3 Steps to Protect Federal Laboratories from Cyber Attacks

Federal laboratories – like those operated by the FDA, CDC, NIH, and other federal agencies – contain more connected devices than ever before. These devices that you use to transport, handle, test, and analyze your materials, regardless of their sensitivity level, can be often overlooked as part of your CPS security strategy. One weakness or vulnerable point in the lab’s network can allow for a cyber incident that could impact the integrity of the lab, the safety of staff members, and security of national interests. 

Gain a better understanding of the top challenges and considerations when protecting your laboratory and the six foundational steps to secure these devices.

Protecting the Federal Laboratory Environment: Key Considerations

As federal laboratories are filled with myriad materials - biological and radioactive materials, infectious agents, chemicals of interest, dual-use and other sensitive substances - they can likely be targets of interest by adversaries, are very sensitive to even minimum environmental changes, or otherwise present a risk.  To protect the lab environment, there are 3 key areas of priority in the context of cyber-physical security: 

• Cyber physical assets handling lab substances: Any action taken to secure the laboratory environment must be taken with a full understanding of what must be secured within it. This includes OT and IoT or IoLT devices. Identifying every device in the lab, down to the lowest level of insight - such as the model of an I/O card in a device, for example - is key to applying the right security or compensating controls. Using security capabilities purpose-built for OT and IoT and these networks is the first step.

  • Unmanaged assets: Unmanaged assets can pose a risk if they are not appropriately identified, as their security has likely not been maintained, leaving exposure or a blind spot in the lab’s attack surface. 

  • End of Life assets: Assets that are end of life (EoL) must be identified so that appropriate compensating controls can be determined and applied. 

• Physical security: If your lab is a lucrative target of interest, physical security is likely already top of mind for your physical security team. Physical security devices - from cameras to intercoms - are suffering from vulnerabilities just like their OT counterparts. Those responsible for laboratory cyber physical security should be aware of the lab’s overall physical security status, and be working with their physical security counterparts to ensure this element of the lab’s security is addressed.   

• Facilities or Building Management Systems (BMS) security: Securing the controls responsible for maintaining the temperature, pressure, and humidity of the lab and its substances is the third area of focus to ensure the lab and its substances remain secure. 

3 Key Steps to Secure Federal Laboratories

1. Gain detailed asset visibility

To appropriately protect the assets in your lab, you must be able to have a rich asset profile for each of them. This is why BOD 23-01, M 24-04, BOD 18-02 and CDM have all called for asset discovery and greater ongoing asset visibility. Lacking this level of detail can lead to at least 2 problems: 1) insecure devices and 2) false positives. 

To address the federal BODs and other directives calling for an asset inventory, the task may seem overwhelming. One of the misperceptions is that you need SPAN or TAP functionality, need to upgrade your switches to get it, and that you otherwise cannot get the visibility that you need. The reality is that the right OT security platform will be flexible and enable your choice from among multiple discovery methods that can work best in your environment. 

Claroty offers the choice of five different discovery options to profile assets, including the industry’s first “zero infrastructure” collection capability, Edge. And the profiling is some of the most detailed in the industry, enabling you to see the asset’s vendor, model, firmware, OS version, and protocol. See the image below for an example showing down to individual slot-level serial numbers and firmware versions of a PLC in a plant. This method of asset discovery offers precision, which is critical when discerning what exposures exist and the right mitigation for them. 

A key next step in your asset visibility is then establishing exposure profiles - which go beyond known exploited vulnerabilities (KEV’s) for each asset. As early as 2021, EO 14028 called for the ability to “maximize … early detection of cybersecurity vulnerabilities and incidents on its networks.” Doing so enables security teams for each agency, lab or network to better understand their most relevant and critical exposures for immediate action. 

Starting with accurate and detailed asset visibility also means reducing false positives that can result from basing vulnerabilities and exposures on a more generalized categorization of the asset, rather than its specifics. The Claroty Platform goes deep into the details of the asset, such as the specific firmware version, as shown in the example above.  This enables the most appropriate compensating controls or other actions needed for the asset’s specific exposure. Additionally, using Known Exploited Vulnerabilities (KEV), rather than relying just on CVSS or EPSS, helps dial in the level of priority such vulnerabilities have to you. 

2. Establish network protection 

To establish network protection, in addition to the details of your assets, their communications or behavioral baseline must also be established. This baselining means understanding normal asset and protocol behavior - which devices talk to which devices, using what protocols, at what times to later identify anomalous conditions.

From the detailed asset profiles, The Platform identifies exposures impacting any asset be they end of life, subject of a Known Exploited Vulnerability (KEV), or other exposure. From there, the Platform automatically generates recommended compensating controls, segments the network into virtual zones based on characteristics such as function, manufacturer, and can provide other helpful considerations.  See below graphic for a simple example establishing baseline information.

With assets discovered and baselined, virtually segmented, and recommendations made, The Platform can help you establish continuous monitoring for threat and anomaly detection as part of your overall exposure management. 

3. Begin Threat Detection and Continuous Monitoring

From the detailed asset inventory and baselining, you will be able to monitor for threats and other anomalies such as misconfigurations or anomalous behaviors such as unusual behavior or communication patterns between devices. This continuous monitoring will help to keep your assets, network and environment secure and to help meet compliance with Federal directives and other requirements. See below for a snapshot of some of the information reported and available for more detailed analysis.

The Platform is able to swiftly identify issues and recommend immediate actions. You can also identify weak links, locate online devices and status and further investigate alerts as individual actions or as part of an interconnected story the security team can use for investigation. In addition to the benefits of this continuous monitoring for threat detection, by tracking and reporting on device utilization, The Platform also helps enhance operational efficiency.

Other Steps to Consider

While IT tools cannot provide the level of OT or broader CPS security needed for these unique environments, through Claroty’s open ecosystem and REST API, your security team can easily leverage policy engines, firewalls, SIEMs and other security tools to enforce what you are learning and enacting in your CPS network.

Claroty directly integrates with products from Cisco, Fortinet, Splunk and others to allow you to do just that when you are ready to do so. You can set the stage to align CPS with not only your IT security tools but your SOC processes and overall governance.

Take Action to Secure Federal Laboratories with Claroty

As the leader in CPS security, Claroty is able to help your Federal laboratory across stakeholders and the breadth of your cyber physical attack surface. By securing all aspects of the federal cyber physical footprint and infrastructure, Claroty helps each agency, lab, or other facility to meet compliance requirements of BOD 23-01, M 24-04, adhere to EO 14028 and other mandates, all while ensuring that every step of your cybersecurity journey is streamlined, connected, and protected. 

To see how your agency can benefit from these steps and take the security of your laboratory to the next level, talk to a member of our team or experience a demo of our platform in action.