Having been fortunate enough to work for a security company like Tripwire for a number of years, I’ve had the privilege to work with different teams in different verticals across the world. I am still amazed at how many organizations see security differently.
Some spend lots of time focusing on physical security, especially those with industrial control systems (ICS). Others are small one-man organizations that are worried about their personal data being stolen. And then there’s everything in between the two. The one great thing that I can say is that at least everyone is now talking more about security in some form.
Having dealt with all these different areas/verticals/geos, I’ve found that the end goal is usually the same for each entity, with the problem of understanding boiling down to language or some industry-specific phrasing.
A good example of that would be someone from the ICS world referring to their log management solution as the historian whereas someone in the commercial vertical knows it as a SIEM. Fundamentally, they do the same thing in gathering up all the activity or log data from devices to be forensically stored/analyzed at a later date.
Over the years, I have been trying to bridge the gap of industry jargon to try and explain that even though things might be known as something else does not mean it will provide a different function. The best way I have been able to overcome this is by using analogies.
Although there are a lot of areas that ‘security’ can play in from things like software, hardware or even physical access, below are four areas of security concerns that all ICS organizations should maintain or at least adhere to (at a minimum).
1. Asset Management
This refers to the consistent management or awareness of devices within an organization whether that means software, PCs or even hardware devices, such as a PLC on an ICS plant floor. Any entity found within an organization could be considered a threat, and not knowing what you have is almost as bad (or even worse) than leaving it unsecured.
Now this synopsis could be taken as absurd, and me claiming any device seems a bit far-fetched, but I personally know of a customer that was attacked via a vending machine that was placed on the office floor. As the vending machine had network capabilities, it was accessed and was found to have either no or very little security measures in place. It was then used to get onto the corporate network and, fortunately, was detected via the organization’s security tools.
Common analogy: Imagine a stranger on the street walks up to you and states that he is planning to or has already broken into your house and has or will take your favorite item and then walks away. You don’t know who he is or even what the item he is referring to. The first thing you think about is how did, or how will he get in?
So, the first thing you do when you get home is to do is an asset assessment. Where are your weak points? Windows, doors, etc. You then check that they are all secured. During your check, you discover that there is access to the house via the chimney you had fitted two months prior. Now that you realize that there is another potential entry point, you apply security measures. But is this too late? Not consistently doing checks on your property has led to a potential threat or loss. Now you can apply the same methodology to the items within the house, as well. When was the last time you took inventory of all your household items? Or even just the high-value items? Would you be able to work out what was taken a few months later only when you go to get your Rolex watch to find it missing?
My takeaway: Make sure every device that could potentially be compromised and used as a means of accessing sensitive information is inventoried and maintained. Not knowing what you don’t have is probably the biggest mistake a lot of organizations make. Remember that this does not always mean physical items. Unpatched/insecure software could be a big hole in an organization, as well. This process is usually found to be one of the hardest principles to maintain due to the ever-changing environments and costs associated with manual adoption.
However, there are a lot of security vendors available that are able to assist in maintaining assets automatically via their solution sets. A product called Tripwire Log Center is a good example of such a solution.
2. Network Segmentation
Network Segmentation is critical to good security hygiene as it segregates internal networks from each other. If someone were to access your network illegally, network segmentation could help keep them limited to the zone or area that they have accessed, thereby limiting the damage they could cause.
Now, the benefits of this control seem obvious but you will be amazed at how many organizations (both commercially and industrial) still have a ‘flat’ network, or one with no segmentation. Usually, this is just a result of an organization being built up over time. Most large organizations with planned infrastructure have integrated segmentation from the start.
However, I have found that a lot of ICS organizations have not planned for this segmentation due to either the gradual growth of the organization or the mentality that they don’t need to worry about cross-device access as nobody can physically access the site. This was most probably the case a few years ago, but as more and more IoT devices are being put online or being made available to remote access, this is now a big-ticket item that needs to be addressed.
