A reader (Paul) wrote in with the following question:
Do you have any recommendations on how to iteratively and pragmatically raise the bar (i.e. security/maturity).
The models I’ve seen push asset inventory/visibility and cyber hygiene to the front, which makes little sense from a risk reduction, risk management standpoint. This and next week’s article will lay out my iterative approach prioritized by efficient risk reduction.
Maturity Level 1: Establish A Security Perimeter
A focus on security perimeters has gone out of fashion, but there is nothing more important to drastically reducing the likelihood of an attack on your ICS. Given that the Level 1 devices and ICS protocols are insecure by design, access to your ICS = compromise. With the compromise only limited by the systems i/o and the engineering and automation skills of the attacker.
There are three parts to this Maturity Level 1 security perimeter.
- Deploy a firewall or one-way device to restrict communication between the enterprise and the ICS (or IT and OT).
Of course this can be done poorly (simply learn the existing communication and write rules to allow all of it) or well (least privilege, ICS DMZ to mediate all enterprise / ICS comms, initiate comms from the ICS zone, avoid plaintext and control protocols through the perimeter, …).
2. Reduce remote access as much as possible and where necessary require two-factor authentication.
Get rid of remote access for convenience. Multiple times I’ve seen engineers with an OT connected computer and a separate IT connected computer at their desk, and they still choose to remote access into OT from their IT computer rather than swivel their chair or get up and walk to an OT connected computer. Also, push data and even HMI displays out to the enterprise if they need to be viewed there, rather than using remote access connections to get the data.
Most recent public compromises of ICS have involved simple username / password authenticated remote access to the ICS. Get the username/password of an engineer or ICS admin and they’re in whenever they want, for as long as they want. Even US Senators are now saying that two-factor authentication for remote access is required after the Colonial Pipeline incident.
3. Security procedures for use of removable media and transient computers.
These need to be in place to address the walk around the cyber security perimeter problem. For a long time, and perhaps even today, removable media and contractor laptops where the most frequent cause of a malicious ICS cyber incident. Most often this was mass market malware walked into and onto the ICS. Close ports, assign ICS dedicated removable media, laptops and tablets, and have a solution and procedure to test anything brought in prior to connecting.
Maturity Level 2: Harden The Attack Path(s)
The security perimeter established to achieve Maturity Level 1 should severely limit what an attacker outside the security perimeter can access. This would include the security perimeter itself, the firewalls and remote access devices. It would also include any cyber assets directly accessible through the security perimeter. This is where your focus on a hardened configuration and near immediate security patching should occur.
If this is more than 5% of your total cyber assets you have done something wrong in establishing your security perimeter.
If you believe you can’t do this because a patch incompatibility could cause an outage you have done something wrong in establishing your security perimeter. Nothing required for operations should be directly accessible from outside the security perimeter.
Note: At this point you have minimized and hardened the attack paths to the ICS from outside the perimeter. Huge. Massive. Risk Reduction.
Maturity Level 3: Setting And Meeting A Recovery Time Objective (RTO), Phase I
An RTO is a business decision, not what the team believes is achievable today or with additional expenditures.
Recovery, the R in RTO, does not always mean recovering any or all of the cyber assets affected by a cyber incident. Recovery is the ability to produce the product or service that the ICS is monitoring and controlling.
Scenarios on what is affected and needs to be recovered can be complex. For Maturity Level 3 assume that everything with an IP address is compromised and needs to be rebuilt.
The appropriate level of management sets the RTO, hopefully based on the consequence criteria in their risk management program. The ICS / OT team determines how to meet the RTO and periodically demonstrate with a high degree of confidence it can meet the RTO.
Next week: Maturity Levels 4 – 6
Note: While the tools that provide assistance with visibility and asset inventory are not yet necessary or recommended to achieve these first three security levels (foreshadowing: not for the next two either), they may be helpful to your cyber asset management program. I have written and predicted that as the market matures you will see asset inventory and other asset management capabilities be split out from the detection products.