SAN FRANCISCO - RSA CONFERENCE 2016 - The key to making industrial networks secure, resilient and reliable is a strong collaboration between information technology (IT) and operational technology (OT) teams.
In a talk at the RSA Conference this week in San Francisco, Jeff Lund, senior director of product line management at Belden’s Industrial IT Division, and David Meltzer, chief research officer at Belden-owned security firm Tripwire, provided a series of recommendations for both IT and OT professionals on what to do and what not to do when they are tasked with securing an industrial network.
The increasing number of incidents involving industrial control systems (ICS) has led many organizations to realize that steps must be taken to secure their infrastructure against attacks. However, the process of securing industrial systems brings several challenges that can only be overcome through collaboration between OT and IT security teams, which is not easy considering that each party has its own views and priorities.
As Meltzer and Lund pointed out in their presentation, IT security teams focus on — in this order — confidentiality, integrity and availability. On the other hand, for OT teams, the most important aspect is safety — the safety of both people and the environment. Furthermore, OT personnel prioritize availability over integrity and confidentiality, mainly because the systems they supervise often cannot be shut down or restarted like the equipment IT people are used to.
Based on his recent experience with securing ICS, Meltzer said he learned some important things on how not to approach plant managers and control engineers. More precisely, the expert pointed out that it’s not wise to tell control engineers that they don’t “get” security, or that they are decades behind IT when it comes to security, or that they need IT security to make their networks more secure.
While it might seem easy from an IT perspective to secure an industrial network, the reality is that there are several issues that need to be understood before trying to secure ICS systems, such as the fact that even the slightest interference with critical systems can have serious consequences.
Meltzer advises IT security professionals who want to secure ICS to brush up on standards and best practices before getting to work. The expert recommends documentation such as NIST’s Guide to Industrial Control Systems Security, and ISA/IEC standards and technical reports that define procedures for implementing secure Industrial Automation and Control Systems (IACS). The Industrial Internet Consortium (IIC), an organization with more than 200 members, has also done some important work in this field over the past years.
As for OT teams, Meltzer believes a good place to start would be the SANS/CIS 20 Critical Security Controls, which provides specific and actionable advice for stopping the most pervasive and dangerous attacks.
Tripwire and Belden believe there are three main steps that need to be taken when securing ICS. One important step is securing the industrial network, which involves network segmentation and zoning, implementing monitoring systems, and securing wired and wireless communications.
Network zoning and segmentation, which involves separating various parts of the network, is useful not only against outside threats, as it prevents them from moving laterally in the network in case they gain access to a certain part of the system, but also against insiders, which account for many of the intentional incidents involving ICS.
“The common problem with insiders is ‘are there common credentials?’ — so if there is one password for all the systems, any insider could go break into all the systems,” Meltzer told SecurityWeek in an interview. “But if you have good password management, you’re using unique passwords, you’re segmenting out the network so that even an insider who is malicious is very limited in what they can actually cause damage to, and only in an area that you probably recognize who is responsible and who has access into those systems — that is good security hygiene.”
“The same good security practices that we apply to IT are equally applicable to the OT side as well,” the expert said.
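To make the zoning and shared-credential points concrete, here is an added example (not code from the talk, Tripwire or Belden) that checks passively observed flows against a zones-and-conduits policy and flags credential reuse across assets; the inventory, policy, hosts and flows are all constructed sample data.

```python
"""Constructed example: check ICS flows against a zones-and-conduits policy
and flag credentials reused across hosts. All data below is made up."""
from collections import defaultdict

# Constructed asset inventory: host -> (zone, credential fingerprint).
# The fingerprint is an opaque id for the local credential set a host uses;
# a real inventory would take it from a vault, never from plaintext.
ASSETS = {
    "hmi-01":  ("control",    "cred-a1"),
    "plc-01":  ("control",    "cred-a1"),   # same local password as hmi-01
    "hist-01": ("dmz",        "cred-b7"),
    "eng-ws":  ("enterprise", "cred-a1"),   # ... and as the enterprise PC
}

# Conduits the policy permits, as (source zone, destination zone, port).
CONDUITS = {
    ("enterprise", "dmz", 443),   # enterprise reads the historian over HTTPS
    ("dmz", "control", 502),      # historian polls PLCs over Modbus/TCP
    ("control", "control", 502),  # intra-zone control traffic
}

def flow_violations(flows):
    """Return flows whose (src zone, dst zone, port) has no permitted conduit.
    flows: iterable of (src_host, dst_host, dst_port). Hosts missing from the
    inventory get zone 'unknown' and are therefore always flagged."""
    bad = []
    for src, dst, port in flows:
        szone = ASSETS.get(src, ("unknown",))[0]
        dzone = ASSETS.get(dst, ("unknown",))[0]
        if (szone, dzone, port) not in CONDUITS:
            bad.append((src, szone, dst, dzone, port))
    return bad

def shared_credentials():
    """Group hosts by credential fingerprint; return groups used on 2+ hosts."""
    by_fp = defaultdict(list)
    for host, (_, fp) in ASSETS.items():
        by_fp[fp].append(host)
    return [sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1]

if __name__ == "__main__":
    # Constructed flows as a passive monitor might report them.
    sample = [("eng-ws", "hist-01", 443), ("hist-01", "plc-01", 502),
              ("eng-ws", "plc-01", 502), ("rogue-pc", "plc-01", 502)]
    for v in flow_violations(sample):
        print("zone violation:", v)
    for g in shared_credentials():
        print("credential reused on:", g)
```

An enterprise workstation talking Modbus straight to a PLC, and an uninventoried host doing the same, both surface as zone violations, while the three hosts sharing one credential set show up as the insider risk Meltzer describes.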
Another step is protecting industrial PCs, particularly machines running Windows, which are particularly vulnerable and most likely to get hacked. This phase involves inventorying connected assets, identifying unauthorized and malicious changes, identifying vulnerable and exploitable systems, and ensuring that systems are properly configured.
The third step is related to securing industrial controls, including detecting and responding to attacks, identifying unauthorized changes, identifying vulnerable and exploitable controls, and ensuring proper configurations.
The implementation of proper monitoring and logging systems is highly important. Such solutions don’t exist in many ICS environments, which translates into the inability of many organizations to determine the attack vectors used to target them.
When it comes to ICS systems, there are many cases where solutions that work for IT are not efficient for OT due to availability concerns. However, solutions do exist, from both Tripwire/Belden and other security firms. For example, Meltzer and Lund pointed out that there are products that can be used to assess and monitor control systems via non-invasive technologies that rely on readily available data.
Since securing ICS can only be done through collaboration between IT and OT teams, experts advise IT staff to learn the basics of ICS security and OT staff to learn the basics of IT security. This would lead to each of them gaining a better understanding of what the other one is doing.
IT and OT staff should also work on building relationships. As for long-term goals, they should focus on driving or supporting efforts to create a collaborative environment and metrics that emphasize team work.