From Good to Great – Building on ICS Security Basics
Most industrial organizations are behind the curve when it comes to cybersecurity, facing mounting complexities like the IIoT, the skills gap and the IT/OT divide. But what about industrial organizations that are already taking steps in the right direction and need to know what awaits them on the horizon? What practical next steps can your organization take to optimize your current ICS cybersecurity program? What new threats and trends are emerging that you can get in front of now in order to meet the future well-prepared?
These were the questions that a Tripwire sponsored webcast answered on November 12th, 2019. The webcast was moderated by Tripwire’s Tim Erlin and included Kristen Poulos, VP for Belden’s Industrial Cybersecurity; Matthew Luallen, executive inventor of CYBATI and certified instructor for the SANS Institute; and Joseph Blankenship, VP Research Director for Security and Risk at Forrester, as speakers.
The three panelists focused on four themes: visibility, network segmentation, defense and response, and responsibility and accountability. Here is their advice.
Visibility, the need to understand what is in your environment, is a critical topic not only for industrial cybersecurity but also for all IT security because it allows the organization to understand their environment and the assets attached to this environment. Focusing on the ICS environment, having visibility into your assets is crucial because many ICS assets can create threats and vulnerabilities to other assets within your organization. It is therefore important to understand the vulnerable nature of those assets to implement the appropriate security strategies and policies to mitigate these vulnerabilities.
In addition to asset discovery, visibility is important to understand the network traffic between your assets as well to be able to shut down any data flows that are not legitimate. How do you know if data is coming in or going out of your network? How do you know if there are external connections being set up for ease of use for employees, contractors or vendors? To be able to answer these “how do you know” questions, you need to be able to know your network.
Just like we monitor and measure quality characteristics of the output of our industrial processes (such as inventory, scrap, rework, physical dimensions, overall equipment effectiveness, accidents, etc.), we need to monitor and measure our environments for abnormal behavior—configuration changes, communication pattern changes, exploitation of vulnerabilities, new or unexpected network connections, etc. Doing so will help us recover from special causes that impact the operation of our process.
One challenge impacting the efficiency of visibility is the lack of knowledge by the IT personnel of what processes and protocols are required for the OT business to operate and function smoothly. The use of specific ICS devices is what differentiates ICS visibility from IT visibility. That is why it is important not only to identify your assets but also to be knowledgeable of the specific protocols that are required for the OT to function properly. Bridging the gap between IT and OT in terms of understanding both the ICS assets and the way they communicate is important to be able to defend yourself against adversaries seeking to exploit vulnerabilities in your ICS environment.
Network Architecture and Segmentation
Managing your ICS cybersecurity is not a one-time project. It is rather a program. Once you have identified your assets within your ICS environment, the next step is to develop your network architecture and segmentation. ICS environments are different from other IT environments because there aren’t any changes in the way they function nor are there any equipment turnovers. ICS environments are rather stable. What needs to change is the way their networks are structured. In the past, all devices were connected to “flat” networks, communicating directly to all parts of the industrial environment. This should not be the case any longer.
ICS assets need to be segmented. Once you have achieved visibility, you can start moving assets of similar functionality and business purpose together, thus creating zones of ICS assets. These zones are then easier protected individually. ISA/IEC 62443 standard proposes to segment between controlled system networks and uncontrolled system networks. Although segmentation cannot be considered as a silver bullet, attacks like WannaCry and NotPetya would have been prevented or at least their impact would have been minimized if network segmentation had been in place. These attacks started on the corporate side of business and crippled the OT side because of lack of segmentation.
Once you have zoned-off critical ICS assets, then you should establish conduits between these zones and the outside world as well as protect these conduits so as to not allow unknown traffic interfering with OT environment. But we have to be very careful to not introduce latency into the process and not to diminish availability. The key to a successful network segmentation is for IT and OT to work together to effectively segment the ICS assets, not to “break” the functionality of OT environment.
How to Defend and Respond
Responding to cyber-attacks on an ICS environment can be very challenging because of the inherent physical risk of these attacks. Attacks on industrial environments and especially critical infrastructure entities can create crippling effects not only on the affected organization but also in society. A physical impact could negatively impact the surrounding world through multiple means, including the release of hazardous materials (e.g., pollution, crude oil), damaging kinetic forces (e.g., explosions) and exposure to energy sources (e.g., electricity, steam). The physical incident could negatively impact the ICS and supporting infrastructure, the various processes performed by the ICS or the larger physical environment.
Therefore, when designing defensive practices, we must cater for fallback considerations, especially when relying on cloud based provided services. These considerations must account for all kinds of compromise, not only for adversaries’ actions. The compromise could as well be a Mean-Time-Between-Failure (MTBF) issue or a natural disaster, such as Hurricane Katrina.
Contingency considerations are essential because when it comes to ICS environments, unlike other IT sectors, reliability is a critical factor. The critical tasks in managing a network in an ICS environment are ensuring reliability and availability to support safe and efficient operation. Although the “divine triad” of confidentiality, integrity and availability are driving factors for ICS security, when an incident strikes in critical infrastructure, the crucial factor is availability. For industries like healthcare, utilities, telecommunications, logistics and transportation, while data loss is bad, loss of productivity and availability is worse. If a power company is attacked and customer records are lost, that’s bad. But power outages for millions of customers for hours (or days, if the incident is severe enough) is worse.
While the previous paragraphs tackled our responsiveness to cyber incidents, it is equally important to be able to defend ourselves. The panelists indicated two possible solutions. The first one is to be able to correlate data flows. Having established visibility over our assets and network, we are aware of what our devices communicate, to whom and most importantly what normal communication between these devices is. By correlating data flows, we will be able to discover indicators of compromise, such as abnormal traffic activities or lateral movements because of credential compromise.
Network access controls (NAC) can also be a great tool for defense in our arsenal. The use of NAC can help organizations develop policies for controlling devices, set privileges and restrictions and develop profiles for connected devices. NAC solutions are particularly useful when they integrate with IoT or IIoT devices because the access policies can block unknown devices.
Finally, the panelists highlighted the issue of supply chain challenges. Although “suppliers are not our enemy,” as Martin Smith correctly pointed out in a recent podcast with Jenny Radcliffe, they can be our single point of failure. We have all experienced many supply chain attacks, and the only way to counter them is for suppliers and vendors to comply with the industrial organization’s security policies and practices.
That is especially important when manufacturers of large industrial machinery provide remote monitoring of the asset as well as remote control from their centralized control room. That connectivity creates a backdoor to the control network and the systems running the operations.
Responsibility and Accountability
Although cybersecurity is everyone’s responsibility, industrial organizations are creating “task forces” who are responsible for maintaining a cross-functional security level. Behind the various titles used for identifying the individuals responsible for ICS security, it all comes down to the personality of the individual. The security principal must not silo security issues. It is critical to have agreement on the problems and how these problems map to the business needs of the technology. When you don’t have that alignment, trust erodes, attitudes form and silos occur. This is incredibly detrimental to the overall cybersecurity of technology.
Authority is another critical aspect of ICS cybersecurity. The person responsible for developing and implementing the organization’s cybersecurity policy must have the authority to promote security policies and practices. It is not a matter of who is the individual rather of where in the organizational hierarchy he/she is. Apart from that, it must be widely understood that the ultimate authority must be with the CEO because, after all, it is a business risk.
Technology alone will never be the solution. Only by people working together will risk be managed and exposure to cyberattacks reduced.
You can watch the webinar here below.