Depth Defense: 4 essential layers of ICS security

By Dean Ferrando, Senior System Engineer, Tripwire

From large industrial control systems to one-man organizations, everyone today talks about security. And although the jargon they use may differ, they all share the same four areas in which security concerns exist.

Asset Management

This refers to the consistent management and discovery of devices within an organization, whether they are software, PCs or even hardware devices such as PLCs in industrial plants. Any entity within an organization can be considered a threat, and not knowing what you have is almost as bad as (or worse than) knowing what you have and leaving it unsecured.

Sounds absurd? I know a customer who was attacked through a vending machine placed on the office floor. Because the vending machine had network connectivity and very few security measures, it was accessed, and the attacker used it to penetrate the corporate network. Luckily, the organization's security tools detected the breach.

Here's a common analogy: imagine a stranger walking up to you on the street and stating that he plans to break into your house, or already has, and that he will take, or already has taken, your favourite item. You do not know who he is or what he is referring to. The first thing you think about is how this could happen, or whether it already has.

The first thing you do when you get home is an asset assessment. Where are your weak points? You check whether your windows and doors are secure. During the check, you find that the house can be entered via the chimney you had installed two months ago. Having realized that there is another potential entry point, you apply security measures. But is it too late? Failing to review your property constantly may result in a potential threat or a potential loss. Now apply the same method to the items in the house. When did you last inventory all your household items? When would you notice that an item had disappeared?

For security, ensure that any device that could be compromised and used to access sensitive information is inventoried and managed. Not knowing what you have is most likely the biggest mistake many organizations make. Remember that this does not always mean physical objects: unpatched or insecure software can be a big hole in an organization. This process is one of the most difficult to maintain because of ever-changing environments and the cost of manual review.

However, a number of security vendors offer products that support automated asset management through their solution sets - for example, log management solutions.

Network segmentation

Network segmentation is critical to good security hygiene because it separates internal networks from each other. If your network is accessed illegally, segmentation helps confine the attackers to the zone or area they got into. This limits the damage they can do.

The benefits of this control seem obvious, and most major organizations plan their infrastructure with segmentation built in from the beginning. Nevertheless, many organizations, both commercial and industrial, still have a "flat", non-segmented network.

However, I've found that because of the gradual growth of the organization or the company, many ICS organizations never planned with a segmentation mentality; they assumed they did not have to worry about cross-device access because no one could physically reach the site. That was probably true a few years ago, but with more and more IoT devices being put online or made available for remote access, this is now a major element to address.

Imagine, for example, that your family visits during the winter holidays and asks you for your home Wi-Fi password. Of course you give it to them, as you (hopefully) trust your family members. However, you have not enabled guest access (which most routers offer, but which is disabled by default), so you give them the full credentials of the administrator account. They thank you and the day continues as planned. Now suppose you work from home and use a flat network for all your devices, including your work laptop. The fact that your family member's phone automatically saves your Wi-Fi credentials means that a sophisticated attacker who compromises that phone can move laterally through your network to your company laptop or network. Your own security measures may not be strong enough these days, because your weakest link could be another person connected to your network. Your solution might be to say no to your family members, to change your Wi-Fi password when they leave, or to enable segmentation (a guest network) with limited access to resources. Even if their phone has been hacked and the attacker gets into your guest network, they cannot do any harm or obtain valuable information from your laptop.

Segment as many devices as possible. Segmenting networks and deploying firewalls is understandably expensive. However, it could cost far more in the long run if you have to explain to your customers that their information has been exposed, or inform the board that the plans for your product have been stolen.

Vulnerability Assessment

This self-contained security area is the means of looking for potential or known weaknesses in an entity. Knowing where the potential vulnerabilities in your estate are is extremely important, not only to prevent possible attacks but also to keep operations running effectively. If a device receives unexpected input, it may crash or go offline because it is overloaded with data.

Every organization should have some form of vulnerability assessment tool, although no single solution does everything, and many vendors offer only the bare necessities. For example, it can be of great benefit to a business to see not only where all the potential security vulnerabilities on a device are, but also which applications or services are running on it.

Providing information is good but not great. Imagine how much more effective your business could be if each vulnerability were detected and then displayed together with the recommended remediation, such as which patch would fix the security flaw. This can save your team a lot of research time and effort.

Finally, find a solution that is NOT tied to a patch management solution. Sometimes a patch runs on a system and appears to be 100 percent successful, yet re-scanning for risks reveals that certain vulnerabilities have not been resolved.

A good course of action would be to validate your security measures by using your vulnerability solution to detect the risk, informing the patch management solution to apply the recommended patch, and then launching a new scan with the vulnerability solution to verify that everything has been resolved.

Please also consider using a vulnerability tool to scan your home network. You'll be shocked to see how many devices in your home are insecure by default, and there may be some quick fixes that you do not even know about.

Continuous monitoring

I have left this point until last because it is the one I give the highest priority in security hygiene.

People often do not know where to start with security. They usually turn to frameworks that can be helpful, such as the Center for Internet Security controls. Both the Center for Internet Security and IEC 62443 recommend asset discovery as the top priority.

The problem with these frameworks is that they initially focus on the simple elements, such as log management. Collecting log files is crucial, and I fully agree that it should be done. But it should not stop there. After all, people can only damage systems by first making changes to them. If nothing changes, there is nothing to worry about, so the systems need continuous monitoring, and in particular integrity monitoring, on all devices on the plant floor.

Integrity monitoring is commonly referred to as FIM (File Integrity Monitoring). The "file" aspect is not strictly accurate, as it should monitor all elements of the estate, not just the files. If you could see when a change occurs in a critical configuration and react in real time, how much damage could a potential hacker do?
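To make the "not just files" point concrete, here is an added example (not code from the article or from Tripwire) of a minimal integrity monitor: it baselines every file under a directory (content hash plus permission bits) together with arbitrary non-file elements such as a running-service list, then reports what was added, removed or changed. The sample estate in `demo()` is constructed in a temporary directory purely for illustration.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, elements=None):
    """Baseline: every file under root (hash + mode) plus any non-file
    elements (e.g. service lists, config dicts) passed in as a mapping."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = oct(os.stat(path).st_mode & 0o777)
            key = "file:" + os.path.relpath(path, root).replace(os.sep, "/")
            state[key] = {"sha256": file_digest(path), "mode": mode}
    for key, value in (elements or {}).items():
        canonical = json.dumps(value, sort_keys=True).encode()
        state["elem:" + key] = {"sha256": hashlib.sha256(canonical).hexdigest()}
    return state


def diff(baseline, current):
    """Compare two snapshots; each list is sorted for stable reporting."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    shared = set(baseline) & set(current)
    changed = sorted(k for k in shared if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a PLC config is edited, a file appears and a
    service is started after the baseline was taken."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "plc.cfg"), "w") as f:
        f.write("setpoint=100\n")
    base = snapshot(root, {"services": ["sshd", "modbus"]})
    with open(os.path.join(root, "plc.cfg"), "w") as f:
        f.write("setpoint=250\n")           # unauthorized config change
    with open(os.path.join(root, "new_tool.sh"), "w") as f:
        f.write("#!/bin/sh\n")              # unexpected new file
    return diff(base, snapshot(root, {"services": ["sshd", "modbus", "ftpd"]}))
```

Run `demo()` to see the three findings; in practice the baseline would be stored off-host and the comparison scheduled or triggered on change events.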

Most reported hacks or threats are based on exactly this: a hacker sits in an organization's network for months or years, making changes and moving through the network until he finds the crown jewels.

Imagine that you own a small candy store and decided not to spend money on a security device such as a surveillance camera. One day a large group of children comes into the store. Obviously your attention is pulled in all directions and there is a lot of activity. When the children have all left, you notice that one jar of your most expensive sweets is half empty, and you do not remember selling a single piece from it that day. You decide to go through your receipts to see whether you simply forgot or missed the transaction during the rush. This is the equivalent of searching your log data for a specific activity.

Unfortunately, you are right: there were no sales of that particular candy that day, but there is little you can do to find the culprit. Now imagine that you had a CCTV camera installed. You could easily see who emptied the jar, and exactly what he or she took. Finally, if you had installed a CCTV camera and hired someone to monitor it in real time, you could have caught the thief on the spot.

Based on this analogy, I recommend starting with a change management solution before log collection or vulnerability management. However, I would recommend that all four measures (FIM, log management, vulnerability assessment and network segmentation) be run in parallel to ensure proper security.

Dropping any one of these elements would leave a big hole in the plant.

About the Author

Dean Ferrando is a senior systems engineer at Tripwire, a global leader in security and compliance solutions for enterprises and industrial organizations. At Tripwire, Dean is responsible for the technical sales and support of Tripwire's products and services to customers and distributors in the company's UK / EMEA marketplace. He works closely with the field, back office, resellers, customer service / technical support and various key accounts. Dean has a pre-sales, sales, professional services and architecture background in enterprise application technologies and various software applications, and enables and trains others.
