SlideShare a Scribd company logo

Defending Industrial Control Systems From Cyberattack

Mountain States Engineering and Controls
Mountain States Engineering and Controls

This document outlines seven strategies that can be implemented to defend industrial control systems (ICSs) against cyber intrusions: 1) application whitelisting, 2) proper configuration/patch management, 3) reducing attack surface area, 4) building a defendable environment through network segmentation, 5) managing authentication securely, 6) implementing secure remote access, and 7) monitoring networks and having an incident response plan. The document estimates that implementing these strategies could have prevented 98% of incidents responded to by ICS-CERT in 2014-2015. It concludes that a layered defense approach is needed to protect internal systems and components.

Technology
1 of 7
Download to read offline
1 INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems. Seven Strategies to Defend ICSs Figure 1: Percentage of ICS-CERT FY 2014 and FY 2015 Incidents Potentially Mitigated by Each Strategya a. Incidents mitigated by more than one strategy are listed under the strategy ICS-CERT judged as more effective.
2 If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response. THE SEVEN STRATEGIES 1. IMPLEMENT APPLICATION WHITELISTING Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments. Example: ICS-CERT recently responded to an incident where the victim had to rebuild the network from scratch at great expense. A particular malware compromised over 80 percent of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate on VirusTotal. AWL would have provided notification and blocked the malware execution. 2. ENSURE PROPER CONFIGURATION/PATCH MANAGEMENT Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Such a program will start with an accurate baseline and asset inventory to track what patches are needed. It will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these. Infected laptops are a significant malware vector. Such a program will limit connection of external laptops to the control network and preferably supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems. Example: ICS-CERT responded to a Stuxnet infection at a power generation facility. The root cause of the infection was a vendor laptop. Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks. Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of
3 downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path, and use these to authenticate. Don’t load updates from unverified sources. Example: HAVEX spread by infecting patches. With an out-of-band communication path for patch hashes, such as a blast email, users could have validated that the patches were not authentic. 3. REDUCE YOUR ATTACK SURFACE AREA Isolate ICS networks from any untrusted networks, especially the Internet.b Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path. Example: As of 2014, ICS-CERT was aware of 82,000 cases of industrial control systems hardware or software directly accessible from the public Internet. ICS-CERT has encountered numerous cases where direct or nearly direct Internet access enabled a breach. Examples include a US Crime Lab, a Dam, The Sochi Olympic stadium, and numerous water utilities. 4. BUILD A DEFENDABLE ENVIRONMENT Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communications paths. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.c b. ICS-ALERT-14-063-01AP, Multiple Reports of Internet Facing Control Systems, ICS-CERT 2015. c. Improving Industrial Control Systems Cybersecurity with Defense in Depth, ICS-CERT 2009.
4 Example: In one ICS-CERT case, a nuclear asset owner failed to scan media entering a Level 3 facility. On exit, the media was scanned, and a virus was detected. Because the asset owner had implemented logical enclaving, only six systems were put at risk and had to be remediated. Had enclaving not been implemented, hundreds of hosts would have needed to be remediated. If one-way data transfer from a secure zone to a less secure zone is required, consider using approved removable media instead of a network connection. If real-time data transfer is required, consider using optical separation technologies. This allows replication of data without putting the control system at risk. Example: In one ICS-CERT case, a pipeline operator had directly connected the corporate network to the control network, because the billing unit had asserted it needed metering data. After being informed of a breach by ICS-CERT, the asset owner removed the connection. It took the billing department 4 days to notice the connection had been lost, clearly demonstrating that real-time data were not needed. 5. MANAGE AUTHENTICATION Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence than exploiting vulnerabilities or executing malware. Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties. If passwords are necessary, implement secure password policies stressing length over complexity. For all accounts, including system and non-interactive accounts, ensure credentials are unique, and change all passwords at least every 90 days. Require separate credentials for corporate and control network zones and store these in separate trust stores. Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks. Example: One US Government agency used the same password across the environment for local administrator accounts. This allowed an adversary to easily move laterally across all systems.
5 6. IMPLEMENT SECURE REMOTE ACCESS Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such accesses wherever possible, especially modems as these are fundamentally insecure. Limit any accesses that remain. Where possible, implement “monitoring only” access enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions. Do not allow remote persistent vendor connections into the control network. Require any remote access be operator controlled, time limited, and procedurally similar to “lock out, tag out.” Use the same remote access paths for vendor and employee connections; don’t allow double standards. Use two-factor authentication if possible, avoiding schemes where both tokens are similar types and can be easily stolen (e.g., password and soft certificate). Example: Following these guidelines would have prevented the BlackEnergy intrusions. BlackEnergy required communications paths for initial compromise, installation and “plug in” installation. 7. MONITOR AND RESPOND Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Consider establishing monitoring programs in the following five key places: 1) Watch IP traffic on ICS boundaries for abnormal or suspicious communications. 2) Monitor IP traffic within the control network for malicious connections or content. 3) Use host-based products to detect malicious software and attack attempts. 4) Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls. 5) Watch account/user administration actions to detect access control manipulation. Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and an immediate 100 percent password reset. Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities. Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
6 Example: Attackers render Windows®d based devices in a control network inoperative by wiping hard drive contents. Recent attacks against Saudi Aramco™e and Sony Pictures demonstrate that quick restoration of such computers is key to restoring an attacked network to an operational state. CONCLUSION Defense against the modern threat requires applying measures to protect not only the perimeter but also the interior. While no system is 100 percent secure, implementing the seven key strategies discussed in this paper can greatly improve the security posture of ICSs. DISCLAIMER The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. ACKNOWLEDGMENT This document “Seven Steps to Effectively Defend Industrial Control Systems” was written in collaboration, with contributions from subject matter experts working at the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). d. Windows® is a registered trademark of Microsoft Corp. e. Saudi Aramco™ is an unregistered trademark of Saudi Arabian Oil Company.
7 CONTACT INFORMATION POC Phone e-Mail Department of Homeland Security ICS-CERT 877-776-7585 ICS-CERT@HQ.DHS.GOV Federal Bureau of Investigation Cyber Division - CyWatch 855-292-3937 CyWatch@ic.fbi.gov National Security Agency (Industry) Industry Inquiries 410-854-6091 bao@nsa.gov National Security Agency (Government) IAD Client Contact Center 410-854-4200 IAD CCC@nsa.gov

