4 Essential Layers of ICS Security
18 June 2019
Dean Ferrando, Lead Systems Engineer (EMEA) at Tripwire, offers four foundational principles of cyber security which may sound almost too obvious, but are the groundwork on which any other security measure should be built on.
Some organizations spend lots of time focusing on physical security, especially those with industrial control systems (ICS). Others are small organizations worried about their personal data being stolen. And then there’s everything in between the two.
While the end security goal is usually the same for each entity, problems of understanding often arise in security conversations that boil down to differences in industry-specific language phrasing.
A good example of that would be someone from the ICS world referring to their log management solution as the historian, whereas someone in the commercial vertical knows it as a SIEM. Fundamentally, they do the same thing in gathering up all the activity or log data from devices to be forensically stored and analyzed at a later date.
One of the best ways to overcome this is using analogies in security conversations when the need arises. Below are four examples that all ICS organizations should maintain or at least adhere to (at a minimum).
Also of interest: A guide to DNS Search Suffix Wi-Fi attacks
1. Asset Management
Asset management refers to the consistent management or awareness of devices within an organization—whether that means software, PCs, or hardware devices such as a PLC on an ICS plant floor. Any device or entity found within an organization could be considered a threat, and not knowing what you have is almost as bad (or even worse) than leaving it unsecured.
Now this synopsis could be taken as absurd, but organizations can even be attacked by devices like vending machines placed on the office floor. As vending machines have network capabilities, they can be accessed. They can then be used to get onto the corporate network and, fortunately, can be also detected via an organization’s security tools.
Common analogy: Imagine a stranger on the street walks up to you and states that he is planning to or has already broken into your house and has or will take your favorite item and then walks away.
So, the first thing you do when you get home is to do is an asset assessment. Where are your weak points like windows and doors? You then check that they are all secured. But it’s probably too late.
Takeaway: Make sure every device that could potentially be compromised and used as a means of accessing sensitive information is inventoried and maintained.
Also of interest: What can we learn from the WhatsApp breach?
2. Network Segmentation
Network Segmentation is critical to good security hygiene as it segregates internal networks from each other. If someone were to gain access to your network, network segmentation could prevent movement to more critical parts of your network, thereby limiting the damage they could cause.
Now, the benefits of this control seem obvious but you will be amazed at how many organizations still have a ‘flat’ network, or one with no segmentation. As more and more IoT devices are being put online or being made available to remote access, this is now a big-ticket item that needs to be addressed.
Common analogy: Imagine your family comes over to visit during the winter holidays, and during their visit, they ask you for your local Wi-Fi password. Now, let’s assume you work from home and are using a flat network for all your devices, including your work laptop. The fact that your family members phone has automatically saved your Wi-Fi credentials means that a sophisticated attacker could compromise their phone and move laterally across your network to your corporate laptop/network.
Takeaway: Segment as many devices as possible. Understandably, segmenting networks and placing firewalls in could be an expensive effort; however, not doing so could cost more in the long run.
Also of interest: Unprotected Tech Data server leaked PII and financial data of customers
3. Vulnerability Assessment
Vulnerability assessment is often referred to in the same sentence as patch management, and there is a correlation. However, it is a standalone area of security that should be better understood.
Vulnerability assessment provides an understanding of where vulnerabilities lie in your environment. Having visibility on where your potential weak points are within your estate is critical to not only closing out potential attacks but also to maintaining operational effectiveness.
Understanding what’s on your network and which of those devices and software applications expose you to vulnerability risk is a critical, foundational practice for reducing cyber security risk.
Common analogy: You are a security guard with orders to lock down an office block after a workday. When you look up at the windows, you should hopefully be able to see most of the windows have been closed by the employees when they left for the day. However, you see that there are a few still left open. Consider this assessment the equivalent of a vulnerability assessment scan: You have scanned your perimeter and have determined that you have a few potential risks that could be exploited.
Takeaway: Vulnerability assessment is a foundational process for reducing cyber security risks in any organization. However, the way in which you conduct that assessment matters. The bare minimum may check a compliance requirement, but appropriate vulnerability assessment tools and processes are required if you’re going to practically and effectively reduce risk.
Also of interest: How can CISOs be better leaders?
4. Continuous *Integrity* Monitoring
People often don’t know where to start when it comes to security and are usually directed to frameworks that can assist, such as the Center for Internet Security that provides a great place to start.
Asset discovery is the first critical security control on their list of 20. Within the ICS industry, you can see frameworks such as IEC62443 point to the importance of asset discovery. These frameworks provide a good roadmap for those looking for cybersecurity guidance. When implementing various controls, it’s important to understand how these controls work together.
Log management is a critical security control that gives you visibility into activity in your environment. Paired with the additional functionality of continuous monitoring, particularly integrity monitoring, provides a much clearer picture of what’s happening on your network and can alert you when concerning activity (bad changes) happens in your environment.
Most of the hacks or threats that have been reported on have been based on a hacker being in an organization’s network for months if not years, making changes and moving through the network until they find the crown jewels.
Common analogy: Imagine you own a candy shop. One day, a school bus stops by and all the kids descend on the shop in one large group. When the kids have all left, you notice that a jar of sweets has gone half empty, and you don’t recall selling a single item that day. You go through your receipts (the equivalent of going through logs), confirming no sales. Receipts don’t tell you what actually happened.
If you had a security camera, you would see who pilfered from the jar and how much they took. And if you had someone monitoring the CCTV footage in real-time (continuous monitoring), you can catch the culprit before they get away with your candies.
Takeaway: Keeping records of activity is good, but continuous monitoring will alert you to issues as they happen so you can prevent or mitigate the damage.
These security practices are absolutely essential to an effective cyber security strategy. It can be tempting to tackle these at different times, but the value of each control is really when change management, vulnerability assessment, log management and network segmentation are working together.