Defense in Depth: 4 Essential Layers of ICS Security

  • November 14, 2018
  • Feature

By Dean Ferrando, Senior Systems Engineer, Tripwire

From large industrial control systems to one-man organizations, everyone is talking about security these days. And while the industry jargon they use may differ, all share four areas of security concern.


Asset Management

This refers to consistent management of, and awareness of, every device within an organization, whether that means software, PCs or hardware devices such as the PLCs found on industrial plant floors. Any networked entity within an organization can become an entry point, and not knowing what you have is almost as bad as (or even worse than) leaving it unsecured.

Sound absurd? I know of a customer who was attacked via a vending machine that was placed on the office floor. As the vending machine had network capabilities, it was accessed and was found to have very few security measures in place. The attacker was using it to get onto the corporate network, but fortunately the organization’s security tools detected the breach.

Here’s a common analogy: Imagine a stranger on the street walks up to you and states that he is planning to break into your house, or has already done so, and has taken or will take your favorite item. You don’t know who he is or even what item he is referring to. The first thing you think about is: how did, or how will, he get in?

So, the first thing you do when you get home is an asset assessment. Where are your weak points? You check that your windows and doors are secured. During your check, you discover that there is access to the house via the chimney you had fitted two months prior. Now that you realize there is another potential entry point, you apply security measures. But is this too late? Not consistently doing checks on your property has led to a potential threat or loss. Now you can apply the same methodology to the items within the house, as well. When did you last take inventory of all your household items? When would you realize an item had gone missing?

From a security standpoint, then, make sure every device that could be compromised and used to reach sensitive information is inventoried and maintained. Not knowing what you have is probably the biggest mistake many organizations make. Remember that this does not only mean physical items; unpatched or insecure software can be just as big a hole in an organization. In practice this is one of the hardest principles to maintain, because environments change constantly and manual inventory is costly.

However, a number of security vendors offer products that can maintain the asset inventory automatically as part of their solution sets, for example log management solutions, which see every device that emits logs or shows up in them.
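The reconciliation step that turns such log data into an inventory check, as an added example (not code from the article or from Tripwire): the authorized inventory, the dnsmasq-style DHCP lease lines and the "vendingmachine" host are all constructed here. The point it shows is the two-sided diff a practitioner wants: devices on the wire that nobody inventoried, and inventoried devices that have silently gone quiet.

```python
# Added example (not from the article): reconcile an authorized asset
# inventory against devices observed in DHCP server logs. The inventory,
# the log lines and the "vendingmachine" host are all constructed.
import re
from dataclasses import dataclass

# Constructed authorized inventory, keyed by MAC address.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"name": "eng-ws-01", "owner": "engineering"},
    "aa:bb:cc:00:00:02": {"name": "plc-line-3", "owner": "operations"},
    "aa:bb:cc:00:00:03": {"name": "hmi-line-3", "owner": "operations"},
    "aa:bb:cc:00:00:04": {"name": "plc-line-4", "owner": "operations"},
}

# Constructed dnsmasq-style DHCPACK lines as a log management system would
# collect them. The fourth lease belongs to a device nobody inventoried.
DHCP_LOG = """\
Nov 14 08:01:02 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.1.21 aa:bb:cc:00:00:01 eng-ws-01
Nov 14 08:01:09 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.2.11 aa:bb:cc:00:00:02 plc-line-3
Nov 14 08:03:44 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.2.12 aa:bb:cc:00:00:03 hmi-line-3
Nov 14 09:15:30 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.1.77 de:ad:be:ef:00:99 vendingmachine
Nov 14 09:20:00 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.1.21 aa:bb:cc:00:00:01 eng-ws-01
"""

DHCPACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?"
)


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    hostname: str


def parse_dhcp_log(text):
    """Return the most recent lease seen for each MAC address."""
    leases = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:  # lines that are not DHCPACKs are ignored
            leases[m["mac"]] = Observed(m["mac"], m["ip"], m["host"] or "")
    return leases


def reconcile(authorized, observed):
    """Split devices into known (in both), unknown (on the wire but not
    inventoried) and missing (inventoried but never seen)."""
    known = {mac: dev for mac, dev in observed.items() if mac in authorized}
    unknown = {mac: dev for mac, dev in observed.items() if mac not in authorized}
    missing = {mac: rec for mac, rec in authorized.items() if mac not in observed}
    return known, unknown, missing


def report(authorized, log_text):
    """Human-readable findings; unknown devices are the ones to chase first."""
    known, unknown, missing = reconcile(authorized, parse_dhcp_log(log_text))
    lines = []
    for mac, dev in sorted(unknown.items()):
        lines.append(f"UNKNOWN  {mac} {dev.ip} {dev.hostname!r}: not in inventory, investigate or enrol")
    for mac, rec in sorted(missing.items()):
        lines.append(f"MISSING  {mac} {rec['name']}: inventoried but not seen, confirm decommissioning")
    lines.append(f"OK       {len(known)} inventoried device(s) observed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUTHORIZED, DHCP_LOG)))
```

The same reconcile step works with any observation source (ARP tables, switch MAC tables, passive ICS protocol discovery); only the parser changes. Keying on MAC rather than hostname matters because the hostname in a lease is whatever the device chooses to announce.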


Network Segmentation

Network Segmentation is critical to good security hygiene as it segregates internal networks from each other. If your network is accessed illegally, network segmentation could help keep the attackers limited to the zone or area that they have accessed, thereby limiting the damage they could cause.

The benefits of this control seem obvious, and most large organizations with planned infrastructures have integrated segmentation from the start. Still, many organizations—both commercial and industrial—have a “flat” network, or one with no segmentation.

However, I have found that many ICS organizations have not planned for segmentation due to either the gradual growth of the organization or the mentality that they don’t need to worry about cross-device access because nobody can physically access the site. This was most probably the case a few years ago, but as more and more IoT devices are being put online or being made available to remote access, this is now a big-ticket item that needs to be addressed.

Imagine, for instance, that your family comes over to visit during the winter holidays and asks for your Wi-Fi password. Obviously you hand it over, as you (hopefully) trust your family members. However, you have not enabled guest access (which most routers provide, but leave disabled by default), so what you hand over is the passphrase for your main network, the one everything else in the house is on. They thank you, and the day carries on as planned. Now assume you work from home and run a flat network for all your devices, including your work laptop. Your family member’s phone has saved your Wi-Fi credentials, so a sophisticated attacker who compromises that phone can move laterally across your network to your corporate laptop, and from there to the corporate network.

Assuming that your security measures are strong enough is not good enough these days, as your weakest link could be someone else connected to the network. Your solution could be to either say no to your family members, change your password on your Wi-Fi network when they leave, or enable segmentation (a guest network) that only has access to limited resources. Even if they were hacked and managed to get into your guest network, they would not be able to do any damage or gain valuable information from your laptop.

Segment as many devices as possible. Understandably, segmenting networks and placing firewalls in could be an expensive effort; however, not doing so could cost more in the long run when you try to explain to your customers that their details were appropriated or inform the board of directors that the plans to their product were stolen.
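What "segmentation" means once it is written down as policy, as an added example (not from the article): a default-deny, zone-to-zone conduit list evaluated against sample flows. The zone address ranges, the conduit list, the `SEGMENTED` and `FLAT` layouts and the flows are all constructed assumptions; a real firewall between the zones does the enforcing, this only states the intended policy and checks traffic against it.

```python
# Added example (not from the article): a default-deny, zone-to-zone conduit
# policy evaluated against sample flows. Zone ranges, conduits and the flows
# are constructed; enforcement belongs in the firewall between the zones.
import ipaddress

INTERNET = "internet"  # label for any address outside the defined zones

# Constructed segmented layout: three zones behind one firewall.
SEGMENTED = {
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "corporate": ipaddress.ip_network("10.10.1.0/24"),
    "control": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed "flat" layout: one zone, so the firewall never sees lateral traffic.
FLAT = {"home": ipaddress.ip_network("192.168.0.0/16")}

# Explicitly allowed conduits as (src_zone, dst_zone, proto, dst_port).
# Everything not listed here is denied.
CONDUITS = {
    ("guest", INTERNET, "tcp", 80),
    ("guest", INTERNET, "tcp", 443),
    ("corporate", INTERNET, "tcp", 443),
    ("corporate", "control", "tcp", 502),  # engineering workstation to PLC (Modbus/TCP)
}


def zone_of(ip, zones=SEGMENTED):
    """Classify an address by the first zone whose range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip, dst_ip, proto, port, zones=SEGMENTED, conduits=CONDUITS):
    """Default deny across zones. Traffic inside one zone is not inspected by
    the inter-zone firewall at all, which is exactly the flat-network problem."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src == dst:
        return True
    return (src, dst, proto, port) in conduits


def audit(flows, zones=SEGMENTED, conduits=CONDUITS):
    """Return (verdict, description) for each (src_ip, dst_ip, proto, port) flow."""
    out = []
    for src_ip, dst_ip, proto, port in flows:
        verdict = "ALLOW" if is_allowed(src_ip, dst_ip, proto, port, zones, conduits) else "DENY"
        out.append((verdict, f"{zone_of(src_ip, zones)}:{src_ip} -> "
                             f"{zone_of(dst_ip, zones)}:{dst_ip} {proto}/{port}"))
    return out


# Constructed flows, including the visitor's phone reaching for the work laptop.
FLOWS = [
    ("192.168.50.23", "203.0.113.10", "tcp", 443),  # guest phone browsing
    ("192.168.50.23", "10.10.1.21", "tcp", 445),    # guest phone -> work laptop SMB
    ("10.10.1.21", "10.10.2.11", "tcp", 502),       # workstation -> PLC
    ("10.10.2.11", "203.0.113.10", "tcp", 443),     # PLC calling out to the internet
    ("192.168.50.23", "10.10.2.11", "tcp", 502),    # guest phone -> PLC
]

if __name__ == "__main__":
    for verdict, desc in audit(FLOWS):
        print(f"{verdict:5} {desc}")
```

Two things fall out of writing it this way. First, the PLC phoning out to the internet is denied for free, because no conduit lists "control" as a source, which is the direction most ICS firewalls forget. Second, under the `FLAT` layout the phone and the laptop share a zone, so `is_allowed` returns True for the SMB flow without consulting any conduit at all, which is the whole argument for a guest network.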


Vulnerability Assessment

This area of security is the practice of looking for potential or known weaknesses within an entity. Having visibility of where the weak points in your estate are is critical not only to closing off potential attacks but also to maintaining operational effectiveness.

Most people think of vulnerability assessment only as a way to find and plug security holes, but it also protects availability: a device that accepts unexpected input may crash or go offline when it is overloaded. In an ICS that cuts both ways, because an active scan is itself unexpected input to a fragile controller, so scan control-network devices passively or during a maintenance window.

Every organization should have some form of vulnerability assessment tooling in place, although merely having a solution may not be enough, and many vendors provide only the bare minimum. Being able to see not only where the potential security holes on a device are but also which applications and services are running is a major benefit when determining the risk the device poses.

Simply providing information is good but not great. Imagine how much more effective your organization could be if each vulnerability was detected and then displayed with the recommended remediation advice such as which patch would resolve the security flaw. This could save your team hours of research time and effort.

Finally, choose a solution that is NOT tied to your patch management solution, so that it can verify the patch tool’s claims independently. Sometimes a patch run reports 100 percent success, yet a re-scan shows that certain vulnerabilities were not removed.

A good practice is to close the loop: use the vulnerability solution to detect the risk, have the patch management solution apply the recommended patch, and then kick off a new scan from the vulnerability solution to verify that everything has actually been remediated.
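The verification half of that loop, as an added example (not from the article and not any scanner’s output): diff the pre-patch scan against the post-patch scan and grade each host on that diff rather than on the patch tool’s own status. The findings, their placeholder identifiers (`F-1001` and so on), the services and the patch report are all constructed for illustration.

```python
# Added example (not from the article): verify a patch run by diffing the
# scan taken before patching against the scan taken afterwards, independently
# of what the patch tool reported. Findings, F-xxxx identifiers and the
# patch report are constructed placeholders, not output of any real scanner.
from collections import defaultdict

# Constructed pre-patch scan: host, finding id, affected service, recommended fix.
BEFORE = [
    {"host": "hmi-line-3", "id": "F-1001", "service": "smb/445", "fix": "vendor patch A"},
    {"host": "hmi-line-3", "id": "F-1002", "service": "http/80", "fix": "vendor patch B"},
    {"host": "eng-ws-01", "id": "F-1003", "service": "rdp/3389", "fix": "vendor patch C"},
]

# Constructed post-patch scan: F-1002 is still present although the patch tool
# reported success, and a new finding appeared on the workstation.
AFTER = [
    {"host": "hmi-line-3", "id": "F-1002", "service": "http/80", "fix": "vendor patch B"},
    {"host": "eng-ws-01", "id": "F-1004", "service": "http/8080", "fix": "disable service"},
]

# Constructed status as reported by the patch management tool.
PATCH_REPORT = {"hmi-line-3": "success", "eng-ws-01": "success", "plc-line-3": "failed"}


def index(findings):
    """Key findings by (host, id) so the same id on two hosts stays distinct."""
    return {(f["host"], f["id"]): f for f in findings}


def diff_scans(before, after):
    """Return (closed, persisting, new) as sorted lists of (host, finding id)."""
    b, a = index(before), index(after)
    closed = sorted(set(b) - set(a))
    persisting = sorted(set(b) & set(a))
    new = sorted(set(a) - set(b))
    return closed, persisting, new


def verify_remediation(before, after, patch_report):
    """A host is VERIFIED only when the patch tool reported success AND the
    re-scan shows none of its pre-patch findings persisting. The patch tool's
    success flag is never trusted on its own."""
    closed, persisting, new = diff_scans(before, after)
    still_open = defaultdict(list)
    for host, fid in persisting:
        still_open[host].append(fid)
    verdicts = {}
    for host, status in patch_report.items():
        if status != "success":
            verdicts[host] = "PATCH FAILED"
        elif still_open[host]:
            verdicts[host] = "NOT VERIFIED: " + ", ".join(still_open[host])
        else:
            verdicts[host] = "VERIFIED"
    return verdicts, new


if __name__ == "__main__":
    verdicts, new = verify_remediation(BEFORE, AFTER, PATCH_REPORT)
    for host, verdict in sorted(verdicts.items()):
        print(f"{host:12} {verdict}")
    for host, fid in new:
        print(f"{host:12} NEW FINDING {fid}: regression or newly exposed service")
```

The `new` list is worth surfacing alongside the verdicts: a patch that opens a new listening service, or a reboot that brings up a service that was previously stopped, is exactly the kind of regression a patch tool will never report on its own.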

Please also consider using a vulnerability tool to scan your home network. You will be shocked to see how many devices are unsecure by default in your home, and there might be some quick fixes you are not even aware of.


Continuous Monitoring

I have left this final point until the end, as I see it as the highest priority when it comes to security hygiene.

People often don’t know where to start when it comes to security and are usually pointed at frameworks that can help, such as the CIS Controls from the Center for Internet Security, which is a great place to start. Both the CIS Controls and IEC 62443 recommend asset discovery as the top item to address.

The problem with these frameworks is that they focus on the easy items first, such as log management. Collecting log files is critical, and I completely agree that it should be in place. However, the buck should not stop there. After all, an intruder can only damage a system by first changing something on it; if nothing changes, all they are doing is watching. That is why continuous monitoring, and integrity monitoring in particular, belongs on every device in the estate.

Integrity monitoring is commonly referred to as FIM (file integrity monitoring), but the “file” part is too narrow: monitoring should cover every element of the estate, including configurations and device settings, not just files. If you could see the moment a critical configuration changes and react in real time, how much damage could a potential hacker do?
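The mechanism behind integrity monitoring, as an added example (not from the article and not Tripwire’s product): take a baseline of every entry under a directory, recording the content hash together with the mode and ownership an intruder typically changes, then compare a later baseline against it and report what was added, removed or modified and which attribute changed. The monitored files and the “intruder” edits are constructed in a temporary directory so the block runs stand-alone.

```python
# Added example (not from the article, nor Tripwire's product): a minimal
# integrity monitor that baselines a directory tree (content hash, mode,
# owner) and reports added, removed and modified entries. The monitored
# files and the intruder changes are constructed in a temporary directory.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Content hash plus the metadata attributes an attacker typically changes."""
    st = os.lstat(path)  # lstat so a swapped-in symlink is noticed, not followed
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(b"symlink:" + os.readlink(path).encode())
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def baseline(root):
    """Fingerprint every non-directory entry under root, keyed by relative path."""
    root = Path(root)
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() or p.is_symlink()
    }


def compare(old, new):
    """Return (added, removed, modified); modified maps path -> changed attributes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for name in sorted(set(old) & set(new)):
        changed = [k for k in old[name] if old[name][k] != new[name][k]]
        if changed:
            modified[name] = changed
    return added, removed, modified


def demo():
    """Baseline a constructed config directory, make the kinds of changes an
    intruder would make, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc.cfg").write_text("setpoint=100\n")
        (root / "run.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "notes.txt").write_text("maintenance window: sunday\n")
        os.chmod(root / "run.sh", 0o755)
        before = baseline(root)

        # Constructed intruder activity: change a setpoint, loosen permissions,
        # drop a new script and delete a file.
        (root / "plc.cfg").write_text("setpoint=900\n")
        os.chmod(root / "run.sh", 0o777)
        (root / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "notes.txt").unlink()

        return compare(before, baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

Reporting which attribute changed is what makes the alert actionable: a changed hash on `plc.cfg` and a loosened mode on `run.sh` call for different responses. The same compare step applies unchanged to any other element you can fingerprint, such as a configuration exported from a controller or a set of registry values, which is why the “file” in FIM undersells it.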

Most of the hacks or threats that have been reported on have been based on a hacker being in an organization’s network for months if not years, making changes and moving through the network until the hacker finds the crown jewels.

Imagine you owned a small sweet shop and decided not to spend money on a security device such as a CCTV camera. One day, a large group of kids descends on the shop. Obviously, your attention is pulled in all directions, and there is a lot of activity. When the kids have all left, you notice that a jar of your most expensive sweets has been halved, and you don’t recall selling a single item that day. You decide to go through your slips to see if you have just forgotten or missed that transaction during the rush. This would be equivalent to looking through your log data for certain activities.

Sadly, you are correct, and there were no sales of that particular sweet that day, but there’s little you can do to find the culprit. Now imagine if you had installed a CCTV camera. You would easily be able to see who not only emptied the jar but also exactly what he or she took. Finally, if you had installed a CCTV camera and hired somebody to monitor it in real-time, you could easily nab the crook.


To Close Out

Based on this analogy, I recommend starting with change (integrity) monitoring before log collection or vulnerability management. That said, all four layers described here (asset management, network segmentation, vulnerability assessment, and continuous monitoring, which covers both integrity monitoring and log management) should be adopted in parallel for proper security to be done.

Leaving any of those items out would leave a big hole in the estate for some malicious actors to exploit.

About the Author

Dean Ferrando is a senior systems engineer at Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations. At Tripwire, Dean is responsible for technically selling and supporting Tripwire company products and services into customers and channel resellers in the company’s UK/EMEA Market. He works closely with field sales, inside sales, resellers, customer service/technical support and various corporate key contributors. Dean possesses a pre-sales/sales/professional services and architecture background in enterprise application technologies and various software applications and has the ability to enable and train others.
