Navigating ICS Basics: Part 2
In our previous blog Navigating ICS Basics: Part 1, we talked about industrial control systems (ICS) and their cyber threats. In part two of this series, we will talk about how to protect these systems and gain awareness in an organization.
The Value of Industrial Frameworks
Markets such as healthcare, financial services and retail are tightly regulated by cybersecurity frameworks to help them secure their environments. However, the industrial sector has yet to acquire this same level of regulation.
Why should you choose a framework if you're not legally mandated to? The reason is simple: leveraging a non-mandatory framework is one of the best ways to start a cybersecurity program, build a defensible network and ensure your industrial process stays operational. These frameworks give organizations a clear, step-by-step path for mitigating risk and keeping their names out of breach headlines. Think of aligning with a framework as an investment in your organization's future stability and profitability. With the Industrial Internet of Things (IIoT) driving connectivity, there is an increased cyber risk along with it. Frameworks like IEC 62443, NIST SP 800-82 and NERC CIP are a few that give industrial organizations actionable practices for safeguarding their industrial processes to take the guesswork out of cybersecurity programs.
- IEC 62443: Created to ensure flexible methods for secure processes with an emphasis on the safety of personnel and production, availability, efficiency and q
uality. As a consensus-
based standard, it’s a leading framework in industrial verticals such as discrete manufacturing, oil and gas, electricity and water/wastewater. - NIST SP 800-82: Gives clear instructions on how to secure SCADA systems, DCSs and PLCs. It outlines concrete steps for restricting unauthorized access to ICSs, protecting individual components for exploitation and maintaining functionality during adverse conditions.
- NERC CIP: An international regulatory organization that works to reduce risks to power grid infrastructure through development of standards as well as education, training and certifications for industry personnel.
Best Practices for ICS Decision Makers
Once you understand the industrial cyber threat landscape and the frameworks you can use to secure your ICS against cyber events and breaches, you’re ready to take action using proven methods leveraging a Defense in Depth strategy.
Defense in Depth
Defense in Depth is a layered strategy to defend networks where multiple levels would need to be breached before a cyberattack could reach its full damage potential. This strategy makes it more difficult to achieve the desired end goal as well as adds the capability of detecting and preventing the spread of an attack.
What does Defense in Depth look like in an ICS context? Imagine this: Your cloud network feeds through edge network firewalls, which lead to your plants, substations or field facilities. Your plants and field facilities then connect to another deep packet inspection device firewall, which leads to your final PLCs. That's one example of network segmentation achieved through Defense in Depth; the attacker would need to overcome several layers of security controls to carry out their goals.
Creating an ICS Cybersecurity Action Plan
It is one thing to understand the frameworks needed to keep an ICS secure, but getting organizational buy-in to implement those controls is an entirely different undertaking.
How to Spread Cybersecurity Awareness
- Create a Security Program Timeline: One way to improve industrial cybersecurity is to create a developmental timeline to share with key stakeholders. An ideal high-level timeline will include all the programs needed to initiate or optimize a cybersecurity framework.
- ICS Cybersecurity Assessment: When presenting leadership with the logistics of time and costs of investing in security, a good first step is an ICS security assessment. Use a trusted third party to conduct a cybersecurity assessment and present to stakeholders the current risk profile associated with safety, productivity and quality as well as a threat analysis.
- Proactively Foster IT/OT Collaboration: Encouraging internal organizational collaboration by creating cross-functional teams with representation from both the IT and OT side of the organization; internal workshops are often a great way to get everyone on the same page.
- Adopt a Framework to Use as a Guideline: An industrial framework like the ones discussed earlier are useful tools for illustrating industry priorities around ICS security.
These three activities should be top-of-mind when it comes to cybersecurity:
- Visibility: Know exactly what’s in network via a complete inventory of hardware and software assets. Specifically, what these devices are communicating with, if their configurations are changing, what vulnerabilities are applicable, etc.
- Protective Controls: After visibility is achieved, the right level of protective controls can be implemented, such as network segmentation.
- Continuous Monitoring: Once it is clear what is present, monitor it. This can take place across several parallel processes: vulnerability management, security configuration management, log management and file integrity monitoring.
For more information on this topic, please read this white paper from Tripwire.