Author: Daniel Ehrenreich, SCCE, Consultant and Lecturer on OT Cybersecurity
Recent conferences focusing on ICS cyber security revealed that there are about two dozen companies worldwide which deliver ICS cyber defense solutions. I have no intention of commercially promoting any of them; I only want to list a few guidelines which may help you select the most suitable one among the available defense alternatives. The majority of them perform data collection on asset inventory and communication analysis within the ICS network. No doubt, answering the critical questions “what do I have installed on the shop floor?”, “which device is communicating with which other devices?”, “which of the published ICS-related vulnerabilities should raise my concern?” and “is our defense strategy effective?” is not an easy task, even for experts. I dedicate this article to a few guidelines on these topics.
What do we need to know?
Cybersecurity experts know well the famous slogan: “you cannot protect what you do not know”. It means that in order to activate any kind of cyber defense process for your ICS, you need comprehensive data on your specific system:
- A complete and accurate inventory of all installed devices (PLCs, computers, communication equipment, etc.), including their hardware type, firmware and software versions.
- A definition of the preconfigured communication paths among all devices connected to the control network. This allows you to detect anomalies in communication sessions.
- A list of published announcements (CVE, Common Vulnerabilities and Exposures) on known vulnerabilities related to the devices (PLCs, RTUs, IEDs, etc.) connected to your control network.
Having this information allows you to conduct a basic cybersecurity assessment without performing risky penetration tests on-site. The advantage of this approach is that it is a completely passive process which generates no risk to your ICS. Being aware of these vulnerabilities is important, as some of them might lead to an operational outage, and some might be used in a zero-day type cyber-attack.
Can we go a step further?
While passive inventory-data collection performed through “data sniffers” and port mirroring (via LAN switches) helps to enhance cyber defense, experts believe that it is not enough. These measures will not reveal incorrectly configured equipment (firewalls, switches, gateways, etc.), which might expose your control network to hostile attackers.
When dealing with IT networks, we can mitigate cyber security risks by performing penetration testing and detecting vulnerabilities caused by the incorrect configuration of computers and devices connected to the network. Can we do the same for ICS networks? If you ask this question to any ICS expert, the answer will be “Absolutely not”. The reason is that control programs were written by process experts and not by IT experts, and an IT-type penetration test might create new risks.
Furthermore, most ICS deployments (water, electricity, oil and gas, etc.) utilize legacy-type hardware devices, and the programmers of these systems did not leave accurate documentation. These factors increase the risk of unexpected system behavior following penetration or other intrusive testing, which in some way might interfere with the normal process.
Other defense alternatives
You may consider deploying Host-based or Network-based Intrusion Detection Systems (HIDS/NIDS). Their defense process can be based on detecting communication anomalies or process anomalies. When detecting communication anomalies, the system is looking for the following:
- A new IP address which communicates with any of the system devices.
- Communication with a known IP address, but with an unusually high data volume.
- Communication with a known IP address, but with an unusually high access rate.
When detecting process anomalies, the system analyzes commands and conditions:
- One of the system’s parameters, or a combination of parameters, is outside the safe boundary.
- A device receives unusual/unsafe commands, such as a temperature or pressure change.
- A device receives normal but repeated commands to increase temperature or pressure.
Note: It is important to mention that IPS-based cyber defense is typically not allowed for ICS, because of the risks (already mentioned for penetration testing) caused by proactive intervention. One may overrule this directive only under unusual risk conditions which might have an impact on people’s lives.
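The two detection families described above, as an added example that is not part of the original article: a baseline of preconfigured communication paths is checked against per-window flow records for unknown peers, excess volume and excess access rate, and process tags are checked against a safe operating envelope for out-of-range values, unsafe setpoint commands and repeated increase commands. All addresses, tag names, limits and records are constructed sample values, not from any real installation.

```python
from collections import defaultdict

# Constructed baseline of allowed (source, destination) pairs with the
# per-window byte and request ceilings observed during normal operation.
BASELINE = {
    ("10.0.1.10", "10.0.2.20"): {"max_bytes": 50_000, "max_reqs": 100},
    ("10.0.1.11", "10.0.2.20"): {"max_bytes": 50_000, "max_reqs": 100},
}
# Constructed safe operating envelope per process tag (low, high).
SAFE_RANGE = {"reactor_temp": (20.0, 90.0), "line_pressure": (1.0, 6.0)}
REPEAT_LIMIT = 3  # more increase commands than this per tag is suspicious

def comm_anomalies(flows):
    """Each flow: {'src','dst','bytes','reqs'} aggregated over one window."""
    findings = []
    for f in flows:
        key = (f["src"], f["dst"])
        limits = BASELINE.get(key)
        if limits is None:              # peer not in the preconfigured paths
            findings.append(("new_peer", key))
            continue
        if f["bytes"] > limits["max_bytes"]:
            findings.append(("high_volume", key))
        if f["reqs"] > limits["max_reqs"]:
            findings.append(("high_rate", key))
    return findings

def process_anomalies(events):
    """Each event is a measurement {'kind','tag','value'} or a write
    command {'kind','tag','setpoint','current'} in time order."""
    findings = []
    increases = defaultdict(int)
    for e in events:
        lo, hi = SAFE_RANGE[e["tag"]]
        if e["kind"] == "measurement":
            if not lo <= e["value"] <= hi:   # parameter outside safe boundary
                findings.append(("out_of_bounds", e["tag"]))
        elif e["kind"] == "command":
            if not lo <= e["setpoint"] <= hi:  # unsafe command
                findings.append(("unsafe_command", e["tag"]))
            elif e["setpoint"] > e["current"]:  # normal but repeated increase
                increases[e["tag"]] += 1
                if increases[e["tag"]] == REPEAT_LIMIT + 1:
                    findings.append(("repeated_increase", e["tag"]))
    return findings
```

A window length (for flows) and a sliding window over the command count (for increases) would be chosen from the plant's normal cycle times; the example uses a single fixed window for brevity.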
Complementing cyber defense measures
Cybersecurity experts know well that all software-based measures might be compromised, and therefore for stronger cyber defense you should consider the following:
- Refrain from frequent updating of the operating system, antivirus signatures and application programs, as any software change might create a new risk to operational safety and reliability.
- Strengthen the physical security around remote unmanned installations by using surveillance cameras and sensors which detect the opening of doors and control cabinets, etc.
- Deploy unidirectional security gateways (data diodes) where possible and needed, to prevent access to the ICS from an external and less secure network or environment.
- Deploy network segmentation by using VPNs and firewalls as applicable, in order to prevent lateral movement of malware which was “successfully” inserted into the ICS.
- Prevent remote access to the ICS for maintenance purposes, whether by employees of your organization or by external service people. For maintenance of critical installations, always use a dedicated/private laptop computer which you own and which never leaves your facility.
Summary and conclusions
In this article we listed a few well-known cyber defense measures and best practices. It is important to emphasize that the specific cyber defense measures for any ICS must be selected according to the risk and the level of harm a cyber-attack could cause. Management in every organization should take proactive steps and invest in technologies, training and the development of policies (the PPT triad) in order to be at least one step ahead of attackers.