July 20, 2022
In our last blog post, we wrote about the joint advisory issued in March by CISA, the FBI, and the Department of Energy (DOE) on Russian state-sponsored actors targeting the U.S. energy sector from 2011 to 2018. The advisory describes the techniques those actors used and how organizations can best mitigate them.
In that post, we outlined the advisory's recommendations for enterprise (IT) environments. Today we cover its recommended mitigations for industrial control system and operational technology (ICS/OT) environments.
Cybersecurity for Industrial Control System Environments
CISA, the FBI, and the Department of Energy recommend that energy sector and other critical infrastructure organizations implement the following mitigations to harden their ICS/OT environment.
- Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
- Implement a multi-layer network topology for ICS, with the most critical communications occurring in the most secure and reliable layer. For more information, refer to National Institute of Standards and Technology (NIST) Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security. Apply further segmentation to portions of the network that depend on one another by function. Figure 5 on page 26 of the CISA ICS Defense in Depth Strategy document illustrates this architecture.
- Use one-way communication diodes (data diodes) to prevent external access wherever possible. A data diode physically passes traffic in a single direction, for example out of the ICS network to a historian, so there is no return path an attacker could use to reach the control network.
- Set up DMZs: a physical and logical subnetwork that sits between the IT and ICS networks and acts as an intermediary for the hosts both sides need to reach (historians, patch servers, jump hosts), so that no ICS device is exposed directly to the IT network.
- Employ reliable network security protocols and services where feasible.
- Consider using virtual local area networks (VLANs) for additional segmentation, for example by placing all printers in a dedicated VLAN and restricting users' direct access to them. The same principle applies to portions of the process: systems that are involved only in producing one component on an assembly line, and that have no direct relationship to another component, can sit in their own VLAN. That makes any unexpected communication between the two groups easy to spot, and it limits how far a compromise of one group can spread.
- Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
- Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches.
- Implement network monitoring at key chokepoints — including egress points to the internet, between network segments, core switch locations — and at key assets or services (e.g., remote access services).
- Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
- Configure security information and event management (SIEM) tooling to collect, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
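The monitoring items above (an IDS alarming on ICS traffic outside an established baseline, and controls at the chokepoints between segments) are easier to reason about with a concrete check in hand. The following Python script is an added example written for this post; it is not code from the CISA advisory or from any vendor product. It learns the set of conversations seen during a window of normal operations, then flags later flows that fall outside that baseline, that enter the ICS segment from IT without passing through the DMZ, or that leave the ICS segment for the internet. The zone address ranges, the host roles and the flow records are all constructed for illustration and are assumptions, not anything the advisory specifies.

```python
"""Baseline-then-alert check for ICS network flows.

Added example (not code from the CISA advisory or this blog). It learns the
set of conversations seen during a window of normal operations, then flags
later flows that fall outside that baseline, that enter the ICS segment from
IT without passing through the DMZ, or that leave the ICS segment for the
internet. Zone addresses, hosts and log lines are constructed for
illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout: the IT, DMZ and ICS ranges are assumptions.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "ICS": ipaddress.ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything unlisted is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(lines: list[str]) -> list[Flow]:
    """Parse 'src dst proto dport' records; blank lines and # comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(lines: list[str]) -> set[tuple[str, str, str, int]]:
    """The baseline is the set of (src, dst, proto, dport) tuples seen in normal operations."""
    return {(f.src, f.dst, f.proto, f.dport) for f in parse_flows(lines)}


def check_flows(lines: list[str], baseline: set[tuple[str, str, str, int]]) -> list[str]:
    """Return one alert string per flow that violates zone policy or the baseline."""
    alerts = []
    for f in parse_flows(lines):
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        where = f"{f.src} -> {f.dst}:{f.dport}/{f.proto}"
        if dst_zone == "ICS" and src_zone not in ("ICS", "DMZ"):
            # Only DMZ hosts (e.g. the jump box) may initiate connections into ICS.
            alerts.append(f"SEGMENT-BYPASS {src_zone}->ICS {where}")
        elif src_zone == "ICS" and dst_zone == "EXTERNAL":
            # ICS devices should never talk to the internet directly.
            alerts.append(f"ICS-EGRESS {where}")
        elif (f.src, f.dst, f.proto, f.dport) not in baseline:
            alerts.append(f"OUTSIDE-BASELINE {where}")
    return alerts


# Constructed flow records: the first set is the learning window, the second
# is later traffic. 192.168.10.50 is the HMI, .10/.11 are PLCs, 10.2.0.5 is
# the DMZ jump host and 10.1.4.23 an IT workstation (all hypothetical).
BASELINE_LOG = """
192.168.10.50 192.168.10.10 tcp 502
192.168.10.50 192.168.10.11 tcp 502
10.2.0.5 192.168.10.50 tcp 3389
""".splitlines()

NEW_LOG = """
192.168.10.50 192.168.10.10 tcp 502
10.2.0.5 192.168.10.50 tcp 3389
192.168.10.50 192.168.10.10 tcp 44818
10.1.4.23 192.168.10.10 tcp 502
192.168.10.10 203.0.113.9 tcp 443
""".splitlines()


def demo() -> list[str]:
    """Run the later traffic against the learned baseline and return the alerts."""
    return check_flows(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Against the constructed records, the script raises three alerts: the HMI opening a port to a PLC that it never used during the learning window, an IT workstation reaching a PLC directly instead of through the DMZ jump host, and a PLC connecting out to the internet. The zone-policy checks run before the baseline check on purpose: a flow that crosses a segment boundary the wrong way is a policy violation even if it happened to appear during the learning window, which is also a reminder to review the baseline itself before trusting it.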
ICS Best Practices
- Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program.
- Test all patches in out-of-band testing environments before implementation into production environments.
- Implement application allow listing on human machine interfaces and engineering workstations.
- Harden software configuration on field devices, including tablets and smartphones.
- Replace all end-of-life software and hardware devices.
- Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
- Restrict and manage remote access software, and enforce multifactor authentication (MFA) for all remote access to ICS networks.
- Configure encryption and security for network protocols within the ICS environment.
- Do not allow vendors to connect their own devices to the ICS network; a compromised vendor device could introduce malware.
- Do not allow devices that do not live solely in the ICS environment to communicate on it. Such "transient devices" (laptops and diagnostic tools carried between networks, for example) expose the ICS environment to malicious activity from the IT or other environments they connect to.
- Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies.
- Maintain robust host logging on critical devices within the ICS environment, such as jump boxes, domain controllers, repository servers, etc. These logs should be aggregated into a centralized log server for review.
- Ensure robust physical security is in place to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.
- Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
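The asset inventory and transient-device items above only pay off if something actually compares what the inventory says should be on the ICS segment with what is really there. The following Python script is an added example written for this post, not code from the CISA advisory or from any vendor tool. It reconciles a constructed set of switch observations (MAC address, IP, VLAN) against a maintained inventory and reports devices that are not inventoried at all, devices that show up on the wrong VLAN, addresses that do not match the inventory, and inventoried assets that were not seen. The MAC addresses, IP addresses, VLAN IDs and device roles are all constructed and are assumptions for illustration.

```python
"""Asset-inventory reconciliation for an ICS segment.

Added example (not code from the CISA advisory or this blog). It compares
devices observed on the OT switch fabric against the maintained asset
inventory and flags transient devices, devices on the wrong VLAN, addresses
that do not match the inventory, and inventoried assets that were not seen.
All MACs, addresses, VLAN IDs and roles are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    vlan: int
    role: str


def norm_mac(mac: str) -> str:
    """Canonicalize a MAC so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Hypothetical inventory: what is *supposed* to be on the ICS VLANs.
INVENTORY = {
    norm_mac(a.mac): a
    for a in (
        Asset("00:1d:9c:aa:00:10", "192.168.10.10", 110, "PLC line 1"),
        Asset("00:1d:9c:aa:00:11", "192.168.10.11", 120, "PLC line 2"),
        Asset("00:1d:9c:aa:00:50", "192.168.10.50", 110, "HMI"),
        Asset("00:1d:9c:aa:00:60", "192.168.10.60", 110, "engineering workstation"),
    )
}


def parse_observations(lines: list[str]) -> list[tuple[str, str, int]]:
    """One 'mac ip vlan' record per line, e.g. dumped from the switch MAC/ARP tables."""
    seen = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, vlan = line.split()
        seen.append((norm_mac(mac), ip, int(vlan)))
    return seen


def reconcile(lines: list[str], inventory: dict[str, Asset]) -> list[str]:
    """Return one finding per discrepancy between observations and inventory."""
    findings = []
    observed = parse_observations(lines)
    for mac, ip, vlan in observed:
        asset = inventory.get(mac)
        if asset is None:
            # Not in inventory at all: a transient or rogue device.
            findings.append(f"TRANSIENT-DEVICE {mac} {ip} on vlan {vlan}")
            continue
        if vlan != asset.vlan:
            findings.append(
                f"VLAN-MISMATCH {asset.role} {mac} seen on vlan {vlan}, expected {asset.vlan}"
            )
        if ip != asset.ip:
            findings.append(f"IP-MISMATCH {asset.role} {mac} has {ip}, expected {asset.ip}")
    seen_macs = {mac for mac, _, _ in observed}
    for mac, asset in inventory.items():
        if mac not in seen_macs:
            # A silent asset may be offline, unplugged or replaced: worth a look either way.
            findings.append(f"NOT-SEEN {asset.role} {mac}")
    return findings


# Constructed switch observations for one polling interval.
OBSERVED = """
00:1D:9C:AA:00:10 192.168.10.10 110
00-1d-9c-aa-00-50 192.168.10.50 110
3c:52:82:bb:cd:ef 192.168.10.77 110
00:1d:9c:aa:00:11 192.168.10.11 110
""".splitlines()


def demo() -> list[str]:
    """Reconcile the constructed observations against the inventory."""
    return reconcile(OBSERVED, INVENTORY)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed input this reports an unknown device on the PLC VLAN (the transient-device case), PLC line 2 appearing on VLAN 110 instead of its assigned VLAN 120 (a segmentation error worth catching before an attacker does), and the engineering workstation not being seen at all. MAC addresses are normalized before comparison because switch exports, DHCP logs and spreadsheets rarely agree on separators or case, and a silent mismatch there would hide real findings.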
As always, we will continue to monitor the situation and provide relevant information to our readers. If you feel any of this is out of your depth, please contact us for a free consultation. We would be happy to answer your questions and address any cybersecurity and/or federal compliance concerns you have.