DHS Best Practices to Secure ICS Communications

By Daniel Crum, Content Marketing Manager, Owl Computing Technologies, Inc.
Modern advancements in industrial control systems (ICS) enable marked improvements in efficiency, production, reliability, and safety, all through increased use of “smart” assets and digital communications. However, this has led to a dependency on communication technology that is seemingly at odds with the ever increasing pressure to enhance cybersecurity in ICS networks.
To better balance the need for communication and security in OT networks, and to determine how best to secure them, it’s important to recognize the reasons behind each of their connections. The two primary reasons that organizations provide data paths into or out of their OT networks are:
- To provide information to remote users outside the OT network (production data, SIEM, files, historians, monitoring/maintenance information, etc.)
- To allow for remote command and control by users outside the OT network (error remediation, system adjustments, etc.)
To this end, the US Department of Homeland Security, in conjunction with the FBI and NSA, has released recommended best practices that any organization can use to help secure their ICS communications:
1. Map and identify all external connections within the OT network architecture
Until you have accurately mapped the network, there is no way of assuring that all points of entry into the OT network are secured, including connections to other networks within your organization. Therefore it is vital to take the time to thoroughly assess, map, and understand the literal ins and outs of your OT network, whether it is performed internally or by a respected third party. This mapping often proves incredibly useful not just for securing ICS communications, but also for any number of cybersecurity or operational projects you may consider.
2. Reduce the attack surface of your OT network
No matter what the purpose or number of authorized users, it’s very important to recognize that each external connection is a potential attack vector for cyberthreats both into and out of your OT network. In order to reduce the attack surface of the OT network, you must first reduce the number of connections to an as-needed or as-authorized basis only.
The DHS recommends that organizations, “Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function.”
Further, the DHS suggests the logical use of network segmentation to restrict and further control communication paths. “This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.”
Consolidating, limiting, or eliminating any unnecessary external connections and services makes it easier to monitor and defend those fewer remaining points of entry into (and exit from) your OT network. Segmenting your networks can also cut off malware proliferation before it finds its way throughout your organization.
3. If any of the remaining external connections are for monitoring purposes only, convert them to one-way connections
Many times it is thought that the only way to perform remote monitoring is to allow remote access into the network to gather data for monitoring. However pushing or replicating data (historians, databases, SIEM) out to the IT network has proven to be a secure way of getting data into the hands of end-users.
Again the DHS recommends “If one-way communication can accomplish a task, use optical separation (“data diode”). … Where possible, implement ‘monitoring only’ access enforced by data diodes.” Data diodes are one-way transfer devices that allow operational data to exit the organization for monitoring or use by a remote user, without opening a potential entry point or attack vector into the OT network.
4. If data transfers into the OT network are required (software updates, patches, etc.), convert as many as possible to one-way connections
Despite the desire to lock down the network and keep all threats out, data files, usually in the form of a software patch or update from a vendor, often need to be transferred into OT networks. With a locked down network this is typically achieved with some kind of portable media (thumb drive, laptop, etc.). However, this runs the significant risk of infecting the network when something other than the software update exists on the media. As the DHS notes, “ICS-CERT responded to a Stuxnet infection at a power generation facility. The root cause of the infection was a vendor laptop.”
The DHS recommends that organizations, “Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path, and use these to authenticate. Don’t load updates from unverified sources.” Data diodes can simplify this process for secure inbound transfers by utilizing a manifest and hash code verification to ensure the correct and unmodified file is transferred, including matching the file provided by the vendor on their website or portal. Any file or software that doesn’t appear on the manifest or have a matching hash code is placed in quarantine and is never transferred to the OT network.
5. Lock down any remaining two-way connections with defense in depth
Most likely, some business or support operations are going to require a two-way external connection. Whether it’s for remote command and control, error remediation, or some other critical purpose, it’s not always possible to eliminate two-way external connections completely, but it’s vital that these remaining connections be heavily controlled.
“Limit any accesses that remain,” says the DHS. “Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even ‘hidden back doors’ intentionally created by system operators. Remove such accesses wherever possible, especially modems as these are fundamentally insecure. … If bidirectional communication is necessary, then use a single open port over a restricted network path.” This can be accomplished through a highly secured firewall, or a specialized bilateral data diode implementation, using one data diode for each direction in and out of the network.
In addition, the DHS advises against any kind of persistent connections, especially from third parties (or the Internet) – “Do not allow remote persistent vendor connections into the control network.”
Bottom line, make sure all external connections are limited in capability, restricted in their paths, and if possible, only exist for a limited amount of time.
