It is always said that security is never a one-size-fits-all solution. This is true not only because of the apparent infinite varieties of equipment in each individual organization, but also, and perhaps more importantly, the different ways that every organization views security. Some spend lots of time focusing on physical security, especially those with industrial control systems (ICS). Others are small organizations, where the primary concern is personal data theft. There is also everything in between those two ideologies.
Fortunately, the end goal is usually the same for each entity, with the disparities amounting to a misunderstanding of language or some industry-specific phrasing.
An example of that would be someone from the ICS world referring to their log management solution as “the historian,” whereas someone in the commercial vertical knows it as a SIEM. Fundamentally, they do the same thing; gathering up all the activity or event data from devices to be forensically stored/analyzed at a later date.
How can one bridge the gap of industry jargon to try and explain that even though one thing might be known as something else, it does not mean that it provides a different function? The time-honored analogy may be the best method.
Although there are broad expanses where security is important, there are four key areas of security concerns that all ICS organizations should maintain.
1. Asset Management
This refers to the consistent management or awareness of devices within an organization, whether that means software, PCs or even hardware devices, such as a PLC on an ICS plant floor. Any entity found within an organization could be vulnerable to compromise, and not knowing what you have is no different than intentionally leaving it unsecured. Ignorance is not bliss.
There was a time when the idea that any device could be a target was looked upon with severe skepticism, however, we have since seen network breaches through seemingly innocuous devices, such as a vending machine, and an aquarium thermometer.
Common analogy: Imagine a stranger on the street walks up to you and states that he is planning to break into your house to take an item. You don’t know who he is or even what item he is referring to. The first thing you think about is will he get in?
The first thing you do when you get home is to perform an asset assessment. Where are the physical weak points? Perhaps the windows, doors, or maybe the thief has a Santa Claus obsession, planning to use the chimney for access? You apply security measures, but has your haste caused you to overlook anything? Inconsistent monitoring can lead to potential vulnerabilities.
You can apply the same methodology to the items within the house, as well. When was the last time you took inventory of all your household items, or even just the high-value items? Would you be able to work out what was taken a few months later only when you go to get your Rolex watch to find it missing?
The security takeaway: While it is unfeasible to constantly inventory every object in your house, keeping an accurate network inventory is not that difficult. Make sure every device that could potentially be compromised and used as a means of accessing sensitive information is inventoried and maintained. Not knowing what devices are on your network is probably the biggest mistake a lot of organizations make. Remember that this does not always mean physical items. Unpatched and outdated software could create a security gap as well.
The difference between attempting to continually monitor your personal household belongings, and an enterprise’s assets, is that there are automated tools to assist an organization.
2. Network Segmentation
Network Segmentation is critical to good security hygiene, as it segregates internal networks from each other. If someone were to access your network illegally, network segmentation could help keep them limited to the zone or area that they have accessed, thereby limiting the damage they could cause.
The benefits of this control may seem obvious, but many organizations, both commercial and industrial, still have “flat” network topologies. Usually, this is just a result of organizational growth. This is particularly true in ICS organizations. The primary concern at industrial facilities has always been physical security. However, as more and more IoT devices are introduced into these networks, this has now become an attack vector that needs to be addressed.
Common analogy: Imagine your family comes over to visit during the winter holidays, and during their visit, they ask you for your local Wi-Fi password.
Obviously, you will disclose the password, since you (hopefully) trust your family members. However, if you have not enabled the guest network, you are then allowing any device into the same network where you conduct your personal business. The problem here is that these guest devices may store the Wi-Fi password, and if one of those devices is already compromised, it has the same access as any other device on the network. This could extend to compromising the computer on which you perform your banking transactions.
Assuming that your security measures are strong enough is not good enough these days, as the weakest link could be someone else connected to the network. The best solution would be to either say no to your family member, to change your password on your Wi-Fi network when they leave, or to enable segmentation (a guest network) that only has access to limited resources. This would prevent any compromised devices from accessing the internal, sensitive network.
The security takeaway: Segment as many devices as possible. Understandably, segmenting networks and installing firewalls and other protective technologies could be an expensive effort, however, not doing so could cost more in the long run if a breach occurs.
3. Vulnerability Assessment
A vulnerability assessment looks for known weaknesses within an entity. Having visibility on where your potential weak points are within your organization is critical to not only preventing potential attacks, but also to maintaining operational effectiveness.
