Three Questions Every ICS Security Team Should Ask


Securing ICS networks is an extremely challenging task, primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, let’s consider the top three questions every organization should ask itself about securing its network.

1. Do we know what needs to be protected?

To protect the network, the first step is to create an inventory of the technologies and critical assets in place. Without this baseline understanding, it is impossible to secure the network. Generally, industrial controllers (PLCs, RTUs, DCSs) are the most critical components of ICS networks, since they are responsible for the entire lifecycle of industrial processes. Automation controllers ensure continuous and safe operations.

Securing controllers requires accurate knowledge of the firmware they are running, the code and logic they execute, and their current configuration. Any change to controller firmware, logic or configuration can cause operational disruptions.

Since most ICS networks were deployed decades ago, it is commonplace for some assets to be forgotten. Most organizations don’t have a clear picture of the critical assets that need to be protected in their environment. The manual processes used to document them are not only inaccurate but also tedious and resource intensive.

This lack of automated asset discovery and management forces many organizations to rely on manual documentation using spreadsheets. This outmoded approach not only results in employee burnout and gross inaccuracies, but also creates opportunities for network breaches.

Automated asset discovery and management provides ICS security teams with an accurate, up-to-date inventory, empowering them to plan and roll out effective security controls.

2. What is happening in the ICS network?


Unfortunately, a great deal of what happens in ICS networks is unknown. Inherently different from IT networks, they not only lack visibility and security controls, but also use specialized technologies and vendor-specific communication protocols. This makes IT controls unsuitable for these environments.


Some ICS network monitoring solutions focus on HMI/SCADA application activity, which occurs at the data-plane of ICS networks. This activity is executed over known and standardized communication protocols that are easier to monitor.

However, the core engineering activities performed on industrial controllers, including changes to control-logic, configuration settings and firmware uploads/downloads, can’t be monitored in these data-plane network protocols. That’s because these control-plane activities are executed in proprietary vendor-specific protocols, which are often undocumented and unnamed. This makes them very difficult to monitor.

In IT networks, performing control-plane activities typically requires special privileges. However, most ICS networks lack authentication or encryption controls, so anyone with network access can execute these activities. In addition, there are no audit trails or logs that capture changes and activities which could be used to support forensic investigations.

Gaining visibility into the engineering activities executed in the industrial control-plane should be a top priority for ICS security teams. This is where malicious activity and human error can cause the greatest disruptions.

3. Can we effectively manage and respond to security events?

Due to the general absence of visibility and controls in ICS networks, most organizations are unable to respond to events in a timely and effective manner. Their failure to do so not only weakens their defences, but also increases the overall costs of mitigation.

Real-time visibility into industrial networks is the key to ICS security. To protect against external threats, malicious insiders, and human error, industrial organizations must monitor all ICS activities — whether executed by an unknown source or a trusted insider, and whether the activities are authorized or not.

Only with full visibility into data-plane and control-plane network activity can organizations apply effective security and access management policies that govern who is allowed to make what changes, when and how.

The implementation of accurate security policies can also ensure that ICS security teams get timely alerts when unauthorized and unexpected activity occurs. These can provide the information required to quickly pinpoint the source of problems and mitigate them to minimize disruptions and damage.
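The three questions above come together in a small policy check: an asset inventory (question 1), a split between data-plane HMI traffic and control-plane engineering operations (question 2), and a policy stating which hosts may make which changes and when (question 3). The following is an added illustration written for this page, not code from the article; the inventory, policy, hosts and events are all constructed, and it assumes the vendor protocol has already been decoded into named operations upstream.

```python
from collections import namedtuple
from datetime import datetime

# Engineering (control-plane) operations on controllers; anything else is treated as
# data-plane HMI/SCADA traffic. Decoding the vendor protocol is assumed done upstream.
CONTROL_PLANE_OPS = {"logic_download", "firmware_update", "config_write"}

# Constructed asset inventory (question 1): the controllers the team knows about.
INVENTORY = {"10.0.1.10": "PLC-LINE1", "10.0.1.11": "PLC-LINE2"}

# Constructed policy (question 3): who may make which changes, during which local hours [start, end).
POLICY = {
    "10.0.2.5": {"ops": CONTROL_PLANE_OPS, "hours": (2, 5)},   # engineering workstation
    "10.0.2.20": {"ops": {"config_write"}, "hours": (0, 24)},  # vendor jump host
}
# One decoded operation: time seen, issuing host, target controller, operation name.
Event = namedtuple("Event", "ts src dst op")

def classify(ev):
    return "control-plane" if ev.op in CONTROL_PLANE_OPS else "data-plane"

def evaluate(ev):
    """Return alert strings for one event; an empty list means it is permitted."""
    alerts = []
    if ev.dst not in INVENTORY:
        alerts.append(f"unknown asset {ev.dst}: not in inventory")
    if classify(ev) == "data-plane":
        return alerts  # HMI reads/writes are recorded but not alerted on here
    rule = POLICY.get(ev.src)
    if rule is None:
        return alerts + [f"{ev.op} from unauthorized host {ev.src}"]
    if ev.op not in rule["ops"]:
        alerts.append(f"{ev.src} is not permitted to perform {ev.op}")
    start, end = rule["hours"]
    if not start <= ev.ts.hour < end:
        alerts.append(f"{ev.op} by {ev.src} outside maintenance window")
    return alerts

# Constructed sample events: one permitted change, three policy violations, one data-plane read.
SAMPLE = [
    Event(datetime(2024, 3, 1, 3, 15), "10.0.2.5", "10.0.1.10", "logic_download"),
    Event(datetime(2024, 3, 1, 14, 0), "10.0.2.5", "10.0.1.10", "firmware_update"),
    Event(datetime(2024, 3, 1, 10, 0), "10.0.2.20", "10.0.1.11", "logic_download"),
    Event(datetime(2024, 3, 1, 10, 5), "10.0.3.77", "10.0.1.99", "config_write"),
    Event(datetime(2024, 3, 1, 10, 6), "10.0.4.1", "10.0.1.10", "register_read"),
]

if __name__ == "__main__":  # audit trail: every event, its plane, and any alerts
    for ev in SAMPLE:
        print(ev.ts.isoformat(), ev.src, "->", ev.dst, classify(ev), evaluate(ev) or "ok")
```

Every event is recorded with its plane, which gives the audit trail the article notes is usually missing; only control-plane operations that fall outside the policy produce alerts.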


Related: The Top 3 Threats to Industrial Control Systems

Related: Flaw Allows Attackers to Modify Firmware on Rockwell PLCs
