Daniel Ehrenreich, Consultant and Lecturer, SCCE
March 2020
Educating ICS cyber security shall be high on the priority list of top-floor executives. This article explains how to do this.
Introduction
Educating ICS cyber security shall be high on the priority list of top-floor executives. That process shall involve a) ICS operators and engineers, who must expand their cyber security knowledge, b) IT experts, who must learn ICS basics as well as the key topics related to ICS architectures, and finally c) managers, who need to make correct decisions related to the allocation of resources.
Boosting the awareness and knowledge of your workforce is the “P-People” part of the PPT (People-Policies-Technologies) Triad, and it has the highest return on investment. This paper highlights the most important measures and actions for selecting the most appropriate program for your organization.
Differentiating among IT and ICS
Employees interested in becoming ICS cyber security experts must first learn the basic principles. Once they have understood these guidelines, they are a step ahead in dealing with ICS.
Before dealing with cyber security, they must study ICS basics, which primarily focus on layers 0-2 of the Purdue Model. It is important to visit a few field sites to learn the details.
The main difference is that IT experts focus on assuring Confidentiality, Integrity and Availability, whereas ICS experts must focus on Safety, Reliability and Productivity.
Cyber defense measures for IT and ICS are different. While pen-testing of IT may cause an unexpected shutdown, ICS pen-testing might lead to physical damage and risk to lives.
IT experts are constantly patching, updating and upgrading their systems. ICS experts cannot do that, as every change or update represents a risk to operating safety and reliability.
While there is no single cyber defense method that prevents every attack, the best you can do is deploy layered cyber defense combined with the principles of the PPT Triad.
Analyzing Cyber risk factors
Understanding the attack vectors and the attack surface is a key principle. You may correlate these paths with the 7 steps of the LM Industrial Cyber Kill Chain.
Refer to the following:
Non-attack factors: Consider two options which might affect the ICS process: a) failure of a sensor, a PLC or a software bug and b) an incorrect action done by an authorized person.
Negligence of people: Consider actions such as inserting a foreign USB stick, failure to detect a social engineering attack, weak supply chain processes, use of simple passwords, etc.
System oriented attacks: The adversary may attack the ICS through an internal or external utility system in buildings (HVAC, generators, data center cooling, UPS, etc.).
Attacking the ICS: Access to the network through a “backdoor” connection might lead to a MitM position, a DDoS attack on the ICS network, or leaking of information.
Attacking the process: Consider attacks on the HMI, the Engineering station, PLCs and field sensors, which might manipulate the process.
ICS Cyber defense methods
Deployment of cyber defense on ICS shall be selected based on the risk factor, calculated from the probability of occurrence and the impact of the attack.
Adhere to corporate policies related to secured maintenance of the ICS appliances
Deploy hierarchical zoning among segments which must communicate with each other
Use ICS oriented firewalls, a DMZ or a Data Diode between the IT and ICS sections
Use strong authentication prior to connecting any device to the ICS network
Prevent remote access to the ICS unless it becomes mandatory for a critical purpose
Use an IDS for detecting anomalous conditions at levels 0, 1 and 2 of the Purdue Model
Conduct periodic ICS-related assessments and detect hidden vulnerabilities
Perform updates for the OS, antivirus and application programs only after intensive testing
Strengthen the physical security for all field sites which attackers might access
Methods for educating the staff
Experts know well that a very high percentage of “successful” cyber-attacks were possible, and went undetected, due to a lack of awareness and experience. Therefore, educating all personnel shall be considered a mandatory requirement for ICS cyber security awareness.
Operators and ICS maintenance engineers must upgrade their ICS cyber security skills
IT cyber personnel must learn how ICS architectures can be correctly protected
Decision makers must understand this in order to properly approve the budget
Summary
Organizations must have a methodology for educating employees about cyber risk and response. These actions will help you prevent incidents that might risk lives, cause operating outages, damage machinery and severely damage the reputation of your organization, and they will help you comply with regulations. Therefore, management’s attention to ICS cyber security shall be high on the priority list, and investment budgets shall be approved ahead of time.
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts in Israel. He teaches in colleges and presents at industry conferences worldwide on the integration of cyber defense with ICS. Daniel has over 27 years’ experience with ICS and OT systems for electricity, water, gas and power plants as part of his activities at Motorola, Siemens and Waterfall Security.