Industrial control systems: what does security hardening mean?
As many in the security industry are aware, industrial control systems (ICS), which are responsible for monitoring and controlling processes in critical infrastructure, are under attack from a number of sources, including state-sponsored actors, hacktivists and cybercriminals.
Due to management and financial pressures, more and more ICS are being connected to the Internet so they can be accessed remotely and certain tasks can be carried out through automation. However, while this increased connectivity brings clear benefits, it also means these systems are now potentially discoverable by anyone looking, which leaves them vulnerable to cyber attack.
As a result, it is important that ICS operators take steps to reduce their attack surface and risk exposure by hardening their systems. But what does hardening mean in the industrial space, and what are the key steps that need to be taken to improve industrial control security?
The evolution of industrial security
Traditional ICS were not designed with security in mind, as they were often kept isolated from other networks through the use of air-gap and data-diode architectures. To keep intruders away from ICS, operators relied on physical security — gates, fences, barriers, and guards. However, the interconnection of ICS with corporate networks, and subsequently the Internet, has led to a situation where the ICS is far more susceptible to digital intruders.
In addition to this, operators often feel that they can’t take these systems down for routine maintenance to improve security because an update might not work without interrupting availability or affecting reliability. While concern about reliability and availability is understandable, a successful cyber attack could be devastating, with disastrous implications that could disrupt critical services, cause environmental damage, and threaten public safety.
As a result of the increased risk to ICS, it is vital that operators take steps to improve security without impacting availability or interrupting the supply of critical services. To improve industrial security, security experts recommend that operators carry out a self-service or third-party security assessment in order to identify gaps and gain a good overall picture of their current security posture. Operators are also advised to build a digital security strategy that will help them harden their systems against attacks. But what exactly does this involve?
Hardening systems and overcoming key challenges
Hardening systems essentially means increasing security by reducing your attack surface.
When looking specifically at ICS, hardening refers to securing the configurations of all components of the industrial networks: communication gateways, including wireless and Bluetooth; network devices such as firewalls, routers and switches; IT equipment, including Windows- or Linux-based management servers, engineering consoles, the data historian, and the human machine interface (HMI). Other, non-standard equipment includes control systems such as programmable logic controllers (PLC), remote terminal units (RTU), and intelligent electronic devices (IED), as well as any of the more advanced physical endpoint devices that include processing capability: switches, rotors, valves, gauges, motors, etc. Hardening involves verifying that the security configurations on all systems, devices, and endpoints are appropriately set, given the job each of them needs to do. For hardening to be effective, operators should ensure this is carried out continually, using as much automation as possible.
ICS operators looking to harden their systems will first need to carry out assessments of all devices and endpoints on the industrial network to see whether software and firmware are up to date, whether vulnerabilities exist and require patching, and whether other weaknesses exist which attackers could exploit to gain access to the network. However, one of the key challenges here is ensuring you have an accurate inventory of exactly what devices and endpoints you have on your network. Due to the sensitive nature of ICS and the reliance on availability, it is usually more difficult to run an automated scan of all devices in an industrial environment than it would be in a traditional IT environment. These types of scans can potentially disrupt operations, so you want to be strategic about how you plan scan profiles and schedules.
It is also important that you have the right technology for your environment. In an IT environment, you can do agent-based scans, which are more robust and provide much more detail about devices on the network. By comparison, in operational technology (OT) you are likely to require agentless scanning, known as a ‘light touch’ approach, which minimises any risk of impact to availability or service provision. A good analogy: agent-based scanning will open the door, search through your drawers, empty the cabinets, and turn over the mattress; agentless scanning will stare through the windows, peek through the letterbox, and check the contents of your outside waste bin.
The considerations for assessing OT have two elements. Firstly, the operator needs to have a good inventory so that they know where to look and, more importantly, where not to look. Secondly, a vendor that knows how to conduct the proper type of scan in this environment is necessary, not just for the assessment but for the ongoing monitoring, too.
For an industrial company to assess its IT and ICS networks and identify any potential gaps, the operator will want a complete inventory of network and IT devices, including switches, routers, firewalls, and sensors, with all associated security configurations. This will make checking for configuration changes and carrying out vulnerability assessments more efficient and will help to avoid disruption.
Improving industrial security
Until recently, many ICS operators relied solely on physical security to protect against intruders; however, since so many of these systems are now connected to the corporate network, and as a consequence the Internet, they are also susceptible to cyber attack. As a result, it is important that industrial control operators take steps to improve security and harden their systems to help reduce their attack surface.
Tripwire’s key recommendations
- Select a partner with the right credentials in IT, ICS and security.
- Establish and maintain an asset inventory of all hardware and software, including documenting ports, services, and protocols in use and then prioritise according to your most critical assets.
- Carry out an industrial cyber security assessment and prioritise the security gaps for remedial action.
- Secure all network and Internet connections to the control systems and minimise the connectivity and accessibility wherever possible.
- Secure wireless and remote access and minimise who has the authorisation to use it.
- Secure and harden the configurations of industrial networks, endpoints, and control systems, and continually assess for change and new vulnerabilities.
- Continuously monitor and respond to change at the endpoints and control system levels.
- Implement strong authentication mechanisms and educate your employees on how to protect those credentials.
- Establish, apply, and communicate security policies and then monitor changes to those policy configurations.
- Increase defence‐in‐depth layers to secure the ICS, including network segmentation and the creation of secure zones, maintaining system log management, and controlling who has access (physical and electronic).
- Increase cyber security awareness with training and enforce policies with employees, contractors, and visitors to the facilities.
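The inventory and configuration-change checks described in the assessment section and in the recommendations above can be automated once a baseline exists. The following is an added example, not Tripwire's own code: it compares a documented baseline (firmware and the ports/services each asset is supposed to expose) against a later snapshot of the kind an agentless listing would produce, and reports unknown assets, newly exposed services, firmware changes and missing assets. All asset names, addresses, versions and ports are constructed sample data.

```python
"""Configuration-drift check for an ICS asset inventory (added example).

Compares a documented baseline against a later, agentless snapshot and
reports every deviation. All assets, addresses and versions are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    firmware: str
    services: frozenset  # "proto/port" strings the asset is expected to expose


# Baseline inventory (constructed): only the services each role needs.
BASELINE = {
    "10.10.1.10": Asset("plc-01", "2.3.1", frozenset({"tcp/502"})),
    "10.10.1.20": Asset("hmi-01", "5.0", frozenset({"tcp/443", "tcp/3389"})),
    "10.10.1.30": Asset("rtu-01", "1.8", frozenset({"tcp/20000"})),
}

# Later snapshot (constructed), as a passive, agentless listing would report it.
OBSERVED = {
    "10.10.1.10": Asset("plc-01", "2.3.1", frozenset({"tcp/502", "tcp/80"})),
    "10.10.1.20": Asset("hmi-01", "5.1", frozenset({"tcp/443", "tcp/3389"})),
    "10.10.1.40": Asset("unknown", "?", frozenset({"tcp/22"})),
}


def compare_inventory(baseline, observed):
    """Return (finding, ip, detail) tuples for every deviation from baseline.

    Unknown assets and newly exposed services widen the attack surface;
    firmware changes and missing assets are change events to investigate.
    """
    findings = []
    for ip, obs in observed.items():
        base = baseline.get(ip)
        if base is None:
            findings.append(("unknown-asset", ip, sorted(obs.services)))
            continue
        new_services = obs.services - base.services
        if new_services:
            findings.append(("new-service", ip, sorted(new_services)))
        if obs.firmware != base.firmware:
            findings.append(("firmware-changed", ip, (base.firmware, obs.firmware)))
    for ip in sorted(baseline.keys() - observed.keys()):
        findings.append(("missing-asset", ip, baseline[ip].name))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding, ip, detail in compare_inventory(BASELINE, OBSERVED):
        print(f"{finding:17} {ip:12} {detail}")
```

Running the same comparison on every scheduled snapshot turns the "continually assess for change" recommendation into a repeatable check whose output can be fed to the monitoring and response process.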