Best Practices for ICS and OT Security

Critical infrastructure is in serious trouble as industrial control systems (ICS) have come under attack from ransomware. These attacks can cause real-world service interruptions and cost millions of dollars. ICS security is particularly challenging because operational technology (OT) is frequently isolated from information technology (IT) on so-called air-gapped networks or demilitarized zones (DMZ). In theory, this network isolation is supposed to protect OT and ICS, but in practice, it makes management much more complex. It is crucial for organizations to implement compensating controls to ensure that the process of maintaining and upgrading OT and ICS does not introduce new sources of risk.

A Pipeline of Attacks

The recent outbreak of ransomware attacks against critical infrastructure companies has placed the industry on high alert. The Colonial Pipeline attack was one of the most high-profile of these events since it caused a public crisis and cost more than $5 million. Similar attacks have impacted JBS food processing, hundreds of hospital facilities and municipal water treatment facilities, emboldening further copycat attacks. 

The U.S. Department of State started offering rewards for information about foreign government-backed cyberattacks. Beyond ransomware, these nation-state attacks may even cause physical damage to ICS, such as the way the Stuxnet worm caused nuclear centrifuges to overheat until they were destroyed.

The U.S. Cybersecurity Incident Security Agency (CISA) frequently publishes advisories for ICS vulnerabilities. Just like any other technology, ICS and SCADA systems need to be updated and patched as vulnerabilities are identified. These patches are often applied directly by a portable media device, such as a USB key, which can serve as another threat vector for the compromise of ICS. In 2016, a fake update containing ransomware for Rockwell programmable logic controllers (PLC) surfaced on multiple internet forums.

A Separation of Duties

Three closely related best practices for managing OT and ICS are network segmentation, air-gapped networks and demilitarized zones (DMZ). Network segmentation is implemented in the form of virtual networks and firewalls. Air-gapped networks isolate critical OT networks from internet-connected IT networks. DMZs establish a hierarchy of network zones called the Purdue Model which states that data communication and file transfers should only occur between adjacent zones. 

While these best practices work well to reduce risk, they can be circumvented by portable media, such as USB keys. Portable media is often required to update SCADA systems or download certain log files for analysis, but USB keys can also be the source of an attack, as was the case with Stuxnet. 

A Checkpoint for Cross-Domain Security

CISA provides many recommended best practices for ICS security, including how to update antivirus and software patches for control systems.

Installing antivirus on industrial control systems is already problematic because any single engine is less than 90% effective. Antivirus definitions need to be constantly updated or their detection rates fall even lower. IT systems may be able to directly update from an antivirus vendor, but isolating ICS makes it much more difficult.

CISA recommends:

  • Downloading updates to a dedicated host
  • Writing the updates to portable media
  • Using that media to update the patch server

These recommendations come paired with a warning that precautions must be taken to reduce the risk of introducing malware or otherwise compromising the ICS during updates. Organizations must be able to verify the source of the update and scan downloads for malware. This is very important because attackers have been able to compromise update servers and spoof malware within them.

Patch management is similarly important and similarly difficult. ICS vulnerabilities are common because there are many legacy systems in use, so any network connectivity could expose a single vulnerability to attack. The first step in patch management is to determine if systems are vulnerable to attack, and the rest of the process is similar to updating antivirus: Verify the source of the patch and scan it for malware.

Portable media can be essential for updating antivirus and patch management, so a policy that forbids their access is impractical. Portable media is used to export log files from ICS, so caution must be applied to avoid the unintentional loss or leakage of sensitive data. Verifying the source of files may be imperative for organizations that must follow certain compliance mandates, such as those that forbid installing software from certain geographic locations. It is important to ensure that the portable media itself is not compromised.

Real-World Security for Real-World Threats

Critical infrastructure has always incorporated strong physical security controls such as cameras, guards and checkpoints because a physical attack could cause a service interruption. Now that cyberattacks on critical infrastructure increasingly threaten service interruptions, their providers are tasked with improving their cybersecurity, as well. It is interesting to note that the cybersecurity solution is also physical: Physically isolating IT and OT environments. However, USB keys will still represent a physical source of cybersecurity risk. Therefore, organizations should consider a second layer of physical security, such as a cybersecurity kiosk that can scan portable media to enforce cross-domain security.

Source link

Sign up for our daily OT Cyber Analysis and Threat Intelligence news.