and there when you need them the most, ensuring that IIoT devices are updated and using the proper security settings, and making sure that you purchase devices from a company that is going to take security seriously. I can’t guarantee that you’ll never be attacked if you follow the practices laid out over the last month, but you’ll certainly be a much harder target. Continue to check our monthly blog and updates for more cybersecurity tips!