Industrial control system (ICS) cybersecurity is hardly a new topic, and companies have been tackling the subject for years, yet it remains a challenge for many of them as gaps in protection persist. In some cases these difficulties are caused by complexity—multiple plant sites, multiple vendors, multiple lines of business, and legacy and proprietary equipment; in other cases they stem from the piecemeal, asset-by-asset approach to cybersecurity that many companies employ.
To effectively address ICS cybersecurity, Eli Mahal of NextNine (a supplier of industrial operational technology security management software) advocates a security approach based on three principles:
- A top-down security approach with centrally defined plant-wide policies that are automated to ensure consistent shielding of all field assets.
- A focus on security essentials, i.e., securing what matters and doing the basic things right, repeatedly, to shield industrial assets from risk.
- Prioritized protection of field assets, which are key to production safety and integrity.
“We believe security hardening is a continuous process, with each iterative step closing the security gap bit by bit,” says Mahal.
The first step in addressing these principles is gaining end-to-end visibility, says Mahal. “Both the NIST framework and NERC-CIP v5 say that asset identification is foundational for knowing what must be protected. A comprehensive and up-to-date asset inventory is vital to developing and maintaining an appropriate defense of an industrial network and infrastructure. The owner/operator needs clear visibility into what devices are on the network; what they communicate with and how; the characteristics of the devices; and the presence of any known vulnerabilities.”
Conducting this asset discovery in an operational technology (OT) environment has its challenges. Because decades-old equipment might be sensitive to automated asset discovery methods, Mahal suggests using discovery methods in “an unobtrusive way to avoid disrupting its availability. A combination of passive and active approaches should be implemented to map the devices and understand what they communicate with and how.”
Once the organization has a clear picture of its cyber assets, it can establish defense-in-depth, put proper hardening processes in place and proceed with the next step: building secure connectivity and remote access control.
Because internal and external professionals increasingly need access to industrial control systems to maintain and monitor equipment, perform security processes such as patching and log collection, and improve the uptime of the assets, the attack surface of these assets inevitably grows. “Organizations commonly use virtual private networks (VPNs) and proprietary remote access tools, but these practices pose risks to the organization from multiple communication lines across the enterprise and shared access credentials,” says Mahal. “A better means of secure communication is to funnel all remote access through a single location fully controlled by IT security professionals. This eliminates proprietary end-runs around security controls that go straight into the industrial assets.”
Best practices in such an approach include remote user authentication “without sharing assets' credentials, ideally through a password vault which enables access without sharing the actual password,” Mahal says. “All user access should be set to ‘least privilege’ mode, with exceptions to the policy on an individual basis. Finally, all users' activities should be monitored and audited with IT and OT being able to approve, deny or terminate a session as necessary.”
Once the organization has a thorough asset inventory and can reach all of those assets remotely through secure connections, Mahal says the next step is to apply continuous protection using a “top-down, integrated approach.” Mahal explains that “top-down” means the head operation and control office should be driving the policies, procedures and technology solutions that secure the entire environment. His use of the term “integrated” addresses the intersection points among IT and OT, including remote plants, the head office and third parties such as equipment vendors.
“ICS security policy creation, deployment and monitoring should be top-down with an integrated operation in mind, and the primary focus of this policy should be shielding the field assets,” says Mahal. “These are the assets that, if compromised, pose the biggest risk to the operation’s safety, integrity and efficiency. As such, security policy enforcement must be automated. Organizations should address the security essentials and focus on doing the basic things right, such as applying qualified operating system patches and anti-virus signatures, collecting and analyzing device logs, and scanning IP address ranges to look for unexpected changes.”
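The inventory-driven checks described above (knowing which devices are on the network, what they talk to and how, and scanning for unexpected changes) can be reduced to a comparison between a baseline inventory and what is actually observed. The following is an added illustration, not NextNine's software or any code from the article; every host address, role, protocol and observation in it is constructed sample data, and the passive observations stand in for flows a SPAN-port monitor would report.

```python
"""Compare an OT asset baseline against passively observed traffic.

Added example: the inventory, the approved flows and the observations are
all constructed for illustration. A real deployment would feed the observed
list from a passive sensor and the baseline from the maintained inventory.
"""

# Constructed baseline inventory: ip -> (role, protocols the device may use)
BASELINE = {
    "10.1.0.10": ("plc", {"modbus/tcp"}),
    "10.1.0.11": ("plc", {"modbus/tcp"}),
    "10.1.0.12": ("plc", {"modbus/tcp"}),          # inventoried but silent below
    "10.1.0.50": ("hmi", {"modbus/tcp", "https"}),
    "10.1.0.60": ("historian", {"opc-ua", "https"}),
}

# Constructed baseline of approved conversations: (src, dst, protocol)
BASELINE_FLOWS = {
    ("10.1.0.50", "10.1.0.10", "modbus/tcp"),
    ("10.1.0.50", "10.1.0.11", "modbus/tcp"),
    ("10.1.0.60", "10.1.0.50", "https"),
}

# Constructed passive observations (src, dst, protocol), e.g. from a SPAN port
OBSERVED = [
    ("10.1.0.50", "10.1.0.10", "modbus/tcp"),
    ("10.1.0.50", "10.1.0.11", "modbus/tcp"),
    ("10.1.0.60", "10.1.0.50", "https"),
    ("10.1.0.99", "10.1.0.10", "modbus/tcp"),   # host not in inventory reaching a PLC
    ("10.1.0.50", "10.1.0.11", "ssh"),          # protocol neither end is approved for
]


def compare_inventory(baseline, baseline_flows, observed):
    """Return unknown hosts, unapproved flows and (host, protocol) policy misses."""
    findings = {"unknown_hosts": set(), "new_flows": set(), "unapproved_protocols": set()}
    for src, dst, proto in observed:
        for host in (src, dst):
            if host not in baseline:
                findings["unknown_hosts"].add(host)
            elif proto not in baseline[host][1]:
                findings["unapproved_protocols"].add((host, proto))
        if (src, dst, proto) not in baseline_flows:
            findings["new_flows"].add((src, dst, proto))
    return findings


def missing_hosts(baseline, observed):
    """Inventoried hosts never seen on the wire: stale records or silent devices."""
    seen = {host for flow in observed for host in flow[:2]}
    return set(baseline) - seen
```

Each finding category maps to a different follow-up: unknown hosts and new flows go to the asset owner for confirmation, while unseen inventory entries are a prompt to verify the record rather than an alert in themselves.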