ICS/SCADA defence is doable - How to practically defend and secure your ICS/SCADA environment at low cost.

Hacked power stations, crashed airplanes or cars running amok in dark streets as a consequence of hacking attacks... is it really possible?

Well, actually, it is. However, the world has so far only seen three pieces of malware targeted at ICS/SCADA (Stuxnet, BlackEnergy, Havex ... Mandiant coming up with the fourth in June), and only a handful of actual targeted and attributable attacks against ICS/SCADA systems, besides all those that happened due to 'ordinary' IT malware such as Conficker. So it is not something that you, as a production manager, should lose sleep over.

But you should still prepare and protect your plant against it if you value your production capability (and I know you do). The attacks seen so far have all had a significant impact on the ability to deliver whatever the plant or site was producing.

This article is a short brief on why and how you should change your tactics from old-fashioned IT 'buy-some-appliances' to a more Active Defence style, with emphasis on Network Security Monitoring (NSM) and on baselining both 'normal' traffic and (at least) some of your most valuable (read: critical) hosts, servers as well as HMI endpoints, in your ICS/SCADA environment. This approach is heavily inspired by the teaching at SANS, and especially the approach taught by Robert M. Lee on the SANS ICS 515 course.

 So, if you were in charge of security in an ICS/SCADA environment, how should you deal with it?

 IT vs OT

No doubt, most of us have by now realized that there is a huge difference between the priorities of an office IT environment and those of the manufacturing IT (OT) environment. It is often explained using the CIA triad, but inverted: AIC. The meaning is clear, though. In production it will always be (A)vailability that holds the number one priority, because that is where the money is earned. Of course, (I)ntegrity and (C)onfidentiality are also important for manufacturers, but they need their production systems to run close to 24/7 to be able to compete in an ever more competitive market, and to maximize the return on the often very expensive ICS/SCADA equipment used in their manufacturing processes. So (production) time and money matter most.

Some big IT companies would suggest a SOC/SIEM solution for you, but in reality not that many of these service providers know anything about the actual real-life and real-time requirements of the industrial Ethernet-based network traffic and protocols that you have. They excel (pun intended) in office IT environments, where standard TCP and UDP are most common, on a limited set of standard ports. And make no mistake, they are good at that. But in an OT environment we are talking strange languages such as Modbus, DNP3, EtherNet/IP and many more. In reality, most SOCs would not know what to look for, because they have probably never been responsible for running a manufacturing (OT) network or system before. And there is a huge difference.

 A good starting point

So, keeping our feet on the ground and a sound industrial mindset, how would you go about securing an ICS/SCADA installation in your plant?

Time to discuss some standards. I assume that your manufacturing processes, which are supported by the use of OT (that is SCADA/PLC, historians, DCS/PCS and perhaps even an MES system), have been modelled and designed around the ISA 88 and ISA 95 standards (at least to some extent). These standards build on the Purdue Reference Model, and it so happens that the next useful standard in the family is ISA 99, or IEC 62443 as it is called today. And this is where your attention should be focused when it comes to security in the OT (sorry for the buzzword) ICS/SCADA environment.

You should be applying a so-called 'Defence-in-Depth' approach to your security strategy, and it so happens that IEC 62443 aids you with that. The beauty of it is that the IEC 62443 (ISA 99) standard is industry neutral, so no matter whether you run critical infrastructure, discrete manufacturing or a nuclear power plant, you can use this approach. And what does it then say?

Defence-in-Depth means that you build layers of protection, or controls (also known as onion layers, because an intruder has to peel them off one by one, which makes it much harder and slower to reach your most critical, hence most valuable, assets. Oh, and you do of course know ALL your assets, and which of them are the most critical/valuable ones, right?). So you need to harden your platforms, both network equipment and servers/endpoints. And you need to segment your network. Do not run it all in one big flat network: if an intruder penetrates the perimeter of a flat network, they have reached all of your production at once. Use VLANs and tactically deployed firewalls with DMZ zones to segment your production areas into logical and physical compartments, aligned with your ISA 88 and ISA 95 model (the Purdue Reference Model). And by all means, do buy appliances, say IDS/IPS boxes, and place them at strategic points. The IEC 62443 zone-and-conduit model that you hopefully have made should show very clearly where the best places for this kind of appliance are in your specific environment, in front of your most critical/valuable assets. See the example figure, based on a pharmaceutical filling plant.

And you should of course patch both OS and applications, to the extent that patching is supported by the vendors supplying you. Use endpoint protection such as host firewalls and antivirus, or even application whitelisting. Ensure that these kinds of solutions are supported by the vendors of your ICS/SCADA equipment. Did I mention segregation of duties? Also very important for the case where an intruder does end up in your network: no need to give him/her full access right away; let them at least earn the credentials by hard work. Oh, and do remove most or all local admin rights, since these are very rarely really necessary for local applications running on an endpoint. Again, do it together with your vendors to ensure the needed functionality for their ICS/SCADA equipment in your plant. And ensure logging of events across all of your systems.

Finally, you should baseline most of your equipment electronically. That means keeping vaulted digital images of the critical servers and endpoints, so that you can compare the running configuration to the baseline, say once every half year. The benefit is that in an ICS/SCADA environment not many changes are made once it is running, so it becomes quite easy to spot 'evil' or 'abnormal' elements in the configuration, giving your incident responders a firm starting point to work from. Let's face it, most of you will eventually be breached, so it is an advantage to know exactly how things should look and to have a copy for quick restoration. Modern malware is often not caught by antivirus or even firewalls, since the intruders know how to hide (in memory, that is) and to use standard OS functionality. That's what happened in Ukraine in December 2015.

Even though BlackEnergy 3 (BE3) and KillDisk were used, it was weaponised Office documents (to get in) and stolen VPN credentials (to reach the control network) that eventually made the intruders capable of opening circuit breakers via the SCADA HMIs, causing a blackout for some 225,000 customers in Ukraine. So your best defence is to know the 'last known good configuration' and then do a comparison once in a while, to spot perpetrators in your network. This was actually also the conclusion of the SANS ICS team that analysed the Ukraine incident: had the distribution utilities only been looking, they would have been able to spot the initial intrusions quite easily, and long before the attack was finally launched. An even better thing is to support this with Network Security Monitoring, where you collect 'known good' network traffic for later comparison, again to spot 'abnormal' traffic patterns. These steps are actually very cheap and don't need expensive appliances to run, maintain (and service/support) or even look at every day or week. But admittedly, it does require someone to sit down and do the comparison once in a while. And that requires certain ICS/SCADA knowledge and skills, because you will be searching through industrial (Ethernet) network traffic, and not the standard IT Ethernet traffic which most big IT security providers only know.
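The host-baselining step above, written out as an added example (this is not the article's own tooling): take a 'last known good' manifest of a critical host's files, vault it, and some months later diff the running state against it. The directory tree, file names (an HMI runtime, its project file, a planted 'evil.dll') and contents are constructed for the demonstration; on a real HMI you would point build_manifest at the application and system directories and keep the JSON on offline media.

```python
"""Host configuration baseline: build a 'last known good' manifest of file
hashes, vault it, and later diff the running state against it.
Added example, not the article's code; the sample tree is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: files that appeared, vanished, or changed content.
    In a plant that has been running for months, every entry here is a
    question for the incident responders or the vendor."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline an HMI's program tree, then tamper with
    the project file and plant a new binary, as an intruder might."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "HMI").mkdir()
        (root / "HMI" / "runtime.exe").write_bytes(b"legit runtime build 1")
        (root / "HMI" / "project.cfg").write_text("plc=10.10.1.5\n")

        # Vaulted copy: what you store offline next to the disk image.
        vault = json.dumps(build_manifest(root), sort_keys=True)

        # ... six months later, the running host looks like this ...
        (root / "HMI" / "project.cfg").write_text(
            "plc=10.10.1.5\nrun_at_start=evil.dll\n")   # config tampered
        (root / "HMI" / "evil.dll").write_bytes(b"unexpected payload")

        return compare(json.loads(vault), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

File hashes alone miss the things the Ukraine intruders relied on (accounts, services, scheduled tasks, VPN configuration), so on a Windows HMI you would also export the local Administrators membership, the service list and the scheduled tasks to text files inside the baselined tree, so that the same diff catches a new local admin or a new autostart.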
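The Network Security Monitoring step above, and the zone-and-conduit segmentation described earlier, as one added example (not the article's or SANS's code): learn a 'known good' set of flows from a learning window, then review later traffic and flag every flow that is new, marking separately those that cross a zone boundary the IEC 62443 conduit model does not allow. The zone names, IP prefixes, conduit table and the conn-log lines are all constructed assumptions for the demonstration; in practice the flows would come from a span port feeding Zeek or similar, and the conduit table from your own segmentation design.

```python
"""NSM baseline for an OT network: learn known-good flows, then flag flows
that are new and, worse, that violate the zone-and-conduit model.
Added example; zones, prefixes, conduits and log lines are constructed."""
import ipaddress
from collections import Counter

# Purdue-style zones (assumed prefixes).
ZONES = {
    "enterprise": ipaddress.ip_network("10.4.0.0/16"),   # level 4, office IT
    "dmz":        ipaddress.ip_network("10.35.0.0/24"),  # level 3.5, industrial DMZ
    "site_ops":   ipaddress.ip_network("10.3.0.0/24"),   # level 3, historian, engineering
    "control":    ipaddress.ip_network("10.2.0.0/24"),   # level 2, HMIs, SCADA servers
    "process":    ipaddress.ip_network("10.1.0.0/24"),   # level 1, PLCs/RTUs
}

# Conduits the segmentation design permits: (src zone, dst zone, proto, dport).
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),     # ERP reads reports from the DMZ replica
    ("site_ops", "dmz", "tcp", 1433),      # historian replicates into the DMZ
    ("site_ops", "control", "tcp", 3389),  # engineering RDP to SCADA server
    ("control", "process", "tcp", 502),    # HMI/SCADA polls PLCs over Modbus/TCP
    ("control", "control", "tcp", 502),
    ("process", "process", "udp", 2222),   # EtherNet/IP implicit I/O between controllers
}

# Constructed conn-log lines: ts src dst proto dport
BASELINE_LOG = """
1 10.2.0.5 10.1.0.3 tcp 502
2 10.2.0.5 10.1.0.4 tcp 502
3 10.2.0.6 10.1.0.3 tcp 502
4 10.3.0.7 10.2.0.5 tcp 3389
5 10.3.0.10 10.35.0.20 tcp 1433
6 10.4.1.20 10.35.0.20 tcp 443
7 10.2.0.5 10.1.0.3 tcp 502
"""
REVIEW_LOG = """
1 10.2.0.5 10.1.0.3 tcp 502
2 10.2.0.5 10.1.0.9 tcp 502
3 10.4.1.20 10.2.0.5 tcp 3389
4 10.3.0.7 10.1.0.3 tcp 44818
5 10.3.0.10 10.35.0.20 tcp 1433
"""


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_conn_log(text: str) -> list:
    """Whitespace-separated 'ts src dst proto dport' lines -> flow tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def learn_baseline(flows: list) -> Counter:
    """Known-good flows from the learning window; the count per flow shows
    how regular it was, which helps when judging rare-but-legitimate traffic."""
    return Counter(flows)


def review(baseline: Counter, flows: list) -> list:
    """Return (severity, flow, conduit) for each flow absent from the baseline.
    'new' = within the conduit model, check with the vendor/engineering;
    'violation' = crosses a boundary the segmentation does not allow."""
    findings = []
    for f in set(flows):
        if f in baseline:
            continue
        src, dst, proto, dport = f
        conduit = (zone_of(src), zone_of(dst), proto, dport)
        sev = "new" if conduit in ALLOWED_CONDUITS else "violation"
        findings.append((sev, f, conduit))
    return sorted(findings)


def demo() -> list:
    return review(learn_baseline(parse_conn_log(BASELINE_LOG)),
                  parse_conn_log(REVIEW_LOG))


if __name__ == "__main__":
    for sev, flow, conduit in demo():
        print(f"{sev:9s} {flow}  via {conduit}")
```

In the constructed review window the new PLC poll (10.2.0.5 to 10.1.0.9 on Modbus/TCP) is flagged as merely new, while the enterprise host reaching straight into the control zone over RDP, and the engineering station talking EtherNet/IP directly to a PLC, are flagged as conduit violations; the first of these is exactly the kind of 'office to HMI' path the Ukraine intruders used, and it would be visible weeks before any breaker is touched.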

 Conclusion

What I've highlighted above is all part of a Security Architecture, or Strategy, that you should form depending on how your production environment looks.

Apply the IEC 62443 framework along with the SANS Top 20 Critical Security Controls, and form an OT Reference Architecture based on sound security basics. Then combine the Defence-in-Depth strategy with Active Defence mechanisms such as Network Security Monitoring and baselining, and you will have a doable defence for your ICS/SCADA environment.

Some big IT security companies would sell you a Risk Assessment or a Security Framework Compliance report. And that matters, if you are in a business where compliance is required. But what we offer is a little different. We believe that you should also focus on actual practical and doable work in the field (that is, after all, where your equipment resides...), work that will eventually give you back (reclaim) power and control over your ICS/SCADA environment after a breach. Well, this approach will even make you aware of the breach, which many fine and well worked-out compliance reports won't give you at all...

 If you want to know more, feel free to contact us at info@ics2secure.com or call +4530293079 for an appointment so we can discuss how we best can assist you on your journey towards a defendable ICS/SCADA environment, where you can sleep safe at night with the light turned off - that is, turned off by you and not an intruder... 

ics2secure sees the world as our turf and aims to assist companies worldwide in keeping their ICS/SCADA environments as safe and in control as possible, helping to fight off intruders.


Copyright 2016 ics2secure.com

Phil Guimond

Information Security Leader | Application & Cloud Security | Red Team | DFIR | Programmer

6y

This architecture also makes a lot of sense outside of SCADA systems as well. :)

Ray Sefchik

Information Security & Compliance Professional

7y

Good article Michael. Agree with the defense in depth model for OT as well as IT. Just gave a presentation that mirrors the points you make, and will be sharing your article with the attendees to reinforce the strategies. Best regards!

Richard Asch

Head of Cyber Security at Western Power

7y

Good article! What's your take on the NIST standards (SP 800-82 etc)? I find NIST to be more "user friendly" and explanatory than IEC

Jack Gaines

In service to help form a more perfect union through justice, domestic tranquility, a common defense, promote the general welfare, and secure the blessings of liberty and Posterity

7y

Enrico Gassmann, any thoughts or comments?
