A Security Short List

Wednesday, September 27, 2017 @ 02:09 PM gHale

By Katherine Brocklehurst
Have you been feeling “cyber security breach fatigue?” We don’t blame you.

Cyberattacks or employee errors that cause disruption and revenue losses to industrial and critical infrastructure organizations are particularly popular in news media today. That’s partly because a successful disruption within critical infrastructures can cause physical consequences that get the public’s attention.

Industrial automation and process control engineers often feel cyber risk is overplayed because there are safety instrumented systems (SIS) designed specifically to take over when unsafe conditions occur.


Unfortunately, sophisticated malware designers have demonstrated the capability of using the power grid’s own SIS protections to cause power outages, and this framework is extensible to many industries, not just power.

There are hazards and risks with any industrial application, making the protection of personnel, processes and the surrounding environment a significant part of any industrial automation strategy. Organizations have said for some time cyber security and safety are interrelated; a system cannot be safe if it is not secure.

Are you already convinced of the need to improve industrial cybersecurity at your site? Would you like to move beyond the heavy drumbeat of concern over inevitable cyber threats? But are you still not sure where to start? The likelihood of experiencing a disruptive incident, like a systems outage, is high by many metrics – even if you don’t think you’re a target. While challenging, proactively preparing for incidents in your functioning industrial plant is vitally important.

Here is a prioritized “short list” of what to do now to avoid significant business disruption.

This list comes from multiple industrial standards, experts and governance bodies and is oriented toward proactive steps to take before an incident occurs. These steps are non-disruptive and will shorten your time-to-recovery and minimize the business impact of a cyber incident in the plant, regardless of your industry.

This list also makes three assumptions: 1) you have some degree of perimeter defense in place with firewalls; 2) a demilitarized zone (DMZ) separates the plant from corporate assets; and 3) the plant has fully embraced network segmentation.

1 – Prioritize Your Assets
Identify the most important systems to your plant/business functions and where they’re located. This is not an exhaustive list of all assets – it should be the most highly prioritized subset, without which the business immediately begins to feel the impact and lose revenues. You might be surprised to find how difficult it is to determine the locations of assets, both physical and virtual. It also usually takes a bigger group than just plant operations to discuss and agree upon the prioritization.

2 – Continuous Security Monitoring
At a minimum, monitoring your critical assets is now a business cyber security essential. Just like monitoring your industrial automation and process controls, industrial security requires continuous monitoring to assure the cyber health and hygiene of the systems within your plant operations.

If you have servers, databases and other systems running on Windows or Linux, you should prioritize these inherently weak and unpatched systems for monitoring. Monitoring them tells you when those systems’ configurations and services need to be hardened against typical and often highly ranked cyber risks.

One service of particular note is remote access. Most experts recommend you discontinue remote access to any critical asset, especially your control systems. Sometimes this can be done; other times it won’t be possible. One valuable capability is to discover and profile wireless access points and also identify systems that have remote access software loaded where you didn’t expect it. Plants are continuously surprised in these areas.

You also should consider a log and event monitor. Think of this passive security device as your “security-centric data historian.” Use it to non-invasively gather and correlate logs and event activity from servers, asset management systems, databases, firewalls, routers and even HMIs – since HMIs are one of the many assets within the plant typically targeted for compromise. If an adversary owns (or “pwns” – in threat parlance) your HMI or FTP servers, he or she can cause disruption and potentially impact the ICS and the I/O they control, causing physical damage. Even just introducing latency in many environments can disrupt processes and impact manufacturing.

As a forensic tool, logs are the first thing investigators ask for, and most sites either don’t have them enabled or attackers turned them off without the target organization realizing it. Having a correlation tool that automatically brings the logs together and flags events of interest with the entire context required can be invaluable toward piecing things back together and understanding how an incident may have occurred.
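As an added example (not code from the article or from Belden), here is a minimal correlator in the spirit of the “security-centric data historian” above: it joins constructed firewall and host log lines against a prioritized asset list from step 1 and flags remote-access sessions to critical assets, an audit log being cleared, and critical assets whose logs have gone silent. All asset names, IP addresses and log line formats are constructed for illustration; Windows Event ID 1102 (“The audit log was cleared”) is real.

```python
import re
from datetime import datetime, timedelta

# Step 1 output: the prioritized subset of assets (constructed values).
CRITICAL_ASSETS = {"10.1.5.20": "HMI-01", "10.1.5.30": "HIST-DB"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH"}
SILENCE_THRESHOLD = timedelta(minutes=30)  # "logs turned off" heuristic

# Constructed sample log lines in a simplified firewall/host format.
SAMPLE_LOGS = """\
2017-09-27T10:00:05 fw01 ALLOW src=192.168.40.12 dst=10.1.5.20 dport=3389
2017-09-27T10:00:09 fw01 ALLOW src=10.1.5.30 dst=10.1.5.20 dport=502
2017-09-27T10:02:11 HIST-DB EventID=1102 The audit log was cleared
2017-09-27T10:41:00 fw01 ALLOW src=192.168.40.12 dst=10.1.5.20 dport=443
"""

FW_RE = re.compile(r"^(\S+) (\S+) ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")
HOST_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) (.*)$")


def correlate(log_text, now):
    """Return alert strings for events of interest on critical assets."""
    alerts = []
    last_seen = {name: None for name in CRITICAL_ASSETS.values()}
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _, src, dst, dport = m.groups()
            asset = CRITICAL_ASSETS.get(dst)
            if asset:
                last_seen[asset] = datetime.fromisoformat(ts)
                # Remote access from outside the critical set is an event of interest.
                if int(dport) in REMOTE_ACCESS_PORTS and src not in CRITICAL_ASSETS:
                    alerts.append(f"remote access ({REMOTE_ACCESS_PORTS[int(dport)]}) "
                                  f"from {src} to {asset}")
            continue
        m = HOST_RE.match(line)
        if m:
            ts, host, event_id, _ = m.groups()
            if host in last_seen:
                last_seen[host] = datetime.fromisoformat(ts)
            if event_id == "1102":  # Windows Security log cleared
                alerts.append(f"audit log cleared on {host}")
    # A critical asset that stops logging is itself worth flagging.
    for asset, seen in last_seen.items():
        if seen is None or now - seen > SILENCE_THRESHOLD:
            alerts.append(f"no recent logs from {asset}")
    return alerts


def run_sample():
    return correlate(SAMPLE_LOGS, datetime(2017, 9, 27, 10, 45))


if __name__ == "__main__":
    print("\n".join(run_sample()))
```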

3 – Disaster Recovery Plan
For these critical and prioritized systems, be certain that you have implemented a disaster recovery plan inclusive of regular, recent and tested backups and critical hardware spares. Backups should include all physical and virtualized critical assets, operating systems (OS), documented and “known good” configuration files and all application and system software, including integrations and customizations, if applicable.

Current ransomware typically spreads automatically across networks and system-to-system, and many organizations discover after an attack hits that their backups were encrypted too. Therefore, keep these backups in a safe location that is not “online” – in other words, don’t just copy to a file server and forget about it. Have a controlled and limited list of personnel (with contact information) who know where these backups and spares are kept, and preferably have documented details for recovery.

Just a Beginning
There are obviously many other steps to take along the path toward improved industrial cyber security, and every organization approaches the topic with its own priorities.

However, these three steps will significantly lower cyber risk in the plant from external and internal sources.

If undertaken now, you can be far better prepared for recovery activities when an incident does occur.

Knowing your most critical assets, monitoring them for security and system state, and having reliable and tested backups can help.

This “Industrial Cyber Security Short List” will ultimately shorten your time-to-recovery and reduce business and revenue losses when an incident does strike within your plant.

Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire.
