Navigating Industrial Cybersecurity:

Know Your Terrain: Industrial Control System Basics

While OT and IT both need to protect their systems and data from compromise, OT cybersecurity professionals tend to approach their systems differently than traditional IT because they have varying priorities.

For example, ICS control engineers can be reticent to upgrade their equipment even when it would enhance their cybersecurity outlook. This is because their focus on maintaining constant uptime and measuring performance characteristics such as overall equipment effectiveness (OEE) rivals other priorities like making sure they are running the latest and greatest firmware. These three imperatives tend to dominate the OT cybersecurity conversation:

1. Safety - Cyberattacks or human errors in an ICS context can have real-world physical consequences. Whereas a customer data breach could cost a retail company millions in fines and damage their reputation, the physical safety of human beings isn’t a central factor. In industrial environments, however, safety is paramount. This includes the safety of the workers on the plant floor as well as the customers served by the output of a particular ICS. This could look like shipping uncontaminated ingredients from a food processing plant or delivering a functioning car airbag within a vehicle built in an automotive assembly plant.
2. Quality - In an industrial environment, consistency is everything. Regardless of your end product, any threat to its quality could be financially impactful. Cyber events that don’t risk the physical safety of workers or customers can still take a toll on industrial organizations in the form of lost product due to quality inconsistencies in the forms of recalls or scrap. The ability to detect and correct anomalies affecting quality is crucial to ICS process integrity
3. Uptime - Cyber events can financially impact industrial organizations in a number of ways, from the theft of intellectual property to a denial of service (DoS) attack that renders parts of the control system unusable for a period of time. To put the significance of uptime in perspective, the manufacturing industry sees annual losses of $50 billion due to unplanned downtime.

Many industrial devices are running older, highly-vulnerable versions of Windows that have not been hardened or patched. Operators often feel that they can’t take these systems down for routine maintenance to improve security because they are critical for the overall operation of the plant or service.

There’s also the concern that an upgrade/update might interrupt operations. In some cases, security vulnerability scans typical in IT environments are too disruptive to use in OT environments. In fact, many ICS environments may still have specialized industrial protocols and equipment that don’t use TCP/IP (the most common communication protocol for IT networks and security tools).

Even when organizations can overcome these obstacles, cybersecurity is a relatively new discipline for operations teams running an ICS environment, and they may choose to delay acting on security issues because of real concerns about safety, quality and uptime. While such concerns are understandable, cyberattacks against critical infrastructure are escalating.

Critical Infrastructure

Not every ICS supports its nation’s critical infrastructure, but many do. Critical infrastructure pretty much does what it says on the tin, meaning it keeps the world running by providing basic services like water treatment and electricity.

The U.S. Department of Homeland Security’s National Infrastructure Protection Plan3 breaks critical infrastructure into distinct sectors: “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

However, many ICS-based organizations aren’t serving as the backbone of public safety—but they nonetheless need to be secured. Common verticals include automotive manufacturing, power generation, transmission and distribution, oil and gas, pharmaceutical manufacturing and water/wastewater.

Critical Infrastructure Sectors

1. Chemical
2. Commercial facilities
3. Communications
4. Critical manufacturing
5. Dams
6. Defense industrial base
7. Emergency services
8. Energy
9. Financial services
10. Government facilities
11. Food & agriculture
12. Healthcare & public health
13. Information technology
14. Nuclear reactors, materials, & waste
15. Transportation systems
16. Water & wastewater systems

“In an increasingly interconnected world, where critical infrastructure crosses national borders and global supply chains, the potential impacts increase with these interdependencies and the ability of a diverse set of threats to exploit them.”

— U.S. Department of Homeland Security

The IT/OT Divide

Until recently, disparate network types like Ethernet and Fieldbus didn’t mix. ICSs are now increasingly enmeshed with IT devices and business processes, multiplying the risk of compromise to their command and control functions.

The need for IT/OT convergence also raises several questions for business unit owners: namely, whose responsibility is ICS cybersecurity—the plant floor operator or the IT security operations center (SOC)?

