Defensive Strategies for Industrial Control Systems
By Numaan Huq, Forward-Looking Threat Research Team
Securing Industrial Sectors
In today’s competitive global market for commodities and manufactured goods, the reliance on natural resources for economic development and the fluctuating geopolitical climates have all contributed to making industries targets of cyber espionage campaigns, which can also take the form of disruptive and destructive cyber attacks. These cyber espionage campaigns are geared toward ensuring interest groups have access to the latest technical knowledge and intelligence that will help them maintain competitive advantage and thrive in a market-driven global economy. Cyber espionage campaigns are also used for conducting carefully planned strategic or retaliatory cyber attacks against a nation’s critical infrastructure.
Cyber attack and data breach prevention strategies should be considered an integral part of a business’s daily operations. Ultimately, no defense is impregnable against determined adversaries. The key principle of defense is to assume compromise and take countermeasures:
- Quickly identify and respond to ongoing security breaches
- Contain the security breach and stop the loss of sensitive data
- Apply lessons learned to further strengthen defenses and prevent repeat incidents
- Preemptively prevent attacks by securing all exploitable avenues
Cyber attacks and data breaches are inevitable. Thus, having effective alert, containment, and mitigation processes is critical. In Defensive Strategies for Industrial Control Systems, we present recommendations for defense against attacks and breaches. We start with a framework on how ICS networks should be viewed, then discuss strategies on how to secure specific network-related components, include recommendations for working securely with third parties, and finally discuss how to deal with insider threats.
The Purdue Model for Control Hierarchy is a common and well-understood model in the manufacturing industry that segments devices and equipment into hierarchical functions.1 The International Society for Automation’s (ISA-99) Committee for Manufacturing and Control Systems Security identified the levels and logical framework shown as follows:
The framework identifies five zones and six levels of operations2
Attacks against ICS environments not only cause business disruptions or financial loss, like in traditional office-based environments, but also include the possibility of injury, death or even a catastrophe–especially in the case of public service systems. Thus, security teams must assess ICS systems thoroughly to identify the different kinds and levels of risk and to install the corresponding safeguards. To help with this, Public Safety Canada created a list of recommended best practices that organizations should follow in order to secure their ICS environments:3
Collaborative Network Environments
Organizations regularly employ contractors and third-party vendors to provide them with goods and services such as equipment rental, catering, transportation, consultancy, maintenance, etc. Contractors in turn might hire sub-contractors, who will contribute to a challenging cyber ecosystem–especially when these vendors, contractors, and sub-contractors need to access the corporate network in order to fulfill their duties.
Partnerships expand opportunities, but they also increase cyber security risks. Threat actors are successfully compromising contractors and third-party vendors and leveraging them as backdoor pathways into their targeted corporate networks. The retailer Target, for instance, was victimized in one of the largest credit card data breaches ever in November 2013. Later, it was found that the attackers broke into the network via a third-party HVAC vendor who had access to the corporate network.4 After all, most third-party vendors and contractors don’t have uniform cyber security policies and practices. This creates exploitable weaknesses in the operations chain, as seen in the case of Target. IT collaboration described from a “castle” perspective means inviting partners across the traditional moat: not everyone inside is safe, not everyone outside is dangerous.5
Collaborative network environments pose unique challenges for the IT team. Thus, the IT team needs to be involved in the initial planning and development stages so they can do risk assessment to determine proper IT solutions design.6 If IT does not fully understand the terms and requirements of the partnership agreement, then they might be restricted to providing only tactical solutions in an ad hoc manner. Lack of IT involvement in the planning and development stages also means that IT solutions may not meet the required compliance standards. Incorrectly granting access to digital assets increases the risks of security breaches that can violate contractual agreements with third parties.
New partnership considerations for IT include:7
- Insider threat complacency
- Insider threat ignorance
- Insider threat malice
- No operating agreement terms for digital assets
- No standardized operating agreements with partners
- Application licensing agreements
- Export compliance laws
- Risks of intellectual property leakage
- Privacy regulations
- Changes to the operating terms over time, etc.
Different partners will require different access privileges to project data, corporate data, applications, etc., and IT needs to carefully set up digital boundaries to prevent security breaches via third parties who have access to the corporate network. Third-party requests should be reviewed by IT, Legal, and relevant departments. There should be rigorous implementation of the IT solutions, proper documentation, and regularly scheduled compliance reviews/revalidation, which will be based on assessed risks.
Risk assessment considerations include:8
- Partner reputation
- International or domestic partnerships
- Cyber security risks in the country of operations
- Corruption in country of operations
- Joint operations risk scenarios
- Type of legal joint venture entity (IT should have pre-defined operation models to support different joint venture operating environments and their associated risks)
- Identifying intellectual property and safeguarding them
- Confining intellectual property access to a need-to-know basis, and
- Training employees to protect intellectual property
- Deploying Network Access Control (NAC) to build a secure front. This enables the authentication of users and devices before they are allowed to connect to the corporate network.
- Implementing identity awareness, the process of establishing and recording user and device identities and their associated access control policies. The stored identity defines and manages access for every type of network user and device used.
- Using identity-aware firewalls, which will enable control of the network and servers based on access policies defined for each connecting user or device.
- Strengthening policy enforcement by integrating the access control and identity-awareness components into a final network architecture solution that is capable of enforcing access policies on wired, wireless, and VPN networks, regardless of how and where users connect.
Securing Against the Insider Threat
An insider threat comes from trusted individuals, or persons of authority, who have access privileges and then steal data. Motivations for insider threats could be money, ideology, coercion, and ego. Frequently, more than one of these motives is at play. Dealing with insider threats is possibly one of the most difficult tasks a security team must do. Broadly speaking, prevention and mitigation techniques can be grouped into two categories: technical and non-technical.11
Technical Steps versus Insider Threats
Technical steps to prevent insider attacks make use of security best practices. Insider attacks should be prioritized the same way as external attacks. Similar to external attacks, insider attacks cannot be prevented and so we need to work on detecting them as quickly as possible.
Monitoring and logging of activities, such as what data is moving through the network and what is going out of the network, can be used to detect potentially suspicious behavior by insiders. The key principle of defense is to assume compromise. This includes compromised insiders as well—for example, an attacker using compromised user accounts to navigate the corporate and ICS networks. Proper access controls should be in place to ensure that employees are not able to access information they do not need for their day-to-day functions. Credentials of employees who leave the organization should also be disabled immediately to prevent security leaks.
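The log review described above can be automated. The following is an added example, not part of the original article: it checks an access log against an HR roster and a per-role need list, flagging accounts still in use after the owner left, access outside a role's day-to-day need, and accounts unknown to HR. The log format, account names, roles, and resource names are all assumptions constructed for illustration.

```python
import csv, io
from datetime import datetime

# All data below is constructed for illustration; names are hypothetical.
ROSTER = """account,role,terminated
alice,process_engineer,
bob,hvac_contractor,
carol,process_engineer,2024-03-01
"""
# Resources each role needs for its day-to-day function.
ROLE_NEEDS = {
    "process_engineer": {"hmi-01", "historian"},
    "hvac_contractor": {"hvac-portal"},
}
# Access log format (assumed): timestamp account resource result
ACCESS_LOG = """2024-02-20T10:00:00 carol historian ALLOW
2024-03-04T08:02:11 alice hmi-01 ALLOW
2024-03-04T08:15:40 bob hvac-portal ALLOW
2024-03-04T09:31:05 bob historian ALLOW
2024-03-05T23:47:19 carol hmi-01 ALLOW
2024-03-05T23:49:02 mallory hmi-01 DENY
"""

def load_roster(text):
    """Map account name -> HR record."""
    return {row["account"]: row for row in csv.DictReader(io.StringIO(text))}

def review(log_text, roster, role_needs):
    """Return (timestamp, account, resource, reason) for each suspicious event."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        ts, account, resource, result = parts
        user = roster.get(account)
        left = user["terminated"] if user else ""
        if user is None:
            reason = "unknown-account"
        elif left and datetime.fromisoformat(ts) >= datetime.fromisoformat(left):
            # Credential should have been disabled on the leave date.
            reason = "departed-account-in-use"
        elif result == "ALLOW" and resource not in role_needs.get(user["role"], set()):
            reason = "access-outside-role-need"
        else:
            continue
        findings.append((ts, account, resource, reason))
    return findings

if __name__ == "__main__":
    for finding in review(ACCESS_LOG, load_roster(ROSTER), ROLE_NEEDS):
        print(*finding)
```

An allowed request outside the role's need list points to an access control that is too broad, so the finding should lead to a policy fix as well as an investigation.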
Non-technical Steps versus Insider Threats
Non-technical means of security are equally effective in preventing insider threats. Employee dissatisfaction increases the risk of insider attacks. Good management practices in handling delicate situations, recognizing and rewarding employees, and looking after the well-being of employees all help in defusing potential insider threats. In a nutshell, happy employees are less likely to turn against their employers.
Trend Micro Solutions for ICS and SCADA
Trend Micro provides solutions which can be installed on networks that include ICS and SCADA devices to monitor the traffic to and from these systems. These solutions are good options for those devices which run non-standard operating systems or cannot support an agent.
- TippingPoint IPS is an appliance that can detect and block network traffic associated with vulnerabilities being exploited by threat actors targeting these ICS and SCADA devices.
- Deep Discovery and TippingPoint Advanced Threat Protection are appliances that can detect malicious traffic including command-and-control communications that may be found within these networks and associated with a breach. Unusual SCADA traffic can also be identified.
Trend Micro provides a variety of solutions which could be installed on ICS and SCADA devices.
- Deep Security includes virtual patching for known vulnerabilities associated with OS and applications that may be running on these devices. Application Control can allow the device to only run known and approved OS/applications on these devices. Malware can be detected and removed using multiple scanning technologies. Integrity Monitoring is able to quickly identify any unauthorized changes to critical files.
- OfficeScan includes a variety of technologies to detect and protect against malware as well as web reputation to detect malicious URLs and command-and-control communications. USB device control is also included.
- Trend Micro Vulnerability Protection supports detecting known vulnerabilities associated with OS and applications that may be running on these devices.
- Trend Micro Endpoint Application Control can allow the device to only run known and approved OS/applications on these devices by locking down the operating system or applications running.