What is the Security Posture for Industrial Control Systems-based Organizations?

It is hard to get an accurate read on the security posture of critical ICS infrastructure today, for several reasons. There is no general requirement to publicly disclose a breach of an ICS environment if and when one occurs. Breach-notification laws, including the federal data breach notification bill proposed in the US in 2015, require organizations to notify consumers when their personal information is compromised; an ICS intrusion usually exposes no consumer data, so it triggers no such notice. There are also few enforceable compliance regulations to drive better security. Exceptions do exist, such as the NERC CIP standards in the North American electric sector. The following emerging standards for ICS environments offer some security guidance:
- ANSI/ISA-62443-3-2 is a security standard specific to ICS environments. It covers partitioning a system into zones and conduits, that is, the segmentation and isolation of these environments, and assessing the risk of each zone.
- NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, is directed at ICS/SCADA systems; its second public draft appeared in February 2015 and the final revision was published in May 2015.
OT? IT? To XT

Day-to-day functions in ICS-based environments are managed by Operations Technology (OT) in many organizations, but cyber security is currently assigned to Information Technology (IT). To meet tomorrow's threats, these two groups need to work together. The blending of IT and OT is critical because more ICS devices are gaining network connectivity to improve automation and efficiency. To address the threats that come with connectivity, some organizations try to "air gap" or isolate vulnerable ICS systems, but even then most ICS devices are never fully disconnected or segmented from the network: there is often a link left in place for testing, or a Wi-Fi link to the Internet, and an air gap that has one such path is not an air gap. Another consideration is that many ICS devices run legacy operating systems that have never been upgraded and are therefore more likely to carry known vulnerabilities. OT typically does not upgrade because doing so would disrupt service and jeopardize uptime, whereas a good part of an IT professional's job is to upgrade systems to improve functionality and performance and to minimize vulnerabilities. This fundamental difference will need to be reconciled. Many people are talking about securing our critical infrastructure. Take Robert Westervelt, an information security research manager at IDC:
"A combination of factors is dramatically reshaping OT security. More Internet connected industrial automation devices and the convergence of OT and IT infrastructures, in addition to a shortage of security skills, means that accurate evaluation and mitigation of security risks is increasingly challenging."

Analysts predict that by 2020, IT security will be responsible for 25% of physical incidents in ICS environments. Some may ask why. The reason is simple: many ICS devices now connect to the Internet and to the IT network, but most organizations have no security professionals who know how to protect ICS devices. That puts IT security front and center on this issue.
What to Do about your Industrial Control Systems?

Okay, enough of the doom and gloom. So what can you do? Basic security hygiene for critical ICS-based assets would include:
- Deploying anti-malware and breach detection where the platform supports it.
- Preventing unauthorized applications from running by deploying application whitelisting, which suits fixed-function ICS hosts well because their set of legitimate executables rarely changes.
- Preventing unauthorized changes by enforcing a secure baseline configuration and monitoring for drift from it.
- Minimizing known vulnerabilities by deploying vulnerability management where possible, bearing in mind that active scanning can upset fragile controllers and passive or offline assessment is often the safer choice.
- Reducing exposure to physical attacks by locking down USB ports on all ICS devices.
- Segmenting your network with firewalls/IPS between business and ICS networks, so that only explicitly approved flows cross the boundary.
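The segmentation item is the one most easily checked mechanically. The following is an added example written for this page, not code from the original post or from any product: a small audit that models the business network, a DMZ that hosts the historian, and the control network as zones in the ISA-62443 sense, declares the approved conduits between them, and flags every firewall allow rule that permits a cross-zone flow outside that list. The zone addressing, the conduit list and the sample rules are all constructed, hypothetical inputs; rules 3 and 4 are the kind of "temporary" vendor shortcut and forgotten testing link the text warns about.

```python
"""Added example: audit a firewall ruleset against an ICS zone/conduit model.

Illustrative code written for this page, not a product or project artifact.
Zone addressing, the conduit list and the sample rules are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical zones: the business (enterprise) network, a DMZ that hosts
# the historian, and the control network where PLCs and HMIs live.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Approved conduits as (src_zone, dst_zone, proto, port). There is
# deliberately no enterprise -> control entry: business users reach plant
# data only through the historian in the DMZ.
CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("enterprise", "dmz", "tcp", 443),  # users browse the historian web UI
    ("dmz", "control", "tcp", 502),     # historian collector polls PLCs (Modbus/TCP)
}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str           # "allow" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port


def zones_touched(cidr: str) -> Set[str]:
    """Return every zone a CIDR overlaps. A broad range such as 0.0.0.0/0
    touches all zones, which is exactly what an audit must notice."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per cross-zone flow that an allow rule permits but
    that is not an approved conduit. Same-zone traffic is out of scope."""
    findings: List[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        for src_zone in sorted(zones_touched(r.src)):
            for dst_zone in sorted(zones_touched(r.dst)):
                if src_zone == dst_zone:
                    continue
                if r.proto == "any" or r.port is None:
                    findings.append(
                        f"rule {r.rule_id}: {src_zone}->{dst_zone} allows any "
                        f"service; a conduit must name protocol and port")
                elif (src_zone, dst_zone, r.proto, r.port) not in CONDUITS:
                    findings.append(
                        f"rule {r.rule_id}: {src_zone}->{dst_zone} "
                        f"{r.proto}/{r.port} is not an approved conduit")
    return findings


# Constructed sample ruleset (hypothetical addresses).
SAMPLE_RULES = [
    Rule(1, "allow", "10.10.0.0/16", "10.20.0.10/32", "tcp", 443),       # users -> historian
    Rule(2, "allow", "10.20.0.10/32", "192.168.100.0/24", "tcp", 502),   # historian -> PLCs
    Rule(3, "allow", "10.10.5.0/24", "192.168.100.0/24", "tcp", 502),    # "temporary" vendor shortcut
    Rule(4, "allow", "0.0.0.0/0", "192.168.100.0/24", "any", None),      # testing link left open
    Rule(5, "deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Rules 1 and 2 match declared conduits and produce nothing; rule 3 is flagged once because enterprise-to-control Modbus is not a conduit, and rule 4 is flagged twice because an any-source, any-service rule into the control zone opens it to both the enterprise and the DMZ. The same model can be fed from an exported ruleset instead of the inline sample, and extended with per-zone risk levels as ISA-62443-3-2 describes.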