Defense in Depth
As part of a layered, “defense in depth” cybersecurity strategy for ICS communications, a variety of tools are employed, from role-based access controls, multi-factor authentication, whitelisting, and more. Beyond these baseline tools, the two major transfer technologies used to control access points within OT networks, firewalls (software-based) and data diodes (hardware-based) provide the strongest means to secure ICS communications. Yet it’s important to point out that the fundamental differences, and reasons for using both of these tools, either together or separately, in different situations, to increase the security of your ICS systems.
Software solutions, such as firewalls, are highly versatile cybersecurity tools that can be augmented with a number of security information and event management (SIEM) capabilities, from intrusion detection to deep packet inspection. However, they are also inherently vulnerable to configuration changes, bugs, and they will always require regular updates (or replacement) to stop new and emerging threats.
Hardware-enforced solutions utilize physical components to prevent access to secured networks. For instance, data diodes contain specialized circuitry that only allows data to flow in one direction. The sending circuit is incapable of receiving data, and the receiving circuit is incapable of sending data. For this reason, hardware-based transfer solutions cannot be hacked, and when used to transfer data out of an OT network, cannot be used as a threat vector back into the network.
These fundamental differences don’t necessarily have much of an impact in environments where cybersecurity is less important, but they have a big impact when it comes to the most secure environments. For example, data diodes are used in US military and intelligence cross domain deployments, to transfer data between networks of different security levels, while software solutions cannot be used in these cases, as they are simply not secure enough. On the other hand, well configured firewalls can be useful to secure a vital two-way connection, or used in conjunction with a data diode solution.
Keep in Mind
So in summary, the DHS advises that organizations reduce the number of connections to ICS networks, use hardware-enforced one-way transfers where possible to limit exposure, anticipate one-way transfers may have to be made into and out of OT networks based on business needs, and for those two-way connections that cannot be eliminated, limit their capability, their communication paths, and the amount of time they are connected.
While defending the perimeter may have fallen out of vogue recently in favor of intrusion detection, advanced biometric authentication, and other measures, keeping intruders out is still one of the best methods to prevent damage to or hijacking of critical systems. Following these five concrete steps from the DHS can help to dramatically improve the cybersecurity of ICS communications with minimal disruption to normal business operations. Those that may have considered data diodes years ago may have found them “out of their league” or prohibitively expensive. However, with recent advances in technology and the corresponding dramatic decreases in cost, data diodes are now actually more accessible and widely distributed than ever and are being used every day in a variety of industries and applications. For more information on data diodes, visit www.owlcti.com.

Check out our free e-newsletters
to read more great articles.
- Posted in:
- Article
- Related Portals:
- Cybersecurity, Industrial Networks
MORE ARTICLES
-
Inside the Advantages of Sensorless Closed Loop Control
By Mark Checkley, KEB Automation
While feedback devices may be the usual choice for control of motors, sensorless closed loop control can provide... -
Manufacturing Automation - Inside Universal Robots Efforts to Empower the Small/Medium Enterprise
By Bill Lydon, Editor, Automation.com
Collaborative robots are re-defining the way manufacturers operate today. To help further that process is... -
Predicting the Future of Industrial Maintenance
By Gernut van Laak, Group Automation Solutions Leader, ABB Food and Beverage
The need for factory maintenance often goes unnoticed. This article... -
Integrators Talk about Collaborative Robots: A Roundtable Discussion
By Jeff Burnstein, A3
The Association for Advancing Automation (A3) reached out to several large automation integrators to get their input on the... -
Lean Manufacturing and the Global Digital Process Automation Market
By Thomas R. Cutler
Digital Visual Management on the manufacturing plant floor is secure by creating virtual meeting rooms for real-time, 24/7,...
RELATED
-
Valve Manufacturers Association of America (VMA) announces 2019 Annual Valve Industry Knowledge...
The 2nd Annual Valve Industry Knowledge Forum will be held April 9-11, 2019 at the Doubletree Hotel at Perimeter Park in Birmingham, AL.
-
Northrop Grumman Corporation announces appointment Om Prakash as Chief Executive, Japan
As chief executive, Northrop Grumman Japan, Prakash will be responsible for ensuring effective performance on current programs, as well as...
-
Beckhoff Automation announces Kevin Barker as President
As the new president, Barker will oversee all sales, engineering, marketing and administrative operations from the headquarters of Beckhoff...
-
CyberX partners with Spire Solutions to strengthen industrial cybersecurity solutions in the...
CyberX is an industrial cybersecurity company to have been awarded a patent for its ICS-aware threat detection analytics and machine learning...
-
Inductive Automation announces partnership with FreeWave Technologies for enhanced IoT data...
The two companies span many common verticals to include oil & gas, utilities, and agriculture markets that require the collection of sensor data...