Getting Started with an ICS Cybersecurity Program
6 February, 2020 | Blog
The news headlines are regularly reminding us that critical infrastructure, industrial control systems and other cyber-physical systems are prime prey for nation states and hackers who want to cause real-world damage and chaos. And even if not specifically targeted, with the explosion of ubiquitous network connectivity and commodity platforms in these formerly segregated and isolated environments, they can fall victim to any of the multitude of generic malware campaigns spreading across the Internet, such as ransomware, cryptominers and botnets. Take, for example, the recent compromises suffered by Maersk, Norsk Hydro and Merck.
In light of these risks, it is essential that owners and operators establish cybersecurity programs for their industrial control system (ICS) and operational technology (OT) environments.
Setting up a cybersecurity program for your ICS and OT environments can be overwhelming and can appear like a near-superhuman undertaking when presented with wide-ranging cybersecurity tools and technologies. However, having the latest advanced security tools will not improve security if you don’t also address the basics. A simple, functioning and sustainable security program is better than an advanced program using an array of technologies that are not adequately maintained or sustainable.
In this blog article, we will be exploring some steps you need to take to set the foundation for your ICS cybersecurity program for future growth and maturity, regardless of any security framework or eventual security tools and technologies you might decide to adopt or implement. Even implementing just these basic measures will significantly reduce your vulnerability exposure.
The first step is to determine what cyber assets you have that you need to protect and secure. Be sure to consider all devices and components of your ICS/OT system, including servers, operator consoles, network switches, terminal servers, IEDs, PLCs, relays, IIOT devices, etc.
A physical walk-through of your facilities is a good way to ensure your inventory includes all the hardware deployed in the environment and often leads to unexpected discoveries, like finding a supposedly decommissioned server still online and connected to production. It is also an ideal time to validate and update network, as-built and other diagrams. Existing diagrams, system/asset purchase or maintenance contracts and other related documentation at your disposal are also helpful sources of inventory information when a physical inspection is not feasible.
Some key attributes to capture:
- Serial number
- Physical ports
- Modules and components installed on modular devices, such as communication interfaces or processors
The software inventory can also be compiled by physically accessing each device and manually enumerating the firmware, operating system and installed software. Another option is running a script or utility, either locally or remotely over the network, to automate the enumeration.
Other key attributes to capture:
- Host name of the device it is installed and running on
- Firmware or operating system and BIOS, for physical and virtualized systems
- Third-party software:
  - open source
  - device drivers
  - custom built
- Version numbers
- Patches or updates installed
Once the inventory is compiled, it is worthwhile to identify and categorize or rank the cyber assets in terms of criticality for process or operations, especially if you might need to focus on securing only a subset of cyber assets due to limited resources, whether personnel, financial or other.
It is critical to keep this inventory, with its various attributes (referred to as configuration baselines), current and updated. This can seem daunting, but the next step will make it easier.
Change and configuration management
Change and configuration management is a cornerstone of any cybersecurity program and does not have to be an onerous process. It can be accomplished with tools as rudimentary as a simple spreadsheet, although there are many affordable software options available.
Regardless of the method used to track and document changes, follow these guidelines:
- Identify and assign change approvers.
  - These are the only individuals with authority to approve production changes; however, they cannot self-approve their own changes.
- Establish regular meetings and exchanges to discuss and approve upcoming changes. This:
  - Allows change requestors to explain and share the planned change, its potential impacts on production and any associated mitigation measures and actions to reduce risks.
  - Reduces the risk of conflicting changes, as no change is made in isolation.
  - Increases overall situational awareness.
- Unapproved changes are not rolled out in production environments. If this does occur, update the change management documents and inventory as soon as possible after resolution.
- Update the inventory configuration baselines in a timely manner after any changes that impact the tracked attributes.
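The guidelines above can be checked mechanically once the inventory is kept as data. The following is an added example, not part of the original article: it compares an observed state (for instance, the result of a walk-through) against the configuration baselines and the change records, reports attributes that changed without a validly approved change (approver different from requester), and also reports hosts that are online but absent from the inventory. The baseline, change record and observed-state layouts are assumptions constructed for the example.

```python
# Constructed configuration baselines keyed by host name (attributes from the article).
BASELINE = {
    "plc-01": {"serial": "SN1001", "firmware": "2.4.1"},
    "hmi-01": {"serial": "SN2001", "firmware": "10.0", "software": {"vendor-hmi": "7.2"}},
}

# Constructed change records. Approvers cannot self-approve, so CR-13 is not valid.
CHANGES = [
    {"id": "CR-12", "host": "hmi-01", "attr": ("software", "vendor-hmi"),
     "new": "7.3", "requester": "alice", "approver": "bob"},
    {"id": "CR-13", "host": "plc-01", "attr": ("firmware", None),
     "new": "2.5.0", "requester": "carol", "approver": "carol"},
]

# Constructed state as observed during an audit or physical walk-through.
OBSERVED = {
    "plc-01": {"serial": "SN1001", "firmware": "2.5.0"},
    "hmi-01": {"serial": "SN2001", "firmware": "10.0", "software": {"vendor-hmi": "7.3"}},
    "old-srv-01": {"serial": "SN0001", "firmware": "1.0"},  # "decommissioned" but still online
}

def approved_values(host, attr):
    """New values for (host, attr) from change records approved by someone other than the requester."""
    return {c["new"] for c in CHANGES
            if c["host"] == host and c["attr"] == attr and c["approver"] != c["requester"]}

def flatten(cfg):
    """Map a config dict to {(attribute, sub-key): value}; one level of nesting is supported."""
    out = {}
    for attr, val in cfg.items():
        if isinstance(val, dict):
            out.update({(attr, k): v for k, v in val.items()})
        else:
            out[(attr, None)] = val
    return out

def find_unapproved_changes(baseline, observed):
    """Return (host, attr, old, new) for each drift from baseline without a valid approval; unknown hosts too."""
    findings = []
    for host, obs_cfg in observed.items():
        if host not in baseline:
            findings.append((host, ("host", None), None, "not in inventory"))
            continue
        base = flatten(baseline[host])
        for attr, new in flatten(obs_cfg).items():
            old = base.get(attr)
            if new != old and new not in approved_values(host, attr):
                findings.append((host, attr, old, new))
    return findings
```

Each finding is either an unapproved change to resolve (then update the change documents and baseline) or a device that must be added to, or removed from, the environment.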
Now that we have a cyber asset inventory and a process to manage changes to that inventory, we can move to the next basic step that builds on these two steps.
New vulnerabilities and coding errors in existing software, including firmware and operating systems, are continually being discovered. What is secure today may well not be secure tomorrow.
Since you know what cyber assets you have and what software, including versions and patches, is installed or running on each of these assets, you should regularly monitor patch sources for patch releases or updates.
Here are a few examples of these sources:
- Vendor websites, emails or other publications
- Security researchers
- Private third-party vulnerability monitoring services
- Government agencies
When a new patch is released, it should be evaluated in a timely manner to decide whether it applies to any of your cyber assets. A decision should then be made to either skip the patch, implement it or mitigate the vulnerability another way.
Once you have decided that a patch or update will be installed, schedule it, based on criticality and risk exposure, for a time with minimal impact in the event the update does not work as expected. A good option is to first implement it on less critical assets or in a test/non-critical environment to assess the potential impact and risk to operations.
Then apply your change and configuration management process for patch/update rollout, with the associated configuration baseline updates.
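The evaluation step (does a released patch apply to any of our cyber assets, and which ones matter most?) follows directly from the inventory. The following is an added example, not code from the original article: it matches constructed advisories against a constructed inventory by product and version, skips assets already at the fixed version or carrying the closing patch, and orders the hits by criticality so the most critical assets are evaluated first. The inventory and advisory formats, product names and version scheme are all assumptions.

```python
import re

def parse_version(s):
    """Split '2.4.1' or '10.0b' into a comparable tuple of ints (non-digits ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

# Constructed inventory: host, criticality (1 = highest), firmware, software and patches.
INVENTORY = [
    {"host": "plc-01", "criticality": 1, "firmware": ("vendor-plc", "2.4.1"),
     "software": {}, "patches": set()},
    {"host": "hmi-01", "criticality": 2, "firmware": ("vendor-hmi", "10.0"),
     "software": {"vendor-hmi-runtime": "7.1", "remote-tool": "3.1"}, "patches": {"KB8"}},
    {"host": "eng-ws-01", "criticality": 3, "firmware": ("bios-x", "1.2"),
     "software": {"remote-tool": "3.4"}, "patches": set()},
]

# Constructed advisories: affected product, first fixed version, and the patch id that closes it.
ADVISORIES = [
    {"id": "ADV-1", "product": "vendor-plc", "fixed_in": "2.5.0", "patch": "FW-2.5.0"},
    {"id": "ADV-2", "product": "remote-tool", "fixed_in": "3.3", "patch": "KB9"},
    {"id": "ADV-3", "product": "vendor-hmi-runtime", "fixed_in": "7.2", "patch": "KB8"},
]

def installed_products(asset):
    """Yield (product, version) for the firmware and every installed software package."""
    yield asset["firmware"]
    yield from asset["software"].items()

def affected_assets(inventory, advisories):
    """Return (criticality, host, advisory_id, product, version) for every asset running
    a vulnerable version without the closing patch, most critical first."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            for product, version in installed_products(asset):
                if product != adv["product"]:
                    continue
                if parse_version(version) >= parse_version(adv["fixed_in"]):
                    continue  # already at or above the fixed version
                if adv["patch"] in asset["patches"]:
                    continue  # closing patch already applied
                hits.append((asset["criticality"], asset["host"], adv["id"], product, version))
    return sorted(hits)
```

The ranked list is the input to the decision (skip, implement or mitigate otherwise) and, reversed, gives a sensible rollout order when trialling the update on less critical assets first.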
We have briefly looked at three foundational steps to implement as you take your first steps down the path of ICS/OT cybersecurity. These three steps are key components of cyber asset lifecycle management and must be addressed when building a successful cybersecurity program.
These are by no means the only foundational measures; we have not covered access control, backup and recovery or incident response, just to name a few. We will discuss these in our future articles.
Cyber assets are programmable electronic devices, including the hardware, software and data in those devices.
This content is for general information purposes only. All rights reserved ©BBA