I’ve talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps that can be taken with little or no capital expense. We’ll identify some of these low or no-cost actions in this blog series starting with the network perimeter in this post.
First one up is simple: review and document your firewall rules. Do you really know what traffic is allowed between your critical control devices/servers/workstations and other networks? This will cost a little time but no cash outlay. The results are almost always surprising. There will likely be something that can be improved on or holes that can be eliminated — that port that was opened for testing last Fall, or other holes that are no longer needed.
An extension of this first recommendation is to use the information you learned by reviewing firewall rules to update your network diagrams. When I had network security responsibility, I always maintained a firewall-centric diagram in addition to traditional network representations. It would illustrate all the inbound and outbound communication from various security zones. This is extremely useful for communicating in meetings and you get bonus points if you can reproduce relevant parts of it on the whiteboard when needed.
And, for the more advanced crowd, how about an automated process that reports on firewall and router configuration changes? There are commercial products, but this is a no-budget post, so you might want to check out RANCID — not the punk rock band — the free “config differ” software from Shrubbery Networks that logs into your network devices and maintains a history of changes. It will send e-mail alerts if something has changed, which can be incredibly valuable for keeping network admins honest and enforcing change control policies. Just be sure you know what you’re doing when you set up RANCID, because your configs and SSH passwords/keys will be stored on the server.
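To show what the rule review and the config-change alerting look like in practice, here is a small added example (my own script, not RANCID and not code from Shrubbery Networks). It diffs two constructed iptables-save style snapshots the way a config differ would, and flags ACCEPT rules that a review should question: any-source rules and rules whose comment marks them as temporary. The rule text, addresses and comments are made up for illustration.

```python
import difflib
import re

# Constructed sample snapshots in iptables-save style; not output from any real device.
BASELINE = """\
# zone: control-net -> corporate
-A FORWARD -s 10.10.0.0/24 -d 10.20.5.10 -p tcp --dport 502 -m comment --comment "historian modbus" -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 10.20.5.20 -p tcp --dport 443 -m comment --comment "patch server" -j ACCEPT
-A FORWARD -j DROP
"""

# Same zone a few months later: someone opened RDP from anywhere "for testing".
CURRENT = """\
# zone: control-net -> corporate
-A FORWARD -s 10.10.0.0/24 -d 10.20.5.10 -p tcp --dport 502 -m comment --comment "historian modbus" -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 10.20.5.20 -p tcp --dport 443 -m comment --comment "patch server" -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 10.10.0.0/24 -p tcp --dport 3389 -m comment --comment "testing, remove after Oct" -j ACCEPT
-A FORWARD -j DROP
"""

# Words in a rule comment that usually mean "this was never meant to stay".
TEMP_WORDS = re.compile(r"\b(test|testing|temp|temporary|tmp)\b", re.I)


def config_diff(old: str, new: str) -> list:
    """Return the added ('+') and removed ('-') lines between two snapshots,
    dropping the '---'/'+++' file headers and '@@' hunk markers difflib emits."""
    return [
        line for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]


def review_rules(config: str) -> list:
    """Flag ACCEPT rules a reviewer should question, as (reason, rule) pairs."""
    findings = []
    for line in config.splitlines():
        if "-j ACCEPT" not in line:
            continue
        src = re.search(r"-s (\S+)", line)
        if src is None or src.group(1) in ("0.0.0.0/0", "any"):
            findings.append(("any-source", line))  # no source restriction at all
        comment = re.search(r'--comment "([^"]*)"', line)
        if comment and TEMP_WORDS.search(comment.group(1)):
            findings.append(("temporary-rule", line))  # "testing" rule that never got removed
    return findings


if __name__ == "__main__":
    for change in config_diff(BASELINE, CURRENT):
        print("CHANGED:", change)
    for reason, rule in review_rules(CURRENT):
        print(f"REVIEW [{reason}]: {rule}")
```

Run against snapshots pulled from your own devices, the "CHANGED" lines are what an e-mail alert would carry, and the "REVIEW" lines are the starting list for the rule review described above.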