Three Questions Every ICS Security Team Should Ask


Securing ICS networks is an extremely challenging task, primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, let’s consider the top three questions every organization should ask itself about securing its network.

1. Do we know what needs to be protected?

To protect the network, the first step is to create an inventory of the technologies and critical assets in place. Without this baseline understanding, it’s impossible to secure it. Generally, industrial controllers (PLCs, RTUs, DCSs) are the most critical components of ICS networks, since they are responsible for the entire lifecycle of industrial processes. Automation controllers ensure continuous and safe operations.

Securing controllers requires accurate knowledge of the firmware they are running, the code and logic they execute, and their current configuration. Any change to controller firmware, logic or configuration can cause operational disruptions.

Since most ICS networks were deployed decades ago, it is commonplace for some assets to be forgotten about. Most organizations don’t have a clear picture of the critical assets that need to be protected in their environment. Manual processes used to document them are not only inaccurate, but they are also tedious and resource intensive. 

This lack of automated asset discovery and management forces many organizations to rely on manual documentation using spreadsheets. This outmoded approach not only results in employee burnout and gross inaccuracies, it also creates opportunities for network breaches.

Automated asset discovery and management provides ICS security teams an accurate, up-to-date inventory, empowering them to plan and roll-out effective security controls.

2. What is happening in the ICS network?


Unfortunately, a great deal of what happens in ICS networks is unknown. Inherently different from IT networks, they not only lack visibility and security controls, but also use specialized technologies and vendor-specific communication protocols. This makes IT controls unsuitable for these environments.


Some ICS network monitoring solutions focus on HMI/SCADA application activity, which occurs at the data-plane of ICS networks. This activity is executed over known and standardized communication protocols that are easier to monitor. 

However, the core engineering activities performed on industrial controllers, including changes to control logic, configuration settings and firmware uploads/downloads, can’t be monitored in these data-plane network protocols. That’s because these control-plane activities are executed in proprietary, vendor-specific protocols, which are often undocumented and unnamed. This makes them very difficult to monitor.

In IT networks, performing control-plane activities typically requires special privileges. However, most ICS networks lack authentication or encryption controls. Therefore, anyone with network access can execute the above activities. In addition, there are no audit trails or logs that capture changes and activities which can be used to support forensic investigations. 

Gaining visibility into the engineering activities executed in the industrial control-plane should be a top priority for ICS security teams. This is where malicious activity and human error can cause the greatest disruptions.

3. Can we effectively manage and respond to security events?

Due to the general absence of visibility and controls in ICS networks, most organizations are unable to respond to events in a timely and effective manner. Their failure to do so not only weakens their defences, but also increases the overall costs of mitigation.

Real-time visibility into industrial networks is the key to ICS security. To protect against external threats, malicious insiders, and human error, industrial organizations must monitor all ICS activities — whether executed by an unknown source or a trusted insider, and whether the activities are authorized or not.

Only with full visibility into data-plane and control-plane network activity can organizations apply effective security and access management policies that govern who is allowed to make what changes, when and how.

The implementation of accurate security policies can also ensure that ICS security teams get timely alerts when unauthorized or unexpected activity occurs. These alerts provide the information required to quickly pinpoint the source of problems and mitigate them to minimize disruptions and damage.
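One way to tie the three questions together, as an added example that is not from the article: a small Python check that compares control-plane events against an asset inventory baseline and a who/what/where/when change policy, alerting on devices missing from the inventory and on changes outside policy. All controller names, event field names and values are constructed and hypothetical.

```python
from datetime import datetime, time

# Constructed baseline inventory: hypothetical controllers with approved firmware and logic hashes.
BASELINE = {
    "PLC-01": {"firmware": "20.11", "logic_hash": "3f9c"},
    "PLC-02": {"firmware": "4.02", "logic_hash": "b7e1"},
}

# Constructed policy: who may run which control-plane operation, on which controller, during which window.
POLICY = [
    {"user": "eng-alice", "ops": {"logic_download", "config_change"},
     "assets": {"PLC-01"}, "window": (time(8, 0), time(17, 0))},
    {"user": "vendor-svc", "ops": {"firmware_upload"},
     "assets": {"PLC-02"}, "window": (time(22, 0), time(23, 59))},
]

# Constructed control-plane events, as a sensor that decodes the vendor protocol might emit them.
EVENTS = [
    {"ts": "2024-03-04T09:15:00", "src": "10.1.2.5", "user": "eng-alice",
     "asset": "PLC-01", "op": "logic_download", "logic_hash": "9d2a"},
    {"ts": "2024-03-04T02:40:00", "src": "10.1.2.77", "user": "",
     "asset": "PLC-01", "op": "firmware_upload", "firmware": "21.00"},
    {"ts": "2024-03-04T10:05:00", "src": "10.1.2.5", "user": "eng-alice",
     "asset": "PLC-07", "op": "config_change"},
]

def authorized(event, policy=POLICY):
    """True if a policy rule covers this user, operation, asset and time of day."""
    t = datetime.fromisoformat(event["ts"]).time()
    return any(r["user"] == event["user"] and event["op"] in r["ops"]
               and event["asset"] in r["assets"]
               and r["window"][0] <= t <= r["window"][1] for r in policy)

def evaluate(event, baseline=BASELINE, policy=POLICY):
    """Return alert reasons for one event; an empty list means the change is expected."""
    asset = baseline.get(event["asset"])
    if asset is None:  # question 1: an engineering action against a device nobody inventoried
        return [f"{event['asset']}: {event['op']} against asset not in inventory"]
    if authorized(event, policy):
        return []
    who = event["user"] or "unauthenticated source"
    reasons = [f"{event['asset']}: {event['op']} by {who} from {event['src']} outside policy"]
    for key in ("firmware", "logic_hash"):  # report the drift the change would introduce
        if key in event and event[key] != asset[key]:
            reasons.append(f"{event['asset']}: {key} {asset[key]} -> {event[key]}")
    return reasons

def run(events=EVENTS):
    return [(e["ts"], evaluate(e)) for e in events if evaluate(e)]
```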

Related: Learn More at the ICS Cyber Security Conference

Related: The Top 3 Threats to Industrial Control Systems

Related: Flaw Allows Attackers to Modify Firmware on Rockwell PLCs
