How Logitek Implements Equipment Defense
Some threats reach industrial equipment through access vectors other than the network. We explain how to implement the defence of the equipment itself.
Defence-in-depth strategies propose applying different protection mechanisms at different levels within an ICS/OT installation.
In previous posts we discussed how to protect the network perimeter and how to raise the level of protection inside the network. However, there are threats that use other access vectors for their attacks (for example, removable media, or communication channels such as email and web browsing) and therefore bypass network-level controls.
It is therefore necessary to implement protection on the equipment itself, on every network we operate. These mechanisms should include the following lines of fortification:
- Ability to detect and block the actions of known malware.
- Ability to protect the incoming and outgoing communications of the equipment, detecting and blocking known attacks.
- Heuristic or behavioural capabilities that, based on the equipment's normal behaviour, can detect attacks for which no signature yet exists (0-day attacks).
- Ability to stop the execution of non-permitted applications (application whitelisting).
- Ability to alert and report.
- Optionally, a central administration console that allows multiple devices to be managed in an agile and simultaneous manner.
In this way we obtain a fleet of protected and monitored equipment, and close off the main attack vectors in a simple way: malware and the exploitation of unpatched vulnerabilities.
It is worth emphasising the need to protect assets against vulnerabilities that have not yet been patched, what is known as "virtual patching". Installing patches on the base systems of OT equipment is usually one of the main headaches for those responsible for cybersecurity, because patch installation carries inherent risks:
- Patches can change the behaviour of the base system and, in turn, compromise the correct functioning of the industrial applications that run on it. Before installing any patch it must therefore be confirmed that the industrial software vendor supports it.
- Installing patches usually requires the equipment to be rebooted. In many cases this forces patching to be done during scheduled maintenance shutdowns, which are infrequent, so the equipment remains exposed to the vulnerability for weeks, months or even years.
- Not applying the patch, on the other hand, increases the equipment's exposure surface to eventual cyberattacks.

Protecting equipment by "virtual patching", that is, blocking in front of the vulnerable service the traffic that would exploit the vulnerability, drastically reduces both the exposure factor of the equipment and the time it spends at risk for lack of a patch, without the drawbacks of installing the patch itself. It is a compensating control, not a replacement: the vulnerability is still present on the equipment, so the patch should still be applied at the next maintenance window.
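The following is an added example, not code from Logitek or from any product mentioned on this page. It illustrates the inbound-communications protection described above (blocking known attacks before they reach the equipment, and shielding an unpatched service) for a protocol typical of OT equipment, Modbus/TCP. The filter parses the MBAP header, drops frames that violate the framing rules of the protocol (the kind of input a vulnerable stack may mishandle), drops out-of-spec read requests, and refuses write function codes from any host other than an engineering station. The engineering-station address, the sample frames and the traffic scenarios are constructed for the example.

```python
"""Inbound Modbus/TCP filter for an OT endpoint (illustrative example).

Added example, not Logitek's product code. It shows the kind of rule an
inline host-based filter applies to "virtually patch" a device: malformed
or out-of-spec frames and unauthorised write requests are dropped before
they reach the (unpatched) Modbus stack on the equipment.
"""
import struct

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
READ_HOLDING_REGISTERS = 3
MAX_READ_QUANTITY = 125        # spec limit for function 3 (1..125 registers)
MAX_LENGTH_FIELD = 254         # ADU max 260 bytes minus the 6 header bytes

# Assumption for the example: only this address may issue write requests.
ENGINEERING_STATIONS = {"10.0.5.10"}


def parse_frame(frame):
    """Validate the MBAP header and return (unit_id, function_code, data).

    Raises ValueError for anything that violates Modbus/TCP framing rules;
    such frames are exactly what a vulnerable protocol stack may mishandle.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length > MAX_LENGTH_FIELD:
        raise ValueError(f"length field {length} exceeds ADU maximum")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    return unit_id, frame[7], frame[8:]


def filter_frame(src_ip, frame):
    """Return ("allow" | "drop", reason) for one inbound frame."""
    try:
        unit_id, function, data = parse_frame(frame)
    except ValueError as err:
        return "drop", f"malformed frame: {err}"
    if function in WRITE_FUNCTIONS and src_ip not in ENGINEERING_STATIONS:
        return "drop", f"write function {function} from non-engineering host {src_ip}"
    if function == READ_HOLDING_REGISTERS:
        if len(data) != 4:
            return "drop", f"read request has {len(data)} data bytes, expected 4"
        _start, quantity = struct.unpack(">HH", data)
        if not 1 <= quantity <= MAX_READ_QUANTITY:
            return "drop", f"read quantity {quantity} outside 1..{MAX_READ_QUANTITY}"
    return "allow", f"function {function} from {src_ip} to unit {unit_id}"


def build_frame(transaction_id, unit_id, function, data):
    """Build a well-formed Modbus/TCP frame (used only to construct the samples)."""
    pdu = bytes([function]) + data
    # Length field counts the unit id plus the PDU that follow it.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (not captured from a real network).
READ_10_REGS = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))
WRITE_REG_0 = build_frame(2, 1, 6, struct.pack(">HH", 0, 1))
# The same write with the length field forged to 255, outside the spec.
BAD_LENGTH = WRITE_REG_0[:4] + struct.pack(">H", 255) + WRITE_REG_0[6:]
# A read of 2000 registers, far beyond the 125 the protocol allows.
OVERSIZED_READ = build_frame(3, 1, 3, struct.pack(">HH", 0, 2000))

SAMPLES = [
    ("10.0.5.20", READ_10_REGS),    # HMI polling: allowed
    ("10.0.5.20", WRITE_REG_0),     # HMI writing: not an engineering station
    ("10.0.5.10", WRITE_REG_0),     # engineering station writing: allowed
    ("10.0.5.10", BAD_LENGTH),      # malformed, dropped even from a trusted host
    ("10.0.5.20", OVERSIZED_READ),  # out-of-spec read, dropped
]


def run_samples():
    """Apply the filter to every sample and return the list of verdicts."""
    return [filter_frame(src, frame)[0] for src, frame in SAMPLES]


if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(src, frame.hex(), filter_frame(src, frame))
```

Two design points carry over to real deployments: the framing checks reject anything the protocol specification does not allow, regardless of source, while the write restriction encodes what the equipment is for (an HMI reads; only the engineering station writes). Neither rule requires a change to, or a reboot of, the protected device.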
In industrial environments, equipment exists because it has an explicit function, and that function is usually implemented by a small, limited set of applications. In these cases the protection of IT equipment deployed in OT can be raised further by using systems that restrict which applications are allowed to run.
Generating a list of the applications the equipment may load into memory and execute (a whitelist), and preventing any other code from running, malicious or not, stops malware infection and propagation simply and effectively, and also prevents the equipment from being used for unintended purposes.
Whitelisting is particularly useful in OT environments because these solutions do not usually need signature updates or reboots to work correctly, so the equipment can be protected without introducing update or maintenance shutdowns. The list does have to be regenerated whenever legitimate software on the equipment is updated, otherwise the updated binaries will be blocked.
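As an added example (not Logitek's code or that of any product on this page), the script below implements the two host controls just described: a hash-based application allowlist with default-deny execution, and detection of unauthorised changes to files on the equipment from the same baseline. The directory layout, file names, file contents and the list of extensions treated as executable are assumptions constructed for the demo; a real agent hooks image and script loading in the operating system rather than trusting file extensions.

```python
"""Hash-based application allowlist with change detection (illustrative example).

Added example, not Logitek's product code. It shows the two controls the text
describes: default-deny execution of anything not in a baseline, and detection
of unauthorised changes to files on the equipment. The directory layout, file
names and file contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption for the example: these suffixes count as executable code.
# A real agent hooks image/script loading rather than trusting extensions.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".py")


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root):
    """Baseline: relative POSIX path -> SHA-256 for every executable under root."""
    allowlist = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            allowlist[path.relative_to(root).as_posix()] = sha256_of(path)
    return allowlist


def check_execution(allowlist, root, rel_path):
    """Default deny: a file may run only if its path is known AND its hash still matches.

    Hashing, rather than trusting the path alone, is what stops a trojanised
    copy written over a legitimate binary from running.
    """
    expected = allowlist.get(rel_path)
    if expected is None:
        return False, "not in allowlist"
    full_path = root / rel_path
    if not full_path.is_file():
        return False, "file missing"
    if sha256_of(full_path) != expected:
        return False, "hash mismatch (file modified since baseline)"
    return True, "allowed"


def detect_changes(allowlist, root):
    """File-integrity view of the same baseline: what was added, removed or modified."""
    current = build_allowlist(root)
    return {
        "added": sorted(set(current) - set(allowlist)),
        "removed": sorted(set(allowlist) - set(current)),
        "modified": sorted(p for p in allowlist if p in current and current[p] != allowlist[p]),
    }


def demo():
    """Constructed scenario: baseline an HMI host, then drop a new binary and trojanise an existing one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scada").mkdir()
        hmi = root / "scada" / "hmi.exe"
        hmi.write_bytes(b"MZ original HMI runtime")
        (root / "scada" / "driver.dll").write_bytes(b"MZ PLC driver")
        (root / "scada" / "readme.txt").write_bytes(b"documentation, not code")
        allowlist = build_allowlist(root)

        hmi_ok, _ = check_execution(allowlist, root, "scada/hmi.exe")

        # A file arrives via removable media: unknown to the baseline.
        (root / "scada" / "update.exe").write_bytes(b"MZ unsigned dropper")
        dropper_ok, dropper_reason = check_execution(allowlist, root, "scada/update.exe")

        # The legitimate binary is overwritten in place: path known, hash not.
        hmi.write_bytes(b"MZ trojanised HMI runtime")
        tampered_ok, tampered_reason = check_execution(allowlist, root, "scada/hmi.exe")

        changes = detect_changes(allowlist, root)

    return {
        "baseline_entries": len(allowlist),
        "hmi_allowed_before": hmi_ok,
        "dropper_allowed": dropper_ok,
        "dropper_reason": dropper_reason,
        "hmi_allowed_after_tamper": tampered_ok,
        "tamper_reason": tampered_reason,
        "changes": changes,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the same baseline serves both controls: `check_execution` answers "may this run?" at the moment of execution, and `detect_changes` answers "what changed on disk?" for alerting and reporting. Rebuilding the baseline is the only maintenance step, and it is needed exactly when legitimate software on the equipment is updated.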
At Logitek we have technologies that provide these protection capabilities, giving the end equipment:
- Detection and removal of different types of malware (viruses, Trojans, worms, web threats, etc.).
- Reduction of the network exposure factor by detecting network threats, denial-of-service attacks and reconnaissance scans.
- Detection of unauthorised changes to files, registry keys, directories, etc.
- Control over which applications can and cannot be executed on the equipment.
- Detection and blocking of attacks on vulnerabilities for which no patch has yet been installed, including 0-day vulnerabilities (virtual patching).
For more information, do not hesitate to contact us.