Today's industrial control systems (ICS) face an array of digital threats. Two in particular stand out. On the one hand, digital attackers are increasingly targeting and succeeding in gaining unauthorized access to industrial organizations. Some actors use malware, while others resort to spear-phishing (or whaling) and other social engineering techniques. Those tactics notwithstanding, most of the major industrial control systems security incidents we heard about in 2016 fortunately caused only disruption, not destruction, to the organizations they affected. On the other hand, Trend Micro's researchers found, for example, that actors can leverage passive intelligence to eavesdrop on unencrypted pages sent between beepers used in industrial environments. Those attackers can then use that stolen information to conduct social engineering attacks, break into an organization, or create false alarm scenarios that could affect industrial operations. To protect against those threats, it's important that companies take adequate steps to create effective industrial security programs and prioritize organizational risks. Belden has developed a 1-2-3 approach to industrial cyber security, organized to help reduce complexity, prioritize risks and get started securing the industrial network, endpoints and control systems.
1. Securing the Industrial Network
Industrial organizations that want to secure their networks should begin by making sure they have a good network design with well-secured boundaries. Once they complete that initial step, enterprises should segment their networks by implementing the ISA IEC 62443 standard, secure all of their wireless applications, and deploy secure remote access solutions to help with fast troubleshooting and problem-solving. Companies should also monitor their networks. Katherine Brocklehurst of Belden feels it's increasingly important for them to do so in OT environments:
"Monitoring the security status of a network is common practice for IT security teams but less common in operations environments…[there is also] value in monitoring industrial network infrastructure equipment such as routers, switches, gateways etc. These systems connect the segments and can be compromised. They need to be assessed, a baseline taken and a monitoring effort applied."
2. Securing the Industrial Endpoints
OT professionals might feel their organization's endpoints are protected against digital attacks by perimeter firewalls, proprietary software, specialized protocols, and airgaps but that just isn't the case. The moment employees, contractors or supply chain personnel walk in with their laptop or a USB to conduct maintenance, these safeguards are bypassed. As a result, Kathy Trahan of Tripwire says companies should be doing more to secure their industrial endpoints:
"To mitigate OT attacks, PC-based endpoints in the OT environment need to be protected, and organizations need to defend their IT endpoints against attacks that traverse over to the OT environment. An overarching endpoint security strategy needs to be in place for OT and IT environments."
A starting place for many organizations is to gather and maintain an accurate inventory of all endpoints' hardware and software, tracking the vulnerabilities in OT assets, assuring secure and hardened configurations are in place at each endpoint, and monitoring and alerting on unauthorized changes.
3. Securing the Industrial Controllers
In every industrial environment, there are physical systems – mechanical devices such as accuators, calibration devices, valves, and an array of sensors for temperature, pressure, etc. that interact with the physical world. Bad actors have gained access to these mechanical devices in many documented cases, causing those systems to malfunction, but they have no direct way of doing so without gaining access to the control level. To get around that obstacle, some attackers target the industrial controllers responsible for managing those systems. Brocklehurst explains in another blog post:
"…[P]hysical systems are connected back to a type of specialized computer that actually controls it. It is these specialized computers that make the bridge between controlling the physical systems and receiving programming or instructions from a network. These are the industrial controllers, and they are the systems being targeted to create physical damage or disrupt a revenue generating industrial process in cyber attacks. Industrial controllers come in different varieties, but you will hear terms such as PLC (programmable logic controllers) and DCS (distributed control systems) used commonly to refer to different types of these."
Here's an example of an easy-to-remember controller we come into contact on a daily basis.
It's a regular old thermostat that interacts with a heating system to warm a house or building. Organizations can protect industrial controllers against digital attacks by enhancing their detection capabilities and visibility into industrial control systems changes and threats, implementing security measures for vulnerable controllers, monitoring for suspicious access and change control, and detecting/containing threats in a timely manner.
What can you do to Help Protect Your Industrial Control Systems?
Given the growing complexity of industrial environments, it's important that organizations make an effort to adequately protect against digital threats. Doing so requires a multi-step approach that focuses on network security, endpoint security, and industrial controller security. Interested in learning more about how to defend your industrial control systems with Tripwire? Click here to find out more. Alternatively, you can read the SANS 2016 State of ICS Security Report here. If you are interested in learning more about Industrial Cyber Security you can download our new e-book, “Industrial Cyber Security For Dummies” here.