Sunday, January 26, 2025
Most Important Consideration for Industrial Control System(ICS) Cyber Defense


It is an extremely challenging task to identify and successfully deploy an innovative, never-seen-before defense solution for an Industrial Control System (ICS).

When searching for an ICS expert you will meet engineers who know Programmable Logic Controller (PLC), Remote Terminal Unit (RTU) and Human Machine Interface (HMI) programming, but if you count the experienced ICS cyber experts you will find just a few in each country.

ICS Cyber Defense Experts:

  • Cyber defense experts come from elite army units, top-level universities, colleges providing certifications, large financial institutions or government departments, where they are responsible for data confidentiality.
  • So who can professionally guide pharmaceutical or food producers, water supply, power plant and refinery operators, and other operators of critical infrastructure in deploying strong ICS cyber defense?

ICS-Cyber experts Vs IT Security Experts:

  • When I ask IT people how they define cyber defense, they reply with the famous C-I-A, and this is fine.
  • When I ask ICS engineers the same question, I get the same words but in a different order, such as I-A-C.
  • When ICS cyber experts hear these answers, they get concerned, because applying these words to ICS indicates incorrect thinking.
  • Although some experts may have a different view, I personally vote for “S-R-P”, meaning: Safety, Reliability, and Productivity.

ICS-Cyber Challenges:

  • After defining S-R-P, it is important to clarify the specific challenges related to ICS cyber defense.
  • Customers usually consider “cyber attack risk” as the key challenge, but I would rather expand this term to three areas, all of which must be properly addressed in order to select an ICS-oriented, high-quality, long-lasting and cost-effective solution.

a) Control component failure:

  • A proper cyber defense architecture must deal with detecting and defending the ICS in case of a sensor failure, a PLC hardware problem, an unusual software bug, etc.
  • When any of these happens, the operator will see unstable behavior, which can easily be misinterpreted as a cyber attack.

b) Incorrect action by an authorized serviceman:

  • We have seen situations where a control engineer dispatched on site deploys a configuration change or a wiring change that does not exactly follow the instructions he received.

c) Cyber attack:

  • An internally generated cyber attack, which may follow a physical perimeter breach, or an externally generated attack, which may start with social engineering that compromises the behavior of a loyal employee. This is sad, but it can happen!
  • Upon presenting the key challenges and the visible risks of cyber attacks, every customer and system operator will be curious to learn about effective defense solutions.
  • Consequently, the CISO of that organization will suddenly become concerned, and you will see him rushing to get a budget for upgrading their system and the physical perimeter defense as fast as possible.

Solutions to be considered:

  • It is important to repeat the well-known slogan “there is no silver bullet”, so versatile cyber defenses (Defense in Depth) are required.
  • I cannot list here all the solutions that have been introduced by talented cyber engineers, startups and respected vendors.
  • I’ll mention just a few, and give you a brief picture of what can be considered a strong enough and affordable risk mitigation and cyber defense for your specific ICS.

Physical and electronic security:

  • Cyber defense experts correctly claim that if you cannot assure physical security by supervising and monitoring the people on the production floor, in the control room and in the area where your communication cables are installed, you should not even consider investing in cybersecurity.
  • Physical security is a mandatory precondition (!).

Zoning and segmentation:

  • We often see an ICS which looks like “Italian spaghetti”. I refer to a situation caused by control engineers who have added signaling and new cables between ICS sections/zones.
  • This represents a severe vulnerability and must be resolved by retrofitting the architecture into a cyber-secured, hierarchical structure.

Data filtering and supervision:

  • I specifically refer to ICS-aware firewalls and DMZs. When selecting any of these, you must consider the cost of maintaining the firewalls and tuning their configuration to a frequently changing ICS architecture.
  • In addition, add the cost of all the solutions needed to defend these devices themselves against compromise by a focused cyber attack (!)

Secure data exporting:

  • To allow secure access to operational data (information on production material, maintenance, productivity results, etc.) by personnel on the corporate network, the use of a unidirectional data diode is considered among the effective choices.
  • These are costly solutions, but they work reliably and do not require frequent tuning.

Operation data analysis:

  • An industrial IDS performs process or communication analysis on the data traffic between zones and is also effective for detecting zero-day attacks at an early stage.
  • However, these systems require some level of customization and must include an embedded self-learning mechanism for continuously tuning the baseline of the detection mechanism.
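The self-learning baseline the two bullets above describe, as an added example that is not part of the original article and not any vendor's product: a detector learns which cross-zone conversations (source, destination, port, protocol function) are normal during a learning window, alerts on deviations afterwards, and folds analyst-accepted alerts back into the baseline. The hosts, zones and Modbus/TCP-style function names are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed cross-zone conversation (constructed record, not a real IDS format)."""
    src: str        # source host, e.g. an HMI in the supervisory zone
    dst: str        # destination host, e.g. a PLC in the control zone
    dst_port: int   # TCP port; 502 is Modbus/TCP (assumed protocol in this example)
    func: str       # protocol function seen, e.g. "read_holding" or "write_single"

class BaselineDetector:
    """Learns which (src, dst, port, function) tuples are normal during a learning
    window, then alerts on anything outside that baseline. Alerts an analyst accepts
    are folded back in, which is the continuous baseline tuning the text calls for."""
    def __init__(self, learn_window):
        self.learn_window = learn_window   # flows to observe before alerting starts
        self.seen = 0
        self.baseline = Counter()          # key -> number of benign observations

    @staticmethod
    def _key(flow):
        return (flow.src, flow.dst, flow.dst_port, flow.func)

    def observe(self, flow):
        """Return None if the flow matches the baseline, else an alert string."""
        key = self._key(flow)
        self.seen += 1
        if self.seen <= self.learn_window or key in self.baseline:
            self.baseline[key] += 1
            return None
        # Report a new function on a known pair (e.g. a write where only reads were
        # seen) separately from a brand-new talker pair, so the operator can triage.
        if key[:3] in {k[:3] for k in self.baseline}:
            return f"new function '{flow.func}' on known pair {flow.src}->{flow.dst}:{flow.dst_port}"
        return f"unseen conversation {flow.src}->{flow.dst}:{flow.dst_port} ({flow.func})"

    def accept(self, flow):
        """Analyst reviewed the alert and confirmed it is legitimate: tune the baseline."""
        self.baseline[self._key(flow)] += 1

def demo():
    # Constructed traffic: three benign reads learned, then two writes to the same PLC.
    det = BaselineDetector(learn_window=3)
    for f in [Flow("hmi-1", "plc-7", 502, "read_holding"),
              Flow("historian", "plc-7", 502, "read_input"),
              Flow("hmi-1", "plc-7", 502, "read_holding")]:
        det.observe(f)
    return [det.observe(Flow("hmi-1", "plc-7", 502, "write_single")),
            det.observe(Flow("eng-laptop", "plc-7", 502, "write_single"))]
```

A real deployment would key on richer fields (register ranges, value ranges, timing) and would need a learning window long enough to cover rare but legitimate operations such as scheduled maintenance.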

Broad surface visibility:

  • We see innovative solutions which automatically collect information on the inventory of installed devices, software versions, cross-zone communication, etc.
  • These systems also require customization for each ICS architecture and are capable of detecting both system faults and cyber attacks.

On-site authentication of people:

  • I refer to Identity and Access Management (IAM) processes which define the authorization and access control for devices at remote sites.
  • An Authenticated Proxy Access (APA) gateway installed on site will effectively supervise who can access the site, which devices can be modified, which operations can be performed, and the time slot for execution of each work order.
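The four checks the APA gateway is described as enforcing (who, which devices, which operations, which time slot) as one authorization decision, added here as an example and not the article's own or any product's code; the work-order schema, technician, site and device names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class WorkOrder:
    order_id: str
    technician: str
    site: str
    devices: frozenset      # devices this order may touch
    operations: frozenset   # operations allowed on those devices
    start: datetime         # execution time slot
    end: datetime

@dataclass(frozen=True)
class AccessRequest:
    technician: str
    site: str
    device: str
    operation: str
    at: datetime

def authorize(req, orders):
    """Return (allowed, reason): allowed only if some work order covers technician,
    site, device, operation AND the time; the reason goes to the gateway audit log."""
    reasons = []
    for wo in orders:
        if wo.technician != req.technician or wo.site != req.site:
            continue
        if not (wo.start <= req.at <= wo.end):
            reasons.append(f"{wo.order_id}: outside time slot")
        elif req.device not in wo.devices:
            reasons.append(f"{wo.order_id}: device {req.device} not in scope")
        elif req.operation not in wo.operations:
            reasons.append(f"{wo.order_id}: operation {req.operation} not permitted")
        else:
            return True, f"{wo.order_id}: permitted"
    return False, "; ".join(reasons) or "no work order for this technician at this site"

# Constructed sample order: 'dan' may read config / update firmware on PLC-7, 09:00-12:00 on 2025-01-20.
ORDERS = [WorkOrder("WO-1042", "dan", "pump-station-3", frozenset({"PLC-7"}),
                    frozenset({"read_config", "firmware_update"}),
                    datetime(2025, 1, 20, 9, 0), datetime(2025, 1, 20, 12, 0))]

def demo():
    # Four constructed requests: in scope, wrong operation, wrong device, outside slot.
    def mk(dev, op, hour):
        return AccessRequest("dan", "pump-station-3", dev, op, datetime(2025, 1, 20, hour, 30))
    return [authorize(mk("PLC-7", "firmware_update", 10), ORDERS),
            authorize(mk("PLC-7", "write_config", 10), ORDERS),
            authorize(mk("PLC-8", "read_config", 10), ORDERS),
            authorize(mk("PLC-7", "firmware_update", 14), ORDERS)]
```

Every denial carries the specific reason so the audit trail shows not only that access was refused but which part of the work order was exceeded.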

Company-wide data analysis:

  • I refer to a broad range of SIEM and SOC installations which constantly collect and analyze data from firewalls, IDS, SIEM, security alarm systems, anomaly behavior detection, etc.
  • These solutions are especially effective for organizations which supervise operations at distant sites through locally installed security measures.

I could continue this list with many more cost-effective solutions. Each approach is usually excellent for protection against a specific risk in a specific ICS section, but might prove ineffective for challenges outside its defined scope.

It is important to emphasize that ICS-oriented cyber defense solutions must not interfere with the control process, and you must refrain from selecting IPS solutions which may instantly stop the control process. Furthermore, as already mentioned, the operation of software-based cyber defenses (firewall, DMZ, IIDS, etc.) must itself be properly secured against compromise by a cyber attack on these cyber defense devices.

Taking the above into consideration, you learn that selecting the ICS cyber defense cannot be done by your IT team, which has excellent C-I-A related expertise for protecting the corporate network. For defining your cyber defense, you should employ industrial control experts who have spent years in deployment and maintenance and have enhanced their expertise with ICS-aware cyber risks and defense solutions.

Summary and Conclusions

  • We learn every day about new APT and zero-day attacks and new variants of malware which are capable of bypassing traditional cyber defenses.
  • The number and severity of these attacks are growing, especially on critical infrastructure.
  • Today, these highly professional and creative cyber hackers are financed by hostile countries, crime organizations or commercial entities that are interested in causing outages, damaging machinery and interrupting the peaceful life of people.
  • Operators of critical infrastructure must be aware of the potential harm caused by cyber attacks designed to pose a serious threat to business operations.
  • Therefore, managers and CISOs must act fast, with greater determination, allocated budgets and wisdom, to stay at least one step ahead of the attackers.

Source & Credit: This article was provided to www.gbhackers.com by Daniel Ehrenreich, Consultant, SCCE, Israel, who would like to share his knowledge with readers interested in exploring tactics and trends. All the content of this article belongs to the original author, Daniel Ehrenreich, Consultant, SCCE, Israel. www.gbhackers.com won’t take any credit.
