Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

ICS-CERT Issues Security Guidance for Critical Infrastructure Operations

In an effort to help organizations responsible for maintaining the nation’s critical infrastructure address targeted cyber threats, ICS-CERT has published guidance addressing intrusion detection and mitigation strategies.

In an effort to help organizations responsible for maintaining the nation’s critical infrastructure address targeted cyber threats, ICS-CERT has published guidance addressing intrusion detection and mitigation strategies.

The technical advice is for organizations whose networks have already been compromised and for those looking to strengthen their existing risk management and response posture. Taking the smart approach, the document explains the “why” and “what” when it comes to detection, prevention, and mitigation, but leaves the “how” up to the individual organization.

Critical Infrastructure Operators

“The impacts of a cyber intrusion will likely be different for every organization depending on the nature of the compromise and the organization’s capabilities to respond. Each organization must assess its particular situation, identify the criticality of the impacted devices, and develop a prioritized course of action,” the guide explains.

“Unfortunately, a simple and prescriptive remedy that can be applied uniformly to every organization does not exist. However, basic principles and recommendations exist that are essential to maintaining a sound network security posture and that will provide the necessary capabilities to respond to an incident.”

Fittingly, the first recommendation is the preservation of forensic data. This includes detailed notes of observations and logs, but the guide explains that the more information that can be protected the better, such as system images and live system data.

Logging is another item that must be kept current. ICS-CERT says that firewall logs, proxy logs, DNS, IDS, and router / switch logs should all be considered. Again, the key point is that the more information that can be made available to the incident response teams, the better.

Rounding out the recommendations are network segmenting and role-based access control. According to ICS-CERT, effective network segmentation reduces the extent to which an adversary can move across the network. “In an ideal world, the business and control system networks would be physically separated. However, this is not practical in many situations,” the guide notes, so organizations will need to do some legwork.

“Implementing strict role-based access control allows better auditing and reduces risk by minimizing the privileges associated with each group. In addition, this logical network segmentation makes it harder for an adversary to move laterally through the network after the initial intrusion,” the guide adds.

The full list of mitigations and advice is available here

Related: Addressing SCADA Endpoint Protection Concerns

Related ReadingA New Cyber Security Model for SCADA

Related ReadingPutting SCADA Protection on the Radar

Written By

Click to comment

Expert Insights

Related Content

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

ICS/OT

The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.

ICS/OT

Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Incident Response

Created and maintained by MITRE, MITRE D3FEND is a framework that provides a library of defensive cybersecurity countermeasures and technical components to help organizations...

Application Security

Data Protection

Artificial intelligence is more artificial than intelligent.

Mobile & Wireless

US authorities announced a ban Friday on the import or sale of communications equipment deemed "an unacceptable risk to national security" -- including gear...