Getting Started on ICS and SCADA Security (Part 2 of 2)
Last week I discussed the first steps to take when getting started on improving ICS and SCADA security in your facility. Those steps included:
- Step 1 - Conducting a Security Risk Assessment,
- Step 2 - Learning Industrial Cyber Security Fundamentals, and
- Step 3 - Understanding the Unique Requirements of ICS and SCADA Cyber Security.
This week I discuss the remainder of the process.
Step 4 - Vulnerability Analysis
The next step is a Vulnerability Analysis. Now that we understand the risks, what are the key vulnerabilities in our processes, equipment and software?
For example:
- Does my company need to worry about the Siemens PLC security flaws that were exposed in early August?
- If my HMIs or programming stations use Adobe Reader software, are all the copies in the plant patched for all the new vulnerabilities that can turn a PDF into a piece of malware?
- If a consultant shows up with an infected laptop, is there a process that will detect it before it is connected to a process network?
- Are there unsecured modems connected to programming stations on the plant for remote support?
This sort of analysis is the most complex portion of a security program. It requires:
- An understanding of the actual plant network architecture,
- A detailed inventory of data, equipment and software (assets),
- A clear grasp of company policy/processes, and
- A solid knowledge of the current security threats.
Vulnerability analysis tools such as Nessus can help, but they must be used only once their potential risk to the plant floor is assessed and is determined to be negligible. Such an assessment requires a person or people with solid ICS / SCADA security experience.
Another challenge with scanning tools is that the amount of data collected can be large and difficult to sort in terms of priority. Modeling tools can help make sense of the information. Two older papers that can help inform you about modeling tools are provided at the end of this article. As well, look at the Microsoft Threat Modeling Tool – while it is designed for software analysis, we have used it successfully in the past for system assessment.
Again, a few companies have the internal skills and tools to do this sort of analysis, but most need the help of a specialist team like exida to do a really thorough job.
I need to stress that performing the Vulnerability Assessment before the Risk Assessment is complete is a bad idea. The Risk Assessment is needed for defining priorities and focusing efforts when you find vulnerabilities. If you do the Vulnerability Assessment first, or before the Risk Assessment is complete, you are in danger of misallocating your resources and not properly addressing high risk items.
Steps 5 and 6 – The Security Architecture / Mitigation Strategy
This is where you start getting into the details and technologies. You will now design your security architecture and select specific security technologies and practices to achieve your security goals. The ISA-99/IEC-62443 zone and conduit models are a great place to start for architectures. I have written lots on this before (see links at the end of this article), so I won’t go into more detail here.
As for security technologies, these might include:
- Patch management processes and products
- Anti-Virus policies and technologies
- Access control policies and technologies
- Industrial firewalls for SCADA / ICS traffic management
- VPN technologies to secure traffic over networks like the enterprise network or the Internet
- Security incident event monitoring (SIEM) tools
This list can get long, but the above covers the main technologies currently used in modern SCADA and ICS systems. Again, prioritize by risk, which is a function of probability and consequence.
For example, if your company uses a Safety Instrumented System (SIS), that is a system with very nasty consequences if things go wrong. The SIS is likely a good place to start your security mitigation strategy, rather than a data historian server. On the other hand, if your vulnerability analysis indicates your plants are filled with unpatched Windows NT computers, perhaps the probability of an incident is the driving factor. Only a proper risk analysis can guide this priority setting.
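To make the "prioritize by risk" rule from Step 4 and Steps 5/6 concrete, here is an added example (not from the original article or from exida/Tofino) that ranks vulnerability findings by probability times consequence. The consequence classes, exposure weights and sample findings are all constructed assumptions; a real program would take the consequence ratings from its own Risk Assessment.

```python
from dataclasses import dataclass, field

# Consequence ratings would come from the Step 1 Risk Assessment; the 1-5
# scale and the impact class names are constructed for this example.
CONSEQUENCE = {"safety": 5, "production": 3, "information": 1}

# Exposure factors that raise the probability of an incident. The weights are
# illustrative assumptions, not values from the article or any standard.
EXPOSURE_WEIGHTS = {
    "unpatched": 2,             # known vulnerability, patch not applied
    "remote_modem": 2,          # unsecured dial-in / remote support path
    "enterprise_reachable": 1,  # no zone/conduit separation from the IT network
    "removable_media": 1,       # consultant laptops, USB sticks get plugged in
}

@dataclass
class Finding:
    asset: str
    impact_class: str                        # key into CONSEQUENCE
    issue: str
    exposures: list = field(default_factory=list)

def likelihood(f: Finding) -> int:
    """Probability estimate on a 1-5 scale derived from the exposure factors."""
    score = 1 + sum(EXPOSURE_WEIGHTS[e] for e in f.exposures)
    return min(score, 5)

def risk_score(f: Finding) -> int:
    """Risk = probability x consequence, the article's prioritisation rule."""
    if f.impact_class not in CONSEQUENCE:
        # Finding refers to an asset the Risk Assessment never rated: stop,
        # rather than silently ranking it as low risk.
        raise ValueError(f"{f.asset}: impact class {f.impact_class!r} not in risk assessment")
    return likelihood(f) * CONSEQUENCE[f.impact_class]

def prioritise(findings):
    """Highest risk first; ties broken by consequence so safety assets win."""
    return sorted(findings,
                  key=lambda f: (risk_score(f), CONSEQUENCE[f.impact_class]),
                  reverse=True)

# Constructed findings mirroring the article's own examples.
SAMPLE = [
    Finding("Historian-01", "information", "Adobe Reader unpatched", ["unpatched", "enterprise_reachable"]),
    Finding("SIS-Logic-Solver", "safety", "engineering port reachable", ["enterprise_reachable"]),
    Finding("HMI-03", "production", "Windows NT, no patches", ["unpatched", "removable_media"]),
    Finding("Eng-Station-02", "production", "dial-in modem for remote support", ["remote_modem", "unpatched"]),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):2d}  {f.asset:18s} {f.issue}")
```

Note that the historian finding ends up last even though it has the same likelihood as the unpatched HMI, because its consequence rating is low; the SIS ranks above it despite a lower likelihood.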
While you are doing all this work, don’t forget to involve your vendors. First, demand secure products from your vendors. Also ask for guidance and best practice documents. Many of the vendors have created useful guidelines on what works from a security point of view without impacting their systems.
Strategic Assessment and Planning is the Way to Go
While the steps described for “getting started” are not exactly “fast and easy” measures to take, they will lead to better cyber security and will avoid wasting resources on the wrong initiatives or technologies.
If it is not possible for you to drive this process for your organization, then apply these principles within your sphere of responsibility and influence, and be an advocate for a plant or organization level plan.
The bad guys are focusing on ICS and SCADA systems like never before. Make sure your facility does not lose production or create a safety incident by having a solid cyber security program in place.
Related Content to Download
"Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"
(overview presentation on the fundamentals of the ANSI/ISA-99 Standards)
Related Links
Tofinosecurity.com resources re: Modeling Tools:
- Comparing Electronic Battlefields: Using Mean Time-to-Compromise as a Comparative Security Metric
- Industrial Cybersecurity For Power System And SCADA Networks
Other resources:
Practical SCADA Security Articles about using Security Zones:
- Controlling Stuxnet – No More Flat Networks PLEASE. Let's Embrace "Security Zones"
- Using Tofino Security to Control Stuxnet - New Application Note
(includes a section and a diagram on dividing control networks into security zones)