Implementing DHS Best Practices to Secure Industrial Control Systems

Implementing DHS Best Practices to Secure Industrial Control Systems


Modern advancements in industrial control systems (ICS) enable marked improvements in efficiency, production, reliability, and safety, all through increased use of “smart” assets and digital communications. However, this has led to a dependency on communication technology that is seemingly at odds with the ever-increasing pressure to enhance cybersecurity in ICS networks.

 

To better balance the need for communication and security in OT networks, and to determine how best to secure them, it’s important to recognize the reasons behind each of their connections. The two primary reasons that organizations provide data paths into or out of their OT networks are:

  • To provide information to remote users outside the OT network (production data, SIEM, files, historians, monitoring/maintenance information, etc.)

OR

  • To allow for remote command and control by users outside the OT network (error remediation, system adjustments, etc.)

To this end, the US Department of Homeland Security, in conjunction with the FBI and NSA, has released recommended best practices that any organization can use to help secure their ICSs

1. Map and identify all external connections

Until you have accurately mapped the network, there is no way of assuring that all points of entry into the OT network are secured, including connections to other networks within your organization. Therefore, it is vital to take the time to thoroughly assess, map, and understand the literal ins and outs of your OT network, whether it is performed internally or by a respected third party.

2. Reduce the attack surface of your OT network

No matter what the purpose or number of authorized users, it’s very important to recognize that each external connection is a potential attack vector for cyber threats both into and out of your OT net work.

The DHS recommends that organizations, “Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function.”

Further, the DHS suggests the logical use of net work segmentation to restrict and further control communication paths. “Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.”

3. Convert external connections for monitoring purposes to one-way (out)

Many times it is thought that the only way to per form remote monitoring is to allow remote access into the network to gather data for monitoring. However pushing or replicating data (historians, databases, SIEM) out to the IT network has proven to be a secure way of getting data into the hands of end-users.

Again the DHS recommends “If one-way communication can accomplish a task, use optical separation (“data diode”). … Where possible, implement ‘monitoring only’ access enforced by data diodes.” Data diodes are one-way transfer devices that allow operational data to exit the organization for monitoring or use by a remote user, without opening a potential entry point or attack vector into the OT network.

4. Convert data transfers into the OT network to one-way (in)

Despite the desire to lock down the network and keep all threats out, data files, usually in the form of a software patch or update from a vendor, often need to be transferred into OT networks. With a locked down network this is typically achieved with some kind of portable media (thumb drive, laptop, etc.). However, this runs the significant risk of infecting the network when something other than the software update exists on the media.

The DHS recommends that organizations, “Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path and use these to authenticate. Don’t load updates from unverified sources.”

5. Lock down any remaining two-way connections with defense in depth

Most likely, some business or support operations are going to require a two-way external connection. Whether it’s for remote command and control, error remediation, or some other critical purpose, it’s not always possible to eliminate two-way external connections completely, but it’s vital that these remaining connections be heavily controlled.

As part of a layered, “defense in depth” cybersecurity strategy for ICS communications, a variety of tools are employed, from role-based access controls, multi-factor authentication, whitelisting, and more. Beyond these baseline tools, the two major transfer technologies used to control access points within OT networks, firewalls (software-based) and data diodes (hardware-based) provide the strongest means to secure ICS communications.

6. Keep in Mind

While defending the perimeter may have fallen out of vogue recently in favor of intrusion detection, advanced biometric authentication, and other measures, keeping intruders out is still one of the best methods to prevent damage to or hijacking of critical systems. Following these five concrete steps from the DHS can help to dramatically improve the cybersecurity of industrial control systems with minimal disruption to normal business operations.

Insights to your Inbox

Stay informed with the latest cybersecurity news and resources.

Daniel Crum Director, Product Marketing

AI’s Role in Defense – Accelerating Decision Dominance in the Next Era of Warfare

"AI is not just another technology. It is a transformative technology that will change the way we fight and defend our nation." Kathleen Hicks, Deputy Secretary of Defense   Techn...
November 26, 2024
Daniel Crum Director, Product Marketing

Hidden Threats in AI Data: Protecting Against Embedded Steganography

As the 2023 Executive Order on Artificial Intelligence (AI) specifically lays out, "Harnessing AI for good and realizing its myriad benefits requires mitigating its substantial risks." On...
November 19, 2024

Owl Cyber Defense Featured on Fed Gov Today Television

Data Mobility: The Edge Advantage in Real-Time Operations Originally Broadcast on Fed Gov Today, November 3, 2024 Dan O’Donohue emphasizes that data’s power is in its mobility. ...
November 13, 2024