A complete ICS asset inventory provides the necessary foundation to apply any security controls or best practices. And we’re not talking just hardware and software (although that’s important, obviously). You also need access to data like where a device is physically located, how important it is to an industrial process, and who to call if issues ever come up. Without knowing these details, you won’t be able to do much with security-related information. We all know by now that traditional IT inventory methods were not designed for ICS and could lead to unintended consequences, including impacting a critical process, Denial of Service, and in a worst-case scenario, bricking a device. Additionally, other non-scanning IT tools may require an agent to be installed that won’t have support for old versions of Windows/Linux and boutique operating systems, which are common in ICS environments.
So, what are your options? One inventory method that has recently gained a lot of traction in the ICS security community is passive network monitoring. There’s nothing wrong with using this method, and it should be used as one piece of the asset management puzzle. The challenge is that this method returns limited information about an asset (especially if it has a legacy operating system) and doesn’t include important things like software, patches, executables, registry entries, or open ports and services. Plus, if a device is not actively communicating over the network, it’s usually missed altogether. Using a mixture of agent, agentless, native ICS protocol polling and passive monitoring methods ensures you don’t miss any critical device information and creates the most complete picture of what’s actually in your systems.
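One way to reconcile the collection methods described above into a single inventory and see what each method misses. This is an added example, not part of the original article; the record layouts, addresses, source names and field names are constructed for illustration.

```python
# Constructed sample records; every address, name and field is an assumption.
SOURCES = {
    "passive": [{"ip": "10.0.1.10", "mac": "00:00:5e:00:53:10"},
                {"ip": "10.0.1.20", "mac": "00:00:5e:00:53:20"}],
    "agent": [{"ip": "10.0.1.30", "hostname": "hmi-01", "os": "Windows XP SP3",
               "software": ["HMI Runtime 7.1"], "open_ports": [135, 445]}],
    "polling": [{"ip": "10.0.1.10", "model": "PLC-A", "firmware": "2.4.0"},
                {"ip": "10.0.1.40", "model": "RTU-B", "firmware": "3.2.1"}],
}
# Operational context the article calls for: location, criticality, contact.
CONTEXT = {
    "10.0.1.10": {"location": "Line 1 cabinet", "criticality": "high", "contact": "shift lead"},
    "10.0.1.20": {"location": "Pump house", "criticality": "medium", "contact": "maintenance"},
    "10.0.1.30": {"location": "Control room", "criticality": "high", "contact": "operator desk"},
}
REQUIRED = ("location", "criticality", "contact")

def merge_inventory(sources, context):
    """Build one record per IP, remembering which collection method saw it."""
    inventory = {}
    for name, records in sources.items():
        for rec in records:
            asset = inventory.setdefault(rec["ip"], {"ip": rec["ip"], "sources": set()})
            asset["sources"].add(name)
            for key, value in rec.items():
                asset.setdefault(key, value)  # first source to report a field wins
    for ip, asset in inventory.items():
        asset.update(context.get(ip, {}))
    return inventory

def coverage_gaps(inventory):
    """List, per asset, what the current mix of methods failed to capture."""
    gaps = {}
    for ip, asset in sorted(inventory.items()):
        issues = []
        if "passive" not in asset["sources"]:
            issues.append("not seen by passive monitoring")
        if asset["sources"] == {"passive"}:
            issues.append("passive only: no software, patch or port data")
        issues += [f"missing {field}" for field in REQUIRED if field not in asset]
        if issues:
            gaps[ip] = issues
    return gaps

if __name__ == "__main__":
    for ip, issues in coverage_gaps(merge_inventory(SOURCES, CONTEXT)).items():
        print(ip, "->", "; ".join(issues))
```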
Many ICS servers and workstations use a set of standard usernames and passwords, and by default, grant administrator privileges. These systems could include things like domain controllers, which, if compromised, could affect ICS integrity. To prevent this from happening, security teams should centralize the monitoring, management and reporting of access, authentication and account management to protect and validate user accounts.
Having a system that monitors account changes and access events and can share that information with IAMs and SIEMs is critical. If security teams catch unusual account activity early, it will spare everybody a lot of headaches later. You should also create and enforce policies that help prevent the abuse of user accounts in the first place, including complex password requirements and limited access based on the need to know.
As we’ve talked about previously, critical vulnerabilities are being discovered with increasing frequency. To minimize the window of opportunity for attackers to exploit new weak points, you need a vulnerability-first approach. Not all vulnerabilities have a patch, especially in ICS environments, and it can often be impractical to patch these systems immediately.
Passively identifying new vulnerabilities on demand is a huge advantage for asset owners. You can accomplish this with a tool that takes your ICS device data and compares it to NIST’s CVE database and ICS-CERT advisories to tell you which assets are affected and if there is an available patch. You can then take this information and use it to prioritize your patching efforts (for those assets that can actually be patched). An important caveat to remember here is that your vulnerability management tool is only as good as your asset inventory, so make sure you follow the advice from #1 first.
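A minimal version of the comparison described above: inventory records are matched against advisory records, then ordered by how critical the asset is. This is an added example, not code from the article or from any vendor tool; the advisory IDs are placeholders, and the vendors, models, versions and the `can_patch` field are constructed assumptions.

```python
# Constructed sample data: advisory IDs, vendors, models and versions are placeholders.
INVENTORY = [
    {"name": "plc-line1", "vendor": "VendorA", "model": "PLC-A", "firmware": "2.4.0",
     "criticality": "high", "can_patch": True},
    {"name": "rtu-yard", "vendor": "VendorB", "model": "RTU-B", "firmware": "3.2.1",
     "criticality": "medium", "can_patch": True},
    {"name": "hmi-01", "vendor": "VendorA", "model": "HMI-C", "firmware": "7.1.0",
     "criticality": "low", "can_patch": True},
]
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "vendor": "VendorA", "model": "PLC-A",
     "first_affected": "2.0.0", "fixed_in": "2.5.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "vendor": "VendorB", "model": "RTU-B",
     "first_affected": "3.0.0", "fixed_in": None},  # no vendor fix published
    {"id": "ADVISORY-PLACEHOLDER-3", "vendor": "VendorA", "model": "HMI-C",
     "first_affected": "6.0.0", "fixed_in": "7.0.5"},
]
RANK = {"high": 0, "medium": 1, "low": 2}

def parse_version(text):
    """Turn '2.4.0' into (2, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(asset, adv):
    """Affected when the product matches and firmware is in [first_affected, fixed_in)."""
    if (asset["vendor"], asset["model"]) != (adv["vendor"], adv["model"]):
        return False
    version = parse_version(asset["firmware"])
    if version < parse_version(adv["first_affected"]):
        return False
    return adv["fixed_in"] is None or version < parse_version(adv["fixed_in"])

def prioritize(inventory, advisories):
    """Return findings ordered by asset criticality, flagging whether a patch applies."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                patchable = adv["fixed_in"] is not None and asset["can_patch"]
                findings.append({"asset": asset["name"], "advisory": adv["id"],
                                 "criticality": asset["criticality"],
                                 "action": "schedule patch" if patchable else "no patch path"})
    return sorted(findings, key=lambda f: (RANK[f["criticality"]], f["asset"]))

if __name__ == "__main__":
    for finding in prioritize(INVENTORY, ADVISORIES):
        print(finding)
```

An asset whose firmware field is missing or wrong in the inventory is silently skipped or mismatched here, which is the dependency on inventory quality the paragraph warns about.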
A misconfigured device can provide an easy entry point into your ICS for an attacker, so make sure you have a baseline of known good configurations for each endpoint that you’re continuously monitoring for changes. Removable media is another attack vector that has been gaining traction recently, so keep a close eye on that, as well. If any kind of change, including from removable media, is detected in an endpoint, ensure you are getting enough contextual data about the suspicious event to act quickly.
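A sketch of the baseline comparison described above, producing an alert that carries the context needed to act on it. This is an added example, not part of the original article; the asset record, setting names and values (including `usb_storage`) are constructed assumptions.

```python
import hashlib
import json

MISSING = "<absent>"  # marker for a setting present on only one side

# Constructed sample data for one endpoint.
ASSET = {"name": "hmi-01", "location": "Control room", "criticality": "high",
         "contact": "operator desk"}
BASELINE = {"firmware": "7.1.0", "usb_storage": "disabled",
            "open_ports": [102, 502], "local_admins": ["ot-admin"]}
OBSERVED = {"firmware": "7.1.0", "usb_storage": "enabled",
            "open_ports": [102, 502, 3389], "local_admins": ["ot-admin"]}

def fingerprint(config):
    """SHA-256 over a canonical JSON encoding, so key order cannot cause false alerts."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def diff_config(baseline, observed):
    """List every setting that was added, removed or changed relative to the baseline."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, MISSING), observed.get(key, MISSING)
        if old != new:
            changes.append({"setting": key, "baseline": old, "observed": new})
    return changes

def check_endpoint(asset, baseline, observed):
    """Return None when the endpoint matches its baseline, else a contextual alert."""
    if fingerprint(baseline) == fingerprint(observed):
        return None
    return {"asset": asset["name"], "location": asset["location"],
            "criticality": asset["criticality"], "contact": asset["contact"],
            "changes": diff_config(baseline, observed)}

if __name__ == "__main__":
    print(json.dumps(check_endpoint(ASSET, BASELINE, OBSERVED), indent=2))
```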
Using a network intrusion detection system, which is also sometimes referred to as passive network monitoring, offers an additional layer of threat detection because it identifies communication anomalies in the protocols used on the network. If you have both endpoint and network monitoring in place, you’ll be able to detect suspicious activity in multiple ways. This can act as a type of fail-safe mechanism so that if you somehow miss an anomaly with one technique, the other will catch it.
First, make sure you have security staff who are not only actively looking at ICS event data, but also have some level of knowledge about and training on how these environments work. Providing cross-training to your SOC teams will help them understand the differences between the IT networks they’ve traditionally monitored and the OT networks that have recently come into the picture, which are far more heterogeneous and complex.
Getting the right data to the right people is so critical for ICS security teams. Having a solution that is specialized enough for the complexity of OT systems, yet also scalable enough to fit into the broader corporate security ecosystem, is certainly a challenge. When considering an ICS cybersecurity solution, make sure it provides the actionable data that SOC teams need, like how important an industrial device is, where it’s located, and who to call at the plant if critical anomalies are detected in that asset. Additionally, you should ensure that this data can be shared in an intuitive way for them via API integrations with corporate SIEMs, CMDBs, and ticketing systems. Finally, in case the worst happens, you should always have a stored backup of known secure configurations for all your ICS devices in a place that can be accessed by both IT security and OT operations teams in an emergency situation.
Companies looking to apply these best practices are often overwhelmed with the landscape of security solutions claiming to help. There are hundreds of vendors, each providing various and, at times, overlapping functionality. If you’d like to better understand how to match your individual needs with specific technologies that help you achieve these best practices, you can request a custom DefenderSphere map for your organization.