No Enterprise Network / Control System Firewall
Hopefully, you have implemented a firewall capability at the enterprise network / control system perimeter. Consultants use words like best practice, good practice, and recommended practice. There is another term consultants use: “standard of due care”. ISACA defines it as:
The standard of “due care” is that level of diligence which a prudent and competent person would exercise under a given set of circumstances.
Not practicing standard of due care can be considered negligence. You do not want to be in the position of explaining why you are not applying standard of due care administrative or technical controls.
Digital Bond believes an enterprise / control system firewall perimeter with a least privilege ruleset is a standard of due care item. So if you don’t have this firewall in place, and there are still many control systems that don’t, your action is to get this firewall capability in place ASAP.
Existing Enterprise Network / Control System Firewall
For those of you with a firewall in place, use this month to review your firewall ruleset. Firewall rulesets tend to start out tight and loosen over time.
Evaluate each rule.
- Is it still required?
- Are the source and destination IP addresses limited to only the required addresses (least privilege)?
- Are the source and destination ports limited to only the required ports?
- Do any of the rules allow direct communications between the untrusted enterprise network and trusted control system network? (All such communication should pass through a system on a DMZ)
- Can any of the rules that require a large number of IP addresses or ports be tightened by changing the systems or applications?
Eric Byres’ S4 paper on Mean Time-to-Compromise (MTTC) offers an interesting aside to this review. One of the examples Eric uses in his paper is the firewall ruleset review. Specifically, how does a periodic firewall ruleset review increase the MTTC? What is the difference in the MTTC between a six month and an annual firewall ruleset review?
Leading / bleeding edge organizations and early adopters can begin considering additional firewalled security perimeters. Consider:
- A firewall at the perimeter between the control center and IP-based field communications. This would offer significant protection from cyber attacks initiated at a remote field site.
- A firewall at a server perimeter inside the control center perimeter. HMI, engineering workstations and other user PCs would be separated from critical control servers.