For security teams, monitoring the security status of an IT network is common practice, while the routers, switches, and gateways of industrial networks go largely unchecked. Fortunately, this is changing. With the rapid increase in cybersecurity incidents affecting industrial control systems (ICS), more and more organizations are adopting ICS security programs to keep their operations running and their people safe. If your organization plans to develop its own ICS security program (or is already underway), here are four foundational elements to help you build the most effective program possible.
1. Getting Started
- Establish executive buy-in. The most effective ICS programs are administered from the top down. Having the Board and Senior Executive Leadership understand the risks to business assets and give their support is crucial.
- Understand regulatory requirements. In critical infrastructure industries, regulatory requirements often drive behavior and mandate certain requirements from a security perspective.
- Involve external help. While your organization may have very effective, smart people on both the IT and OT sides of the house, external help can provide much needed subject matter expertise and act as an arbiter when internal teams disagree.
- Involve major internal groups. When addressing physical and safety challenges to your ICS assets, major groups such as corporate communications; health, safety & environmental; and government relations are already involved. Make sure they are also involved in your cybersecurity
- Don’t work in silos without oversight. Quite often you can divvy up tasks between IT and OT, but you will need someone with authority to oversee the initiative.
- Don’t think compliance equals security. Enterprise IT has repeated this mantra for years, but the OT side of the house is still more accustomed to assuming that a compliant system is also a secure one, which is not the case.
- Don’t ignore cross-contamination risks. Just because you see something on your OT network that is more targeted at enterprise IT, or vice versa, don’t ignore the risk. We have found that because the IT and OT worlds are closely married for business reasons, a risk on one side of the fence can quickly propagate to the other.
2. Taking Inventory
- Incorporate data inputs from known systems. At a macro level, most companies have a good understanding of what systems they have in the field. However, at a micro level, the picture becomes less clear. It is critical all systems get cataloged.
- Provide a system for multiple business units to add inputs. There may be infrastructure dependencies that can be mapped by business units more effectively than by other organizations in your environment. Ensure they can get their information into the catalog.
- Use passive monitoring tools to collect information. Quite often you cannot put sensors or agents directly on lower level systems, but there are newer technologies that passively observe network traffic (for example from a mirror port) and extract device and configuration data from it into your system of record, without sending a single packet to the controller.
- Update information regularly. We advocate you have a system where data inputs happen in real-time. If that is not available, at least adopt a process where assets and dependencies are updated regularly.
- Don’t leave out vendors as a source of information. Vendors can give you infrastructure and dependency information that is difficult to find elsewhere.
- Don’t use static data systems. Spreadsheets quickly become outdated or untrusted because of version control issues. A more reliable approach is a dynamic system of record that many people can update and that every other control (monitoring, advisory matching, change management) reads from.
- Don’t leave your data system unsecured. Your catalog includes your organization’s most important systems; it would be catastrophic if it fell into the wrong hands. Make sure you have the proper identity and access management controls in place.
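The inventory steps above, pulled together as an added example that is not part of the original article or any vendor product: passively observed flows populate a SQLite catalog (instead of a spreadsheet), business units and vendors attach what they know, and two queries flag assets that have gone quiet and assets nobody has ever seen on the wire. The flow records, IP addresses, port-to-protocol mapping and business-unit names are constructed for the example.

```python
"""Asset catalog for an ICS network, built from passive observations plus
business-unit and vendor input, stored in SQLite rather than a spreadsheet.
Example code, not from the article or any product. All input data is constructed."""
import sqlite3
from datetime import datetime, timedelta

# Assumption: traffic *to* one of these ports marks the receiver as a controller
# and the initiator as a master/HMI/engineering station.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records as a passive sensor on a SPAN/mirror port might emit:
# (UTC timestamp, src MAC, src IP, dst IP, dst port). No device is ever probed.
FLOWS = [
    ("2024-05-01T08:00:00Z", "00:1d:9c:aa:01:01", "10.20.1.10", "10.20.1.50", 502),
    ("2024-05-01T08:00:05Z", "00:1d:9c:aa:01:01", "10.20.1.10", "10.20.1.51", 502),
    ("2024-05-01T08:01:00Z", "00:1d:9c:aa:02:02", "10.20.1.11", "10.20.1.60", 44818),
    ("2024-05-20T09:00:00Z", "00:1d:9c:aa:01:01", "10.20.1.10", "10.20.1.50", 502),
    ("2024-05-20T09:00:10Z", "00:1d:9c:aa:03:03", "10.20.1.12", "10.20.1.70", 102),
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS assets (
    ip         TEXT PRIMARY KEY,
    mac        TEXT,
    role       TEXT,          -- 'controller' or 'master' (inferred) or NULL
    protocol   TEXT,          -- ICS protocol observed, if any
    details    TEXT,          -- free text supplied by a business unit or vendor
    sources    TEXT NOT NULL, -- comma-separated: passive, vendor, bu:<name>
    first_seen TEXT,          -- first passive observation
    last_seen  TEXT           -- latest passive observation (NULL = never seen)
);
"""

def open_catalog(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def _observe(conn, ip, mac, role, protocol, ts):
    """Record one passive sighting; an older record never overwrites a newer one."""
    conn.execute(
        """INSERT INTO assets (ip, mac, role, protocol, sources, first_seen, last_seen)
           VALUES (?, ?, ?, ?, 'passive', ?, ?)
           ON CONFLICT(ip) DO UPDATE SET
             mac        = COALESCE(excluded.mac, assets.mac),
             role       = COALESCE(assets.role, excluded.role),
             protocol   = COALESCE(assets.protocol, excluded.protocol),
             sources    = CASE WHEN instr(assets.sources, 'passive') > 0
                               THEN assets.sources ELSE assets.sources || ',passive' END,
             first_seen = MIN(COALESCE(assets.first_seen, excluded.first_seen), excluded.first_seen),
             last_seen  = MAX(COALESCE(assets.last_seen, excluded.last_seen), excluded.last_seen)""",
        (ip, mac, role, protocol, ts, ts),
    )

def ingest_flows(conn, flows):
    """Both ends of an ICS-protocol flow become catalog entries."""
    for ts, src_mac, src_ip, dst_ip, dst_port in flows:
        proto = ICS_PORTS.get(dst_port)
        if proto is None:
            continue  # not an ICS protocol; out of scope for this catalog
        _observe(conn, src_ip, src_mac, "master", proto, ts)
        _observe(conn, dst_ip, None, "controller", proto, ts)
    conn.commit()

def add_business_input(conn, ip, source, details):
    """Let a business unit or vendor attach what they know about an asset."""
    conn.execute(
        """INSERT INTO assets (ip, details, sources) VALUES (?, ?, ?)
           ON CONFLICT(ip) DO UPDATE SET
             details = excluded.details,
             sources = CASE WHEN instr(assets.sources, excluded.sources) > 0
                            THEN assets.sources ELSE assets.sources || ',' || excluded.sources END""",
        (ip, details, source),
    )
    conn.commit()

def stale_assets(conn, now_iso, max_age_days=7):
    """Passively seen assets that have gone quiet (decommissioned? sensor gap?)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    cutoff = (now - timedelta(days=max_age_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = conn.execute(
        "SELECT ip FROM assets WHERE last_seen IS NOT NULL AND last_seen < ?", (cutoff,))
    return sorted(r[0] for r in rows)

def never_observed(conn):
    """Assets someone catalogued that the sensor has never seen on the wire."""
    return sorted(r[0] for r in conn.execute("SELECT ip FROM assets WHERE last_seen IS NULL"))

def build_demo_catalog():
    conn = open_catalog()
    ingest_flows(conn, FLOWS)
    add_business_input(conn, "10.20.1.50", "bu:utilities", "Boiler 3 PLC, vendor contract 2019")
    add_business_input(conn, "10.20.1.99", "vendor", "Historian listed in vendor drawings")
    return conn

if __name__ == "__main__":
    conn = build_demo_catalog()
    for row in conn.execute("SELECT ip, role, protocol, sources, last_seen FROM assets ORDER BY ip"):
        print(row)
    print("stale:", stale_assets(conn, "2024-05-21T00:00:00Z"))
    print("never observed:", never_observed(conn))
```

The two reports are the point of a living catalog: an asset that was seen daily and then went silent needs a human to confirm whether it was decommissioned or whether the sensor lost visibility, and an asset a business unit or vendor insists exists but that never appears on the wire is either a coverage gap or a stale record. Neither question can be asked of a spreadsheet. Apply the access controls the last item above calls for to this database as you would to any other system of record.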
3. Assessing & Testing Your ICS Environment
- Use a common framework as a measuring stick. Several common frameworks are available, such as the NIST 800 series and the 20 Common Controls for ICS, and they are a smart starting point for your journey.
- Interview and build response plans. When you interview personnel, build response plans based off the equipment they have and the various attack vectors that can be used to reach them.
- Utilize labs, vendors and 3rd parties for testing. Typically, operational systems cannot be tested directly because they need near-continuous uptime, or because testing them directly could cause damage. Therefore, use an outside party to create test scenarios and ranges on representative equipment to properly vet your systems.
- Use common methodologies and teams across assets/locations. Often global organizations use a local provider for vulnerability assessments and testing. While this approach is effective and typically low cost, different vendors tend to use different methodologies which prevents an organization from seeing their entire network through a common lens. Ideally, you should use a common methodology, and if available, a common team to test and assess your systems across all locations.
- Don’t test unannounced. Most of your systems cannot be tested directly, but where they can, alert operations personnel ahead of time so that an alarm or upset caused by the test is not mistaken for a real incident, or vice versa.
- Don’t assume frameworks cover everything. While there are many great frameworks available, you want to use a blended approach across different information systems to provide a comprehensive framework in your ICS environment.
- Don’t use deduction as a shortcut. Many organizations have similar facilities across the globe, and it is tempting to test one and assume all other similar facilities would be protected. We have found while performing assessment tests for a global oil and gas company, that despite the commonalities across an environment there are significant differences at the micro level that could introduce risk to the overall organization.
4. Monitoring Assets
- Acquire technology. Use solutions that continuously monitor your assets against an approved baseline and enforce change management and best practices.
- Provide access to data to both IT and OT groups. Both organizations are very important in the cybersecurity battle.
- Understand vendor rules on warranties. Quite often vendors have issues with having sensors installed on their equipment. Make certain you do not implement something that would void a warranty.
- Consider how to deploy and centralize. While complex ICS networks can often be joined to a certain degree, you should still determine how to move data across them and into the right hands.
- Don’t rely on tools only. It is very common to deploy a technology and then set it and forget it. While it may help, it is still a tool. Plan to periodically manually review and certify all your assets.
- Don’t leave out vendor and 3rd party notification. Incorporate these types of vulnerability notifications into your data set so that at any given moment, as new threats come out, you know which systems could be affected and how to mitigate the threat.
- Don’t ignore alerts. Use tools that give you real-time situation awareness so you can remedy any threat or change in real-time.
- Don’t hide behind exceptions. We see a lot of companies that are worried about putting security controls around their highest revenue-producing assets put those assets on an exception report and ignore them. We recommend you do not hide behind exceptions and instead develop a solution that works for everyone.
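Two of the monitoring items above (enforcing change management, and correlating vendor notifications with the asset data set) are shown below as an added example, not code from the original article or from any product. It compares a controller's current settings against an approved baseline and reports exactly which settings drifted, and it matches constructed vendor advisories against the inventory by normalised vendor/product name and a proper numeric firmware comparison. The asset identifiers, vendor names, advisory IDs and settings are all made up for the example.

```python
"""Two monitoring checks over an ICS asset catalog: configuration drift against
an approved baseline, and vendor advisories matched to affected firmware.
Example code, not the article's or any product's; all data is constructed."""
import hashlib
import re

# Constructed inventory: what the catalog knows about each controller.
ASSETS = [
    {"id": "PLC-BOILER-3", "vendor": "Acme Controls", "product": "AC-500", "firmware": "2.4.1",  "site": "Plant A"},
    {"id": "PLC-PUMP-1",   "vendor": "ACME CONTROLS", "product": "AC-500", "firmware": "2.6.0",  "site": "Plant B"},
    {"id": "RTU-SUB-7",    "vendor": "Acme Controls", "product": "RT-20",  "firmware": "1.9.12", "site": "Plant A"},
]

# Constructed vendor advisories: every firmware below fixed_in is affected.
ADVISORIES = [
    {"id": "ACME-2024-001", "vendor": "Acme Controls", "product": "AC-500", "fixed_in": "2.5.0",
     "mitigation": "Upgrade to 2.5.0 or later, or restrict TCP/502 to the engineering subnet"},
    {"id": "ACME-2024-002", "vendor": "Acme Controls", "product": "RT-20", "fixed_in": "1.9.12",
     "mitigation": "Upgrade to 1.9.12"},
]

# Constructed approved baseline (what change management signed off) and the
# current snapshot a monitoring tool pulled from the same controller.
BASELINE = {
    "PLC-BOILER-3": {"mode": "RUN", "web_server": "off", "password_protect": "on", "fw_version": "2.4.1"},
}
CURRENT = {
    "PLC-BOILER-3": {"mode": "RUN", "web_server": "on", "password_protect": "on", "fw_version": "2.4.1"},
}

def version_key(v):
    """'2.10.0' -> (2, 10, 0), so 2.10 sorts after 2.9 (a string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def norm(s):
    """Vendor and product names arrive in inconsistent case and spacing; normalise before matching."""
    return " ".join(s.lower().split())

def affected_assets(assets, advisories):
    """Map advisory id -> sorted asset ids whose firmware is below the fixed version."""
    hits = {}
    for adv in advisories:
        fixed = version_key(adv["fixed_in"])
        matched = [a["id"] for a in assets
                   if norm(a["vendor"]) == norm(adv["vendor"])
                   and norm(a["product"]) == norm(adv["product"])
                   and version_key(a["firmware"]) < fixed]
        hits[adv["id"]] = sorted(matched)
    return hits

def fingerprint(settings):
    """Stable SHA-256 over sorted key=value lines, so snapshots can be compared and stored compactly."""
    canon = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canon.encode()).hexdigest()

def config_drift(baseline, current):
    """Return {asset_id: [(setting, approved, observed), ...]} for every asset whose snapshot changed."""
    drift = {}
    for asset_id, approved in baseline.items():
        observed = current.get(asset_id)
        if observed is None:
            drift[asset_id] = [("<asset>", "present", "missing")]  # baselined asset not in the snapshot
            continue
        if fingerprint(approved) == fingerprint(observed):
            continue  # fast path: identical configuration
        keys = sorted(set(approved) | set(observed))
        drift[asset_id] = [(k, approved.get(k), observed.get(k))
                           for k in keys if approved.get(k) != observed.get(k)]
    return drift

if __name__ == "__main__":
    for adv_id, ids in affected_assets(ASSETS, ADVISORIES).items():
        print(adv_id, "affects", ids or "nothing in inventory")
    for asset_id, changes in config_drift(BASELINE, CURRENT).items():
        print(asset_id, "drifted:", changes)
```

Two details carry the lesson. The asset running exactly the fixed firmware (RTU-SUB-7 at 1.9.12) is correctly not reported, while a naive string comparison would misorder versions such as 2.10 and 2.9. And a drift report that names the changed setting (here the controller's web server turned on) is something an operator can act on, where a bare "hash mismatch" alert is the kind that gets ignored.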
Solutions to Protect Your ICS Environment
Leidos offers comprehensive security services and technologies to ensure an adaptive defense strategy and mature security posture for ICS environments. Our Industrial Defender Automation Systems Manager® (ASM) is the only platform to offer applications specifically engineered to address the overlapping requirements of cybersecurity, compliance, and change management in one dashboard.
Contact us to talk to one of our ICS experts today.