Eight ICS cybersecurity tips for a hyper-connected world
Industrial control systems (ICS) can achieve lower cybersecurity risk by building a defense-in-depth cybersecurity plan and following the eight tips highlighted below. A decade ago, many ICSs were protected from internet threats by air-gapping: the ICS network was physically isolated to prevent malicious, unauthorized remote access through the internet. In today’s hyper-connected world, air-gapping alone is not a realistic option, and it never did provide enough security in the first place.
In the modern age of smart manufacturing, the Internet of Things (IoT) and Industrie 4.0 bring important competitive advantages—connectivity is the way of the future. Some companies are on the leading edge in embracing cybersecurity, but others don’t take it seriously until they have a threat or breach. Building a robust cybersecurity strategy to help prevent cyber attacks requires a holistic and layered approach. Following the tips below is key to developing a robust ICS cybersecurity plan.
"Have a plan," said Sean Creager, electrical engineer at Huffman Engineering. "Do a little research, take some small steps, and they will really help. The steps can be inexpensive, such as educating employees. Having a plan in place is invaluable. Remember, it’s a journey not a destination so you need to continually think about and update your plan and monitor the situation as technology evolves."
Defense-in-depth cybersecurity plan
"Defense-in-depth" is the term used to describe a planning strategy to secure an ICS; it refers to the ideal state of having many layers of security systems and access controls. Begin by identifying the internal, external, physical, and virtual threats to the control system. Assess how large of a risk each threat poses, and this should be a guide for how to best allocate the budget for a successful cybersecurity plan.
Make a comprehensive plan to mitigate those risks to an "acceptable" level (which will differ for each entity). Follow up with a process of how to address each threat or breach if it does occur. Plan for system monitoring and alerts to notify users a breach is in progress or has happened.
1. Segmentation
Segmentation is a defense-in-depth strategy that divides up a network to limit the amount of damage that could be done if there were a breach. Segmentation creates isolated, self-contained networks (segments) within the larger network to prevent unwanted access to the entire system and limit its vulnerability. Segmentation can be created physically by using additional hardware such as cabling and switches, but this is more time-consuming and more costly than doing so virtually.
Isolated networks are normally created within the larger system by using virtual local area networks (VLAN). Segmentation can be very basic, such as separating the manufacturing network from the business network, or more complex by creating a different segment for each manufacturing cell. For example, in the pharmaceutical industry, each manufacturing cell or packaging line can be segmented individually from each other. If network segments need to communicate, a firewall can offer additional protection. The firewall is a separate device that decides whether the network traffic is allowed to pass or is blocked.
Utility industries such as electric, gas, water, and wastewater are potential targets for state or non-state actors because they are part of the country’s infrastructure. All of these entities need to look at the security policies in place and plan a defense-in-depth strategy. A utility plant is often segmented as one manufacturing cell. When plants are regional, having each as a segment protects the whole system from a potentially catastrophic failure. If further separation is desired, segments can be created in each plant for systems such as the instrumentation, control, and visualization networks.
2. Demilitarized zone
A special case of segmentation is a demilitarized zone (DMZ) between a company’s industrial and manufacturing systems and its business and IT networks or the internet. Although not universally implemented in ICSs, a DMZ is important for certain situations. A properly designed DMZ does not allow traffic to traverse directly across the DMZ from the business network or internet to the ICS network. Inside the DMZ, servers or devices act as intermediaries to communicate across the DMZ. For example, a remote-access management device in the DMZ can be set up so a user from the business network or internet can connect to the control system network.
3. Regular backups and updates
Ensure systems are backed up regularly. Create images for all hard drives, back up virtual machines, and store configurations and programs on a storage device such as a network attached storage (NAS) device. The backups should be duplicated to another off-site device for additional protection. No matter how secure a defense may be, it’s never 100%. Backups are key to a quick and painless recovery.
Keep systems updated with the latest patches and upgrade any computers that run unsupported operating systems such as Microsoft Windows XP or Windows 2000. On these obsolete platforms, vulnerabilities are often made public even though patches are no longer offered through the manufacturer.
Get on email distribution lists with the automation equipment manufacturers to receive relevant security bulletins. Additionally, sign up for ICS-CERT notifications through the Department of Homeland Security (DHS).
4. Special purpose security appliances
A few manufacturers make cybersecurity products specifically for ICSs. Firewall security tools have hardware and software tailored for ICSs. These tools allow rules to be defined, governing which devices are allowed to communicate with the system and what ports and protocols they may use. The firewall locks down communication to the existing devices to ensure proper traffic flow. The firewall recognizes if the communication doesn’t look the way it’s supposed to, and traffic is blocked. Notifications or alarms can be set up in addition to the traffic block.
Another example is a secure, remote-access device such as a virtual private network (VPN) router. These devices allow for secure remote access to an ICS over the internet through an encrypted VPN tunnel connection.
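The DMZ property from tip 2 (no direct path from the business network or internet into the ICS network) and the device, port, and protocol allowlist from tip 4 can both be checked mechanically against a rule set. The following is an added example, not part of the original article or any vendor's product; the zone addresses, the rule set, and the function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan; none of these values come from the article.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR
    dst: str    # destination CIDR
    proto: str
    port: int

def zones_touched(cidr):
    """Zones a CIDR overlaps; 'external' if it is not wholly inside one zone."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit

def audit(rules):
    """Return rules that let business or external sources reach ICS directly."""
    return [r for r in rules
            if "ics" in zones_touched(r.dst)
            and zones_touched(r.src) & {"business", "external"}]

def permits(rules, src_ip, dst_ip, proto, port):
    """Allowlist evaluation: a flow passes only if a rule matches; else deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in ipaddress.ip_network(r.src)
               and dst in ipaddress.ip_network(r.dst)
               and (r.proto, r.port) == (proto, port) for r in rules)

# Constructed rules: a DMZ remote-access gateway (10.20.0.10), a PLC (10.30.5.20).
RULES = [
    Rule("10.10.0.0/16", "10.20.0.10/32", "tcp", 443),   # business -> DMZ gateway
    Rule("10.20.0.10/32", "10.30.5.20/32", "tcp", 502),  # gateway -> PLC, Modbus/TCP
    Rule("10.10.4.7/32", "10.30.5.20/32", "tcp", 502),   # desktop -> PLC, skips DMZ
    Rule("0.0.0.0/0", "10.30.0.0/16", "tcp", 3389),      # anywhere -> ICS
]

if __name__ == "__main__":
    for bad in audit(RULES):
        print("direct path into ICS:", bad)
```

Removing the rules that `audit` reports leaves only the two-hop path through the DMZ gateway, and `permits` then denies any flow that no remaining rule names.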
5. Develop a strong security culture
Cybersecurity combines common sense and education. Many threats and attacks originate internally and accidentally, which underscores the need to get personnel on board with the process and to be vigilant. Create a continuing education plan and include a training process for future employees. Train employees about common social engineering tactics. Social engineering is the art of manipulating people so they give up confidential information—phishing emails that appear to come from a legitimate source, or phone calls to trick people into revealing information. Teach them what to look for, what not to click on, and how to avoid other common traps.
6. Employ limited access and unique passwords
Use the strategy of "least privilege": give employees access only to what they need to do their jobs, and no more. Force users to have unique passwords, and never leave the system set to the default password. Additionally, users should not write passwords in public view, in the vicinity of the equipment, or elsewhere. Add in two-factor authentication whenever possible by using technology such as a rolling code, biometrics, etc. Two-factor authentication should be mandatory for all devices offering remote access to the internal system.
7. Physical access defense
Proper physical security measures are often overlooked. For physical access defense, start by securing the entrance to the facility. Consider using security guards, access control systems, fenced perimeters, and locked doors to critical infrastructure systems such as servers and supervisory control and data acquisition (SCADA) control rooms. Remove the key on programmable logic controllers (PLCs) that allows the program to be altered, if available, and lock control cabinets to prevent unauthorized people from accessing them. Also disable or lock the control system’s USB ports. Viruses can be transmitted or data can be stolen through these USB ports, and employees can inadvertently compromise security by charging cell phones through them as well.
8. Maintain a good relationship with a system integrator
Having another set of eyes that knows a company’s automation systems inside and out is an invaluable asset. For example, last year, a series of ransomware attacks was mounted against companies globally. A trusted system integrator can assist during or after a cyber attack and help provide a quick recovery if the integrator has intimate knowledge of the customer’s ICS applications and processes, and thorough documentation of software programs including recent backups.
Implementing a defense-in-depth cybersecurity strategy doesn’t have to be a costly and time-consuming undertaking. Implementing a few defenses will greatly increase the level of security for an ICS. Control system integrators work directly with a customer’s IT department to design and install the desired type of manufacturing cybersecurity technologies and provide training. Integrators work hand-in-hand with customers or can act as an advisor if required.
Keith Mandachit is engineering manager, Sean Creager is senior electrical engineer, and Jay Steinman is mechanical engineer, Huffman Engineering Inc. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media.
Implementing a defense-in-depth cybersecurity strategy
How to secure and help protect an industrial control system (ICS).
Additional information can be found at the U.S. Department of Homeland Security’s website for the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
What steps can be added to your facility to help protect your ICS?