Last month, a power outage in Ukraine left people in over 100 cities without electricity, but more concerning is the reason behind the blackout. A preliminary investigation by the Ukrainian government, together with the U.S. Department of Homeland Security, determined that hackers were responsible for taking the power grid offline. They did it by compromising the utilities' computers with the BlackEnergy malware.
This is concerning because it could mark the start of cyberwarfare against civilian infrastructure. For manufacturers closer to home, it confirms that their industrial control systems (ICSs) are not safe either. Not that we didn't already know that. According to Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), 295 incidents were reported to it in 2015, and many more went unreported or undetected.
To help companies be better prepared, ICS-CERT recently refreshed its recommendations for preventing cyber incidents, which are increasing in both frequency and sophistication. The report details seven strategies that counter the most common exploitable weaknesses in "as-built" control systems.
The measures required extend beyond the ICS devices themselves to network architecture, patch management and administrative rights, so it is important for organizations to implement a multifaceted approach that weaves these techniques together; no single one of them covers the others.
According to the ICS-CERT report, the seven recommendations for securing ICSs include:
Application Whitelisting (AWL) – Used to detect and prevent unauthorized programs from running, including an attempted execution of malware. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, makes them ideal candidates for AWL, because their list of approved executables rarely changes and can be maintained without slowing down operations.
Configuration/Patch Management – Cyber adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Such a program starts with an accurate baseline and asset inventory; without one you cannot know which patches are needed or notice when a host has drifted from its approved state. It prioritizes patching and configuration management of "PC-architecture" machines used in HMI, database server, and engineering workstation roles.
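The two strategies above rest on the same artifact: a trusted baseline of what is allowed on a host. The following is an added example, not code from the article or from ICS-CERT, showing how a whitelist decision and a drift check both fall out of one hash baseline. The file paths, contents and the "approved patch" are constructed stand-ins; on a real HMI you would walk the actual directories rather than use in-memory byte strings.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "file system" for a golden HMI image: path -> file bytes.
# In practice you would walk the real directories with os.walk and read each
# file; these byte strings stand in for executables and configuration files.
GOLDEN_HMI = {
    "C:/HMI/bin/hmi.exe": b"MZ\x90\x00hmi-runtime-v4.2",
    "C:/HMI/bin/alarmsvc.exe": b"MZ\x90\x00alarm-service-v4.2",
    "C:/HMI/config/tags.xml": b"<tags><tag name='PUMP1'/></tags>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record the approved state of a host: path -> SHA-256 of contents."""
    return {path: sha256_hex(data) for path, data in files.items()}


def is_execution_allowed(baseline, path, data):
    """Whitelist decision: only a known path with a known hash may run.
    A renamed binary, a patched-but-unapproved binary, or a dropper in a
    temp directory all fail this check."""
    return baseline.get(path) == sha256_hex(data)


def approve_patch(baseline, path, data):
    """Re-baseline one file after the patch has been vetted and tested."""
    updated = dict(baseline)
    updated[path] = sha256_hex(data)
    return updated


@dataclass
class Drift:
    unauthorized: list = field(default_factory=list)  # new files not in baseline
    modified: list = field(default_factory=list)      # hash changed (patch or tamper)
    missing: list = field(default_factory=list)       # baseline file removed


def check_drift(baseline, current_files):
    """Compare a fresh snapshot of the host against the approved baseline."""
    current = build_baseline(current_files)
    d = Drift()
    for path, digest in current.items():
        if path not in baseline:
            d.unauthorized.append(path)
        elif baseline[path] != digest:
            d.modified.append(path)
    for path in baseline:
        if path not in current:
            d.missing.append(path)
    return d


def demo():
    """Constructed scenario: a dropper appeared in a temp directory, hmi.exe
    was changed without going through patch management, and the alarm
    service binary vanished."""
    baseline = build_baseline(GOLDEN_HMI)
    later = dict(GOLDEN_HMI)
    later["C:/Users/op/AppData/Temp/update.exe"] = b"MZ\x90\x00dropper"
    later["C:/HMI/bin/hmi.exe"] = b"MZ\x90\x00hmi-runtime-v4.3"
    del later["C:/HMI/bin/alarmsvc.exe"]
    return baseline, check_drift(baseline, later)


if __name__ == "__main__":
    baseline, drift = demo()
    print("unauthorized:", drift.unauthorized)
    print("modified:    ", drift.modified)
    print("missing:     ", drift.missing)
```

The point of `approve_patch` is that the baseline is the single place where a change becomes legitimate: a patch that has not been vetted shows up as `modified` on the next drift check exactly as tampering would, which is the behaviour you want on an HMI.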
Reduce Your Attack Surface Area – Isolate ICS networks from all untrusted networks, especially the Internet. Lock down all unused ports and turn off unused services. Allow real-time connectivity to external networks only where there is a defined business requirement or control function.
Build a Defendable Environment – Limit the damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communication paths to those the process actually needs. This stops adversaries from expanding their access while letting normal system communications continue.
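Both of the strategies above come down to a default-deny list of approved paths between enclaves. As an added example (not from the article or the ICS-CERT report), here is a small policy evaluator that classifies source and destination addresses into enclaves and checks flow records against the approved paths. The enclave addressing, the approved paths, the flow-record format and the sample flows are all constructed assumptions; the same logic applies whether the records come from a boundary firewall, a span port or NetFlow.

```python
import ipaddress

# Constructed enclave map for a small plant network (assumed addressing).
ENCLAVES = {
    "control":     [ipaddress.ip_network("10.20.5.0/24")],   # PLCs and RTUs
    "supervisory": [ipaddress.ip_network("10.20.1.0/24")],   # HMI, engineering workstation
    "dmz":         [ipaddress.ip_network("10.20.0.0/24")],   # historian replica
    "corporate":   [ipaddress.ip_network("10.1.0.0/16")],
    "untrusted":   [ipaddress.ip_network("0.0.0.0/0")],      # everything else, checked last
}
ENCLAVE_ORDER = ["control", "supervisory", "dmz", "corporate", "untrusted"]

# Approved communication paths: (src_enclave, dst_enclave, proto, dport).
# Anything not listed is denied, which is what "restrict host-to-host
# communication paths" means in practice.
ALLOWED_PATHS = {
    ("supervisory", "control", "tcp", 502),   # HMI polls PLCs over Modbus/TCP
    ("supervisory", "dmz", "tcp", 5432),      # HMI pushes to the DMZ historian (assumed port)
    ("corporate", "dmz", "tcp", 443),         # business users read the DMZ historian
}


def enclave_of(ip):
    addr = ipaddress.ip_address(ip)
    for name in ENCLAVE_ORDER:            # most specific enclave first
        if any(addr in net for net in ENCLAVES[name]):
            return name
    return "unknown"


def parse_flow(line):
    """Parse a constructed key=value flow record: '<ts> src=.. dst=.. proto=.. dport=..'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"], "dport": int(fields["dport"])}


def evaluate_flow(flow):
    src_e, dst_e = enclave_of(flow["src"]), enclave_of(flow["dst"])
    if src_e == dst_e:
        # Traffic inside one enclave never crosses the boundary; host firewalls
        # govern it, so the boundary policy allows it but labels it.
        return "allow", f"intra-{src_e}"
    key = (src_e, dst_e, flow["proto"], flow["dport"])
    if key in ALLOWED_PATHS:
        return "allow", f"{src_e}->{dst_e}:{flow['dport']} approved"
    return "deny", f"{src_e}->{dst_e} {flow['proto']}/{flow['dport']} is not an approved path"


# Constructed sample flows: one normal poll, a PLC reaching the Internet,
# a corporate host talking Modbus straight to a PLC, Telnet (an unused
# service) toward a PLC, an approved historian read, and PLC-to-PLC traffic.
SAMPLE_FLOWS = [
    "2016-01-12T03:14:07Z src=10.20.1.15 dst=10.20.5.3 proto=tcp dport=502",
    "2016-01-12T03:14:09Z src=10.20.5.3 dst=203.0.113.10 proto=tcp dport=443",
    "2016-01-12T03:15:21Z src=10.1.4.22 dst=10.20.5.3 proto=tcp dport=502",
    "2016-01-12T03:16:02Z src=10.20.1.15 dst=10.20.5.3 proto=tcp dport=23",
    "2016-01-12T03:16:40Z src=10.1.4.22 dst=10.20.0.10 proto=tcp dport=443",
    "2016-01-12T03:17:05Z src=10.20.5.3 dst=10.20.5.4 proto=udp dport=2222",
]


def audit(lines):
    results = []
    for flow in map(parse_flow, lines):
        verdict, why = evaluate_flow(flow)
        results.append((flow["src"], flow["dst"], verdict, why))
    return results


def violations(lines):
    return [r for r in audit(lines) if r[2] == "deny"]


if __name__ == "__main__":
    for src, dst, verdict, why in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {src:>13} -> {dst:<13} {why}")
```

Run against the sample flows, the second, third and fourth records are denied: a PLC should never initiate a connection to an Internet address, corporate hosts have no approved path into the control enclave, and Telnet is not a service the control enclave should be offering at all. The same table, expressed as firewall rules between the enclaves, is the enforcement; expressed as a check over flow records, it is the detection.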
Manage Authentication – Implement multi-factor authentication wherever possible. Reduce privileges to only those needed for a user's duties. If passwords are necessary, implement secure password policies that stress length over complexity. For all accounts, including system and non-interactive accounts, ensure credentials are unique, and change all passwords at least every 90 days.
Implement Secure Remote Access – Some adversaries are adept at gaining remote access into control systems, finding obscure access vectors and even "hidden back doors" intentionally created by system operators. Remove such access wherever possible, especially modems, which are fundamentally insecure. Do not allow persistent remote vendor connections into the control network. Require any remote access to be operator controlled, time limited, and procedurally similar to "lock out, tag out." Use two-factor authentication if possible, avoiding schemes in which both factors are of the same type and can be stolen together (e.g., a password and a soft certificate stored on the same machine).
Monitor and Respond – Consider establishing monitoring programs and a response plan covering the following five key places:
- Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
- Monitor IP traffic within the control network for malicious connections or content.
- Use host-based products to detect malicious software and attack attempts.
- Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls.
- Watch account/user administration actions to detect access control manipulation.
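The fourth and fifth monitoring points above, login analysis and watching account administration, are the ones most often left to ad hoc log review. The following is an added example, not code from the article or from ICS-CERT, of the rules a practitioner would start with: a per-account expectation of shift hours and source subnet, a check for the same account appearing from two places within a few minutes, and an alert on any group change made by someone outside the approved administrator list. The log format, account policies, addresses and log lines are all constructed; real Windows security events or syslog lines would be parsed into the same fields.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed per-account expectations (assumed): allowed logon hours and the
# subnet the account is expected to come from. The vendor account is only
# valid from the VPN pool and only during the agreed support window.
EXPECTED = {
    "op_jsmith":   {"shift": (6, 18), "from": "10.20.1.0/24"},   # day-shift operator, supervisory LAN
    "vendor_acme": {"shift": (9, 17), "from": "10.99.0.0/24"},   # vendor, VPN pool (assumed)
}
APPROVED_ADMINS = {"admin_rlee"}   # the only people allowed to change group membership
TWO_PLACES_WINDOW = timedelta(minutes=10)

# Constructed auth log, in time order. Fields are '<ts> key=value ...'.
LOG = [
    "2016-01-12T02:13:44Z host=ENG-WS01 event=logon user=vendor_acme src=10.99.0.7 result=success",
    "2016-01-12T02:15:02Z host=ENG-WS01 event=group_add user=svc_backup group=Administrators by=vendor_acme",
    "2016-01-12T07:02:11Z host=HMI01 event=logon user=op_jsmith src=10.20.1.15 result=success",
    "2016-01-12T07:05:40Z host=HMI01 event=logon user=op_jsmith src=10.1.4.22 result=success",
    "2016-01-12T09:30:00Z host=ENG-WS01 event=logon user=vendor_acme src=10.99.0.7 result=success",
]


def parse(line):
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(lines):
    """Return (timestamp, rule, subject, detail) tuples; each one is a lead
    to confirm with a phone call, not a verdict."""
    alerts = []
    last_logon = {}   # user -> (ts, src) of the previous successful logon
    for rec in map(parse, lines):
        if rec["event"] == "logon" and rec["result"] == "success":
            user, src, ts = rec["user"], rec["src"], rec["ts"]
            policy = EXPECTED.get(user)
            if policy is None:
                alerts.append((ts, "unknown-account", user, rec["host"]))
            else:
                start, end = policy["shift"]
                if not (start <= ts.hour < end):
                    alerts.append((ts, "off-hours-logon", user, src))
                if ipaddress.ip_address(src) not in ipaddress.ip_network(policy["from"]):
                    alerts.append((ts, "unexpected-source", user, src))
            prev = last_logon.get(user)
            if prev and prev[1] != src and ts - prev[0] <= TWO_PLACES_WINDOW:
                alerts.append((ts, "two-locations", user, f"{prev[1]} then {src}"))
            last_logon[user] = (ts, src)
        elif rec["event"] == "group_add" and rec["by"] not in APPROVED_ADMINS:
            alerts.append((rec["ts"], "unapproved-admin-change", rec["by"],
                           f"{rec['user']} added to {rec['group']}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, who, detail in analyze(LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:24} {who:12} {detail}")
```

On the sample log this raises four alerts: the vendor account logging in at 02:13, outside its support window; that same account adding a service account to Administrators two minutes later; and the operator account appearing from a corporate address three minutes after a legitimate HMI logon, which trips both the unexpected-source and two-locations rules. The 09:30 vendor logon is within policy and produces nothing. Every rule keys off a field a normal logon already carries, so the cost is maintaining the account-to-policy table, which you need anyway for the least-privilege review described under Manage Authentication.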
Perhaps the biggest takeaway for manufacturers is that they need to change the way they secure their control systems. Simply reinforcing the network perimeter with a firewall and loading antivirus software onto a computer won't do the job these days. It takes layers of technologies, best practices, and, more importantly, collaboration between the IT and operations technology (OT) teams. Security must be a continuous process that does not stand still, because new threats are always emerging.
That said, no system will ever be 100 percent secure; even these seven strategies can't guarantee protection. But they are an excellent start.