Your industrial network security perimeter is one of the first and strongest defenses for your industrial control system (ICS) network, both against malicious cyber adversaries and against non-malicious errors and accidents. The perimeter consists of protection devices that control the flow of information between interconnected security zones. Devices such as firewalls, gateways, routers, intrusion detection systems, and encrypted tunnels provide boundary protection and determine whether a data transfer is permitted based on the specific rule sets that have been enabled.
Below are 3 tips to help you harden your critical infrastructure against cyber threats.
1. Know Your Network Connections
This is a big one, both in the effort it takes to determine every communication connection and in its importance to protecting the entire ICS network. I’ve been involved in many projects where we started from nearly a blank slate and had to build a database of several thousand assets and connections, so I understand the pain involved in this step. But this hard work pays dividends once you create a network segregation and segmentation diagram that shows every data link and understand what network traffic is being passed.
A few tips for making this less painful:
Break this step into small pieces. Find ways to segment the work by facility area, equipment type, or control system. Plan your time to focus on that one segment and complete it before you move to the next. This will help you build momentum in getting this done.
Develop a labeling system that allows easy comprehension and communication of the data.
Use a small digital camera to take lots of pictures so that you can create the architecture layout at your desk. This is a trivial idea, but it reduces mistakes and repeat visits when you have multiple facilities, cabinets, and sites to inventory.
Once all network connections are identified, develop a network segmentation and segregation diagram such as the one below to help clearly illustrate connections.
Network segmentation and segregation is one of the most effective architectural concepts that you can implement to protect ICSs. Network segmentation involves partitioning the network into smaller networks. Segmentation establishes security domains that are typically managed by the same authority, require the same policy enforcement, or share a level of network trust between devices. Segments are generally allocated by ICS type, such as turbine control, energy management, or lighting management systems. The aim of network segmentation and segregation is to ensure that sensitive information does not get into the hands of people who don’t need it, while still allowing business enterprise systems to operate effectively with data from the ICS network.
2. Review Your Firewall Rule Sets
Firewalls could be considered the heart and soul of a secure network. They are devices or systems that control the flow of network traffic between networks with differing security postures, and they are the key boundary protection devices for restricting ICS inter-network communication with corporate and third-party networks. Properly configured, they can greatly restrict undesired access to and from control system host computers and controllers. Network and ICS security architects must decide which domains are to be permitted direct communication.
Remember these tips when developing and reviewing rule sets.
Control network devices should not be allowed direct access to the Internet, even if protected via a firewall.
Configure the firewall to deny all traffic except for what’s absolutely required for the business need.
Be sure rule sets are both IP and port specific. The IP rules should restrict incoming traffic to a very small set of shared devices on the control network and corporate network. The port rules should be carefully restricted to secure protocols.
Add rules to deny hosts outside the control network from initiating connections with hosts on the control network.
If outbound traffic from the control network is necessary, communication should be limited to traffic originating from DMZ (demilitarized zone) servers.
All outbound traffic from the control network to the corporate network should be source and destination restricted by service and port.
The base rule set should be deny all, permit none. This ensures that packets which have not been fully vetted are not allowed to pass until the corresponding filter rule is intentionally enabled.
All firewall management traffic should be carried on either a separate, secured management network or over an encrypted network with multi-factor authentication.
Back up your firewall policies immediately and prior to commissioning.
Periodically review and test your firewall policies. This should be done at least bi-annually if only a few changes are made, but more frequently when several changes are ongoing.
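As an added example that is not part of the original article, the following Python script reviews a rule set against the tips above: it flags permits that are not IP- and port-specific, any path from the control network to the Internet, any rule that lets an outside host initiate a connection into the control network, and a missing final deny-all. The zone addressing, the Rule fields and the sample rules are constructed assumptions; substitute your own inventory.

```python
import ipaddress
from dataclasses import dataclass
# Constructed zones for the example; real addressing comes from your inventory (tip 1).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # host or CIDR, or "any"
    dst: str     # host or CIDR, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port; 0 means any port
def zone_of(addr: str) -> str:
    """Zone an address/CIDR lies wholly within; anything else is treated as 'internet'."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def review(rules: list[Rule]) -> list[str]:
    """Check a rule set against the tips above; one finding per problem, empty means clean."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if "any" in (r.src, r.dst, r.proto) or r.port == 0:
            findings.append(f"rule {i}: permit is not IP- and port-specific")
        if dst_zone == "internet" and src_zone in ("control", "any"):
            findings.append(f"rule {i}: control network devices may reach the Internet")
        if dst_zone == "control" and src_zone != "control":
            findings.append(f"rule {i}: host outside the control network may initiate into it")
    if not rules or rules[-1] != Rule("deny", "any", "any", "any", 0):
        findings.append("base rule set is not deny-all: end with deny any any")
    return findings
# Constructed sample: one sanctioned historian path via the DMZ, two rules that break the tips.
SAMPLE = [
    Rule("permit", "10.10.5.0/24", "10.20.0.10", "tcp", 443),  # PLC subnet -> DMZ historian
    Rule("permit", "10.30.0.0/16", "10.10.0.0/16", "any", 0),  # corporate -> control, wide open
    Rule("permit", "10.10.1.1", "0.0.0.0/0", "tcp", 443),      # an HMI straight to the Internet
    Rule("deny", "any", "any", "any", 0),                       # base rule: deny all
]
```

Running review(SAMPLE) returns three findings: two for the wide-open corporate-to-control rule and one for the HMI rule that reaches the Internet.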
3. Monitor, Log, and Test What You Manage
To be certain that your policies are working as planned, they must be monitored, logged, and tested. The truism “measure what you manage” is fitting for understanding the current state of the ICS network, validating that the system is operating as intended, and ensuring that no policy violations have occurred. Network security monitoring helps to characterize the normal state of the ICS and can provide indications of a system compromise. Incidents are inevitable, so detection, response, and system recovery plans are essential. When a system has been compromised, a strong monitoring, logging, and auditing process supports the forensic analysis needed to identify the attacker and expose the vulnerability that was exploited.
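As an added example, not from the article, here is a small Python detector that learns the normal state of the ICS from a vetted window of permitted firewall flows and then flags flows outside that baseline as well as every policy hit (denied attempt). The log line format, addresses and sample entries are constructed assumptions; map your own firewall's export to the same fields.

```python
import re
from dataclasses import dataclass
# Constructed log format: "<timestamp> <PERMIT|DENY> <src> -> <dst> <proto>/<port>".
# Real firewalls differ; map your export to these fields (this layout is an assumption).
LINE = re.compile(r"^(\S+) (PERMIT|DENY) ([\d.]+) -> ([\d.]+) (tcp|udp)/(\d+)$")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
def parse(text: str) -> list[tuple[str, str, Flow]]:
    """Parse log text into (timestamp, action, flow); malformed lines are skipped, not guessed."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, action, src, dst, proto, port = m.groups()
            out.append((ts, action, Flow(src, dst, proto, int(port))))
    return out

def learn_baseline(records) -> set[Flow]:
    """Normal state: the set of permitted flows seen during a vetted learning window."""
    return {flow for _, action, flow in records if action == "PERMIT"}
def detect(records, baseline: set[Flow]) -> list[str]:
    """Flag permitted flows outside the baseline (once each) and every denied attempt."""
    alerts, seen = [], set()
    for ts, action, flow in records:
        desc = f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}"
        if action == "DENY":
            alerts.append(f"{ts} policy hit: {desc} denied")
        elif flow not in baseline and flow not in seen:
            seen.add(flow)
            alerts.append(f"{ts} new flow not in baseline: {desc}")
    return alerts

# Constructed sample: a vetted window of known-good historian traffic, then a later window.
LEARNING_LOG = """
2024-05-01T08:00:01 PERMIT 10.10.5.21 -> 10.20.0.10 tcp/443
2024-05-01T08:00:05 PERMIT 10.10.5.22 -> 10.20.0.10 tcp/443
"""
LATER_LOG = """
2024-05-09T02:13:07 PERMIT 10.10.5.21 -> 10.20.0.10 tcp/443
2024-05-09T02:14:40 PERMIT 10.10.5.21 -> 10.20.0.44 tcp/445
2024-05-09T02:14:41 DENY 10.30.7.15 -> 10.10.5.21 tcp/502
2024-05-09T02:15:02 PERMIT 10.10.5.21 -> 10.20.0.44 tcp/445
not a log line
"""
```

detect(parse(LATER_LOG), learn_baseline(parse(LEARNING_LOG))) yields two alerts: the first occurrence of the unbaselined 10.20.0.44 flow and the denied attempt from the corporate host; the repeat of the new flow is not re-alerted and the malformed line is ignored.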
Karonn Blue, P.E., PMP, is an Industrial Control System (ICS) Engineer specializing in helping organizations successfully design, secure, and integrate robust ICS solutions. After spending over 15 years in engineering, leadership, and consulting for industrial control systems, I know the challenges faced by owners of critical infrastructure and what it takes to ensure these systems remain safe, reliable, and compliant. Our team continually seeks ways that technology, global best practices, and strategic partnerships can help protect your assets as your business and the threats to it continually evolve. If you have questions or would like to set up an appointment to discuss your organization's SCADA/ICS situation and needs, contact me at: kblue@LLBLUEeng.com