The answer, of course, is that the responsibility is shared. But many organizations lack the internal organizational structures to delegate and enforce roles and responsibilities across both sides of the business.

Once you define roles and responsibilities within your overarching IT/OT cybersecurity program, you can run into several technical hurdles in bringing these two sides together as well. This is due to the fact that legacy ICS equipment, now increasingly Ethernet-connected thanks to the IIoT, wasn’t made to handle data transmission in a secure manner. Here is the U.S. Department of Homeland Security’s2 breakdown of the differences between various security controls on the “shop floor” versus the “top floor.”

Differences in IT and OT Cybersecurity Challenges

The IT/OT Gap

Image

The Three Classes of ICS

Industrial organizations have options when it comes to automation equipment. For instance, some systems must be distributed to be able to manipulate instruments that are physically distant from one another. Others are localized, with oversight of multiple subsystems for a large number of control points managed within close proximity. Most ICSs run on one of the following types of systems:

1. Distributed control systems: Distributed control systems (DCS) manage and automate thousands of control points within a process. These are typically found in large localized facilities such as oil and gas refineries, chemical, pharmaceutical and power generation plants. DCSs are often made up of a number of different components, like controllers, I/O devices and servers.
2. Programmable logic controllers: A programmable logic controller (PLC) is a type of industrial computer that is the brains of the operation. It makes decisions through input received by sensors and then through logic programming, makes a decision of what to do, e.g., turn on a motor or release pressure. PLCs are found within any industrial automation process and can also be part of a larger system, such as a DCS.
3. Supervisory control and data acquisition: A supervisory control and data acquisition (SCADA) system centrally manages and monitors remote field devices that are often spread over thousands of square miles, and can control remote field devices to perform certain operations based upon specific alarm or notification conditions, such as opening a valve or closing a breaker. For geographically-dispersed control environments, like those of a natural gas pipeline or remote electrical substations, a SCADA system is used to control and manage these applications.

TIP: Regardless of what type of ICS you oversee, your cybersecurity best practices (like achieving and adhering to IEC 62443) are more or less constant. Ensuring the integrity of your industrial environment is largely a matter of asset discovery/inventory, management, and monitoring—those processes will just look different depending on the specific hardware and software within your ICS.

The Purdue Model

During the early days of IT/OT convergence, it was clear that a reference architecture needed to be created to articulate the specific roles and functions of the machines that control the physical processes as well as the other relevant ancillary devices and operations. In 1990, The Purdue Enterprise Reference Model was born to do just this. Today, it is simply referred to as the Purdue Model.

The Purdue Model has evolved over the years, but its purpose of classifying different domains of management for physical processes remains the same. Over its evolution, the Purdue Model has become the gold standard for network segmentation (this refers to segmenting networks supporting the different levels of the model through the use of firewalls, where all traffic is denied traversing the Purdue Model levels unless it’s explicitly permitted).

As more and more connectivity was occurring between the shop floor and business IT networks, the Purdue Model evolved to outline a new line of demarcation between industrial control networks and enterprise networks through the use of a demilitarized zone (DMZ). Today, the Purdue Model consists of seven levels, including the DMZ at Level 3.5.

Levels of the Purdue Model

• Level 0 - I/O Field devices
• Level 1 -  Control: PLCs and RTUs
• Level 2 - Process: HMIs, operator stations and supervisory control
• Level 3 -  Operations: Historians, network services and advanced control
• Level 3.5 - DMZ
• Level 4 - Business network
• Level 5 - Enterprise IT

Industrial-specific equipment and devices are found as you get closer to the physical process at Level 0. As such, Level 0 and Level 1 are where devices such as sensors, actuators, drives, PLCs and DCSs reside. As you get further from Level 0 and Level 1, more standardized, traditional IT systems (such as engineering workstations, human-machine interfaces (HMIs), data historians, and SCADA) will be found—all of which are running on common operating systems, such as Linux and Microsoft Windows.

As automation systems continue to evolve, the different levels of the Purdue Model will still be needed, but they will probably not look as physically identifiable as they are today. The future of automation systems will be on the same trajectory as IT systems that will eventually be abstracted from physical qualities through the use of virtualization, service-driven networking, application containers and cloud environments.

