An ICS Security Checklist
In traditional cybersecurity, a breach can expose, corrupt or even hold enterprise data systems captive.
While a traditional data breach can cost money and debilitate enterprise IT systems, a cyberattack on industrial control systems can affect mission-critical data and operations. Given that industrial control systems control everything from nuclear power plants to refineries, power grids, factories and heavy equipment, ICS security is vital.
While IT systems are hardware and software in traditional enterprise settings, industrial control systems—sometimes known as operational technology (OT)—encompass devices, systems and networks that operate and/or automate industrial processes.
Here, we offer a set of ICS security principles to help industry professionals lower their cybersecurity risk.
1. Understand Your Assets
Most industrial organizations aren’t ready for advanced cybersecurity techniques. They should start with the basics. “Most organizations don’t know what technology they’ve got deployed,” said Bill Malik, vice president of infrastructure strategies at Trend Micro.
Part of the challenge is the fact that operational technology assets often differ from IT assets, said Jason Haward-Grau, chief information security officer at PAS. A server in a data center, for instance, is an IT asset. But a system in a server room at a plant is a “capability that gets you to an asset,” he added. “It will run a control system for PLCs [programmable logic controllers], SCADA [supervisory control and data acquisition] or DCS [distributed control system] systems.”
So counting servers, IP addresses or networking switches won’t capture the full picture. “There are a ton of [industrial] systems that aren’t on a formal network,” Haward-Grau said. Another challenge is aging equipment. “There is still technology from the 1960s and 1970s at the core of many plants,” he added.
While in the enterprise performing a vulnerability assessment or establishing an asset inventory is generally straightforward, those same actions in the world of OT and ICS usually aren’t. Doing an inventory check “in the OT environment could bring a device or a whole environment down,” said Sean Peasley, Deloitte risk and financial advisory partner and IoT security leader. Specialist ICS security vendors can make an inventory of devices passively, he said.
2. Look to Frameworks for Help
Securing industrial infrastructure may be challenging, but there is a growing body of standards that can help. Having a common framework that includes cybersecurity can bridge the gap between IT and OT and foster “a holistic mindset” across an industrial organization, Peasley said.
There is considerable overlap between most ICS standards, Haward-Grau said. “Start with a framework. I don’t care which one,” he advised.
Relevant standards and frameworks include the following:
- The DHS Strategic Principles for Securing the Internet of Things
- ISA/IEC 62443
- ISO/IEC 27001
- MITRE ATT&CK Framework for Industrial Control Systems
- NERC CIP
- NIST Cybersecurity Framework, NIST Guide to Industrial Control Systems (ICS) Security and NIST Recommendations for IoT Device Manufacturers
- UL 2900 standards
3. Have a Cyber Disaster Recovery Plan
While cybersecurity standard documents are often dense, at the end of the day, a framework should enable staff to discuss cybersecurity in plain English and give them a plan for how to respond to cyber-nightmare scenarios. “[With] frameworks, we are talking about, ‘How do I identify and protect things? How will I detect, respond and, more importantly, recover from [cyberattacks]?’” Haward-Grau said.
4. Invest in Cyberinsurance
Because of the losses cyberattacks can cause, cyberinsurance is invaluable. Purchasing insurance, however, is not straightforward. Legacy industrial equipment is commonplace, so it makes more sense to insure industrial processes rather than specific technology, according to Haward-Grau. “If I have stuff I can’t patch, the cyber-insurer is going to look for compensating controls,” he said. Even with a robust cybersecurity program in place, there may be other exclusions in the insurance policy to note.
5. Embrace ‘Least Privilege’
In cybersecurity, the “least privilege” concept counsels that an organization should limit access between IT systems and users to what is needed, without compromising core activities.
Firewalls are a traditional IT-based strategy to accomplish this goal, but they are vital in OT security as well. “Consider how malware might spread across a production facility, and set up firewalls,” Malik said. To avoid potential interference, white-list allowable processes.
There’s more to “least privilege” than firewalls, said David Goldstein, CEO of AssetLink Global. For instance, Goldstein recommended “limiting traffic in directions that are not needed for the application. If you are monitoring only, disable the ability to control, and so forth.”
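To make Goldstein’s “if you are monitoring only, disable the ability to control” rule concrete, here is an added Python example (not from the article or any of the vendors quoted in it) that parses Modbus/TCP requests and applies a monitor-only policy: read function codes are allowed, write function codes and malformed frames are dropped. The sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that only read process data versus those that change it.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}          # read coils/inputs/registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}    # write coils/registers, mask write, read/write


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # MBAP length counts the unit id plus the whole PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def monitor_only_policy(frame: bytes) -> tuple:
    """Return (verdict, reason) for one frame under a monitor-only (read-only) policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("DROP", f"malformed: {exc}")
    if req.function_code in READ_ONLY_FUNCTIONS:
        return ("ALLOW", f"read function {req.function_code} to unit {req.unit_id}")
    if req.function_code in WRITE_FUNCTIONS:
        return ("DROP", f"write function {req.function_code} to unit {req.unit_id}")
    return ("DROP", f"unlisted function {req.function_code}")


# Constructed sample frames (hypothetical, not captured traffic).
SAMPLES = {
    "read_holding_regs": bytes.fromhex("00010000000601030000000a"),  # FC 3, 10 regs
    "write_single_reg": bytes.fromhex("000200000006010600100001"),   # FC 6, reg 16
    "truncated": bytes.fromhex("0003000000"),                        # too short
}


def classify_samples() -> dict:
    """Apply the policy to every sample and return name -> verdict."""
    return {name: monitor_only_policy(frame)[0] for name, frame in SAMPLES.items()}
```

In a real deployment this logic would sit in an industrial firewall or deep-packet-inspection proxy between the monitoring network and the control segment, not on the controller itself.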
Remote access is another worry. “Use unique IDs for maintenance tasks,” Malik said. “When accessing technology over IP networks in an industrial environment, require unique authentication by each user.”
The use of a generic PC in an ICS environment is also a risk. “Lock it down. Disable installs, remove compilers and disable any unknown or unnecessary processes,” Malik said.
6. Consider a Bug Bounty Program
Bug bounty programs—where a reward is given to developers who identify system vulnerabilities—have gained popularity in recent years, including in industrial contexts. “Bug bounty programs are a hallmark of forward-thinking IoT and industrial IoT vendors,” Malik said.
“The whole digitalization journey is going to change how plants operate,” Haward-Grau said. “If you start introducing IIoT devices and 5G, you will need bug bounties.”
But that doesn’t mean it makes sense to prioritize bug bounties in every case. An organization with decades-old equipment and workstations running unpatched or outdated operating systems would likely find the results of a bug-bounty program overwhelming.
7. Manage Third-Party Risk
Third-party risk management programs are of increasing importance in the OT realm, Peasley said. But managing risk across an extended supply chain is often challenging, he stressed. “For large companies, there might be thousands of different third-, fourth-, and fifth-parties that they have to consider,” he said. “Whether it’s a supplier that embeds something into a subcomponent or ... a software product, all of those need to be considered,” Peasley added.
8. Take Inspiration from Safety Programs
Many industrial organizations have had safety programs in place for decades. Now that cybersecurity threats can cause safety-related threats, “we need to have a similar mentality around security,” Peasley said.
The idea has gained ground. The American Institute of Chemical Engineers, for instance, recommends integrating cybersecurity considerations into traditional process hazard analysis, which traditionally focuses on the risk of human error, equipment failure and the like in chemical engineering facilities.
One strategy to protect industrial facilities from potential disaster is the use of safety instrumented systems. But such systems themselves can be vulnerable to compromise, Malik said. And retrofitting security functionality into existing safety instrumented systems is not advisable, according to Malik. “You would be building infrastructure on top of a platform that was never designed to be cybersecure,” he said.
While Haward-Grau acknowledged that safety-instrumented systems are imperfect, he stressed that they are a vital defense. “As we start to expand operations, and we connect more things, the need for more effective safety-instrumented systems is not going to go away by any stretch. They are going to become more important.”