Top 5 ICS Security Best Practices

Industrial control systems (ICS) are the heart of our world’s critical infrastructure, powering everything we enjoy in our connected society. As organizations continue to update their operational technology (OT) with the latest advancements, they should also be aware of the threats these cyber-physical systems are exposed to. And it’s not just the risk of an external attack that should concern organizations. They also need to be vigilant about the growing insider threat.

When you consider what could happen if something as important as the supply of electricity, drinking water, food or medicine was disrupted, even just regionally, you can see why it’s never been more important to implement strict cybersecurity practices. Here are 5 ICS security best practices you should consider:

1. Establish a Deep Understanding of Each Device in Your Industrial Control Systems

A complete ICS asset inventory provides the necessary foundation for applying any security controls or best practices. And we’re not talking just hardware and software (although that’s important, obviously). You also need access to data like where a device is physically located, how important it is to an industrial process, and who to call if issues ever come up. Without knowing these details, you won’t be able to do much with security-related information. We all know by now that traditional IT inventory methods were not designed for ICS and can lead to unintended consequences, including disrupting a critical process, causing a denial of service, and in a worst-case scenario, bricking a device. Additionally, other non-scanning IT tools may require an agent to be installed, which won’t be supported on the old versions of Windows/Linux and boutique operating systems that are common in ICS environments.

So, what are your options? One inventory method that has recently gained a lot of traction in the ICS security community is passive network monitoring. There’s nothing wrong with using this method, and it should be used as one piece of the asset management puzzle. The challenge is that this method returns limited information about an asset (especially if it has a legacy operating system) and doesn’t include important things like software, patches, executables, registry entries, or open ports and services. Plus, if a device is not actively communicating over the network, it’s usually missed altogether. Using a mixture of agent, agentless, native ICS protocol polling and passive monitoring methods ensures you don’t miss any critical device information and creates the most complete picture of what’s actually in your systems.

2. Centralize the Management of User Accounts

Many ICS servers and workstations use a set of standard usernames and passwords and, by default, grant administrator privileges. These systems could include things like domain controllers, which, if compromised, could affect ICS integrity. To prevent this from happening, security teams should centralize the monitoring, management and reporting of access, authentication and account management to protect and validate user accounts.

Having a system that monitors account changes and access events and can share that information with IAM and SIEM platforms is critical. If security teams catch unusual account activity early, it will spare everybody a lot of headaches later. You should also create and enforce policies that help prevent the abuse of user accounts in the first place, including complex password requirements and access limited on a need-to-know basis.

3. Automate Vulnerability Management for ICS

As we’ve talked about previously, critical vulnerabilities are being discovered with increasing frequency. To minimize the window of opportunity for attackers to exploit new weak points, you need a vulnerability-first approach. Not all vulnerabilities have a patch, especially in ICS environments, and it can often be impractical to patch these systems immediately.

Passively identifying new vulnerabilities on demand is a huge advantage for asset owners. You can accomplish this with a tool that takes your ICS device data and compares it to NIST’s CVE database and ICS-CERT advisories to tell you which assets are affected and if there is an available patch. You can then take this information and use it to prioritize your patching efforts (for those assets that can actually be patched). An important caveat to remember here is that your vulnerability management tool is only as good as your asset inventory, so make sure you follow the advice from #1 first.
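A simplified version of that matching step, added here as an example (it is not a vendor tool’s code), using constructed inventory and advisory records: each asset’s version is compared numerically against the advisory’s affected range, assets whose version the inventory could not determine are reported as gaps rather than silently skipped (the caveat above), and findings are ranked by process criticality and CVSS.

```python
"""Match an ICS asset inventory against vulnerability advisories and rank the
results for remediation. Added example; every asset, product and advisory
below is constructed (no real vendor, CVE or ICS-CERT identifiers)."""

def parse_version(v):
    """'2.10.3' -> (2, 10, 3), so versions compare numerically rather than as text."""
    return tuple(int(p) for p in v.split("."))

def match_advisories(assets, advisories):
    """Return (findings, gaps): findings sorted by process criticality then CVSS,
    gaps listing assets whose version the inventory could not determine."""
    findings, gaps = [], []
    for a in assets:
        if a["version"] is None:          # inventory gap: this asset cannot be matched
            gaps.append(a["id"])
            continue
        for adv in advisories:
            if (a["vendor"], a["product"]) != (adv["vendor"], adv["product"]):
                continue
            if parse_version(a["version"]) > parse_version(adv["affected_max"]):
                continue                  # newer than the affected range
            if adv["fixed_in"] is None:
                action = "no patch: apply compensating controls"
            elif a["patchable"]:
                action = f"patch to {adv['fixed_in']}"
            else:
                action = "patch exists: schedule for the next maintenance window"
            findings.append({"asset": a["id"], "advisory": adv["id"],
                             "criticality": a["criticality"], "cvss": adv["cvss"],
                             "action": action})
    findings.sort(key=lambda f: (-f["criticality"], -f["cvss"]))
    return findings, gaps

# Constructed inventory: id, vendor, product, version, criticality (1-5), patchable
ASSETS = [
    {"id": "PLC-01", "vendor": "ExampleCorp", "product": "PLC-X", "version": "2.9.1",
     "criticality": 5, "patchable": False},
    {"id": "RTU-12", "vendor": "ExampleCorp", "product": "PLC-X", "version": "2.10.0",
     "criticality": 4, "patchable": True},
    {"id": "HMI-07", "vendor": "ExampleCorp", "product": "HMI-Suite", "version": "4.2.0",
     "criticality": 3, "patchable": True},
    {"id": "SW-03", "vendor": "ExampleCorp", "product": "Switch-Z", "version": None,
     "criticality": 2, "patchable": True},
]
# Constructed advisories: every version <= affected_max is affected
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleCorp", "product": "PLC-X",
     "affected_max": "2.9.9", "cvss": 9.8, "fixed_in": None},
    {"id": "ADV-0002", "vendor": "ExampleCorp", "product": "HMI-Suite",
     "affected_max": "4.2.3", "cvss": 7.5, "fixed_in": "4.2.4"},
]
```

Note that RTU-12 at 2.10.0 is correctly left out: a plain string comparison would have ranked "2.10.0" below "2.9.9" and produced a false finding.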

4. Implement Anomaly Detection Techniques

A misconfigured device can provide an easy entry point into your ICS for an attacker, so make sure you have a baseline of known good configurations for each endpoint that you’re continuously monitoring for changes. Removable media is another attack vector that has been gaining traction recently, so keep a close eye on that, as well. If any kind of change, including from removable media, is detected in an endpoint, ensure you are getting enough contextual data about the suspicious event to act quickly.

Using a network intrusion detection system, which is also sometimes referred to as passive network monitoring, offers an additional layer of threat detection because it identifies anomalies in the protocol traffic crossing the network. If you have both endpoint and network monitoring in place, you’ll be able to detect suspicious activity in multiple ways. This acts as a type of fail-safe mechanism: if you somehow miss an anomaly with one technique, the other will catch it.

5. Empower Security Responders with the Right Data

First, make sure you have security staff who are not only actively looking at ICS event data, but also have some level of knowledge about and training on how these environments work. Providing cross-training to your SOC teams will help them understand the differences between the IT networks they’ve traditionally monitored and the OT networks that have recently come into the picture, which are far more heterogeneous and complex.

Getting the right data to the right people is critical for ICS security teams. Having a solution that is specialized enough for the complexity of OT systems, yet also scalable enough to fit into the broader corporate security ecosystem, is certainly a challenge. When considering an ICS cybersecurity solution, make sure it provides the actionable data that SOC teams need, like how important an industrial device is, where it’s located, and who to call at the plant if critical anomalies are detected in that asset. Additionally, you should ensure that this data can be shared with them in an intuitive way via API integrations with corporate SIEMs, CMDBs, and ticketing systems. Finally, in case the worst happens, you should always have a stored backup of known secure configurations for all your ICS devices in a place that can be accessed by both IT security and OT operations teams in an emergency.
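The baseline comparison from #4 and the contextual enrichment from #5 together, as an added example that is not code from the original post: a constructed known-good baseline is diffed against a current endpoint snapshot, and each detected change is tagged with the asset’s criticality, location and plant contact before being emitted as JSON lines that a SIEM integration could ingest. The asset record and both snapshots are constructed.

```python
"""Detect configuration drift on an ICS endpoint against a known-good baseline and
enrich each change with asset context. Added example; all data is constructed."""
import hashlib
import json

def fingerprint(value):
    """Hash a setting's value so large items (rule sets, file contents) compare cheaply."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()

def diff_configs(baseline, current):
    """Return one drift event per setting that was added, removed or modified.
    Both arguments map a setting name to any JSON-serializable value."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            events.append({"setting": key, "change": "added", "after": current[key]})
        elif key not in current:
            events.append({"setting": key, "change": "removed", "before": baseline[key]})
        elif fingerprint(baseline[key]) != fingerprint(current[key]):
            events.append({"setting": key, "change": "modified",
                           "before": baseline[key], "after": current[key]})
    return events

def enrich(events, asset):
    """Attach criticality, location and plant contact so the SOC can act without
    looking the device up elsewhere; media insertions are always high severity."""
    for e in events:
        e.update(asset_id=asset["id"], criticality=asset["criticality"],
                 location=asset["location"], contact=asset["contact"])
        e["severity"] = ("high" if asset["criticality"] >= 4
                         or e["setting"] == "removable_media" else "medium")
    return events

# Constructed known-good baseline recorded at commissioning time
BASELINE = {"firmware": "2.9.1",
            "services": ["modbus/502", "https/443"],
            "local_accounts": ["operator", "maintenance"],
            "removable_media": []}
# Constructed snapshot just collected from the same endpoint
CURRENT = {"firmware": "2.9.1",
           "services": ["modbus/502", "https/443", "telnet/23"],
           "local_accounts": ["operator", "maintenance", "tmpadmin"],
           "removable_media": ["USB mass storage, serial CONSTRUCTED-0001"]}
ASSET = {"id": "PLC-01", "criticality": 5,
         "location": "Plant 2, Line B, Cabinet 4 (constructed)",
         "contact": "Line B control room (constructed)"}

def drift_report():
    """Events as a SIEM would receive them over an API integration (JSON lines)."""
    return [json.dumps(e, sort_keys=True) for e in enrich(diff_configs(BASELINE, CURRENT), ASSET)]
```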

If you’d like more information about how to apply these ICS security best practices in your environment, we recommend exploring the 20 CIS Controls. This framework prioritizes cybersecurity best practices into digestible implementation groups to help you get security done. Check out our 20 CIS Controls Implementation Guide for ICS, which adapts this framework to the unique needs of industrial environments and offers helpful tips from security experts.