Common analogy: Imagine your family comes over to visit during the winter holidays, and during their visit, they ask you for your local Wi-Fi password.
Obviously, you will hand that over no problem as you (hopefully) trust your family members. However, you have not enabled guest access (which most routers do provide but is disabled by default), and you provide them with the full admin account credentials. They thank you, and the day carries on as planned. Now, let’s assume you work from home and are using a flat network for all your devices, including your work laptop. The fact that your family members phone has automatically saved your Wi-Fi credentials means that a sophisticated attacker could compromise their phone and move laterally across your network to your corporate laptop/network.
Assuming that your security measures are strong enough is not good enough these days, as your weakest link could be someone else connected to the network. Your solution could be to either say no to your family member, to change your password on your Wi-Fi network when they leave, or to enable segmentation (a guest network) that only has access to limited resources. Even if they were hacked and managed to get into your guest network, they would not be able to do any damage or gain valuable information from your laptop.
My takeaway: Segment as many devices as possible. Understandably, segmenting networks and placing firewalls in could be an expensive effort; however, not doing so could cost more in the long run when you try to explain to your customer base that their details were stolen or inform the board of directors that the plans to their product were stolen.
3. Vulnerability Assessment
“What is a vulnerability assessment?” You won’t believe how often I hear that question. Oftentimes, it is also referred to in the same sentence as patch management, and yes, there is a correlation. However, it is a standalone area of security that should be (in my opinion) better understood.
Vulnerability assessment is the means of looking for potential or known weaknesses within an entity. Having visibility on where your potential weak points are within your estate is critical to not only closing out potential attacks but also to maintaining operational effectiveness.
Most people only think of vulnerability assessment as a way to alert/plug up security holes; however, having a device that is potentially open up to receiving unexpected information could result in the device ‘crashing’ or going offline due to being overloaded with information. This is more commonly seen within the ICS industry and obviously, having a device such as a PLC go offline during a manufacturing plant run could be devastating and fatal in some cases.
Being able to see where not only all the potential security holes might be on the device but also what applications or services that are running could be a major benefit for an organization to determine the risk It poses.
Common analogy: Imagine you are a security guard tasked with locking down an office block after a workday. After everyone has left the building, you find yourself standing outside, looking at all the potential security risks that need to be closed or locked e.g. windows, doors, etc. When you look up at the windows, you should hopefully be able to see most of the windows have been closed by the employees when they left for the day.
However, you see that there are a few windows still left open. Some are wide open, and some are left ajar. Consider this assessment the equivalent of a vulnerability assessment scan i.e. you have scanned your perimeter and have determined that you have a few potential risks that could be exploited.
Due to the fact that you do not have access to the levels, all you can do is determine the risk. Some tools stop at that point stating that you have a risk and you have potential high-risk items (wide open windows) and low-risk items (ajar windows), and they rely on you like the security guard to determine what is the highest risk and what breach would have the biggest impact on the office.
Although the information is useful, without offering a solution or context to the value behind the windows, how will you determine which window needs to be watched all night until the employees come back to work the next day? With the correct vulnerability solution that can offer more details on the risk, the high levels should be considered higher value assets. You could then be provided with a list of instructions, such as “if any windows on the top three levels are left open, please call xxx.”
Just to finish off my analogy, having a patch management system would be equivalent to installing automatic window closing hinges on all the windows. Should you as the guard see that a window was left open, you could click a button, and the window closes.
My takeaway: Every organization should have at least some form of vulnerability assessment tools in place; however, just having a solution should not be considered an automatic security tick, as there are a lot of vendors out there that get away with the bare minimum.
Providing information is good but not great. Imagine how much more effective your organization could be if each vulnerability was detected and then displayed with the recommended remediation advice, such as which patch would resolve the security flaw.
