Modern advancements in industrial control systems (ICS) enable marked improvements in efficiency, production, reliability, and safety, all through increased use of “smart” assets and digital communications. However, this has led to a dependency on communication technology that is seemingly at odds with the ever-increasing pressure to enhance cybersecurity in ICS networks.
To better balance the need for communication and security in OT networks, and to determine how best to secure them, it’s important to recognize the reasons behind each of their connections. The two primary reasons that organizations provide data paths into or out of their OT networks are:
- To provide information to remote users outside the OT network (production data, SIEM, files, historians, monitoring/maintenance information, etc.)
- To allow for remote command and control by users outside the OT network (error remediation, system adjustments, etc.)
To this end, the US Department of Homeland Security, in conjunction with the FBI and NSA, has released recommended best practices that any organization can use to help secure their ICSs
1. Map and identify all external connections
Until you have accurately mapped the network, there is no way of assuring that all points of entry into the OT network are secured, including connections to other networks within your organization. Therefore, it is vital to take the time to thoroughly assess, map, and understand the literal ins and outs of your OT network, whether it is performed internally or by a respected third party.
2. Reduce the attack surface of your OT network
No matter what the purpose or number of authorized users, it’s very important to recognize that each external connection is a potential attack vector for cyber threats both into and out of your OT net work.
The DHS recommends that organizations, “Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function.”
Further, the DHS suggests the logical use of net work segmentation to restrict and further control communication paths. “Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.”
3. Convert external connections for monitoring purposes to one-way (out)
Many times it is thought that the only way to per form remote monitoring is to allow remote access into the network to gather data for monitoring. However pushing or replicating data (historians, databases, SIEM) out to the IT network has proven to be a secure way of getting data into the hands of end-users.
Again the DHS recommends “If one-way communication can accomplish a task, use optical separation (“data diode”). … Where possible, implement ‘monitoring only’ access enforced by data diodes.” Data diodes are one-way transfer devices that allow operational data to exit the organization for monitoring or use by a remote user, without opening a potential entry point or attack vector into the OT network.
4. Convert data transfers into the OT network to one-way (in)
Despite the desire to lock down the network and keep all threats out, data files, usually in the form of a software patch or update from a vendor, often need to be transferred into OT networks. With a locked down network this is typically achieved with some kind of portable media (thumb drive, laptop, etc.). However, this runs the significant risk of infecting the network when something other than the software update exists on the media.
The DHS recommends that organizations, “Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path and use these to authenticate. Don’t load updates from unverified sources.”
5. Lock down any remaining two-way connections with defense in depth
Most likely, some business or support operations are going to require a two-way external connection. Whether it’s for remote command and control, error remediation, or some other critical purpose, it’s not always possible to eliminate two-way external connections completely, but it’s vital that these remaining connections be heavily controlled.
As part of a layered, “defense in depth” cybersecurity strategy for ICS communications, a variety of tools are employed, from role-based access controls, multi-factor authentication, whitelisting, and more. Beyond these baseline tools, the two major transfer technologies used to control access points within OT networks, firewalls (software-based) and data diodes (hardware-based) provide the strongest means to secure ICS communications.
6. Keep in Mind
While defending the perimeter may have fallen out of vogue recently in favor of intrusion detection, advanced biometric authentication, and other measures, keeping intruders out is still one of the best methods to prevent damage to or hijacking of critical systems. Following these five concrete steps from the DHS can help to dramatically improve the cybersecurity of industrial control systems with minimal disruption to normal business operations.