Two years ago, when I took over my current position as Security Architect in a manufacturing company, one of the biggest challenges my new boss laid out for me was to begin an analysis of our current SCADA/ICS landscape.
Four months after that first day at the office, I was standing in the IoT village at DEFCON 23, watching a hacked ICS system implode a 200-liter steel drum right in front of me. That demonstration turned my newly accepted challenge into something I approached with a lot of enthusiasm, and twice as many questions.
When your IT/InfoSec background is entirely outside manufacturing, things like uptime requirements, complex systems and interaction with the engineering department may be obscure or even unknown to you. The SCADA/ICS landscape introduces a security practitioner to a new dimension of risk, where the way IT is linked to the physical world can have catastrophic ramifications that range from loss of production resources, through major loss of brand reputation, to the loss of human life.
While a SCADA/ICS system might look very familiar, IT-wise, the risk landscape needs to be assessed with new ways of thinking and by engaging new allies to be successful in securing these systems.
What I want to accomplish with this piece is to share, with those new to ICS/SCADA, a collection of tips to help you understand the SCADA/ICS landscape you might have been assigned to.
While the challenge is an extremely attractive opportunity to enhance your Security IQ, it should also be treated with extreme caution:
1. Learn the ropes of Network Scanners and Industrial Systems - Quick
If you’ve never had contact with protocols like Modbus and DNP3, have never seen a PLC or the multi-zone network model for SCADA/ICS, or do not know the most common behavioral pitfalls of network scanners against industrial systems, you need to understand these concepts quickly.
The good news is that, since this sector has become extremely critical nowadays, there are very detailed guides, books, videos and all sorts of resources to help you navigate the seas of industrial control networks.
Engaging your own production engineers is a great way to learn, since they have detailed knowledge of these systems from the inside. Let them know you’re there to work with them and you’ll learn valuable lessons on how production and business processes work.
2. Get Acquainted with ICS/SCADA Topologies
ICS/SCADA topologies follow well-known reference designs (the Purdue model being the most common) that segment the network into layers; at its simplest, three: the business layer, the control layer and the PLC layer.
These topologies allow for effective segmentation of different functions while permitting granular, explicitly allowed communication between the components of an industrial control network.
Once you understand these layered models, it will be easier for you to start analyzing your current environment, the existing design flaws that need to be addressed and the attack surface that your organization possesses.
This analysis will allow you to spot components that are out of place (a business-network host with a direct path to a PLC, for instance) and that represent direct threats to your environment, which then need to be neutralized through patching, redesign or elimination.
NIST’s Guide to Industrial Control Systems (ICS) Security (SP 800-82) is a good starting point: it lays out the security basics of the industrial control arena, including these reference architectures.
3. Determine Your High-Value Industrial Targets and Set Up Monitoring
This will depend on the importance of your operations and the monitoring capabilities that you can set up with your current resources.
SIEM systems are a great fit here because they give you visibility into threats through a wide range of alerts that you can tune to the nature of your ICS/SCADA systems. Review these alerts with engineering personnel so they can confirm whether an alert corresponds to a real degradation of service and help you optimize the rules.
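One alert worth setting up first is the kind described above: a write to a high-value PLC from a host that is not the sanctioned engineering workstation. The script below is an added example, not code from the article or the author; it parses raw Modbus/TCP request frames (the MBAP header plus function code and start address, as the protocol defines them) and applies two rules of the sort you would express in a SIEM: unauthorized writes, and frames that do not parse as Modbus at all (fuzzing, misconfiguration, or a scanner poking port 502). The hosts, PLC names and sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Modbus function codes that change process state (coil/register writes).
# Reads (1-4) are routine; a write from the wrong host is what engineering wants to hear about.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Function codes whose PDU begins with a 16-bit start address we can report in the alert.
ADDRESSED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23}

# Hypothetical policy (not from the article): high-value PLCs and the hosts allowed to write to them.
HIGH_VALUE_PLCS = {"10.20.0.11": "PLC-BOTTLING-01", "10.20.0.12": "PLC-BOILER-02"}
ALLOWED_WRITERS = {"10.10.0.5"}  # the one sanctioned engineering workstation


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # None when the PDU carries no address field


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first bytes of the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, number of bytes that
    follow the length field, i.e. unit id + PDU), unit id (1). PDU: function code (1) + data.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    function_code = frame[7]
    start_address = None
    if function_code in ADDRESSED_FUNCTION_CODES and len(frame) >= 10:
        start_address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(transaction_id, unit_id, function_code, start_address)


def detect(records: Iterable[Tuple[str, str, str, bytes]]) -> List[str]:
    """Apply two SIEM-style rules to (timestamp, src_ip, dst_ip, frame) records.

    Rule 1: a write function code from a host outside ALLOWED_WRITERS.
    Rule 2: a frame that does not parse as Modbus/TCP; that is exactly the traffic
    (fuzzers, misconfigured clients, scanners) that crashes fragile devices.
    """
    alerts = []
    for ts, src, dst, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(f"{ts} MALFORMED_MODBUS {src}->{dst}: {err}")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in ALLOWED_WRITERS:
            target = HIGH_VALUE_PLCS.get(dst, dst)
            alerts.append(
                f"{ts} UNAUTHORIZED_WRITE {src}->{target} "
                f"fc={req.function_code} unit={req.unit_id} addr={req.start_address}"
            )
    return alerts


# Constructed sample traffic: real Modbus/TCP request layouts, hypothetical hosts and timestamps.
SAMPLE_RECORDS = [
    # Engineering workstation reads 10 holding registers (FC 3) from PLC-BOTTLING-01: routine.
    ("2019-03-04T10:12:01Z", "10.10.0.5", "10.20.0.11", bytes.fromhex("00010000000601030000000A")),
    # Engineering workstation writes one register (FC 6) at address 16: allowed.
    ("2019-03-04T10:12:02Z", "10.10.0.5", "10.20.0.11", bytes.fromhex("000200000006010600100001")),
    # A business-network host writes multiple registers (FC 16) at address 32 on the boiler PLC.
    ("2019-03-04T10:12:03Z", "10.1.5.20", "10.20.0.12", bytes.fromhex("0003000000090110002000010203E8")),
    # Same host sends a frame with protocol id 1: not Modbus/TCP, likely probing.
    ("2019-03-04T10:12:04Z", "10.1.5.20", "10.20.0.11", bytes.fromhex("000400010006010300000001")),
]


def run_sample() -> List[str]:
    """Run the rules over the constructed traffic; two alerts are expected."""
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Both rules are whitelist-shaped on purpose: in a control network the set of hosts that should ever write to a PLC is small and known, so "write from anyone else" is a high-fidelity alert that engineering can validate in minutes, which is the review loop the section describes.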
4. Endpoint Protection for Industrial Networks is Crucial
Endpoint communication tells you many stories about what might be happening in your network. If you’re able to monitor performance, traffic and resource utilization on your endpoints and feed that data to a product that analyzes it in real time, you have a winning combination.
Remember that specialized attacks that make use of covert channels are widely used to steal sensitive information like trade secrets and product specifications.
This data lives in the endpoints of your network and can be actively targeted by a determined adversary with enough resources to deploy such malicious tools.
5. Keep a Detailed Asset Inventory to Determine High-Value ICS Targets
An asset inventory should be detailed enough to give you vital information such as OS versions, asset owner, business criticality and physical/logical location.
This asset inventory helps you understand the composition of your infrastructure and can be used to complement other important tools, such as your:
- Business Impact Analysis
- Disaster Recovery/Business Continuity Plans
- Change Control Board
The criticality piece of the inventory helps determine your high-value targets, thus guiding security projects aimed at improving overall protection levels.
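The two checks from sections 2 and 5 above (does each component sit in the zone the layered model expects, and which inventory entries are the high-value targets) can be run straight off the inventory once it carries the fields listed. The script below is an added example, not code from the article or the author; the three-layer address plan, the allowed conduits, the assets and the observed flows are all constructed for illustration. It flags assets whose address contradicts their declared zone, flags flows that skip a layer or involve an uninventoried host, and ranks assets by criticality.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical three-layer address plan; replace with your own zones and subnets.
ZONE_SUBNETS = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "plc": ipaddress.ip_network("10.20.0.0/16"),
}
# Conduits the layered model allows: each layer talks only to its neighbour.
ALLOWED_CONDUITS = {frozenset({"business", "control"}), frozenset({"control", "plc"})}


@dataclass
class Asset:
    name: str
    ip: str
    zone: str
    os_version: str
    owner: str
    criticality: int  # 1 (nice to have) .. 5 (plant stops or safety impact)
    location: str


def check_placement(assets: List[Asset]) -> List[str]:
    """Flag assets whose address is not inside the subnet of the zone the inventory claims."""
    findings = []
    for a in assets:
        subnet = ZONE_SUBNETS.get(a.zone)
        if subnet is None:
            findings.append(f"{a.name}: unknown zone '{a.zone}'")
        elif ipaddress.ip_address(a.ip) not in subnet:
            findings.append(f"{a.name}: inventory says {a.zone} but {a.ip} is not in {subnet}")
    return findings


def check_flows(assets: List[Asset], flows: List[Tuple[str, str]]) -> List[str]:
    """Flag observed (src_ip, dst_ip) pairs that skip a layer or involve an uninventoried host."""
    by_ip: Dict[str, Asset] = {a.ip: a for a in assets}
    findings = []
    for src, dst in flows:
        s, d = by_ip.get(src), by_ip.get(dst)
        if s is None or d is None:
            missing = src if s is None else dst
            findings.append(f"{src}->{dst}: {missing} is not in the inventory")
            continue
        if s.zone != d.zone and frozenset({s.zone, d.zone}) not in ALLOWED_CONDUITS:
            findings.append(f"{src}->{dst}: {s.name} ({s.zone}) talks directly to {d.name} ({d.zone})")
    return findings


def high_value_targets(assets: List[Asset], threshold: int = 4) -> List[str]:
    """Names of assets at or above the criticality threshold, most critical first."""
    chosen = [a for a in assets if a.criticality >= threshold]
    return [a.name for a in sorted(chosen, key=lambda a: (-a.criticality, a.name))]


# Constructed inventory and flow sample (hypothetical names, addresses and versions).
SAMPLE_ASSETS = [
    Asset("ERP-01", "10.1.0.20", "business", "Windows Server 2016", "IT", 3, "DC-A"),
    Asset("HIST-01", "10.10.0.30", "control", "Windows Server 2012 R2", "Process Eng.", 4, "Plant 1 server room"),
    Asset("EWS-01", "10.10.0.5", "control", "Windows 7 SP1", "Process Eng.", 4, "Plant 1 control room"),
    Asset("PLC-BOTTLING-01", "10.20.0.11", "plc", "firmware 2.3.1", "Line 3 lead", 5, "Line 3 panel"),
    # Declared as a control-layer asset but addressed on the PLC subnet: out of place.
    Asset("HMI-LINE3", "10.20.0.40", "control", "Windows XP Embedded", "Line 3 lead", 3, "Line 3 floor"),
]
SAMPLE_FLOWS = [
    ("10.1.0.20", "10.10.0.30"),   # ERP to historian: business -> control, allowed
    ("10.10.0.5", "10.20.0.11"),   # engineering workstation to PLC: control -> plc, allowed
    ("10.1.0.20", "10.20.0.11"),   # ERP straight to a PLC: skips the control layer
    ("10.1.0.99", "10.20.0.11"),   # unknown host reaching a PLC: inventory gap
]


def audit(assets: List[Asset] = SAMPLE_ASSETS, flows: List[Tuple[str, str]] = SAMPLE_FLOWS) -> Dict[str, List[str]]:
    """Run all three checks and return the findings grouped by check."""
    return {
        "placement": check_placement(assets),
        "flows": check_flows(assets, flows),
        "high_value": high_value_targets(assets),
    }


if __name__ == "__main__":
    for check, items in audit().items():
        print(check)
        for item in items:
            print("  ", item)
```

The flow check deliberately treats a host missing from the inventory as a finding rather than ignoring it: an undocumented device talking to a PLC is either an inventory gap or an intruder, and both need a name, an owner and a criticality before the next review.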
6. Determine Critical Production Services and Appliances Prone to Crashes
There may be services and applications that control critical production processes and that are susceptible to crashes due to scanning, patching or blacklisting.
The sensitivity of these services and processes must be assessed with production engineers and vendors in order to avoid disrupting services, damaging equipment or even causing an accident. An older PLC or embedded HMI can fault on nothing more than an aggressive port scan, so agree on maintenance windows and rate limits, and try any scan or patch on a spare or test unit first. This avoids monetary losses from unexpected production downtime.
There are numerous factors to take into consideration when security is added to an ICS/SCADA network, especially for a novice InfoSec practitioner.
But with time, effort and lots of interfacing with production personnel, this can be an experience that yields tons of valuable lessons for the career of any Security Analyst, Engineer or Architect.
Carlos F. Lerma, Senior Information Security Architect, Beam Suntory Inc., holds a bachelor’s degree in Accounting from Universidad Autónoma de Tamaulipas (Ciudad Victoria, Mexico) and a Master of Science in Telecommunications and Network Management from Syracuse University. His research interests are cyber intelligence systems, threat management, SIEM systems and the use of strategic intelligence in information security management.