Three steps for performing an ICS security audit

Companies looking to protect an industrial control system (ICS) should audit their assets, network, and data flows to better determine how safe a system is, and what more needs to be done.

08/04/2018


The threat landscape for industrial automation and Industrial Internet of Things (IIoT) systems is evolving as connectivity between disparate devices and networks grows. It is crucial that organizations plan and execute effective defense-in-depth (DID) strategies and invest in the continued evaluation and adjustment of their security measures.

According to Symantec's 2018 Internet Security Threat Report, there's been a 29% increase in industrial control system (ICS) related vulnerabilities over the past year. Given the valuable and safety-critical processes these systems connect and control, security breaches can have expensive, wide-reaching and dangerous implications.Malicious actors have several options for attack once they gain access to an ICS. These include loss of view, manipulated view, denial of control, manipulation of control- and finally-loss of control. These attacks can result in varying consequences that range from minimal interruption to dangerous failures and extended outages. Regardless of initial impact or severity, an unauthorized entry provides opportunity for damage to a company's bottom line-through downtime, loss of intellectual property, and/or loss of market share-and to the safety of its employees and the general public.

With so much at stake, it can be overwhelming to know where to begin. By analyzing ICS assets and processes, companies will better understand threats to safety, reliability, and security. A security audit is a good place to start and should include these three simple steps:

1. Inventory the assets

While it seems simple, most operators do not have a complete view of the assets they need to protect, such as programmable logic controllers (PLCs), human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and others. Categorize assets into classes with common properties and understand the data attributes of each asset. This exercise is a critical starting point because if companies don't know what they need to protect, they won't be able to protect it.

2. Inventory the network

Asset inventory will enable companies to understand the physical assets that are connected to the network. The next step involves understanding how those assets are connected through networking architecture and configuration. Understanding the paths data can take shows how an attacker could get access to this data. A physical and logical map of the enterprise's network will set companies up for success in the third step of the security audit.

3. Inventory the data flows

Understanding data flows is critical. Because many protocols used in industrial automation do not have options for securing traffic, many attacks can be executed without any exploit-simply by having access to the network and understanding the protocol. Understanding the port, protocol, end-points, and timing requirements (deterministic or not) can enable understanding of where data needs to flow over the network assets identified in step 2.

Team members who design and maintain the ICS and the networking infrastructure can do these steps. With these steps complete, there is knowledge of assets, how they are connected, and how data flows across the network to and from each end-point. To get in, attackers would have to violate one of these three known domains. They would need to:

  • Add a new asset to the network
  • Modify the network configuration to gain access to various layers of the network
  • Manipulate an existing device to talk with a new end-point and create a new data flow.

With security, there is no "set it and forget it." Within this constantly evolving threat landscape, the best practices of yesterday are no longer adequate. By starting with a security audit, companies gain essential insights into the assets and data flows within an ICS, readying them to implement a defense-in-depth, ICS cyber security program. With revenue, intellectual property (IP), and human safety on the line, it's more critical than ever that necessary measures be taken to improve ICS security.

Emmett Moore III, CEO, Red Trident Inc.; Jeff Bates, product manager, PTC. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com

MORE INNOVATIONS

KEYWORDS: cybersecurity, industrial control systems, ICS

Cybersecurity attacks against industrial control systems (ICSs) are increasing.

Performing an ICS security audit can help with asset assessment and show where improvements are needed.

An ICS security audit can be performed by any team member involved in maintaining the system or the network infrastructure.

Consider this

What is the most important step when performing an ICS security audit?

References

Symantec, "Internet Security Threat Report, Volume 23." April 2018.



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
October 2018
HMI hardware evolution, Data acquisition strategies, Matching motors and drives, Machine vision advice
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

October 2018
2018 Product of the Year; Subsurface data methodologies; Digital twins; Well lifecycle data
August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
October 2018
HMI hardware evolution, Data acquisition strategies, Matching motors and drives, Machine vision advice
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

October 2018
2018 Product of the Year; Subsurface data methodologies; Digital twins; Well lifecycle data
August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
October 2018
HMI hardware evolution, Data acquisition strategies, Matching motors and drives, Machine vision advice
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

October 2018
2018 Product of the Year; Subsurface data methodologies; Digital twins; Well lifecycle data
August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me