ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat

Posted on September 26, 2018
ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat

As we have talked about in prior blogs, industrial cybersecurity is a journey. This is a journey that is never-ending, as control system technology advancements are adopting information technology (IT) and cloud-based solutions at a faster rate than ever before. At the same time, the threat landscape of malicious activity is constantly evolving. We now have malware like Industroyer that can communicate with industrial protocols and threats like Triton that are capable of targeting Safety Instrumented Systems (SIS). What’s to be done in response to these threats? In other words…

What is your strategy?

Do you have an industrial cybersecurity strategy, or are you just rolling the dice? It’s important to define what the overall goal should be for an organization’s industrial cybersecurity strategy. At the end of the day, the strategy needs to outline people, process and technology solutions that can help mitigate, lessen the impact of and/or help prevent industrial cybersecurity incidents, events which may affect one’s ability to view, monitor and control the industrial process. As we defined a cyber event in one of my prior blogs earlier, these events can come from human error, equipment failure or malicious behavior.

How do you get started on this journey?

The following blogs from other Belden brands have succinctly addressed the following question “how do I get started?” Have a look: ICS Security: 3 Ways to Get Started and Getting Started on ICS and SCADA Security. Both of the above understand cybersecurity risk assessments as a good first step. While this is a great recommendation, there are things you can proactively do in parallel to get started on this journey.

Control what you can control

While it may seem that securing an industrial control system is a daunting task, there are some fundamentals that you can begin right now. These fundamentals are core to regulatory guidelines and industry best practices like IEC 62443, NIST SP – 800-82 and NERC CIP. Even if your organization has not chosen a standard to adopt, you can start with these fundamental goalposts: gain visibility, implement protective controls and perform continuous monitoring.

Gain Visibility

Take the guessing game out of the equation. When you know what is on your control network, you can manage communication patterns, network topology variations, configuration changes, vulnerability context and other environmental elements by fact.

  1. Understand and document all network communication between the industrial control network and the corporate enterprise IT network.
  2. Understand and document all remote access into the industrial control network, i.e. vendor access with dial-up modems, VPN and cellular connectivity.
  3. Create and update asset inventory information for both hardware and software.
  4. Create and maintain a network topology diagram.
  5. Understand what industrial protocols are communicating and between what assets, such as HMIs to PLCs.
  6. Understand how assets and devices are configured and if those configurations are changing.
  7. Identify what vulnerabilities (weaknesses) are present in the environment.

Implement Protective Controls

Protective controls are controls that help prevent or lessen the impact of cyber events. These controls can be implemented as a parallel or serial work stream to the Gain Visibility stage. For example, ensuring network segmentation between the corporate enterprise IT network and the industrial control network is a great first step. Network segmentation is a practice by which all network communication is denied unless explicitly permitted through the use of firewalls or access control lists on networking devices. Another protective control is system/device hardening where 1) all services are disabled that are not explicitly needed to run the industrial process, i.e. disable insecure protocols like telnet which does not encrypt traffic; 2) cyber security features such as logging, SSH, SNMPv3 and other features are enabled; and 3) the device/system is checked for proper configurations, i.e. change default passwords. Other fundamental protective controls include:

  1. Network segmentation a) Between production cells b) Between key mission critical systems/devices such as PLC’s and RTU’s.
  2. System and device hardening a) Per an industrial standard or best practice like IEC62443 or NIST SP 800-82 b) Include devices like HMI’s, PLC’s, Engineering workstations, Historians, and industrial networking devices.
  3. Centralize all remote access with strong authentication a) Create a DMZ for all of these connections b) Implement multi-factor authentication for users. Multi-factor is a two-step authentication process by having something you know, like a password, and something that you don’t, like a token.

Continuous Monitoring

The next stage is to implement continuous monitoring. Just like you have a SCADA to help optimize and control your industrial process, you need a “SCADA”-like cybersecurity solution to help optimize and control visibility to industrial cybersecurity events and ensure the protective controls you have implemented are operating correctly. This is not a one-and-done activity. This needs to be performed continuously. Industrial cybersecurity “SCADA” monitoring helps answers the “how do you know” questions. These are as follows:

  1. How do I know if my device/asset configurations are changing, and do those changes put the device in an insecure state?
  2. How do I know if my operational baselines (the configuration of a device or system that is specific to the environment it is running in) are changing?
  3. How do I know if one of my devices is on the brink of a failure?
  4. How do I know if a rogue asset or protocol is now present on my control network?
  5. How do I know if my vulnerability profile has changed?

If you are able to answer these “how do I know” questions, you will be able to keep your industrial process running, which at the end of the day is the most important thing. Know your network. If you don’t, someone else with a different motive will. You do not get to make the decision on whether you are a target for either an external or internal malicious intent. Do not roll the dice. Come up with a strategy that is driven from executive management. Tone at the top is very important. Our control networks are defensible. The time is now to start with visibility, protective controls and continuous monitoring. Cybersecurity can be an enabler to the key performance indicators of the industrial process: safety, productivity, and quality.

tripwire_ics_is_essential.png

Level up your industrial control systems expertise today by getting a copy of "Industrial Cybersecurity is Essential." By downloading this piece you will:

  • Learn why industrial control systems are about much more than hackers and attacks
  • Read a case study examining how a recent industrial incident was identified and resolved at a U.S. water utility
  • Understand how Tripwire products can monitor logs, correlate events, integrate with identity management systems, and more
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!