Most people only think of vulnerability assessment as a way to alert about security holes, however, having a device that is potentially open to receiving unexpected information could result in the device going offline due to being overloaded with information. This is more commonly seen within the ICS industry, and obviously, having a device such as a PLC go offline during a manufacturing plant run could be devastating in some cases.
Being able to see where all the potential security holes might be on the device, and also what applications or services are running, could be a major benefit for an organization to determine the potential risk it poses.
Common analogy: Imagine you own a convenience store, and you are locking up for the evening. A simple scan of the area would indicate that all the access points to the store are closed and locked. Part of that inspection would also include any basement or roof access points. Of course, locking the safe would also be an important part of this evening assessment, as well as leaving the cash register empty with the cash drawer fully open to show any casual thieves that no money is present. As a final step, the motion detectors and alarm system would be set and turned on, and then the store could be locked up.
If you had to contemplate that any one of your security systems was not working, what would your action be to correct the problem before you could consider the store safe to leave unattended? This impromptu risk assessment is an important part of business operations.
The security takeaway: Every organization should have some form of vulnerability assessment in place. However, having a solution should not be considered a security panacea, as you need more than just a notification tool. Imagine how much more effective your organization could be if each vulnerability was detected and then displayed with the recommended remediation advice, such as which patch would resolve the security flaw.
This would save your team hours of research time and effort. Another important point is to separate the vulnerability assessment tool from the patch management solution. It should not be assumed that a security flaw has been remediated purely because a patch version has been found on the device. Sometimes, a patch will be run on a system and seem to be 100 percent successful, but when scanned for risks again, certain vulnerabilities are still present.
A great practice would be to use your vulnerability solution to detect the risk, inform the patch management solution to run the recommended patch, and in turn kick off a new scan from the vulnerability solution to verify that everything has been remediated, i.e. double check each other’s work.
4. Continuous Monitoring
Continuous monitoring should hold the highest priority when it comes to security hygiene. People often don’t know where to start with this, and are usually directed to frameworks that can assist. Most frameworks across all industries emphasize that the first security step is asset discovery. Once that is achieved, continuous monitoring, and in particular, configuration management and integrity monitoring should be deployed for all devices.
Integrity monitoring is commonly referred to as File Integrity Monitoring (FIM), but the “file” aspect is not strictly true, as monitoring should be on all elements found within the organization, not just files. If you were able to see when a change occurs within a critical configuration and were able to react in real-time, any damage could be prevented.
Common analogy: Imagine you owned a small sweet shop in the middle of town and decided not to spend money on a security device such as a CCTV camera. One day, a school bus stops by and all the children enter the shop in one large group. Obviously, your attention is pulled in all directions, and there is a lot of activity. When everyone has left, you notice that a jar of your most expensive sweets has been halved, and you don’t recall selling a single item that day. You decide to go through your receipts to see if you have just forgotten or missed that transaction during the rush. This would be equivalent to looking through your log data for certain activities.
Sadly, you are correct, and there were no sales of that particular sweet that day. So, as you and most organizations used to do, you just sweep it under the rug and promise to yourself to be more vigilant next time. Now, imagine that you had installed a CCTV camera. You would easily be able to see who not only opened the jar (a configuration change), but that the content of the jar was being altered (an integrity change).
On a grander scale, this is what a large supermarket does by installing CCTV cameras and hiring people to monitor them in real-time in the back office. As a person attempts to pass the point of sale without paying for the stolen goods, the security team could react and stop them.
The security takeaway: The above analogy seems obvious, and we know people have been using this type of security for years, and it deepens the need for integrity and configuration management, even over vulnerability management. It is reasonable to assume that not much damage could take place on a network with someone making an actual change.
In Conclusion
The idea of starting with change management could be seen as controversial, however, it is important to stress that all types of security measures should be in place, as they each offer their own values and benefits when working together. All four (FIM, configuration management, log management, and vulnerability assessment) should be adopted in parallel for a full security picture to be achieved. Network segmentation is also vital to limit the possible scope of damage.
Leaving any of those items out would leave a gap for some malicious actors to exploit.
The Tripwire ICS Security Suite extends to each of these critical layers I have discussed above. With Tripwire Log Center and Tripwire Enterprise with Tripwire Data Collector, you’ll have the assurance of interconnected, automated highly visible ICS security best practices. When your OT environment's security system is running smoothly, you can put your focus where you want it: on safety, quality and productivity.