As cybersecurity solutions were first created, they set out to address one— if not the greatest—challenge for industrial cybersecurity: the inability to secure something that is unknown or invisible. These solutions did not gain much credibility until they were able to identify devices that operate at Level 0 and 1 of the Purdue Model, as devices at these levels communicate not with traditional IT protocols, but with industrial protocols such as Ethernet/IP, Modbus and Profinet.

Why Some ICSs are Stuck in the Past

Cybersecurity was not even close to being on the radar when modern-day ICSs were initially developed over 30 years ago. In addition to IT/OT convergence, there are a few other challenges industrial organizations face if they want to enact the cybersecurity programs they’ll need in order to stay protected from errors and attacks.

The shift to new network technologies improves data collection, new levels of automation, operational efficiencies and time-to-market, but it also produces new cybersecurity risks due to factors:

• Unintegrated technologies: Many ICSs are purpose-built and proprietary, and were created when cybersecurity impacts were not a concern.
• Flat networks: Many ICS networks are flat, meaning each device has access to the rest. In a flat, non-segmented network architecture, a malware attack against one device gives the malware free reign to propagate through the control environment with impunity.
• Workforce challenges: Through the combination of an aging workforce and more and more IT technologies being adopted within ICS at a faster rate than ever, a skills gap for securing ICS has emerged. With an estimated 3.5 million unfilled cybersecurity jobs by 20214 , the skills gap is another challenge to overcome.

TIP: To bridge the IT/OT divide, a recommendation for industrial organizations would be to create an ADX role (ADX stands for automation and data exchange). The primary function of this role is to interface with both IT and OT control engineers to ensure the operational process functions and the data about the process is exchanged with IT to drive business decisions.

“In the next 5–10 years, industrial systems are going to become increasingly connected to the internet as the IoT becomes more and more essential to industrial operations, and as those systems are also hooked into 5G cellular networks—which are promising much lower communication delays between devices. IoT device security is usually terribly weak right out of the box, so this will be a serious challenge for industrial systems to manage when IoT devices are deployed at scale.”

— Justin Sherman, Cybersecurity Policy Fellow, New America

Key Terms & Definitions

Let’s go over some of the language commonly used in the industrial cybersecurity field that you’ll want a basic understanding of as you continue reading.

Best Practices for ICS Decision-Makers

Once you understand the industrial cyber threat landscape and the frameworks you can use to secure your ICS against cyber events and breaches, you’re ready to take action using proven methods leveraging a Defense in Depth strategy with foundational controls.

Defense in Depth

Defense in Depth is a concept borrowed from medieval European castles, where multiple levels of defense were used to defend the castle from adversaries. Such layers included the moat, bridges, gates, inner and outer walls armed with cannons and soldiers, and tower keeps.

The same strategy can be used to secure your networks. It’s a layered strategy to defend networks where multiple levels would need to be breached before a cyberattack could reach its full damage potential. This strategy makes it more difficult to achieve the desired end goal, and also adds the capability of detecting and preventing the spread of an attack based upon the layered defense approach. Built-in redundancies are put in place in order detect and then stop intruders from laterally moving from one part of your ICS to another or lingering on your network undetected.

What does Defense in Depth look like in an ICS context? Imagine this: Your cloud network feeds through edge network firewalls, which lead to your plants, substations or field facilities. Your plants and field facilities then connect to another deep packet inspection device firewall, which leads to your final PLCs. That’s one example of network segmentation, a concept we’ll continue to explore in this chapter, achieved through Defense in Depth; the attacker would need to overcome several layers of security controls in order to carry out their goals.

Elements of a Defense in Depth Strategy

“Defense in Depth as a concept originated in military strategy to provide barriers to impede the progress of intruders from attaining their goals while monitoring their progress and developing and implementing responses to the incident in order to repel them. In the cybersecurity paradigm, defense in depth correlates to detective and protective measures designed to impede the progress of a cyber intruder while enabling an organization to detect and respond to the intrusion with the goal of reducing and mitigating the consequences of a breach.”