This would save your team hours of research time and effort. One final point I would add or recommend would be to find a solution that is NOT tied to a patch management solution i.e. do not assume a security flaw has been remediated purely because a patch version has been found on the devices. Sometimes a patch will be run on a system and seem to be 100 percent successful, but when scanned for risks again, certain vulnerabilities were not removed.
A great practice would be to use your vulnerability solution to detect the risk, inform the patch management solution to run the recommended patch and in turn kick off a new scan from the vulnerability solution to verify that everything has been remediated, i.e. double check each other’s work.
Please also consider using a vulnerability tool to scan your home network. You will be shocked to see how many devices are unsecure by default in your home, and there might be some quick fixes you are not even aware of.
4. Continuous Monitoring
I have left this final point until the end, as I see it as the highest priority when it comes to security hygiene. People often don’t know where to start when it comes to security and are usually directed to frameworks that can assist, such as the Center for Internet Security that provides a great place to start.
In fact, they state that asset discovery is the number one item to address. Other frameworks such as IEC62443 also address this type of recommendation within the ICS industry. The problem with these frameworks is that they focus on the easy items first such as log management. Collecting log files are critical, and I am in 100 percent agreement that this should be in place. However, the buck should not stop there. If you think about it practically, people can only do damages to systems by making changes first. If nothing changes, then all they are doing is watching the systems, which is why I believe continuous monitoring and in particular integrity monitoring should be on all estate devices.
Integrity monitoring is commonly referred to FIM (file integrity monitoring), but the “file” aspect is not strictly true, as monitoring should be on all elements found within the estate (not just files). If you were able to see when a change occurs within a critical configuration and were able to react in real-time, how much damage could a potential hacker do?
Most of the hacks or threats that have been reported on have been based on a hacker being in an organization’s network for months if not years, making changes and moving through the network until they find the crown jewels.
Common analogy: Imagine you owned a small sweet shop in the middle of town and decided not to spend money on a security device such as a CCTV camera. One day, a school bus stops by and all the kids descend on the shop in one large group. Obviously, your attention is pulled in all directions, and there is a lot of activity. When the kids have all left, you notice that a jar of your most expensive sweets has been halved, and you don’t recall selling a single item that day. You decide to go through your slips to see if you have just forgotten or missed that transaction during the rush. This would be equivalent to looking through your log data for certain activities.
Sadly, you are correct, and there were no sales of that particular sweet that day. So, as you and most organizations used to do, you just sweep it under the rug and promise to yourself to be more vigilant next time. Chalk that up to an “oops” moment. Now imagine you had installed a CCTV camera. You would easily be able to see who not only emptied the jar but also exactly what they took i.e. how many.
Now imagine you had installed a CCTV camera and hired somebody to monitor it in real-time in the back office. As the culprit grabs the candy, you could react and stop them.
My takeaway: The above analogy seems obvious, and we know people have been doing this type of security for years, which brings me to the point of why you would not want the equivalent security measures within your organization.
Why are organizations happy with only making a note of how many kids walked into the store and not worried about what actually moves or changes? In my opinion, I would recommend starting with a change management solution before log collection or vulnerability management. If you stop to think – not much damage could take place on a network with someone making an actual change.
I am aware that my last claim to start with a change management solution could be seen as controversial; however, let me stress that you should have all three types of security measures in place, as they each offer their own values and benefits when working together. I would just make sure that not only one solution is implemented at a time. I would recommend that all four (FIM, log management, vulnerability assessment, and network segmentation) be adopted in parallel to for proper security to be done.
Leaving any of those items out would leave a big hole in the estate for some malicious actors to exploit.
The Tripwire ICS Security Suite extends to each of these critical layers I have discussed above. With Tripwire® Log Center® and Tripwire Enterprise with Tripwire Data Collector, you’ll have the assurance of interconnected, automated highly visible ICS security best practices. When your OT environments security system is running smoothly, you can put your focus where you want it: on safety, quality and productivity.