More answers on what you need to know about cybersecurity
Below are more answers resulting from a cybersecurity webcast on cybersecurity architectures, training, best practices, risk assessment and trends based on research.
A cybersecurity webcast Dec. 3 raised more questions than two expert responders had time for at the end, and their answers to those additional questions on industrial control system cybersecurity are available below. The webcast, with one PDH available, is archived for one year. Register for the webcast with the following link: “Cybersecurity: What you need to know.” The webcast is designed to help attendees:
- Identify architectures for cybersecurity designs for controls, automation, and instrumentation.
- Learn what should be covered in cybersecurity training.
- Receive tips about cybersecurity best practices.
- Review elements of a cybersecurity risk assessment.
- Review related Control Engineering cybersecurity research results and advice.
Two presenters answered the additional questions below.
- Brad Bonnette, technical director, Wood Automation and Control, Wood
- Anil Gosine, global projects, MG Strategy+
More ICS cybersecurity answers
Question: What are often overlooked cybersecurity best practices that represent weak links? Do they differ widely by organization and industry or are there commonalities for all?
Bonnette: Seemingly simple things like turning off or actively managing USB, Bluetooth and removable/portable media connections. Lack of management of unused accounts, personnel departures, (temporary) personnel, contractor or vendor access credentials. Not monitoring firewall or security monitoring software reports or alerts.
Gosine: Proper configuration of the systems procured and underestimating the time/effort needed to continuously maintain and address issues. You want to avoid a situation similar to operators ignoring alarms and then requiring another effort for alarm management years after the initial ICS deployment. An article published in Control Engineering, “Key security components and strategies for ICS,” is a good reference.
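The account-management weak links Bonnette lists (unused accounts, departed personnel, temporary and contractor or vendor credentials) are easy to check mechanically once account and HR records are pulled together. The following audit routine is an added example, not code from the webcast or either presenter; the account records, the 90-day inactivity threshold and the audit date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed account records (not from the webcast). A real audit would pull
# these from the domain controller, the DCS/SCADA user database and HR records.
@dataclass
class Account:
    name: str
    kind: str                   # "employee", "contractor", "vendor" or "temporary"
    last_logon: Optional[date]  # None = never logged on
    expires: Optional[date]     # None = no expiry set on the account
    departed: Optional[date]    # HR departure date, None if still employed

INACTIVE_DAYS = 90  # assumed site policy: flag accounts unused longer than this

def audit_accounts(accounts, today):
    """Return (account name, finding) pairs for stale or orphaned credentials."""
    findings = []
    for a in accounts:
        if a.departed is not None and a.departed <= today:
            findings.append((a.name, "departed personnel still has an account"))
        if a.last_logon is None or (today - a.last_logon).days > INACTIVE_DAYS:
            findings.append((a.name, f"no logon in {INACTIVE_DAYS} days"))
        if a.kind in ("contractor", "vendor", "temporary"):
            # Third-party and temporary access should always carry an end date.
            if a.expires is None:
                findings.append((a.name, f"{a.kind} account has no expiry date"))
            elif a.expires < today:
                findings.append((a.name, f"{a.kind} account expired but still enabled"))
    return findings

AUDIT_DATE = date(2020, 1, 15)  # constructed
SAMPLE_ACCOUNTS = [             # constructed sample data
    Account("op_smith",    "employee",   date(2020, 1, 14), None,              None),
    Account("eng_jones",   "employee",   date(2019, 9, 1),  None,              date(2019, 11, 30)),
    Account("vendor_acme", "vendor",     date(2020, 1, 10), None,              None),
    Account("temp_build",  "temporary",  None,              date(2019, 12, 31), None),
    Account("ctr_pipe",    "contractor", date(2019, 12, 20), date(2020, 6, 30), None),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name}: {finding}")
```

Running it against the sample data reports the departed engineer twice (departure and inactivity), the vendor account for its missing expiry, and the never-used temporary account as both unused and expired.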
Question: Are there special cybersecurity recommendations for supervisory control and data acquisition (SCADA) and programmable logic controller (PLC)-based systems?
Bonnette: Edge protection and defense-in-depth are still principal base models. However, if the context of SCADA includes utilization of cloud or wide-area network (WAN) that is not exclusively controlled by the owner/operator, additional measures must be considered to authenticate traffic, endpoint devices, users, and protect (encrypt) data being carried over cloud or contracted carrier networks. The external network should be treated as an untrusted edge. However, just because your company owns a specific LAN or WAN does not mean it may not need to be considered untrusted just as well, depending on technical and physical access control to the networks. External networks should always be considered untrusted and considered a potential threat vector. Reference: ISA-TR100.15.01-2012 Technical Report “Backhaul Architecture Model.”
Question: Is there a need for firewalls on Apple products?
Bonnette: Yes, both to protect the device, but primarily to protect the rest of the system from the device. Apple OSs are just as exploitable as Microsoft Windows (Linux as well). At a minimum, any type of networked device may be used for distributed denial of service (DDoS) attacks and robot data storm attacks, or as a pivot point for data, traffic or access to gain access to an OT system or network. Mobile phone malware has caused OT incidents, transmitting malware to the OT system by plugging in a mobile phone (smart phone) to a USB to charge it on an OT workstation, resulting in crypto locking or virus infection of the facility control system.
Gosine: Apple Wireless Direct Link protocol to create mesh networks can be exploited, as noted in recent security notifications.
Question: Are there particular advantages to hard wiring? Or to keeping all data in house?
Bonnette: “Hard-wiring” may be easier to protect physically with barriers and physical access controls. However, as soon as the network leaves a physically controlled boundary, any points of connection or distribution are accessible, but typically not as accessible as wireless systems. There is a lot of debate about keeping data “in-house.” If you are overwhelmed with maintaining the security and integrity of your data systems and data, outsourcing may actually be a means of improving the security or integrity of the system, but risks in the supply chain (the service supplier’s integrity, security practices and capability) need to be assessed as if it were your own estate.
Gosine: You need to weigh the risks/benefits of losing the cloud-based data analytics capabilities that increase productivity and efficiency and increase margins when keeping data internal.
Question: We’re trying to figure out what cybersecurity staff training should include for whom and how often?
Gosine: Know where your organization’s understanding is through a baseline Q&A that follows the NIST Framework Categories. There will be a need for distinct training course materials for operators, security administrators, and general users. Annual workshops for operations and security administrators. Operators – training on detecting anomalies; Administrators – tools, management techniques and prioritization in risk assessment; General users – social engineering and situational awareness. Incorporating relatable security information into available corporate news feeds/webcast updates also may be beneficial.
Question: What determines how often a cybersecurity risk assessment should be done? Should mini-assessments be completed in certain areas more frequently than all of operations, all of the enterprise, or all of the connected supply chain?
Bonnette: The frequency of risk assessments should be commensurate with the previously assessed risk. Systems or zones with higher potential consequence of compromise should be assessed more frequently than lower potential consequence areas. Interim risk assessments for a single zone or subset should consider conduit connections to other zones.
Gosine: Critical operational processes are getting done more frequently to show risk avoidance/mitigation to C-level (potentially every 18 months). This will be based on how fast remediation efforts are getting completed. Regulatory requirements where applicable will have minimum frequency requirements that are required.
Question: How are RTO/RPO classified as regards cybersecurity resilience?
Bonnette: Often, higher-level advanced process control applications and systems are classified as unique zones in the security architecture, with conduits to the underlying basic process control system (BPCS) they are providing supervisory input to. In some cases, some types of advanced process control (APC) are vital to maintaining the routine operating stability of complex process units (e.g. refinery hydrocrackers or exothermic isomerization reactors). In those cases, when the APC is offline, the demand on the operators to keep the unit in stable operating limits is substantially increased and the likelihood of a hazardous process excursion is increased. Control hazard and operability (CHAZOP) can be a useful method of risk assessment, following the “what if” methodology, and asking the question, “What is the impact or effect of a given system being compromised?” to identify potential consequence and determine if a specific system has a higher consequence potential than others and merits a separate zone. In the event that the higher-level system or software can result in a significant upset or incident in the process, then additional measures may be merited to protect the underlying process from a compromise of the higher-level system. Best practice is to design resilience in the lower-level BPCS configuration, such that the supervisory system can be easily turned off from the BPCS, or even physically disconnected if required, with the BPCS configured to shed to a safe mode of (BPCS only) control and operation if the system is turned off or disconnected.
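The shed-to-BPCS resilience Bonnette describes is normally implemented in the controller itself as a setpoint arbiter: the regulatory loop accepts a supervisory setpoint only while the APC is enabled, within BPCS-enforced bounds and refreshing a heartbeat, and otherwise falls back to the operator-owned local setpoint. The following model is an added example, not code from the webcast or either presenter; the class name, the bounds, the heartbeat timeout and the setpoint values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SetpointArbiter:
    """Hypothetical BPCS-side arbiter between APC writes and local control."""
    sp_low: float                 # BPCS-enforced bounds on any supervisory setpoint
    sp_high: float
    heartbeat_timeout_s: float    # APC must write within this window to stay in control
    local_sp: float               # operator-owned setpoint used in BPCS-only mode
    apc_enabled: bool = True      # operator switch that cuts the APC conduit
    last_apc_sp: Optional[float] = None
    last_heartbeat: Optional[float] = None

    def disable_apc(self) -> None:
        """Operator turns the supervisory system off at the BPCS."""
        self.apc_enabled = False
        self.last_apc_sp = None

    def enable_apc(self) -> None:
        self.apc_enabled = True

    def apc_write(self, now: float, setpoint: float) -> bool:
        """Handle a supervisory setpoint write; return True if it was accepted.

        Any write refreshes the heartbeat, but an out-of-bounds value is
        rejected rather than clamped and the loop sheds to local control, so a
        faulty or compromised APC cannot drive the unit to its limits."""
        self.last_heartbeat = now
        if not self.apc_enabled or not (self.sp_low <= setpoint <= self.sp_high):
            self.last_apc_sp = None
            return False
        self.last_apc_sp = setpoint
        return True

    def active(self, now: float) -> Tuple[str, float]:
        """Return (mode, setpoint) the regulatory loop should use at time `now`."""
        stale = (self.last_heartbeat is None
                 or now - self.last_heartbeat > self.heartbeat_timeout_s)
        if self.apc_enabled and not stale and self.last_apc_sp is not None:
            return ("APC", self.last_apc_sp)
        return ("BPCS", self.local_sp)   # safe mode: BPCS-only control

if __name__ == "__main__":
    arb = SetpointArbiter(sp_low=100.0, sp_high=200.0, heartbeat_timeout_s=5.0, local_sp=150.0)
    arb.apc_write(1.0, 160.0)
    print(arb.active(2.0), arb.active(7.0))   # APC in control, then shed on stale heartbeat
```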
Question: Do you have any generic checklist for a cybersecurity audit?
Bonnette: A 45-element weighted checklist for existing facility cybersecurity assessments is available from Wood. Different from risk assessments, these assessment checklists gauge the degree of protection and mitigative practices that are in place in a facility for benchmarking or identification of initial “soft spots” in an existing facility. The 45 elements in the checklist are referenced to ANSI/ISA 62443 Standards and recommended practices. A good first question to ask is “Do you have a current inventory of your OT system assets (hardware and software)?” If you don’t know what you have, how can you protect it?
Gosine: I have attached a generic set of items that can be part of the initial checklist. Reference slide #10 in presentation.
Question: What are some of those tools Brad referred to that will help on the OT risk assessment?
Bonnette: There are several security software vendors and service providers currently offering threat assessment tools for operational technology (OT) systems. We are not at liberty to name specific vendors as part of this webcast. I would recommend checking with your control system platform vendor, as many have partnered with security software vendors to provide threat and security monitoring for their platform.
Question: What typical kinds of people liabilities are suggested? Do they get them to provide passwords, access, etc.?
Bonnette: Users who are valuable targets for social engineering and phishing / spear phishing in an attempt to gain access, credentials or information on a system for malicious purposes. Engineers and administrators who have the ability to change configuration, programming and accounts are the highest at-risk, high-value targets. Operators are also at risk, as they have operational access to change setpoints, settings, initiate commands, etc. (Reference the 2015 Ukraine power system attack, where operator accounts were used for an online “hijacking” of the human-machine interface (HMI) stations.)
Question: Software revision updates occur regularly. New exposed vulnerabilities may expose a revision. Is there a repository where control system software security status is available?
Question: Can you talk about security implications with automatic updates on always on Microsoft Windows PCs that have security functions, especially process control systems running building automation or door security?
Gosine: I would classify this as part of the recommendations associated with building management systems and Internet of Things (IoT) deployments; planned and scheduled updates are better practice. Know how the updates affect the other parts of the system: do they also need updates or need to re-establish connections after the PC update? You can have minor interruptions depending on the patch updates.
Question: In terms of compliance, can IT policy standards support OT as general documentation?
Gosine: Yes, there are a lot of similarities between the information technology (IT) and OT policies, but also differences. Harmonization within policies, procedures and responses can be achieved. Differences will continue to include security objectives, network segmentation, topology, functional partitioning, user accounts, untested software, etc., but there is a way for industrial control system (ICS) and IT personnel to function together efficiently and provide their organization with the cybersecurity measures required.
Question: Has the move toward Industrial IoT projects greatly increased risk from hard and soft assets?
Bonnette: Yes, the adoption of IIoT creates many more connections, and exposed (untrusted, potentially unprotected) edges outside the visibility of the control system. Some IIoT designs have the potential to create “dual-home” connections which provide potential vector paths for an intruder to gain access into OT networks and systems. This is a key challenge with the rapid adoption and deployment of IIoT and cloud-connected technologies. Endpoint protection and authentication are vital to ensure the integrity of the internal and external devices involved with IIoT deployment. Some IIoT may be isolated in a manner to prevent cyber-physical impact, but still may be a cyber (intellectual property or key business information) risk to the business, as the IP access by the IIoT technology may provide insight or key information about the manufacturing process or technology used in the production enterprise. IIoT may use data acquisition connections, which are amenable to unidirectional firewall (data-diode) technology, but connections which provide “write command,” data, instructions, setpoints or supervisory control must be carefully assessed and designed to ensure they can be appropriately secured.
Question: Is it assumed that all devices operate on a VPN? This was not addressed. In what cases (if any) could the VPN degrade security? Any recommendations on what to look for or avoid?
Bonnette: VPNs were not assumed, and like data or file encryption, virtual private networks (VPNs) can be a “double-edged sword.” If the endpoints are not properly protected and authenticated, a VPN or encryption can be used to obscure traffic or data from inspection by some firewalls, and “harden” malicious payloads or data being exfiltrated from a system. Use of VPN-capable or VPN “cognizant” firewalls, where the firewall has exposure to the native, unencrypted data within the stream or containers, is highly recommended. Best practice is to not extend VPNs through firewalls, but terminate them at the firewall for inspection and monitoring of the conduit traffic. A VPN is only as good as the security of the device (and its users) the data is encrypted on or the VPN originated from.
Question: Are there differences in wired vs. wireless cybersecurity best practices?
Bonnette: Edge protection and defense-in-depth are still principal base models. There are additional considerations in wireless since the edge is considered more exposed, with lesser degrees of physical security layers of protection. Technologies that employ inherent device authentication, locked ACLs and encryption are key tools in wireless systems. Also follow the principles of reducing the attack surface and/or windows of opportunity to compromise the system by not using open, commonly and easily exploited wireless technologies (e.g. Bluetooth – DO NOT use Bluetooth or wireless keyboards, mice, Bluetooth printers. These are easily exploited and pivoted for data, key capture and even keyboard hijacking, even printers.) Software configurable digital radio systems used for SCADA networks are also easily exploited, and must be secured as well. Reference: ISA-TR100.14.01-2011 Trustworthiness in Wireless Industrial Automation.
Question: What are your recommended best sources of cybersecurity information?
Bonnette: NIST, US ICS-CERT, ISA, Automation Federation
- ISA 62443
- ISA 99
- ISA 100 (Wireless).
Question: How do you sell the cybersecurity investment to executive stakeholders to achieve buy-in? How should systems integrators build cybersecurity into their services offerings to help protect the end user (clients)?
Bonnette: Conduct a risk assessment that puts the risk of a cyber compromise into context as a business and physical facility risk. Reference ANSI-ISA 62443-2-4-2018 Security program requirements for IACS service providers – framework for an owner and Control System provider / integrator to come to mutual agreement as to the scope of cybersecurity measures the provider will employ and ensure as part of a provided service (design/build/configure/test/deliver).
Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, email@example.com.
KEYWORDS: Industrial cybersecurity, cybersecurity risk assessment
Industrial cybersecurity webcast looks at what you need to know.
Extra questions about cybersecurity are answered.
What are you doing to reduce cybersecurity risk to an acceptable level?