—U.S. Department of Homeland Security

Foundational Controls: The Best Friend of ICS

Previously, you may have noticed a common theme among the industry-recognized frameworks provided by organizations such as IEC, NIST and CIS. Following these frameworks takes the guesswork out of what can be referred to as “foundational controls.”

What are Foundational Controls?

Foundational controls are the basic cybersecurity practices—such as network segmentation, vulnerability management, configuration management, and change control—that serve as the core of a successful cybersecurity program.

After you have the basic controls firmly in place, you can move on to the more advanced security ones. To eliminate the most risk and get the biggest bang for your security buck, you first need to make sure foundational controls are implemented and the supporting processes around them are being followed.

The Pyramid of Foundational Controls

Image

The Five Foundational Controls You Need to Know

These foundational controls are the ICS cybersecurity best practices on which you should build your industrial cybersecurity program. These controls are called out by all the industrial cybersecurity frameworks listed above.

1 - Hardware & Software Inventory

It goes without saying, but one of the most basic steps to securing any environment is knowing what’s in it. How can you secure something unknown? If you don’t already have one, an accurate asset inventory, including both hardware and software, should be your first objective. Maintaining this inventory over time is critical for your cybersecurity program. The technology capabilities in your automation systems will continue to evolve—as well the threats targeted against them. This inventory is a cornerstone of your cybersecurity program so you can then effectively implement the other foundational controls for those assets.

One quick way to achieve a high-fidelity level of inventory is to use a tool that passively collects data on every connected device within your ICS. This same tool not only can tell you what’s on your network, but can also baseline normal network communication, inclusive of the industrial protocol, so you can determine if there are any deviations in the baseline and pinpoint changes from normal operations. It’s from this baseline monitoring you have a change control process, as you can start to watch for and manage changes in your process configuration.

For example, someone overseeing an oil refinery may know that their most sensitive asset is the system that maintains oil temperatures. A hacker enters an email server by way of an internet-connected device. How do they get from the email server to their target? The hacker needs to follow a path to their target from IT to OT using crackable, vulnerable devices as stepping stones. That’s why ICS operators need to have an accurate network map that details each device’s configuration and vulnerabilities. You can use that information to make sure there is a conduit in place to block the hacker’s path to your most sensitive zones and assets.

2 - Change Control

How do you maintain a high level of integrity over your industrial process if you don’t have a change management process? Your process should not only outline how to document, approve, test and deploy changes, but also map every change from a configuration of a firewall or switch to a new control program being uploaded to a PLC. A change management process will be most effective when it is enforced with a detective control that highlights all 29 changes—as all control engineers will know their activity is tracked against authorized work orders or change management requests.

Unauthorized configuration changes or authorized changes made to the wrong devices, whether accidental or intentional, can cripple plant operations systems. These scenarios create unplanned work to remediate outages and can cost a lot of money in production downtime or quality recalls.

Configuration changes can also affect the hardened configuration of a device against a framework like IEC 62443 that can leave it vulnerable to malware and malicious behavior that can quickly negatively impact your ICS. An example of this is the enabling of a USB port when the framework calls for all USB ports to be disabled. Understanding whether configuration changes impact the secure configuration state of a device is critical for reducing the attack surface for malicious behavior.

3 - Centralized Log Management

Log management solutions are synonymous with the way a data historian captures and replays process events and sensor measurements for industrial processes. Log management is the act of aggregating log information across all devices in your ICS into a centralized log repository.

These logs provide evidence about the ICS’ cybersecurity state and operation. Logs are produced from network devices (switches, routers, firewalls, etc.), operating systems such as Windows and Linux, applications such as SCADA and HMI, and controllers and DCS. Remote access solutions, VPNs and authentication systems such as Active Directory also provide log information.

This raw log data contains a wealth of information that tells how the system or device is operating, like providing an indication that a power supply has failed or highlighting cybersecurity events such as unsuccessful login attempts. It’s critical not to ignore this data, as it can be a form of predictive maintenance outlining situations that could create downtime and unplanned work.

