Implementing industrial cybersecurity countermeasures
By Daniel DesRuisseaux, Director, Industry Cybersecurity Program, Schneider Electric
Monday, 09 September, 2019
The threat of cyber attack will continue to plague industrial systems, so it is better to implement countermeasures and improve them over time than to wait.
Industrial control system (ICS) operators recognise the need to improve cybersecurity, but many lack an understanding of how to start the process. End users attend cybersecurity conferences and webinars, or read articles in the trade press, and learn about specific cybersecurity topics such as threat detection or defence-in-depth architectures. Many are tempted to start taking concrete steps to improve security, but it is critical to create a detailed plan before acting. Once a plan is created, a defined deployment process should be followed.
Security lifecycle
There are several standards that touch on industrial cybersecurity. ISA/IEC 62443 is a major standard for ICS that is backed by both end users and equipment vendors. It is written to be applicable across industrial segments, has been adopted in many countries, and defines the cybersecurity lifecycle, a framework used to secure an ICS. The cybersecurity lifecycle is a process consisting of four major phases, as depicted in Figure 1:
- Assessment Phase: Analyse the ICS; organise assets into zones and define the communication conduits between the zones; identify vulnerabilities, calculate risk and prioritise based on relative risk.
- Implementation Phase: Input from the Assessment Phase is used to create detailed security requirements. The requirements are in turn utilised to design and implement countermeasures, including technology, corporate policies and organisational practices.
- Maintenance Phase: The organisation actively monitors the ICS, responds to incidents, performs maintenance tasks (back-up, patching, etc) and manages change.
- Continuous Improvement Phase: Lessons learned from incidents are analysed and the necessary changes are implemented. Periodic audits are conducted.
This article will focus on the Implementation Phase, as it is critical to the successful deployment of countermeasures.
Output of the Assessment Phase
At the conclusion of the Assessment Phase, the team should have created the following documents:
- Architecture diagrams
- Network diagrams
- Asset inventories
- Vulnerability reports
- Zone and conduit drawings
- Risk analysis report
The documents produced as a result of the Assessment Phase are key to initiating the Implementation Phase of the security lifecycle.
Implementation Phase
The Implementation Phase comprises a variety of sub-tasks. One of the key factors that will influence the success of the overall effort is the creation of a strong project team. The design and implementation of security countermeasures is a complex project and should be managed as such. Activities should be planned, documented and executed throughout the Implementation Phase.
The project team should consist of personnel with knowledge of the process, the OT control network and the IT network. A strong project manager should be assigned to manage the project team.
Security requirements
The first step in the Implementation Phase is the definition of requirements. These include features tied to a specific countermeasure (firewall, IDS, SIEM, etc) and requirements that every component in the system must support. Examples of system-wide requirements include regulatory, monitoring, configuration, environmental and access control requirements. For example, every element in the system must be able to output log data in a specified format, and every element must synchronise to a defined network time source so that log entries from different devices can be correlated.
Requirements are captured in cybersecurity requirements documents. There can be multiple requirements tied to an overall project. The requirements document should capture all requirements, and should also define detailed use cases.
Design specification
The requirements document specifies features that the system must support, and the design specification details how the system addresses the requirements. Multiple design elements can be tied to each requirement. The design document typically contains a variety of sections to clearly define how the system works, including architecture diagrams, network diagrams and use cases.
Creating a detailed project plan
Once the design is complete, the project team will create a detailed project implementation plan. The plan will fully define the overall project, and should include the following sections:
- Project goal
- System scope
- Project deliverables
- Budget
- Resource requirements
- Dependencies
- Risks
- Schedule
Implementation
Securing a system typically requires the combination of two major efforts: hardening industrial components and deploying security appliances.
It is important to note that system hardening alone is not enough to protect an ICS. Employee training and corporate security policies are also required. Examples include policies that restrict employee access to critical locations and prohibit attaching USB memory sticks to ICS equipment.
System hardening
Hardening refers to the process of securing a system by reducing its attack surface. An ICS is composed of a variety of components, including databases, software applications, networking equipment, PLCs and drives, to name a few. Each of these can be individually hardened.
Software hardening
Software hardening can refer to both OS and software application hardening. Techniques include patching software, removing or disabling unnecessary services/protocols and configuring proper access controls. Software hardening guidance is available from a variety of sources, including the National Institute of Standards and Technology (NIST), whose SP 800-82 covers ICS-specific guidance, and the security guidelines published by automation equipment manufacturers.
Device hardening
In an ICS, devices are products with embedded software that are involved in the industrial process. Examples include PLCs, DCS controllers, HMIs, drives, sensors and I/O. Hardening techniques vary by device. Examples include enabling logs, changing default passwords, installing firmware updates, disabling remote programming changes and disabling unused services/protocols. Device hardening guidelines are available from NIST and from ICS vendors.
Network hardening
A network comprises a variety of elements, including switches, routers, firewalls and gateways. Network devices can be hardened using many of the same techniques discussed earlier: installing firmware updates, changing default passwords and reviewing logs. There are a few techniques specific to networking equipment, including disabling unused physical switch ports and using port-based network access control (for example IEEE 802.1X) to validate that a device is authorised before it is allowed onto the network. Network hardening guidelines are available from NIST, the US National Security Agency (NSA) and network equipment providers.
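The hardening items listed in the three sections above (default credentials, unused services, firmware level, logging, the defined network clock, remote programming on PLCs, unused switch ports) are easiest to enforce when they are written down as a baseline and checked mechanically against the asset inventory from the Assessment Phase. The following is an added example, not code from the article or from any vendor: the device records, baseline values and service names are constructed for illustration, and a real check would load each asset's exported configuration and the baseline agreed in the security requirements document.

```python
"""Hardening baseline check over a constructed ICS asset inventory (added example)."""
from dataclasses import dataclass, field

# Services the hypothetical baseline says must not be reachable on any asset.
INSECURE_SERVICES = {"telnet", "ftp", "http", "snmpv1"}


@dataclass
class Device:
    name: str
    kind: str                          # "plc", "hmi", "switch", ...
    firmware: tuple                    # version as a comparable tuple, e.g. (2, 4, 1)
    services: set = field(default_factory=set)
    default_credentials: bool = False  # a factory account still uses its default password
    logging_enabled: bool = False
    ntp_server: str = ""               # time source the device is configured to use
    remote_programming: bool = False   # PLC: online program changes allowed over the network
    unused_ports_enabled: int = 0      # switch: ports with no link that are still admin-up


@dataclass
class Baseline:
    min_firmware: dict   # kind -> minimum approved firmware version tuple
    ntp_server: str      # the defined network clock every asset must synchronise to


def check_device(dev: Device, base: Baseline) -> list:
    """Return a list of findings; an empty list means the device meets the baseline."""
    findings = []
    if dev.default_credentials:
        findings.append("default credentials still in use")
    exposed = sorted(dev.services & INSECURE_SERVICES)
    if exposed:
        findings.append("insecure service enabled: " + ", ".join(exposed))
    minimum = base.min_firmware.get(dev.kind)
    if minimum is not None and dev.firmware < minimum:
        findings.append(f"firmware {dev.firmware} below approved minimum {minimum}")
    if not dev.logging_enabled:
        findings.append("logging disabled")
    if dev.ntp_server != base.ntp_server:
        findings.append(f"time source {dev.ntp_server!r} is not the defined clock {base.ntp_server!r}")
    if dev.kind == "plc" and dev.remote_programming:
        findings.append("remote programming changes enabled")
    if dev.kind == "switch" and dev.unused_ports_enabled:
        findings.append(f"{dev.unused_ports_enabled} unused switch ports not disabled")
    return findings


def check_inventory(devices, base: Baseline) -> dict:
    """Map each device name to its findings so the report reads straight into the risk register."""
    return {d.name: check_device(d, base) for d in devices}


# Constructed sample baseline and inventory (hypothetical addresses and versions).
BASELINE = Baseline(min_firmware={"plc": (2, 4, 0), "hmi": (5, 1, 0), "switch": (15, 2, 7)},
                    ntp_server="10.10.0.5")
INVENTORY = [
    Device("plc-01", "plc", (2, 3, 9), {"modbus", "http", "ftp"}, default_credentials=True,
           logging_enabled=False, ntp_server="10.10.0.5", remote_programming=True),
    Device("hmi-01", "hmi", (5, 2, 0), {"https"}, logging_enabled=True, ntp_server="10.10.0.5"),
    Device("sw-01", "switch", (15, 2, 7), {"ssh", "telnet"}, logging_enabled=True,
           ntp_server="pool.ntp.org", unused_ports_enabled=6),
]

if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY, BASELINE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the block reports hmi-01 as compliant, five findings against plc-01 and three against sw-01. Each finding maps back to one hardening item in the text, which is what makes the output usable as evidence in the later acceptance test.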
Deploying security appliances
Hardened devices cannot by themselves effectively secure a system. For example, a typical industrial system consists of a PLC, an HMI, a management workstation and some drives. Each of these devices can be hardened to reduce its attack surface, but additional security appliances may be required to secure the system as a whole. Some examples of security appliances are:
- Firewalls: Use rules to control incoming and outgoing network traffic. Firewalls can be hardware or software based.
- Intrusion Detection Systems: Can be host or network based. They monitor events occurring in a system and detect possible incidents. Incidents generate alerts that are forwarded to the system administrator.
- Security Information and Event Management (SIEM): Used to aggregate logs from ICS equipment, correlate events across sources, and generate alerts and reports that are valuable for troubleshooting and compliance purposes.
- Data Diodes: Enable more stringent network segmentation by restricting traffic flow to a single direction.
- Certificate Authority: An appliance that issues digital certificates, which are used to authenticate individuals or equipment and to secure protocols.
The process for deploying a security appliance depends on the appliance in question; deploying a firewall, for example, differs from deploying a SIEM. The process can nonetheless be divided into five major phases. To better illustrate the concepts, we will walk through each step assuming that we are deploying a firewall.
Select the security appliance
Device selection is influenced by the risk assessment, the system architecture defined in the design specification, and the security requirements document discussed earlier. The team uses this information to select the technology and to ensure that the necessary features are supported by the appliance. A secondary task associated with selection involves determining where the appliance will be placed in the network and whether the existing architecture will change.
As an example, let's assume the team needs to deploy firewalls. The team would have to determine the locations where the firewalls would be placed to segment the network, and determine the firewall requirements for each placement. There are a variety of firewall types, including stateful inspection firewalls and deep packet inspection firewalls. Each type has different capabilities, so detailed requirements to guide selection would be developed for each placement before a product is chosen.
Install and configure the security appliance
Once the appliance is selected, the team works with the organisation to have it installed. In this stage key stakeholders in the organisation are informed and consulted, and an installation schedule is created.
We will again use a firewall to illustrate the process. The firewall would be installed in the network and firewall policies designed and configured. Configuration includes the creation of access control lists that define the permitted source and destination addresses, port numbers and direction of flow; anything not explicitly permitted should be denied by default. Additional deep packet inspection rules can be created for specific industrial protocols, for example permitting Modbus read function codes from an HMI while blocking writes.
Test the security appliance
Once the appliance is installed, it should be tested — a test plan should be written and approved by the organisation in advance of testing. Test results are documented and any tests that have failed should be reviewed and addressed or waived by the organisation.
For a firewall, examples of areas that would be tested include device performance, interoperability and logging. In addition, there may be specific features that should be tested, such as the ability to filter specific protocols.
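The configuration step and the test step above are two halves of one activity: the access control list and deep packet inspection rules are only trustworthy once a written test plan has exercised them with flows that must pass and flows that must be dropped. The block below is an added example that is not code from the article or any firewall vendor. It models a zone-to-zone policy between a supervisory zone (HMIs plus an engineering workstation) and a control zone (PLCs), with Modbus function-code inspection on the conduit, and runs a constructed test plan against it. The zone addresses, rules and test flows are assumptions for illustration; the Modbus function codes are the real ones from the protocol specification (1 to 4 read, 5/6/15/16 write).

```python
"""Zone-to-zone firewall policy with Modbus DPI and a test plan (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MODBUS_READS = frozenset({1, 2, 3, 4})      # read coils/inputs/holding/input registers
MODBUS_WRITES = frozenset({5, 6, 15, 16})   # write single/multiple coils and registers


@dataclass
class Rule:
    src: str            # source network (CIDR); rule direction is src -> dst
    dst: str            # destination network (CIDR)
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    comment: str
    modbus_fc: Optional[FrozenSet[int]] = None  # DPI: permitted function codes, None = no inspection


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    modbus_fc: Optional[int] = None   # parsed function code, None if not a Modbus request


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Layer 3/4 match; the src/dst order of the rule is what enforces flow direction."""
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == flow.proto
            and rule.dport == flow.dport)


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule decides; anything unmatched hits the default deny.

    Only new connections are evaluated here: a stateful firewall admits the replies
    of an allowed session without a separate reverse rule.
    """
    for rule in policy:
        if not rule_matches(rule, flow):
            continue
        if rule.modbus_fc is not None and flow.modbus_fc not in rule.modbus_fc:
            # Conduit-level DPI: a non-Modbus payload or an unpermitted function code is dropped.
            return "deny", f"dpi: function code {flow.modbus_fc} not permitted ({rule.comment})"
        return "allow", rule.comment
    return "deny", "default deny"


def run_test_plan(policy: List[Rule], plan) -> list:
    """Return failures as (flow, expected, actual, reason); an empty list means the plan passed."""
    failures = []
    for flow, expected in plan:
        action, reason = evaluate(policy, flow)
        if action != expected:
            failures.append((flow, expected, action, reason))
    return failures


# Constructed zones: supervisory 10.1.0.0/24 (engineering workstation at 10.1.0.50),
# control 10.2.0.0/24 (PLCs), defined network clock at 10.10.0.5. The more specific
# engineering rule must precede the HMI rule, since 10.1.0.50 also lies in 10.1.0.0/24.
POLICY = [
    Rule("10.1.0.50/32", "10.2.0.0/24", "tcp", 502, "engineering workstation: reads and writes",
         MODBUS_READS | MODBUS_WRITES),
    Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", 502, "HMI: Modbus reads only", MODBUS_READS),
    Rule("10.2.0.0/24", "10.10.0.5/32", "udp", 123, "controllers to the defined NTP clock"),
]

# Constructed test plan: each entry is a flow and the action the design requires.
TEST_PLAN = [
    (Flow("10.1.0.20", "10.2.0.7", "tcp", 502, 3), "allow"),   # HMI reads holding registers
    (Flow("10.1.0.20", "10.2.0.7", "tcp", 502, 16), "deny"),   # HMI writes multiple registers
    (Flow("10.1.0.50", "10.2.0.7", "tcp", 502, 16), "allow"),  # engineering write
    (Flow("10.0.5.9", "10.2.0.7", "tcp", 502, 3), "deny"),     # enterprise host, no conduit
    (Flow("10.2.0.7", "10.1.0.20", "tcp", 502, 3), "deny"),    # wrong direction
    (Flow("10.1.0.20", "10.2.0.7", "tcp", 22), "deny"),        # SSH towards a PLC
    (Flow("10.2.0.7", "10.10.0.5", "udp", 123), "allow"),      # NTP to the defined clock
]

if __name__ == "__main__":
    failed = run_test_plan(POLICY, TEST_PLAN)
    print("test plan passed" if not failed else f"{len(failed)} failures: {failed}")
```

The test plan deliberately contains more negative cases than positive ones: a firewall that passes the traffic the process needs but also passes a write from an HMI or a connection from the enterprise zone has not met its design requirement, and only the denied cases prove that the default deny and the DPI rule are actually in force.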
Deploy the security appliance
Once the appliance has been tested, it can be formally deployed. During this phase, key departments are notified that the appliance is operational. Additional monitoring may be required to ensure the appliance is not impacting network performance, and the device configuration should be backed up.
Plan for ongoing appliance management
In the final phase, the team plans for ongoing maintenance of the appliance, which must continue to meet corporate security rules throughout its life. Key issues addressed in this phase include patching, the ability to track and verify configuration changes, and auditing.
Access control
Access control refers to the policies and technologies implemented to govern who can reach the control network and its assets. Properly implemented access control defines how user accounts are created, modified and removed. Features typically associated with access control include role-based access control, multi-factor authentication, session locking and concurrent session control.
Remote access
A critical task to consider when securing an ICS involves effectively managing remote access. Remote access provides significant operational benefits, but it also introduces significant risk as it provides a path for individuals outside of the facility to access the control system.
Several variables can impact the design of remote access solutions, including:
- Role of users
- Quantity of users
- ICS nodes accessed
- Security level of accessed elements
- Performance requirements
- Regulatory and policy restrictions
- Services
Some examples of remote access best practices include using two-factor authentication for access, encrypting traffic travelling through untrusted networks, enabling on-demand session termination and requiring corporate-owned laptops that meet company security policies for access.
There are a variety of technologies available today for secure remote access. Users must evaluate security features, potential risk and cost to select the best alternative for their application.
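The access control features listed earlier (role-based access control, multi-factor authentication, session locking, concurrent session control) and the remote access best practices above (two-factor authentication, on-demand session termination, requiring a corporate-owned device that meets policy) are the same set of decisions seen from two angles: what is checked when a session is opened, and what is checked on every request afterwards. The block below is an added example, not the article's code and not any remote access product's API. The roles, permission names, idle timeout and sample users are constructed for illustration; a real gateway would take the role model from the security requirements document and the device-compliance result from endpoint management.

```python
"""Remote access session policy: roles, MFA, device compliance, idle lock, concurrent sessions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed role model: least privilege per role (hypothetical permission names).
ROLE_PERMISSIONS = {
    "operator": frozenset({"view_hmi", "acknowledge_alarm"}),
    "engineer": frozenset({"view_hmi", "acknowledge_alarm", "modify_plc_program"}),
    "vendor":   frozenset({"view_hmi"}),
}
MAX_CONCURRENT = {"operator": 2, "engineer": 1, "vendor": 1}  # sessions per user, by role
IDLE_LOCK_SECONDS = 600                                       # assumed: lock after 10 min idle


@dataclass
class Session:
    user: str
    role: str
    last_activity: float
    locked: bool = False


@dataclass
class RemoteAccessGateway:
    sessions: Dict[str, Session] = field(default_factory=dict)  # session id -> session
    next_id: int = 0

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == user)

    def open_session(self, user: str, role: str, mfa_verified: bool,
                     device_compliant: bool, now: float) -> Tuple[Optional[str], str]:
        """Login-time controls: known role, second factor, managed device, concurrent-session limit."""
        if role not in ROLE_PERMISSIONS:
            return None, "unknown role"
        if not mfa_verified:
            return None, "second factor required"
        if not device_compliant:
            return None, "device does not meet corporate policy"
        if self.active_sessions(user) >= MAX_CONCURRENT[role]:
            return None, "concurrent session limit reached"
        sid = f"s{self.next_id}"
        self.next_id += 1
        self.sessions[sid] = Session(user, role, now)
        return sid, "session opened"

    def authorise(self, sid: str, action: str, now: float) -> Tuple[bool, str]:
        """Per-request check: session alive, not idle-locked, and the role permits the action."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "no such session"
        if now - s.last_activity > IDLE_LOCK_SECONDS:
            s.locked = True   # session locking: an idle session must re-authenticate
        if s.locked:
            return False, "session locked, re-authenticate"
        if action not in ROLE_PERMISSIONS[s.role]:
            return False, f"role {s.role} may not {action}"
        s.last_activity = now
        return True, "permitted"

    def unlock(self, sid: str, mfa_verified: bool, now: float) -> bool:
        """A locked session is only resumed after a fresh second-factor check."""
        s = self.sessions.get(sid)
        if s is None or not mfa_verified:
            return False
        s.locked, s.last_activity = False, now
        return True

    def terminate(self, sid: str) -> bool:
        """On-demand termination: user logout or an operator killing the session."""
        return self.sessions.pop(sid, None) is not None

    def terminate_user(self, user: str) -> int:
        """Revoke every session a user holds, e.g. when a vendor engagement ends."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def demo() -> dict:
    """Walk the controls with constructed users and return the decisions observed."""
    gw = RemoteAccessGateway()
    results = {}
    results["no_mfa"] = gw.open_session("alice", "engineer", False, True, now=0)[0]
    sid, _ = gw.open_session("alice", "engineer", True, True, now=0)
    results["second_engineer_session"] = gw.open_session("alice", "engineer", True, True, now=1)[0]
    results["engineer_write"] = gw.authorise(sid, "modify_plc_program", now=60)[0]
    vsid, _ = gw.open_session("vendor-bob", "vendor", True, True, now=0)
    results["vendor_write"] = gw.authorise(vsid, "modify_plc_program", now=60)[0]
    results["idle_locked"] = gw.authorise(sid, "view_hmi", now=60 + IDLE_LOCK_SECONDS + 1)[1]
    results["unlocked"] = gw.unlock(sid, mfa_verified=True, now=700) and gw.authorise(sid, "view_hmi", 701)[0]
    results["vendor_revoked"] = gw.terminate_user("vendor-bob")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The walk-through in demo() shows the controls in the order an attacker would meet them: no session without a second factor or a compliant device, one session per engineer, a vendor account that can view but not program, an idle session that locks and only resumes after another factor check, and an administrator revoking every session a user holds without waiting for them to log out.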
Acceptance testing
Applications may require additional system cybersecurity acceptance testing before the system is released to operations. Acceptance testing can take place at the factory, at a staging site or both.
Cybersecurity acceptance testing is designed to accomplish two objectives. The first objective verifies that the system meets cybersecurity design requirements. In this phase, the testing verifies that the security settings of ICS devices are properly configured, that security appliances are properly installed and configured, that detection appliances are operational and able to identify and report events and that access controls are properly configured and effective.
The second objective focuses on proving that the system is robust. In this phase, penetration testing is conducted to ensure that the system can resist attacks: the system is scanned for vulnerabilities and then challenged by a variety of attacks. Active scanning and attack simulation should be run against the staging system or during a planned outage, since ICS devices can be disrupted by traffic that a corporate network would tolerate. There are many published acceptance test guidelines and best practices that can be used as references to create detailed test plans. Documentation detailing the test plan and results is required prior to the release of the system to operations.
Conclusion
The threat of cyber attack will continue to be an issue plaguing industrial control systems for the foreseeable future. IEC 62443 standards create a framework that allows operators to strengthen system security. The key first step in the process is the Assessment Phase, which enables end users to analyse their system and understand which threats to address first. Countermeasures are deployed in the Implementation Phase, and the process outlined in this article can be of assistance through this process. The key is to stop waiting and avoid analysis paralysis — it is better to begin to implement countermeasures and improve them over time than to wait.