The US CISA put out a Shields Up advisory in conjunction with Russia’s invasion of Ukraine. It’s probably necessary, as they would have been disparaged if they didn’t, and not terribly useful. The recommendations were primarily the same as they have been recommending previously and on an on-going basis … two-factor authentication, apply security patches, close unused ports, … cyber hygiene. There was one recommendation that was different and applicable to ICS.
If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
I like the idea of creating an ICS focused set of new and different actions to take in a heightened threat environment. Perhaps this is something CISA or ISAGCA could do. I could also see the case where there could be sector specific actions that would be tied to the specific physical process. The keys to make it useful is to not make the list too long and don’t try to cover cyber hygiene / good practice.
Here are some possible entries for an ICS Shields Up List:
Increase Isolation By Disconnecting Systems
There are a number of possibilities in this category:
- Disconnect the connections to the corporate / IT network. If it is periodically required to bring in schedules and recipes, perhaps restrict it to one hour per day.
- Eliminate remote access for convenience. Perhaps increase on site staffing to eliminate the need for remote access.
- Convert your backup control center to a disconnected, warm standby system.
- Disconnect your safety system from your control system. Or otherwise insure that it is configured so an attacker with administrative access on your ICS can’t disable the safety system. (You could argue this is a good practice, but many vendors and guideline documents recommend integration.)
Moving All PLC’s / Controllers To Run Mode
Again, you could argue this is a good practice that should be part of cyber hygiene. In the real world there are many systems that accept the risk of Level 1 being in Program Mode due to the frequency of change or the distance that would need to be covered to turn the physical key.
Eliminating Automation / Moving To Manual
This is taking the CISA Shields Up guidance to the next level. Are there key, high consequence parts of your operation that could be moved to manual operations and still allow your process to function, albeit less efficiently? Do you want to add a secondary manual component to your process to validate an automation reading prior to critical action.
Store Your Latest Backup Offline
Periodically you should be storing your backup offline or in a write once, non-corruptible system so it is not compromised if your ICS is compromised. If you think the threat has risen and you may need the backup, it might be worthwhile to move the latest backup offline.
Increase Your Inventory / Capacity
When a hurricane is coming we stock up on water, make sure the gas tanks and batteries are full, with the expectation that we may need to go without for a while. Some sectors, such as manufacturing, could produce more of their product by running more shifts to increase the inventory in case of an outage. Tank farms could accelerate deliveries to fill up. Reservoirs can be lowered. What would you need to do to lower the impact to your customers if your ICS was out for a week?
Not all of these may be warranted in every Shields Up. This current advisory leads off with, “While, there are no specific or credible cyber threats to the U.S. homeland at this time”. You might want to wait until there is a specific or credible cyber threat.
I’m sure there are more and even better additions to this list. Please include yours in the comments, but remember it shouldn’t be something that is typical practice.