Defensive Strategies for Industrial Control Systems

By Numaan Huq, Forward-Looking Threat Research Team

Securing Industrial Sectors

In today’s competitive global market for commodities and manufactured goods, the reliance on natural resources for economic development and fluctuating geopolitical climates have all contributed to making industries targets of cyber espionage campaigns, which can also escalate into disruptive and destructive cyber attacks. These cyber espionage campaigns are geared toward ensuring that interest groups have access to the latest technical knowledge and intelligence that will help them maintain a competitive advantage and thrive in a market-driven global economy. Cyber espionage campaigns are also used for conducting carefully planned strategic or retaliatory cyber attacks against a nation’s critical infrastructure.

Cyber attack and data breach prevention strategies should be considered an integral part of a business’s daily operations. Ultimately, no defense is impregnable against determined adversaries. The key principle of defense is to assume compromise and take countermeasures:

  • Quickly identify and respond to ongoing security breaches
  • Contain the security breach and stop the loss of sensitive data
  • Apply lessons learned to further strengthen defenses & prevent repeat incidents
  • Preemptively prevent attacks by securing all exploitable avenues

Cyber attacks and data breaches are inevitable, so having effective alert, containment, and mitigation processes is critical. In Defensive Strategies for Industrial Control Systems, we present recommendations for defending against attacks and breaches. We start with a framework for how ICS networks should be viewed, then discuss strategies for securing specific network-related components, include recommendations for working securely with third parties, and finally discuss how to deal with insider threats.

Network Segmentation

The Purdue Model for Control Hierarchy is a common and well-understood model in the manufacturing industry that segments devices and equipment into hierarchical functions.1 The International Society for Automation’s ISA-99 Committee for Manufacturing and Control Systems Security identified the levels and logical framework shown below:

The framework identifies five zones and six levels of operations:2

Enterprise Zone
  • Level 5, Enterprise Network: corporate-level applications (like ERP, CRM, document management) and services (internet access and VPN entry points)
  • Level 4, Site business planning and logistics: manufacturing facility IT services, which may include scheduling systems, material flow applications, manufacturing execution systems (MES), and local IT services (phone, email, printing, security/monitoring)

Demilitarized Zone
  • Provides a buffer zone where services and data can be shared between the Manufacturing and Enterprise zones; allows for easy segmentation of organizational control; should be designed so that no traffic traverses the DMZ, i.e., all traffic should originate/terminate in the DMZ

Manufacturing Zone
  • Level 3, Site manufacturing operations and control: includes the functions involved in managing the workflow to produce end products (detailed production scheduling, reliability assurance, site-wide control optimization, security management, network management, and potentially other required IT services such as DHCP, LDAP, DNS, and file servers)

Cell/Area Zone
  • Level 2, Area supervisory control: control room, controller status, Industrial Automation and Control System (IACS) network/application administration, and other control-related applications (supervisory control, historian)
  • Level 1, Basic Control: multidiscipline controllers, dedicated HMIs, and other applications that may talk to each other to run a part of, or an entire, IACS
  • Level 0: where devices (sensors, actuators) and machines (drives, motors, robots) communicate with the controller or multiple controllers

Safety Zone
  • Devices, sensors, and other equipment used to manage the safety functions of an IACS

Figure 1. The Purdue Model for Control Hierarchy
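The DMZ rule in Figure 1 (no traffic traverses the DMZ; every Enterprise/Manufacturing exchange originates or terminates there) can be checked mechanically against a proposed firewall rule set. The following is an added example, not code from the original article: the zone ordering, the endpoint notation ("L4", "DMZ") and the sample rules are assumptions made for illustration.

```python
# Added example: validate proposed inter-zone flows against the Purdue zoning
# rule. Level-to-zone mapping follows Figure 1; everything else is assumed.

ZONE_OF_LEVEL = {
    5: "Enterprise", 4: "Enterprise",
    3: "Manufacturing",
    2: "Cell/Area", 1: "Cell/Area", 0: "Cell/Area",
}
DMZ = "DMZ"

# Zones from the top of the hierarchy down. Only neighbouring zones may
# exchange traffic, so an Enterprise-to-Manufacturing exchange must be split
# into two flows that each originate or terminate in the DMZ.
HIERARCHY = ["Enterprise", DMZ, "Manufacturing", "Cell/Area"]


def zone_of(endpoint):
    """Map an endpoint label such as 'L4' or 'DMZ' to its Purdue zone."""
    if endpoint == DMZ:
        return DMZ
    return ZONE_OF_LEVEL[int(endpoint.lstrip("L"))]


def check_flow(src, dst):
    """Return None if src may talk to dst directly, else the reason it may not."""
    lo, hi = sorted((HIERARCHY.index(zone_of(src)), HIERARCHY.index(zone_of(dst))))
    if hi - lo <= 1:
        return None  # same zone or adjacent zones
    skipped = HIERARCHY[lo + 1:hi]  # zones the flow would tunnel through
    return f"{src}->{dst} bypasses {', '.join(skipped)}"


# Constructed firewall rule set: (source endpoint, destination endpoint).
SAMPLE_RULES = [
    ("L4", "DMZ"),  # MES pushes batches to a DMZ relay: allowed
    ("DMZ", "L3"),  # DMZ relay forwards to site operations: allowed
    ("L5", "L3"),   # ERP straight to site operations: skips the DMZ
    ("L3", "L2"),   # site operations to area supervisory: adjacent zones
    ("L4", "L1"),   # site IT to a basic controller: skips DMZ and Manufacturing
]


def audit(rules):
    """Return (src, dst, reason) for every rule that violates the zoning model."""
    findings = []
    for src, dst in rules:
        reason = check_flow(src, dst)
        if reason:
            findings.append((src, dst, reason))
    return findings


if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_RULES):
        print("VIOLATION", reason)
```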

Security Strategies

Attacks against ICS environments not only cause business disruptions or financial loss, as in traditional office-based environments, but also carry the possibility of injury, death or even catastrophe, especially in the case of public service systems. Thus, security teams must assess ICS systems thoroughly to identify the different kinds and levels of risk and to install the corresponding safeguards. To help with this, Public Safety Canada created a list of recommended best practices that organizations should follow in order to secure their ICS environments:3

Network Segmentation
The purpose of network segmentation is to partition the system into distinct security zones and implement layers of protection that will isolate critical parts of the system using a policy enforcement device.
Remote Access
Firewalls, Virtual Private Networks (VPN), callback (for dial-up), multi-factor authentication, user access control, and intrusion detection provide “secure” remote access to computer networks. ICSs are often used in remote locations where connectivity is limited. For this reason, ICSs often use dial-up connections, which should be secured.
Wireless Communications
Wireless access to the ICS network introduces risks similar to those associated with remote access, with some additional threat vectors (e.g. an unauthorized individual accessing the wireless network from outside the physical security perimeter of the plant). Additionally, the wireless medium is extremely susceptible to denial of service (DoS) attacks.
Patch Management
Patch management is an important component of any strategy involving overall control system security. In many cases, the only effective mitigation for a newly discovered vulnerability is to install a vendor-released software patch or update.
Access Policies and Control
Access control covers all aspects of controlling access to a network, device or service, including physical and electronic access, from defining the security roles and responsibilities to establishing authentication policies and procedures.
System Hardening
Hardening the components of a system means locking down the functionality of various components within the system to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.
Intrusion Detection
All systems require some method to monitor system activity and identify potentially malicious events in the network. Without this, minor security issues will remain undetected until they become critical security incidents.
Physical and Environmental Security
Physical access to critical ICS assets, through the use of approved or authorized equipment, should be limited to those who require access in order to fulfill their duties. In addition to physical access control, critical equipment such as ICS needs to be appropriately protected from environmental hazards.
Malware Protection and Detection
In general, the benefits of running antivirus software on ICS hosts far outweigh the risk that the antivirus software may have a negative impact on the system.
Security Training and Awareness
ICS security training and awareness of personnel is an essential tool in reducing cyber security risks. It is critical that any ICS security program include a training and awareness program so that employees understand what their role is and what is expected of them. A knowledgeable and vigilant staff is one of the most important lines of defense in securing a system.
Periodic Assessment and Audits
Numerous factors affect the security of a system throughout its life cycle. Therefore, periodic testing and verification of the system is important in achieving optimal security.
Change Control and Configuration Management
Change management policies and procedures are used to control modifications to hardware, firmware, software, and documentation. They are set to ensure that the ICS is protected against improper modifications prior to, during, and after commissioning.
Incident Planning and Response
A comprehensive cyber incident response plan should include both proactive measures and reactive measures. Proactive measures are those that can help prevent incidents or better allow the organization to respond when one occurs, whereas reactive measures can help detect and manage an incident once it occurs.

Collaborative Network Environments

Organizations regularly employ contractors and third-party vendors to provide them with goods and services such as equipment rental, catering, transportation, consultancy, maintenance, etc. Contractors in turn might hire sub-contractors, which contributes to a challenging cyber ecosystem, especially when these vendors, contractors, and sub-contractors need to access the corporate network in order to fulfill their duties.

Partnerships expand opportunities, but they also increase cyber security risks. Threat actors are successfully compromising contractors and third-party vendors and leveraging them as backdoor pathways into their targeted corporate networks. The retailer Target, for instance, was victimized in one of the largest credit card data breaches ever in November 2013. Later, it was found that the attackers broke into the network via a third-party HVAC vendor who had access to the corporate network.4 After all, most third-party vendors and contractors don’t have uniform cyber security policies and practices. This creates exploitable weaknesses in the operations chain, as seen in the case of Target. IT collaboration described from a “castle” perspective means inviting partners across the traditional moat: not everyone inside is safe, and not everyone outside is dangerous.5

Collaborative network environments pose unique challenges for the IT team. Thus, the IT team needs to be involved in the initial planning and development stages so it can perform a risk assessment to determine the proper IT solution design.6 If IT does not fully understand the terms and requirements of the partnership agreement, it might be restricted to providing only tactical solutions in an ad hoc manner. Lack of IT involvement in the planning and development stages also means that IT solutions may not meet the required compliance standards. Incorrectly granting access to digital assets increases the risk of security breaches that can violate contractual agreements with third parties.

New partnership considerations for IT include:7
  • Insider threat complacency
  • Insider threat ignorance
  • Insider threat malice
  • No operating agreement terms for digital assets
  • No standardized operating agreements with partners
  • Application licensing agreements
  • Export compliance laws
  • Risks of intellectual property leakage
  • Privacy regulations
  • Changes to the operating terms over time, etc.

Different partners will require different access privileges to project data, corporate data, applications, etc., and IT needs to carefully set up digital boundaries to prevent security breaches via third parties who have access to the corporate network. Third-party requests should be reviewed by IT, Legal, and the relevant departments. There should be rigorous implementation of the IT solutions, proper documentation, and regularly scheduled compliance reviews/revalidation, based on the assessed risks.

Risk assessment considerations include:8
  • Partner reputation
  • International or domestic partnerships
  • Cyber security risks in the country of operations
  • Corruption in country of operations
  • Joint operations risk scenarios
  • Type of legal joint venture entity (IT should have pre-defined operation models to support different joint venture operating environments and their associated risks)

Security best practices include:9
  • Identifying intellectual property and safeguarding it
  • Confining intellectual property access to a need-to-know basis, and
  • Training employees to protect intellectual property

Strategies for securing the corporate network include:10
  • Deploying Network Access Control (NAC) to build a secure front. This enables the authentication of users and devices before they are allowed to connect to the corporate network.
  • Implementing identity awareness, the process of establishing and recording user and device identities and their associated access control policies. The stored identity defines and manages access for every type of network user and device used.
  • Using identity-aware firewalls, which will enable control of the network and servers based on access policies defined for each connecting user or device.
  • Strengthening policy enforcement by integrating the access control and identity-awareness components into a final network architecture solution that is capable of enforcing access policies on wired, wireless, and VPN networks, regardless of how and where users connect.

Securing Against the Insider Threat

An insider threat comes from a trusted individual, or person of authority, who has access privileges and then steals data. Motivations for insider threats include money, ideology, coercion, and ego; frequently more than one of these motives is at play. Dealing with insider threats is possibly one of the most difficult tasks a security team must handle. Broadly speaking, prevention and mitigation techniques can be grouped into two categories: technical and non-technical.11

Technical Steps versus Insider Threats

Technical steps to prevent insider attacks make use of security best practices. Insider attacks should be prioritized the same way as external attacks. Similar to external attacks, insider attacks cannot be prevented and so we need to work on detecting them as quickly as possible.

Monitoring and logging of activities, such as what data is moving through the network and what is going out of the network, can be used to detect potentially suspicious behavior by insiders. The key principle of defense is to assume compromise. This includes compromised insiders as well, for example an attacker using compromised user accounts to navigate the corporate and ICS networks. Proper access controls should be in place to ensure that employees are not able to access information they do not need for their day-to-day functions. Credentials of employees who leave the organization should also be disabled immediately to prevent security leaks.
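Two of the controls above (disabling departed employees' credentials and watching what leaves the network) can be checked from logs. The following is an added example, not code from the original article: it correlates a constructed HR offboarding list with constructed authentication and egress log lines; the log format, the 1 GiB daily threshold and all names are assumptions.

```python
# Added example: flag logins with credentials that should have been disabled,
# and per-user daily egress above a threshold. All inputs are constructed.
from datetime import date

# Constructed HR feed: user -> last working day. Any login after it means the
# account was not disabled as the text requires.
OFFBOARDED = {"jdoe": date(2015, 3, 1)}

# Constructed log lines: "date,kind,user,detail". For AUTH the detail is the
# source host; for EGRESS it is the number of bytes sent out of the network.
LOG_LINES = """\
2015-03-02,AUTH,jdoe,vpn-gw
2015-03-02,AUTH,asmith,eng-ws12
2015-03-02,EGRESS,asmith,52428800
2015-03-03,EGRESS,asmith,4294967296
2015-03-03,EGRESS,bkim,1048576
""".splitlines()

EGRESS_LIMIT = 1 << 30  # assumed: 1 GiB per user per day triggers review


def parse(line):
    """Split one constructed log line into (date, kind, user, detail)."""
    d, kind, user, detail = line.split(",")
    return date.fromisoformat(d), kind, user, detail


def find_disabled_account_logins(lines):
    """Logins by accounts whose owner has already left: (user, date, host)."""
    hits = []
    for line in lines:
        d, kind, user, host = parse(line)
        last_day = OFFBOARDED.get(user)
        if kind == "AUTH" and last_day is not None and d > last_day:
            hits.append((user, d.isoformat(), host))
    return hits


def find_egress_spikes(lines, limit=EGRESS_LIMIT):
    """(user, date, bytes) for every user-day whose outbound total exceeds limit."""
    totals = {}
    for line in lines:
        d, kind, user, detail = parse(line)
        if kind == "EGRESS":
            totals[(user, d)] = totals.get((user, d), 0) + int(detail)
    return sorted((u, d.isoformat(), n) for (u, d), n in totals.items() if n > limit)


if __name__ == "__main__":
    print("disabled-account logins:", find_disabled_account_logins(LOG_LINES))
    print("egress spikes:", find_egress_spikes(LOG_LINES))
```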

Non-technical Steps versus Insider Threats

Non-technical means of security are equally effective in preventing insider threats. Employee dissatisfaction increases the risk of insider attacks. Good management practices in handling delicate situations, recognizing and rewarding employees, and looking after the well-being of employees all help in defusing potential insider threats. In a nutshell, happy employees are less likely to turn against their employers.

Trend Micro Solutions for ICS and SCADA

Network Security

Trend Micro provides solutions which can be installed on networks that include ICS and SCADA devices to monitor the traffic to and from these systems. These solutions are good options for those devices which run non-standard operating systems or cannot support an agent.

  • TippingPoint IPS is an appliance that can detect and block network traffic associated with vulnerabilities being exploited by threat actors targeting these ICS and SCADA devices.
  • Deep Discovery and TippingPoint Advanced Threat Protection are appliances that can detect malicious traffic including command-and-control communications that may be found within these networks and associated with a breach. Unusual SCADA traffic can also be identified.

Device Security

Trend Micro provides a variety of solutions which could be installed on ICS and SCADA devices.

  • Deep Security includes virtual patching for known vulnerabilities associated with the OS and applications that may be running on these devices. Application Control can allow the device to run only known and approved OS/applications. Malware can be detected and removed using multiple scanning technologies. Integrity Monitoring is able to quickly identify any unauthorized changes to critical files.
  • OfficeScan includes a variety of technologies to detect and protect against malware as well as web reputation to detect malicious URLs and command-and-control communications. USB device control is also included.
  • Trend Micro Vulnerability Protection supports detecting known vulnerabilities associated with OS and applications that may be running on these devices.
  • Trend Micro Endpoint Application Control can allow the device to only run known and approved OS/applications on these devices by locking down the operating system or applications running.
