When malicious actors eye your organization’s network, they are looking for any way in. Even the slightest crack in the armor could allow them to strike and cause irreparable damage. As the use of operational technology (OT) has skyrocketed in the past several years, attackers have identified vulnerabilities that could give them that opportunity, taking advantage of poorly protected devices and systems.
We’ve seen financial organizations fall victim again and again. ATM malware-as-a-service attacks entered the scene last year, and as a result, security breaches have become routine. It’s no longer a matter of if your network will be breached, but when.
The increasing reliance on OT and rise in interconnected devices within financial services, such as ATMs and surveillance cameras, delivers big benefits in the form of improved customer service, safety and efficiency. But at what risk? The same devices that were put in place to enhance operations and improve the speed of business are creating new entry points for hackers and posing serious threats to an organization’s sensitive information.
The challenge in mitigating the risk associated with OT is that each device is unique — aggregating information and communicating with the network differently. Therefore, creating and applying a broad-sweep security policy for OT isn’t the answer. Nor is it as simple as applying IT practices to OT systems.
Since attackers are constantly evolving their methods, focusing security efforts on identifying and eradicating the attack vector is an uphill — and costly — battle that you will likely never win. The best and most efficient way to eliminate vulnerability crossover between OT and IT is to emphasize isolation and containment of critical assets, eliminating any avenue of entry for hackers.
Build and Protect Your Castle
The concept of a Defense in Depth methodology for network security is nothing new. Dubbed the “Castle Approach,” this strategy focuses on establishing multiple layers of security controls throughout your IT infrastructure, similar to how castles were built centuries ago, with moats, walls and other nearly impenetrable barriers against intruders. Rather than investing only in a team of guardsmen to identify and eliminate intruders, doesn’t it make more sense to invest in guards as well as a drawbridge and a moat? This kind of multi-layer approach isolates your important information from the outside world and creates the best defense against lateral attacks from hackers looking to breach your system through an OT device.
Network Segmentation is a Must
As IoT has gained momentum in the business world, the idea that all aspects of a network should be connected has become relatively standard practice. The reality, however, is that not every device needs to communicate with the core network or the internet, and some level of segmentation should still be in place. There are certain parts of your business, like internal accounting records or customers’ personal identification information (PII), that have no reason to be visible to the rest of the world and therefore should not be connected to even a well-defined perimeter. Those devices that do need to be connected should still be kept at a degree of separation from core operations.
Adopting a Defense in Depth approach means taking network segmentation seriously — essentially making IT and OT undiscoverable from each other. By completely isolating the OT that supports enterprise operations (which was likely never intended to be publicly accessible), you simultaneously protect OT from vulnerabilities inherent in an IT environment.
A Defense in Depth Strategy Extends Beyond IT
Creating and implementing a Defense in Depth strategy cannot fall squarely on the IT department. A commitment to improved cybersecurity hygiene has to start from the top, with board and C-level executives making cybersecurity a priority and actively engaging with IT to better understand what’s being done today and where improvements should be made. When leadership and IT partner to improve your company’s security posture, executives can trust IT to make smart and needed security investments and, in turn, IT can trust that leadership will support it.
While adopting a Defense in Depth approach to your infrastructure is not a turnkey solution, it is the best way to protect your most valuable data and your customers’ sensitive information. By isolating your financial services infrastructure from your IT environment, you get the ultimate defense for a more secure network.