How to Improve ICS Security

Monday, September 26, 2016 @ 12:09 PM gHale

It may not be abundantly clear to the general public, but industrial control systems (ICSs) are an integral part of critical infrastructure, and keeping them out of the hands of attackers is a 24-hour-a-day operation.

The catch is that not every operator in the ICS sectors (electricity, oil and gas, water, transportation, manufacturing, and chemicals) is on top of its security game.

The growing issue of cybersecurity and its impact on ICS highlights fundamental risks to the nation's critical infrastructure. Addressing ICS cybersecurity issues effectively requires a clear understanding of the current security challenges and of the specific defensive countermeasures available.


That is why the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) developed a recommended best practice paper in an effort to reduce risks within and across all critical infrastructure sectors and to share common control systems-related security mitigation recommendations.

A holistic approach, one that uses specific countermeasures implemented in layers to create an aggregated, risk-based security posture, helps to defend against cybersecurity threats and vulnerabilities that could affect these systems. This approach, often referred to as Defense in Depth, provides a flexible and usable framework for improving cybersecurity protection when applied to control systems.

Defense in Depth is not new. Organizations already employ Defense-in-Depth measures within their information technology (IT) infrastructures; however, they do not necessarily apply them to their ICS operations. In the past, most organizations did not see a need to do so. Legacy ICSs used obscure protocols and were largely considered "hack proof" because they were separated from IT networks and protected by physical security measures. But with the convergence of IT and ICS architectures, recent high-profile intrusions have highlighted the potential risk to control systems.

The last five years have brought a marked increase in concern regarding the potential for cyber-based attacks on critical infrastructures, and the number of cyber-based incidents across critical infrastructure sectors that asset owners reported to ICS-CERT has risen. In response, both government agencies and sector-specific regulatory authorities issued cybersecurity guidance and imposed sanctions for noncompliance.

The threat of an intrusion by malicious actors on critical infrastructure using computer-based exploits has also grown. A number of high-profile incidents have increased awareness of this threat and the individuals and groups who pursue it with malicious intent. The availability of ICS-specific security solutions has not kept up with the mounting threat, so organizations must deploy a robust Defense-in-Depth solution — making their systems unattractive targets to would-be attackers.

This recommended practice document offers guidance for developing mitigation strategies for specific cyber threats and direction on how to create a Defense-in-Depth security program for control system environments.

The document presents this information in four parts:
1) “Background and Overview” outlines the current state of ICS cybersecurity and provides an overview of what defense in depth means in a control system context
2) “ICS Defense-in-Depth Strategies” provides strategies for securing control system environments
3) “Security Attacks” outlines how threat actors could carry out attacks against critical infrastructures and the potential impact to ICSs and networks
4) “Recommendations for Securing ICS” provides resources for securing ICSs based on current state-of-the-art methods and lessons learned from ICS-CERT activities, national and sector-specific standards for ICS security, and tools and services available through ICS-CERT and others that can be used to improve the security posture of ICS environments.

As ICSs grow in complexity and connect to business and external networks, the number of potential security issues and their associated risks grows as well.

Because attack vectors are numerous and target many different resources within a control system, attacks can unfold asynchronously over an extended period and exploit multiple weaknesses in the control system environment.

Organizations cannot depend on a single countermeasure to mitigate all security issues. In order to effectively protect ICSs from cyber-based attacks, organizations must apply multiple countermeasures — thus reducing risk using an aggregate of security mitigation techniques.

One should note that Defense-in-Depth measures do not and cannot protect against all vulnerabilities and weaknesses in an ICS environment. They are applied primarily to slow an attacker down enough to allow IT and OT personnel to detect and respond to ongoing threats, or to make the attacker's effort so cumbersome that they turn their attention toward easier prey.