MITRE ATT&CK, method and ideas for OT Cybersecurity Assessment

Reading time: 6 minutes - Difficulty: advanced

The OT Cybersecurity Assessment stage provides essential support to the end user, or to a system integrator, in applying the best practices of IEC 62443. In this article we examine the MITRE ATT&CK method as a basis for the detailed risk analysis required by IEC 62443, which is particularly useful when designing new systems, and how some of Fortinet’s most innovative solutions fit that purpose.

ABC of the Cybersecurity Risk Assessment

When we talk about the OT Cybersecurity Assessment, we are talking about the step of implementing and adapting the management system and countermeasures based on the actual risk of attack on industrial systems.

In a previous article, we discussed the OT Cybersecurity Assessment as presented in the IEC 62443 best practices.

We know that the “High Level” risk analysis is followed by a more thorough detailed step, namely a Detailed Risk Assessment.


The detailed risk analysis, which is the responsibility of the end user – assisted by the system integrator – focuses specifically on the vulnerabilities found in the system.

If the system already exists and is in operation, and consists of defined and known components, the vulnerability analysis can be performed in the traditional way: through active/passive scans and analysis of the system’s networks.

But when the system is still at the concept stage (the device models are not yet fully identified), we need an alternative way to perform the vulnerability analysis.

There are methods that are not based on a specific product – that is, on published CVEs, as is the case with existing systems – but on more theoretical, high‑level concepts closer to threat modeling.


So, how do you actually set up a risk and vulnerability analysis for a developing system?

The MITRE ATT&CK method is of great help in this regard.


The MITRE ATT&CK method

MITRE ATT&CK is a framework developed by the MITRE Corporation from real-world observation of attacks analyzed over time, and it helps classify cyber attacks and intrusions. The method combines three components:

  • Tactics represent the “why”: the reason for performing an action. For example, an attacker may want to achieve credential access
  • Techniques represent the “how”, e.g., the attacker may dump credentials to achieve credential access
  • Lastly, mitigations represent the technologies that can be used to prevent tactics and techniques, as shown in the following table

[Image: MITRE ATT&CK matrix]

This means that multiple mitigations are linked to each technique, and vice versa.
The MITRE ATT&CK gives us a list of possible mitigations, broken down by attack technique and device type.


To name a few, MITRE suggests best practices about:

  • Access Management
  • Active Directory Configuration
  • Antivirus and Antimalware
  • Data backup
  • Data loss prevention
  • Encrypt network traffic


Some examples:

[Image: examples of MITRE ATT&CK mitigations]


A case where the MITRE ATT&CK is used

Let us take it step by step: first, risk analysis can be performed by assessing the risk scenario for a specific type of device, and taking into account the applicable techniques as part of the overall system architecture:
[Image: example target attack scenario]
[Image: example OT infrastructure]

Thus, to mitigate such a risk scenario, the method suggests this range of solutions:

[Image: mitigation solutions suggested by MITRE ATT&CK]

The number of mitigations actually undertaken, and the level at which each measure is implemented in the project (Application Level), determine how far the initial risk has been reduced, on the assumption that the combination of all the planned measures lowers the risk as much as possible.

Lastly, comparing the residual risk with the tolerable risk shows the level of mitigation still needed, or whether that combination of measures is already enough to make the risk tolerable.
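As an added example (not part of the original article, and not real ATT&CK data), the following Python sketch models the reasoning of the last few paragraphs: a many-to-many mapping between techniques and mitigations for one device type, an Application Level per mitigation, and the resulting residual risk compared with a tolerable risk. All technique and mitigation IDs, effect values, scores and levels are constructed placeholders.

```python
"""Added example, not from the article and not real ATT&CK data: a toy model
of the risk-reduction step. Technique and mitigation IDs, effects, scores
and levels are all constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mitigation:
    mid: str
    name: str
    effect: float  # fraction of a technique's likelihood removed at full application


@dataclass
class Technique:
    tid: str
    name: str
    likelihood: float  # 0..1, unmitigated chance the technique succeeds
    impact: int        # 1..5 consequence score for this device type
    mitigations: list[str] = field(default_factory=list)


MAX_LEVEL = 3  # Application Level scale: 0 = not applied ... 3 = fully applied

# Constructed catalogue (placeholder IDs, not ATT&CK entries)
MITIGATIONS = {
    "M-MFA": Mitigation("M-MFA", "Multi-factor authentication", 0.7),
    "M-SEG": Mitigation("M-SEG", "Network segmentation", 0.5),
    "M-MON": Mitigation("M-MON", "Session activity monitoring", 0.4),
    "M-PRIV": Mitigation("M-PRIV", "Least privilege, time-boxed access", 0.5),
}

# Constructed risk scenario for one device type; each technique is linked to
# several mitigations and each mitigation to several techniques.
DEVICE_SCENARIO = [
    Technique("T-REMOTE", "Abuse of valid remote accounts", 0.8, 4, ["M-MFA", "M-MON", "M-PRIV"]),
    Technique("T-LATERAL", "Lateral movement to controllers", 0.6, 5, ["M-SEG", "M-PRIV"]),
]


def residual_likelihood(t: Technique, levels: dict[str, int]) -> float:
    """Apply every mitigation linked to the technique, scaled by its
    Application Level. Reductions multiply, so overlapping measures are not
    double-counted and a level-0 measure changes nothing."""
    remaining = t.likelihood
    for mid in t.mitigations:
        scaled = MITIGATIONS[mid].effect * levels.get(mid, 0) / MAX_LEVEL
        remaining *= 1 - scaled
    return remaining


def assess(scenario, levels, tolerable):
    """Initial vs residual risk (likelihood x impact) per technique, and
    whether the residual risk is within the tolerable risk."""
    result = {}
    for t in scenario:
        initial = t.likelihood * t.impact
        residual = residual_likelihood(t, levels) * t.impact
        result[t.tid] = {
            "initial": round(initial, 2),
            "residual": round(residual, 2),
            "tolerable": residual <= tolerable,
        }
    return result


def mitigation_coverage(scenario):
    """Invert the mapping: which techniques each mitigation addresses."""
    coverage = {}
    for t in scenario:
        for mid in t.mitigations:
            coverage.setdefault(mid, []).append(t.tid)
    return coverage


# Planned Application Levels for the project (constructed)
PLANNED_LEVELS = {"M-MFA": 3, "M-MON": 1, "M-PRIV": 2, "M-SEG": 0}
TOLERABLE_RISK = 1.0


def run_example():
    return assess(DEVICE_SCENARIO, PLANNED_LEVELS, TOLERABLE_RISK)


if __name__ == "__main__":
    for tid, r in run_example().items():
        print(tid, r)
```

With the planned levels above, the remote-account scenario drops below the tolerable threshold, while the lateral-movement scenario stays above it because segmentation was planned at level 0; raising that level is exactly the adjustment the final comparison step would call for.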

 

For completeness, the full risk analysis table:

[Image: risk analysis with MITRE ATT&CK]

Here is a specific case of suggested mitigation: access management

In the current OT security environment, ensuring secure local and remote access to resources is crucial for business continuity. As one might expect, such access can carry significant risk, given the threats present online.

To protect sensitive data, it is highly effective, in line with the MITRE ATT&CK framework, to adopt a remote access management solution such as FortiPAM (Privileged Access Management), Fortinet’s flagship proposal described below, which provides account-based access management, control and monitoring of processes and mission-critical systems with high privileges across the entire OT environment, and to implement ZTNA (Zero-Trust Network Access) controls or IPsec connections.


The key steps to ensure secure access management are:

  • Authentication and Authorization (MITRE ATT&CK Mitigation: Multi-factor Authentication and Authorization – ID: M0804, M0932)

FortiPAM, for example, offers strong authentication and authorization for users who need access to the network infrastructure, predefined remote connections based on local or web applications that are easily configured and customized, and integration with two-factor authentication solutions to strengthen credential security. This approach reduces the risk of password compromise and unauthorized access, helping to mitigate the attack.


  • Session monitoring and anomaly detection (MITRE ATT&CK Mitigation: Session Activity Monitoring – ID: M0918)

Configuring FortiPAM for active monitoring of remote sessions in the industrial environment is of paramount importance. By analyzing session activity through screen recording and command logs, unusual or potentially malicious behavior, such as the use of unusual commands or access to unauthorized resources, can be detected. This practice, along with other solutions in the Security Fabric ecosystem such as the FortiGATE Next Generation Firewall, helps identify and promptly disrupt suspicious activity and prevent further stages of the attack.


  • Limitation of Privileges (MITRE ATT&CK Mitigation: Secure Administrative Channel – ID: M0918)

A key element in mitigating threats is to establish a privilege model for every network user. Again, through FortiPAM, strict access rules can be defined, granting users only the privileges they need to perform their activities in dedicated windows of time.


  • Logging and Auditing of Activities (MITRE ATT&CK Mitigation: Audit and Accountability – ID: M0801, M0804)

Remote access activities should be carefully recorded and regularly audited in OT infrastructures. FortiPAM also stores detailed user activity reports, thereby simplifying monitoring and analysis in case of incidents. These records are essential for detecting suspicious activities and conducting investigations of breaches.
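As an added example (not from the article, and not Fortinet or FortiPAM code), the following Python checker implements the four steps above over a constructed access request and session command log: MFA is required, each role is restricted to specific hosts inside a dedicated time window (least privilege), session commands are compared against an allowlist so that unusual commands are flagged, and every decision produces an audit record. The request format, role, hosts and commands are all assumptions made for the example.

```python
"""Added example, not from the article and not FortiPAM code: a minimal
policy checker for the four access-management steps. Request format,
roles, hosts and commands are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRule:
    allowed_hosts: frozenset[str]
    window: tuple[time, time]         # dedicated time window, local time
    allowed_commands: frozenset[str]  # first word of each permitted command


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    host: str
    mfa_verified: bool
    when: datetime


# Constructed rule: maintenance engineers may reach two PLC gateways during
# the day shift and may only run read-type commands.
RULES = {
    "maintenance": AccessRule(
        allowed_hosts=frozenset({"plc-gw-01", "plc-gw-02"}),
        window=(time(7, 0), time(19, 0)),
        allowed_commands=frozenset({"show", "status", "read-tags", "export-log"}),
    )
}

# Constructed requests used by run_example() and the tests
REQ_OK = AccessRequest("alice", "maintenance", "plc-gw-01", True, datetime(2024, 5, 6, 10, 30))
REQ_NO_MFA = AccessRequest("bob", "maintenance", "plc-gw-01", False, datetime(2024, 5, 6, 10, 30))
REQ_AFTER_HOURS = AccessRequest("alice", "maintenance", "plc-gw-02", True, datetime(2024, 5, 6, 23, 15))
REQ_WRONG_HOST = AccessRequest("alice", "maintenance", "hmi-07", True, datetime(2024, 5, 6, 10, 30))

# Constructed command log of one remote session
SESSION_COMMANDS = [
    "show version",
    "read-tags line-3",
    "write-tags line-3 setpoint=95",  # not in the allowlist: should be flagged
    "export-log",
]


def authorize(req: AccessRequest, rules=RULES) -> tuple[bool, str]:
    """Steps 1 and 3: MFA must have succeeded, and the role must permit this
    host inside its dedicated time window (least privilege)."""
    if not req.mfa_verified:
        return False, "mfa-required"
    rule = rules.get(req.role)
    if rule is None:
        return False, "unknown-role"
    if req.host not in rule.allowed_hosts:
        return False, "host-not-in-scope"
    start, end = rule.window
    if not start <= req.when.time() <= end:
        return False, "outside-time-window"
    return True, "ok"


def monitor_session(role: str, commands: list[str], rules=RULES) -> list[str]:
    """Step 2: return the commands whose verb is outside the role's allowlist,
    the signal a session monitor would raise for unusual commands."""
    allowed = rules[role].allowed_commands
    return [c for c in commands if c.split()[0] not in allowed]


def audit_record(req: AccessRequest, decision: tuple[bool, str], flagged: list[str]) -> dict:
    """Step 4: one record per access decision, kept for later review."""
    return {
        "ts": req.when.isoformat(),
        "user": req.user,
        "role": req.role,
        "host": req.host,
        "granted": decision[0],
        "reason": decision[1],
        "flagged_commands": list(flagged),
    }


def run_example() -> dict:
    decision = authorize(REQ_OK)
    flagged = monitor_session(REQ_OK.role, SESSION_COMMANDS) if decision[0] else []
    return audit_record(REQ_OK, decision, flagged)


if __name__ == "__main__":
    print(run_example())
```

The checker denies before it inspects anything else when MFA is missing, so a stolen password alone never reaches the host or time-window checks; the flagged write command in the session log is the kind of event that the monitoring step would surface for follow-up, and the audit record ties the decision, the reason and the flagged commands to one user and timestamp.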


Fortinet’s access management solutions

As mentioned above, Fortinet’s access management solutions offer advanced security and controls for industrial network infrastructures. Implementing converged solutions with dedicated OT systems, such as, among others, the FortiGATE Next-Generation Firewall, FortiPAM (discussed in depth above), FortiNAC for access monitoring and control, FortiAuthenticator for multi-factor authentication and FortiToken for OTP authentication code generation, and following the MITRE ATT&CK framework mitigations, enables companies to significantly reduce the risk of compromising sensitive production data and operational assets.

Fortinet has been globally recognized by Westlands Advisory analysts as a leader for IT/OT convergence with its Security Fabric platform, and with the strongest focus on the OT world with cutting-edge solutions to secure operational networks.


Fortinet’s hardware and software solutions provide the following advantages:

  • Adaptation to needs: devices developed specifically for industrial infrastructures, offering security without compromising operational efficiency
  • Full visibility: monitors network traffic and user activity to quickly detect abnormal behavior
  • Application control: precise control of applications, thereby reducing risks
  • Advanced defense: with dedicated OT and IoT security services on the FortiGuard platform, such as the Industrial Security Service for Intrusion Prevention (IPS), Application Control and Virtual Patching, sophisticated threats can be detected and mitigated without disruption
  • Compliance: Meets the latest critical infrastructure security regulations and standards


Integrating strong authentication systems, proactive monitoring, and targeted access rules enables threat mitigation and creates a safe and secure operating environment.

To conclude, the MITRE ATT&CK framework gave us the right ideas and, moving on to practice, we found Fortinet’s proposals to be among the most developed mitigation solutions on the market.
