Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Protecting your Industrial Control System (ICS) from a cyber-attack is not an easy task: these systems face a complex cyber threat landscape, and many organizations suffer from a shortage of ICS cyber security experts who can select among the available options. The threat landscape is expanding year by year due to the demand for more complex networking, the addition of Industrial Internet of Things (IIoT) devices to the architecture, and the fact that these systems cannot be frequently patched, updated and upgraded. Your selection must be based on the level of risk, the possible options, the urgency for deployment and the available budget. Faced with such a broad range of technologies, even experts can find it difficult to determine which one is right for your system. This paper follows the famous statement “there is no silver bullet”, and I’ll describe multiple approaches which may help you reduce the risk of ICS cyber-attacks.
Cyber Risk Challenges
Cyber risk challenges are either a) inherent (originally included), b) unintentionally created or c) caused by negligent actions. The attacker will always search for an easy penetration spot, a high probability of not being instantly detected, the level of harm he may cause and, finally, the reward he expects for a job well done. Attackers are always in a better position than defenders, because they decide on the 4 “Ws”: whom, what, when, which way.
Defenders must protect the entire ICS perimeter 24/7, because their task is to minimize risk by instant detection, activating the correct response action and returning to normal operation according to the Business Continuity Planning (BCP). This process is clearly defined by the NIST Cybersecurity Framework illustration. The chart on the right is correct and suitable for ICS cyber defense except for ‘Protect’. Instead of “information assets” it should say: form and manage a cyber security program to protect the operating Safety, Reliability and Productivity (SRP). Simply said, “expect the unexpected”, no matter which kind of vulnerability allowed the attack to happen.
Determining the attack surface
Obviously, it doesn’t matter whether the attack vector starts with an inherent (originally included) vulnerability in the architecture or is caused by negligent or unintentional actions. Attackers might detect such vulnerabilities through a simple scan process and compromise your system. In every ICS, and especially in legacy architectures, the attack surface is large and hard to protect.
Therefore, the only way of boosting the cyber resiliency of an ICS is by deploying layered defense, utilizing the principles outlined in the RDC Triad. It calls for Redundancy (wherever needed and possible), Diversity (utilizing different technologies and vendors), and Complexity (preventing easy attack processes).
Optimal and Cost-effective solutions
As previously mentioned, the selection of a combined set of ICS cyber defense solutions must be based on the level of risk, possible options, urgency for deployment and the available budget. Among the cyber defense options which can be considered for protecting your ICS, refer to the following (partial) list:
- Strengthening the physical security around remote installations by using surveillance sensors
- Hardening of all computers and control devices to prevent easy compromising by an attacker
- Firewall-based segregation among zones, which shall not communicate with each other
- Unidirectional security diode to prevent attacks on the IT zone from accessing the ICS network
- Demilitarized Zone (DMZ) type solutions to prevent direct data flow among unsecured zones
- Periodic ICS-oriented security assessment for detecting unauthorized devices and connections
- Visibility analysis performing asset monitoring and asset management across the ICS network
- Intrusion Detection Systems (IDS) performing anomaly behavior detection where needed
- Strong authentication of people who are locally connecting for system maintenance actions
- Encrypted communication to remotely installed sites, especially if these include control devices
- File sanitizing where possible using the Content Disarm & Reconstruction (CDR) process
- Dedicated ICS-oriented Security Information and Event Management (SIEM) to detect an attack
- Whitelisting processes for preventing foreign programs from running on all ICS-related computers
- Detecting GPS spoofing attacks on ICS, which are sensitive to accurate time synchronization
- Connecting the SIEM to a private or 3rd party ICS-oriented Security Operation Center (SOC)
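As an added example that is not part of the original article, the following Python check applies the segregation items above (firewall zones, DMZ, unidirectional diode and asset inventory) to constructed flow records, flagging each direction the layered design is meant to rule out. The three-zone plan, the asset inventory, the finding labels and the sample records are all assumptions made for this illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zone plan (an assumption, not from the article): subnet -> zone name.
ZONES = {ip_network("10.0.0.0/24"): "IT", ip_network("10.0.1.0/24"): "DMZ",
         ip_network("10.0.2.0/24"): "ICS"}
# Permitted zone-to-zone directions: IT and DMZ exchange data; the ICS zone only
# pushes data outward through the unidirectional diode. Intra-zone traffic is fine.
ALLOWED = {("IT", "DMZ"), ("DMZ", "IT"), ("ICS", "DMZ")}
# Constructed asset inventory (what asset monitoring/management says is approved).
INVENTORY = {"10.0.0.5", "10.0.0.7", "10.0.1.10", "10.0.2.20", "10.0.2.21"}

def zone_of(addr):
    ip = ip_address(addr)  # zone for an address, or None if outside the plan
    return next((name for net, name in ZONES.items() if ip in net), None)

def classify_flow(src, dst):
    """Classify one src -> dst flow against the segregation policy."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs is None or zd is None:
        return "external-link"        # a "hybrid link": an endpoint outside every zone
    if src not in INVENTORY or dst not in INVENTORY:
        return "unauthorized-device"  # in-range address that is not an approved asset
    if zs == zd or (zs, zd) in ALLOWED:
        return "allowed"
    if zs == "IT" and zd == "ICS":
        return "dmz-bypass"           # IT host talking straight to the ICS zone
    if zd == "ICS":
        return "inbound-to-ics"       # DMZ -> ICS: against the diode direction
    return "policy-violation"         # any other direction not in ALLOWED

def audit(records):
    """Parse 'timestamp src dst port' records; return (src, dst, finding) per violation."""
    findings = []
    for rec in records:
        _ts, src, dst, _port = rec.split()
        verdict = classify_flow(src, dst)
        if verdict != "allowed":
            findings.append((src, dst, verdict))
    return findings

# Constructed sample flow records, e.g. as exported from the zone firewall.
SAMPLE = """\
2019-09-16T08:00:01 10.0.0.5 10.0.1.10 443
2019-09-16T08:00:02 10.0.2.20 10.0.1.10 502
2019-09-16T08:00:03 10.0.0.7 10.0.2.20 502
2019-09-16T08:00:04 10.0.1.10 10.0.2.21 502
2019-09-16T08:00:05 203.0.113.9 10.0.2.20 22
2019-09-16T08:00:06 10.0.2.99 10.0.2.20 502
""".splitlines()
```

Running `audit(SAMPLE)` yields four findings (one IT-to-ICS bypass, one inbound DMZ-to-ICS flow, one external endpoint and one unknown device); the same check can be fed periodically from firewall exports as part of the ICS-oriented security assessment.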
Careful system handling
In addition, you may enhance the ICS resiliency by preventing the following incorrect or negligent actions, which might expose your system to attackers who are constantly scanning many systems for vulnerabilities.
- Remote access to the ICS unless it is required for an urgent reason and under strong supervision
- Utilizing USB devices connected directly to the network for downloading data intended for the ICS
- Updating, patching, upgrading any part of the ICS, unless the process is pre-tested and approved
- Penetration testing or active scanning on a live ICS. These should be performed on a digital twin
- Any connection which might create a “hybrid link” and expose the ICS network to the internet
In this article we listed a few well-known cyber defense measures and best practices, as well as negligent actions which must be prevented. It is important to emphasize that ICS-oriented cyber defense measures must be selected according to the level of risk and harm caused by a cyber-attack, and as a solution which fits the deployed architecture. The management in every organization should take proactive steps and invest in RDC-oriented technologies in order to mitigate the risk and prevent cyber-attacks as much as possible.
About Daniel Ehrenreich
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts; he periodically teaches in colleges and presents at industry conferences on the integration of cyber defense with industrial control systems. Daniel has over 27 years of engineering experience with ICS for electricity, water, gas and power plants as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as the Chairman for the ICS Cybersec 2019 conference taking place on 16-9-2019 in Israel and for the Asia ICS Cyber Security conference taking place in Singapore on 7-11-2019.