In an effort to help organizations responsible for maintaining the nation’s critical infrastructure address targeted cyber threats, ICS-CERT has published guidance addressing intrusion detection and mitigation strategies.
The technical advice is for organizations whose networks have already been compromised and for those looking to strengthen their existing risk management and response posture. Taking the smart approach, the document explains the “why” and “what” when it comes to detection, prevention, and mitigation, but leaves the “how” up to the individual organization.
“The impacts of a cyber intrusion will likely be different for every organization depending on the nature of the compromise and the organization’s capabilities to respond. Each organization must assess its particular situation, identify the criticality of the impacted devices, and develop a prioritized course of action,” the guide explains.
“Unfortunately, a simple and prescriptive remedy that can be applied uniformly to every organization does not exist. However, basic principles and recommendations exist that are essential to maintaining a sound network security posture and that will provide the necessary capabilities to respond to an incident.”
Fittingly, the first recommendation is the preservation of forensic data. This includes detailed notes of observations and logs, but the guide explains that the more information that can be protected the better, such as system images and live system data.
Logging is another item that must be kept current. ICS-CERT says that firewall logs, proxy logs, DNS, IDS, and router / switch logs should all be considered. Again, the key point is that the more information that can be made available to the incident response teams, the better.
Rounding out the recommendations are network segmenting and role-based access control. According to ICS-CERT, effective network segmentation reduces the extent to which an adversary can move across the network. “In an ideal world, the business and control system networks would be physically separated. However, this is not practical in many situations,” the guide notes, so organizations will need to do some legwork.
“Implementing strict role-based access control allows better auditing and reduces risk by minimizing the privileges associated with each group. In addition, this logical network segmentation makes it harder for an adversary to move laterally through the network after the initial intrusion,” the guide adds.
The full list of mitigations and advice is available here.
Related Reading: A New Cyber Security Model for SCADA
Related Reading: Putting SCADA Protection on the Radar