How to Start Up ICS Security

Wednesday, August 19, 2015 @ 02:08 PM gHale

By Heather MacKenzie

It is often the case that when you don’t know how to do something, you avoid or delay doing it. That means taking on a new challenge or learning best practices about a new topic is often put on the back burner.

If cyber security is a new area for you, there are three basic concepts that, once you understand them, you can start putting into practice right away.

Think of it this way: cyber security is a topic of high concern at the top levels of every company.

Plus, the Industrial Internet of Things (IIoT) is connecting more devices and systems to the control network, increasing the likelihood of cyber incidents. It’s more important now than ever before to understand the principles of cyber security.

1. Start with a Risk Assessment
A risk assessment is a best practice recommended by every solid security consulting firm and standards group. You need to understand your network’s level of risk and rate the state of the cyber defenses at your facilities.

This might sound like a big project, or a costly consulting engagement. However, it is possible to do it internally and at no cost. While this may not be for everyone, it could be a viable option if a third-party assessment is not in your budget right now. It is also a heck of a lot better than doing nothing about improving the security of your Industrial Control System (ICS) network.

The steps for implementing a zero-cost industrial security risk assessment include the following:
• Determine who should help with the risk assessment (consider IT personnel, an executive and a person from each type of job in your company)
• Identify critical assets
• Prioritize and list the largest risks for each asset
• Prioritize the list of industrial security assets
• Determine and rate existing protection measures

Learning this process is important, and it is not a one-time exercise. Good security requires monitoring, evaluating and improving your plans regularly to ensure that current measures are working effectively. This will also help you recognize new or developing risks to the network.

2. Plan a “Defense in Depth” Strategy
After completing the risk assessment, you need to create a plan to secure your network. The approach you want to take is called Defense in Depth (DiD), which includes multiple layers of defense distributed throughout the control network.

A well-developed DiD strategy includes:
• Multiple layers of defense instead of relying on a single point of security
• Differentiated layers of defense, ensuring an attacker can’t access all subsequent layers after getting past the first
• Context and threat-specific layers of defense, meaning each layer is optimized to deal with a specific class of threats

If your network is protected by a DiD strategy, the impact of an accidental security incident or a malicious attack will be limited to the zone where the problem began. You want to set up your systems so the right people or teams receive an alarm and the work to identify the issue begins in a timely fashion.

3. Protect the Crown Jewels First
Lastly, you must prioritize the crown jewels. What are the crown jewels? Think of the systems that would cause a complete disaster for your network if they were shut down (either unintentionally or maliciously).

These might be the safety instrumented system (SIS) in a refinery, the programmable logic controller (PLC) managing chlorine levels in a water filtration plant, or the remote terminal unit (RTU) in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect these assets and the chance of a truly serious cyber incident is greatly reduced.

Control systems have become complex and difficult to protect at all times, so focus your resources on securing those assets that really matter to the survival of the company.

Don’t let the complications brought on by the IIoT’s increased connectivity or the high cost of formal risk assessments keep you from protecting your network effectively. By taking the right steps to understand your risks, choosing a layered approach to your ICS security, and prioritizing your most important assets, you can successfully protect your network in our increasingly connected world.

Heather MacKenzie is with Tofino Security, a Belden company.