In December 2015, three Ukraine power distribution companies were affected by a cyber-attack on their Industrial Control System (ICS) networks. The perpetrators — likely Russian hackers — infiltrated the power companies’ enterprise networks, leveraging a lack of security controls to take over the ICS networks.
The attackers’ illicit activity included remotely opening breakers at substations, rendering the systems inoperable and causing hundreds of thousands of customers to lose power for several hours. The immediate result was lost productivity for the three companies and a major inconvenience for customers. The power companies had to resort to manually running their equipment to restore power and resume operations until all damaged components were replaced.
This is the first known cyber attack to successfully blackout a power grid.
Defense in depth
ICS asset protection is vital for ensuring the safety and integrity of operations in industrial environments. ICS environments prioritize the safety, availability, integrity and reliability of systems and operations over confidentiality. In contrast, traditional IT environments tend to prioritize confidentiality above all else. Traditional security has not been a part of ICS system development.
Implementing a solid defense in depth strategy is a proven method for protecting critical assets. Within ICS environments in particular, defense in depth can present many challenges due to (a) the extremely limited solutions and vendors supporting ICS in the industrial environment, and (b) the inability of ICS devices to run standard security tools used in traditional IT environments.
Most ICS devices are programmable logic controllers (PLC), remote terminal units (RTU), programmable logic units (PLU), or interfaces that run firmware or locked lightweight versions of popular operating systems unable to run software agents, generate meaningful logs or even support authentication.
ICS communication protocols are very often complex and proprietary, being strictly used in non-IP industrial settings, but now they’re run over TCP/IP. Traditional IT security tools do not provide the visibility necessary for collecting, decoding and analyzing these protocols, so protecting assets associated with ICS environments can be disruptive to ICS devices. A simple port scan — a widely used technique in IT security — will cause some ICS devices to stop working, sometimes permanently.
This article reviews the following tools and techniques used in implementing defense in depth strategies that should be considered when securing ICS environments:
- Physical security
- Network Access Control (NAC)
- Multi-factor authentication (MFA)
- Asset discovery
- Network monitoring
- Intrusion detection
- Threat intelligence
- Change management
Following this roadmap can help secure the availability and integrity of systems within ICS environments while ensuring operational reliability.
Let’s explore some of these tools and techniques in a little more depth.
Physical security is vital in the protection of Industrial Control Systems. Traditional IT assets are usually contained in a data center behind locked doors. ICS assets, on the other hand, often reside in remote and sometimes unmanned locations. Requirements for such asset protection vary depending on the environment, location, access and criticality. The goal of a well-rounded security plan is asset protection and loss prevention by controlling the physical access, manipulation, destruction and introduction of unauthorized systems or devices. A physical security plan for ICS assets should contain provisions for access control, intrusion detection, situational assessment, communication and response.
The next line of defense for ICS is the implementation of a segmentation strategy that separates ICS networks from enterprise networks. Often, upon successfully compromising a host, adversaries scan networks to discover other hosts. Separating the ICS network from the enterprise network prevents adversaries from seeing and scanning ICS devices. This segmentation model can integrate with an IT/OT integration demarcation zone (DMZ) for management tools, security tools, jump hosts, etc. It can also establish security zones to ensure devices are logically isolated to allow only required communications and prevent unauthorized communications in and out of the network.
Network Access Control
Network Access Control (NAC) is a concept that helps take segmentation a step further by preventing unauthorized devices from joining the network. NAC requires a device to authenticate and meet certain requirements (e.g., up-to-date patches, current antivirus signatures, etc.) before allowing it access to the network. Unauthenticated and unchecked devices have zero visibility into the ICS network.
Multi-factor Authentication (MFA), which has been used extensively in traditional IT environments to prevent unauthorized access to mission critical assets, requires more than one method of authentication before granting access. It provides additional security layers to existing authentication mechanisms. If a password is guessed or compromised, there’s still a second mechanism (e.g., a token) preventing an adversary from gaining access.
While most ICS devices don’t have the capability to support the implementation of MFA due to their limited-yet-specific functionality, MFA is still a viable tool. One method of implementing MFA in an ICS environment uses a security zone in the IT/OT integration DMZ to funnel connections through a jump host that itself requires MFA, then allows connection to the security zone within the ICS network. This helps prevent unauthorized access and direct connections from a lower security network into a higher one.
Asset inventories are generally non-existent in ICS environments. This, along with the complexity of such environments, presents a challenge when trying to implement a security strategy. It’s simply not possible to protect that which is unknown. Unfortunately, ICS environments often resort to shadow IT methods due to a lack of IT involvement or understanding of the environment. Using shadow IT practices can open new attack vectors, often unidentified, that can introduce vulnerabilities and expose critical equipment to compromise.
Automated asset discovery has finally reached a level of maturity in the ICS space, making it possible to inventory, baseline, map and continuously monitor ICS environments to detect changes in the network. This also provides a way to monitor for security-related patches and firmware updates, allowing the system administrator to have a much higher level of awareness of the state of the system.
Automated patching of ICS systems should be avoided without proper testing to prevent affecting system reliability and stability. Detailed ICS inventories can be helpful in deploying an ICS vulnerability assessment and remediation program. Though many devices can’t withstand the rigorous process of a vulnerability scan, awareness of software and firmware versions in the network can help identify vulnerable devices and allow a system administrator to implement fixes or mitigate controls to reduce the risk.
The use of antivirus (AV) software is another critical component in the implementation of a layered defensive ICS network strategy. AV software is typically used on systems like supervisory computers or human-machine interfaces (HMI) that run standard operating systems (e.g., Windows). AV software typically works by comparing files to known malware signatures and/or performing heuristics (i.e., behavioral analysis) to identify code that resembles malware. Files identified as malware are then cleaned or removed.
Another method of protecting a device is whitelisting. Whitelisting allows a predetermined list of applications to run and prevents any application not on the list from running.
Network monitoring, intrusion detection, threat intelligence
Network monitoring provides a non-intrusive way to continuously monitor and maintain awareness of events occurring in real time. This is an important tool in baselining and identifying possible breaches (i.e., intrusion detection) or configuration issues that might otherwise go unnoticed. A network monitoring system performs anomaly detection and warns system administrators and operators to take remediating actions in a timely manner. Systems can also be configured to automatically filter malicious or unauthorized traffic.
Threat Intelligence services add to the effectiveness of network monitoring tools by providing identified threat signatures, indicators of compromise and zero-day vulnerabilities discovered to aid in the detection and response to anomalies and threats.
Ultimately, a good change management program ensures all changes are properly submitted, tracked and approved. Change management also helps in the correlation of changes with detected ICS network anomalies.
WWT has been working with different vendors to develop a comprehensive strategy to protect ICS networks and systems. We have the expertise to provide and implement robust toolsets that enable industries to implement a strategy of layered monitoring and protection solutions within their respective ICS environments — all in a non-intrusive and transparent manner.
Sign up for a Security Tools Rationalization Workshop or contact your WWT sales representative to learn more about how we can ensure your ICS network is adequately protected.