4 - Vulnerability Management

Vulnerability Management (VM) is the process of understanding what publiclyknown vulnerabilities or weaknesses are present on your network, referred to as common vulnerabilities and exposures (CVEs). Most attacks from ransomware and malware are the result of unpatched CVEs that have been known and go unpatched or unremediated before the attacker strikes.

One challenge of implementing VM in OT environments is that most legacy ICS equipment can’t handle the interrogation of vulnerability checks from traditional VM scanning technologies. As you get closer to Levels 0 and 1 from 30 the business networks at Levels 4 and 5, there will be assets that are likely not suitable for active scanning techniques. Devices such as HMIs, data historians and engineering workstations in Levels 2, 3, and 3.5 (DMZ) are probably better candidates for active scanning as these devices are based on traditional IT technology.

As long as you know where they are, ICS assets will benefit from an in-depth vulnerability scan from a VM tool. VM tools score vulnerabilities based on risk in order to help you know which ones to remediate first.

5 - Network Zones & Segmentation

Network segmentation is achieved by dividing your network into zones that are organized by groups of systems that are serving a similar operational function and risk profile. A conduit creates the boundaries between zones, where all communication in and out of the zone is denied unless it is explicitly permitted through the use of firewalls or access control lists.

If one device, such as an HMI, gets compromised by ransomware, it can only affect other devices of similar function within the same zone, as the conduit would limit the spread of the ransomware by denying communication between zones. This is a key part of establishing your Defense in Depth strategy.

The IEC 62443 ICS security standard recommends the concept of network segmentation using the zones and conduits strategy.

Zone: A grouping of logical or physical assets that share common security requirements based on factors like criticality and consequence.

Conduit: Creates the boundaries of the zones and denies all communication in and out of the zone unless it’s permitted—effectively a network pathway between zones, in which applied controls can resist network-based attacks, shield other network systems, and protect the integrity and confidentiality of network traffic.

TIP: Focusing on monitoring and the configuration of conduits is typically far more cost-effective than having to upgrade every device or computer in a zone to meet a requirement.

Passive vs Active Scans & Agent vs Agentless Monitoring

Some areas of your network require passive scanning to avoid disrupting sensitive legacy systems. Passive scanning is the technique of listening to network traffic and fingerprinting devices as they’re found. This aids in 31 creating an asset inventory, determining communication patterns, mapping networks and detecting vulnerabilities.

On the other hand, active scanning or querying/polling can directly interact with a particular device to glean additional information. Using both active and passive techniques gives you the most robust data. However, there could be limitations with passive monitoring, e.g. network switches may not have the available port capacity to be the aggregator port for mirroring.

Another limitation could be performance capacity of the switch, as it may not have the processing power to perform mirroring as it requires additional processing overhead. Due diligence must be performed to make sure that the switch fabric can support mirroring to meet the needs of data collection for cybersecurity and asset inventory.

TIP: When actively querying a device, you should make sure your scanning solution speaks the asset’s native language (such as Modbus TCP or Ethernet/IP CIP). Otherwise, your scans run the risk of halting production by taking a device offline.

Beyond passive versus active scanning, you also need to understand when and when not to use agents for data collection. While agents provide rich information, as they are installed locally on the device, first make sure that your automation vendor allows for third-party agents to be installed on their HMIs or engineering workstations before attempting.

Agentless scanning also allows you to harvest data from devices—as long as you can get credentialed access. There are countless ways to harvest data agentlessly, so find a solution that provides the most flexibility through both OT and IT protocols. Your best bet is a strategic combination of agentless and agent-based scanning.

Think in Terms of Risk Management

Don’t be overwhelmed by the amount of work it will take to implement all five of these foundational controls in your network. Everyone needs to start somewhere, and that somewhere is generally starting with gaining visibility into what devices you have on your network and their communication patterns, vulnerability posture, configuration state and log information.

Standard Purdue Model Industrial Network Architecture

Image

TIP:
Levels 0–2: Passive scans, and active and passive agentless
precise protocol scans
Levels 3–5: Active agentless scans