In today’s competitive global market for commodities and manufactured goods, the reliance on natural resources for economic development and a fluctuating geopolitical climate have all made industries targets of cyber espionage campaigns, which may also be accompanied by disruptive and destructive cyber attacks. These espionage campaigns aim to ensure that interest groups have access to the latest technical knowledge and intelligence, helping them maintain a competitive advantage and thrive in a market-driven global economy. The access gained through cyber espionage is also used to prepare carefully planned strategic or retaliatory cyber attacks against a nation’s critical infrastructure.
Cyber attack and data breach prevention strategies should be an integral part of a business’s daily operations. Ultimately, no defense is impregnable against determined adversaries. The key principle of defense is to assume compromise and take countermeasures accordingly.
Cyber attacks and data breaches are inevitable, so effective alerting, containment, and mitigation processes are critical. In Defensive Strategies for Industrial Control Systems, we present recommendations for defending against attacks and breaches. We start with a framework for how ICS networks should be viewed, then discuss strategies for securing specific network-related components, include recommendations for working securely with third parties, and finally discuss how to deal with insider threats.
The Purdue Model for Control Hierarchy is a common and well-understood model in the manufacturing industry that segments devices and equipment into hierarchical functions.1 The International Society for Automation’s (ISA-99) Committee for Manufacturing and Control Systems Security identified the levels and logical framework shown as follows:
The framework identifies five zones and six levels of operations (Levels 0 through 5).2
Attacks against ICS environments cause not only business disruption or financial loss, as in traditional office-based environments, but can also result in injury, death, or even catastrophe, especially in the case of public service systems. Security teams must therefore assess ICS environments thoroughly to identify the different kinds and levels of risk and to deploy the corresponding safeguards. To help with this, Public Safety Canada has published a list of recommended best practices that organizations should follow in order to secure their ICS environments:3
Organizations regularly employ contractors and third-party vendors to provide goods and services such as equipment rental, catering, transportation, consultancy, and maintenance. Contractors in turn may hire sub-contractors, creating a challenging cyber ecosystem, especially when these vendors, contractors, and sub-contractors need access to the corporate network in order to fulfill their duties.
Partnerships expand opportunities, but they also increase cyber security risk. Threat actors have successfully compromised contractors and third-party vendors and used them as backdoor pathways into their targeted corporate networks. The retailer Target, for instance, suffered one of the largest credit card data breaches ever in November 2013; it was later found that the attackers broke into the network via a third-party HVAC vendor that had access to the corporate network.4 Most third-party vendors and contractors do not follow uniform cyber security policies and practices, which creates exploitable weaknesses in the operations chain, as the Target case shows. Seen from a “castle” perspective, IT collaboration means inviting partners across the traditional moat: not everyone inside is safe, and not everyone outside is dangerous.5
Collaborative network environments pose unique challenges for the IT team, which therefore needs to be involved from the initial planning and development stages so that it can assess risk and design appropriate IT solutions.6 If IT does not fully understand the terms and requirements of the partnership agreement, it may be limited to providing tactical solutions in an ad hoc manner. Lack of IT involvement in the planning and development stages also means that the resulting solutions may not meet the required compliance standards, and incorrectly granted access to digital assets increases the risk of security breaches that can violate contractual agreements with third parties.
New partnership considerations for IT include:7
Different partners will require different access privileges to project data, corporate data, applications, and so on, and IT needs to carefully set up digital boundaries to prevent security breaches via third parties who have access to the corporate network. Third-party access requests should be reviewed by IT, Legal, and the relevant business departments. IT solutions should be implemented rigorously, documented properly, and subjected to regularly scheduled compliance reviews and revalidation based on the assessed risks.
Risk assessment considerations include:8
An insider threat comes from trusted individuals, or persons of authority, who hold access privileges and abuse them to steal data. Motivations for insider threats include money, ideology, coercion, and ego; frequently more than one of these motives is at play. Dealing with insider threats is possibly one of the most difficult tasks a security team faces. Broadly speaking, prevention and mitigation techniques can be grouped into two categories: technical and non-technical.11
Technical steps to prevent insider attacks make use of established security best practices. Insider attacks should be prioritized in the same way as external attacks. And, as with external attacks, insider attacks cannot be prevented entirely, so the emphasis must be on detecting them as quickly as possible.
Monitoring and logging of activities, such as what data moves through the network and what leaves it, can be used to detect potentially suspicious behavior by insiders. The key principle of defense is to assume compromise, and this includes compromised insiders, for example an attacker using compromised user accounts to move through the corporate and ICS networks. Proper access controls should ensure that employees cannot access information they do not need for their day-to-day functions, and the credentials of employees who leave the organization should be disabled immediately to prevent security leaks.
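The third-party access boundaries described under the partnership considerations and the insider-detection controls described in this section share one mechanism: a record of who touched which resource, when, and how much data left the network, checked against what that account is entitled to. The following Python script is an added example (not code from the original article or from Trend Micro) of that checking logic. The log format, the role-to-resource directory, the disabled-account register, the corporate address prefix and the spike factor are all constructed for illustration; it flags use of an account after its disable date, access to a resource outside the account's role, and egress that is either far above the user's own history or bound for a non-corporate destination.

```python
"""Insider / third-party access review over constructed transfer logs."""
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample log: one line per data transfer observed at the egress point.
# Fields: date user role resource bytes_out destination
SAMPLE_LOG = """\
2023-03-01 alice engineer plc-configs 120000 10.0.5.20
2023-03-01 bob hvac-vendor bms-portal 30000 10.0.9.4
2023-03-02 alice engineer plc-configs 110000 10.0.5.20
2023-03-02 carol finance erp 40000 10.0.7.7
2023-03-03 alice engineer plc-configs 3400000 203.0.113.45
2023-03-03 bob hvac-vendor erp 50000 10.0.7.7
2023-03-04 dave engineer plc-configs 90000 10.0.5.20
"""

# Constructed directory: which resources each role needs for its day-to-day work.
ROLE_RESOURCES = {
    "engineer": {"plc-configs", "historian"},
    "hvac-vendor": {"bms-portal"},
    "finance": {"erp"},
}

# Constructed register: accounts that should have been disabled after this date
# (leavers, or contractors whose engagement ended).
DISABLED_AFTER = {"dave": date(2023, 3, 3)}

CORP_PREFIX = "10.0."   # assumed corporate address range for this example
SPIKE_FACTOR = 5        # egress above 5x the user's own average is suspicious


def parse_log(text: str) -> List[Dict]:
    """Parse the whitespace-separated log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, role, resource, nbytes, dest = line.split()
        events.append({
            "date": date.fromisoformat(day), "user": user, "role": role,
            "resource": resource, "bytes_out": int(nbytes), "dest": dest,
        })
    return sorted(events, key=lambda e: e["date"])


def find_disabled_account_use(events, disabled_after=DISABLED_AFTER):
    """Activity by an account after the date it should have been disabled."""
    return [e for e in events
            if e["user"] in disabled_after and e["date"] > disabled_after[e["user"]]]


def find_out_of_role_access(events, role_resources=ROLE_RESOURCES):
    """Access to a resource the account's role has no day-to-day need for."""
    return [e for e in events
            if e["resource"] not in role_resources.get(e["role"], set())]


def find_egress_anomalies(events, factor=SPIKE_FACTOR, corp_prefix=CORP_PREFIX):
    """Transfers far above the user's prior average, or to a non-corporate host.

    The baseline is built from the user's earlier events only, so the first
    event of a user can only be flagged on destination, not on volume.
    """
    flagged = []
    history = defaultdict(list)
    for e in events:
        prior = history[e["user"]]
        spike = bool(prior) and e["bytes_out"] > factor * (sum(prior) / len(prior))
        external = not e["dest"].startswith(corp_prefix)
        if spike or external:
            flagged.append(e)
        prior.append(e["bytes_out"])
    return flagged


def review(text: str) -> Dict[str, List[Dict]]:
    """Run all three checks and return the alerts grouped by check name."""
    events = parse_log(text)
    return {
        "disabled_account_use": find_disabled_account_use(events),
        "out_of_role_access": find_out_of_role_access(events),
        "egress_anomalies": find_egress_anomalies(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        for e in hits:
            print(f"{check}: {e['date']} {e['user']} ({e['role']}) "
                  f"{e['resource']} {e['bytes_out']}B -> {e['dest']}")
```

On the constructed sample this reports dave's activity the day after his disable date, the HVAC vendor account reaching the ERP system it has no business need for, and alice's 3.4 MB transfer to an external address that is also thirty times her prior average. Each check maps to one sentence of the text: the leaver whose credentials were not disabled, the access control that was not scoped to the role, and the data leaving the network.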
Non-technical means of security are equally effective in preventing insider threats. Employee dissatisfaction increases the risk of insider attacks. Good management practices in handling delicate situations, recognizing and rewarding employees, and looking after the well-being of employees all help defuse potential insider threats. In a nutshell, happy employees are less likely to turn against their employers.
Trend Micro provides solutions that can be installed on networks containing ICS and SCADA devices to monitor the traffic to and from these systems. These are good options for devices that run non-standard operating systems or cannot support an agent.
Trend Micro also provides a variety of solutions that can be installed directly on ICS and SCADA devices that do support an agent.