Industrial Network Security, Second Edition: Se...
If you have not yet read the first edition of Industrial Cybersecurity, now would be the time to do so. It covers in detail how to get from zero to hero on implementing an industrial cybersecurity program, to define a secure ICS environment and network architecture that fits your organization's needs and requirements.
Industrial Network Security, Second Edition: Se...
The following screenshot shows a typical ICS architecture, following the Purdue model and stretched out across the industrial and enterprise networks of an organization. It will be used as an illustration for the following sections:
Now, I can hear you all say, that is all fine and dandy manipulating values, but surely that cannot be done with modern switched networks and encrypted network protocols. That would be true if those technologies were implemented and used. But the fact is that on most, if not all, ICS networks, confidentiality and integrity of industrial network traffic is of less importance than availability of the ICS. Even worse, for most ICSs, availability ends up being the only design consideration when architecting the system. Combine that with the fact that the ICS communication protocols running on these networks were never designed with security in mind, and you can start to see the feasibility of the scenarios mentioned. Most automation protocols were introduced when computer networks were not yet touching automation devices, for media that was never meant to share data across more than a point-to-point link, so security around authentication, confidentiality of data, or integrity of send commands was never implemented. Later, those point-to-point protocols were adapted to work on communication equipment such as Ethernet, which exposed the insecure protocols to the entire production floor, the plant, or even out to the internet.
Safety systems were initially designed to be standalone and disconnected monitoring systems (think bolt-on, local device/system inspection), but the trend over the past years has been to start attaching them to the industrial network, adding an easy way of (re)configuring them but also exposing them to potential attacks with all the accompanying risks. An ESD could be misused by potential attackers. They could reconfigure the SIS to shut down the system to cause financial loss for the company, or instruct the SIS to not shut down when required as an aim to perform physical damage to the operation, with the disastrous side effect that people's lives are at stake.
Systems typically found in level 3 include database servers, application servers (web, report), file servers, Microsoft domain controllers, HMI servers, engineering workstations, and so on. These types of systems can be found on the Enterprise network as well, but here they interact with the production process and data. The Microsoft domain controller at Level 3, Site Operations, should be used to implement a standalone industrial domain and Active Directory that is in no way tied to the Enterprise domain. Any link from an Enterprise domain to the Industrial Zone can allow the propagation of attacks or malware from the Enterprise Zone down into the industrial environment.
Using this method, they found and compromised other interesting computers, and ultimately made their way onto a system that due to being "dual homed" (connected to two networks: the enterprise network and the industrial network) allowed them access to the industrial environment.
We have started the continued journey into ICS cybersecurity, with a review of what was covered in the first edition of the book. Whereas the first edition was mainly concerned with establishing a secure ICS environment, this second edition will expand upon this with various topics that deal with maintaining a secure environment by observing and monitoring the security posture. I will be using a "from-the-ground-up" approach to explain all this, meaning we will look at security monitoring and the implementation aspects of it in all phases of the ICS environment life cycle. We start with a revised look at the ICS network architecture and the IDMZ in the next couple of chapters.
Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and over 20 years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting, and forensics. After almost two decades of hands-on, in-the-field, and consulting experience, he joined ThreatGEN in 2019 and is currently employed as managing director of threat services and research. His passion lies in analyzing new and existing threats to ICS environments and he fights cyber adversaries both from his home base and while traveling the world with his family as a digital nomad.Pascal wrote the previous edition of this book and has been a reviewer and technical consultant of many security books.
An important aspect of cyber security for critical infrastructure protection focuses on a basic understanding and awareness of real-world threats and vulnerabilities that exist within the industrial automation and control system architectures used in most process industries and manufacturing facilities. These issues face the Distribution Control Systems (DCS) and Supervisory Control and Data Acquisition Systems (SCADA) that comprise most industrial environments, and impact not on the common IT infrastructure like Windows-based computers and network appliances (switches, routers and firewalls), but also embedded "proprietary" equipment such as programmable logic controllers (PLC), remote terminal units (RTU), intelligent electrical device (IED), basic process controllers (BPCS, safety instrumented systems (SIS), operator panels, and ancillary systems that are the basis of most integrated ICS architectures.
Some of the research performed during work on the second edition of "Industrial Network Security" by Eric Knapp and Joel Langill has confirmed some "eye opening" facts that industrial systems are gaining the attention of not only security researchers, but also potential attackers. Data obtained from the former Open-Source Vulnerability Database (OSVDB) shows that through the end of 2014, more than 85% of all ICS vulnerabilities have been disclosed since 2011 - the year following the discovery of Stuxnet. The OSVDB database tracked more ICS vulnerabilities than other sites, including the National Vulnerability Database (NVD) prior to its termination of service on April 5, 2016. The days of "security by obscurity" are gone, and it is now time to realize the importance of implementing security programs specifically tailored for industrial systems and the operational technologies they utilize.
ICS security mangers looking to improve the resilience of their ICS security program can begin by undertaking an official asset inventory with the methodologies described above, and then leveraging and maturing to an active defense position. The objective is to ensure that security controls are in place specifically for industrial control systems, with network and OT and engineering devices visible inside the ICS, in order to be ready for rapid ICS incident triage and the recovery to trusted restore points. The following takeaways can serve as a guide:
Even if your industrial control systems (ICS) or industrial networks are not connected to the Internet, they may still be vulnerable to unauthorized connections. For example, a third-party vendor or an automation engineer may update systems by connecting unauthorized laptops or USB drives to conduct regular maintenance or troubleshooting, which opens the ICS up to insecure access and ultimately makes ICS devices more vulnerable.
Since 2010, there have actually been several sophisticated cyberattacks that targeted ICS networks, such as Stuxnet (targeting PLCs) and Industroyer (targeting circuit breakers). There has also been malware designed to target industrial control devices. This trend indicates that hackers are changing their focus to target industrial sectors, such as oil and gas, energy, and manufacturing, which suggests that attacks on industrial sectors are likely to increase in the future.
Firewalls may provide the first level of protection but they are not 100 percent effective. Moreover, most firewalls are not designed for industrial protocols (for example, Modbus TCP, EtherNet/IP, and PROFINET), so without proper configuration, the firewall may block necessary industrial protocols and shut down industrial control systems. Simply put, implementing firewalls cannot guarantee complete protection for ICS networks. Instead, industrial firewalls should be utilized with layered defenses (the defense-in-depth approach) to protect critical control devices, production lines, and the entire factory. In addition, industrial devices should be frequently updated with security patches to protect against cyberattacks.
Industrial networks and IT networks actually have different business priorities, focus areas, protection targets, and even environmental conditions. Different priorities are also decided by different managers within the same organization. On the IT side, business analysts, CIOs, and IT Architects are the primary decision-makers that plan and manage the IT network and cybersecurity. From their point of view, confidentiality is the top priority. On the OT side, plant managers, COOs, and control engineers are the main decision-makers. From their point of view, production or system availability is the key concern. Therefore, in order for IT-OT integration to succeed, it is important to understand the different business priorities and needs of both IT and industrial control systems. The following figure describes these differences in greater detail.
If not properly addressed, the different priorities of IT and OT networks may even interfere with each other. For example, industrial control systems (i.e., OT networks) are primarily concerned with minimizing system downtime because any downtime can cause significant losses to production. However, common best practices for IT networks include constant security patches and system updates to mitigate the risk of security breaches and data loss. However, constantly updating security patches may be undesirable for industrial control systems because each update disrupts real-time system operations and requires some downtime. 041b061a72