Recommended

CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
Muhammad FAHAD
 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud project
Petteri Heino
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the Cloud
NetStandard
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
Industrial cyber threat landscape
Industrial cyber threat landscapeIndustrial cyber threat landscape
Industrial cyber threat landscape
bayshorenet
 
Cisco amp everywhere
Cisco amp everywhereCisco amp everywhere
Cisco amp everywhere
Cisco Canada
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
Miguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
Lancope, Inc.
 

Recommended

CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
Muhammad FAHAD
 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud project
Petteri Heino
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the Cloud
NetStandard
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
Industrial cyber threat landscape
Industrial cyber threat landscapeIndustrial cyber threat landscape
Industrial cyber threat landscape
bayshorenet
 
Cisco amp everywhere
Cisco amp everywhereCisco amp everywhere
Cisco amp everywhere
Cisco Canada
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
Miguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
Lancope, Inc.
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
Muhammad FAHAD
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
Dedi Dwianto
 
Network Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure SelectionNetwork Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure Selection
Pramod M Mithyantha
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
Dan Gunter
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
Cisco Canada
 
Cisco amp for networks
Cisco amp for networksCisco amp for networks
Cisco amp for networks
Cisco Canada
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
AlienVault
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagram
Syed Ubaid Ali Jafri
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Splunk
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
MarketingArrowECS_CZ
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
Valery Yelanin
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychik
qqlan
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
azfayel
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
FireEye, Inc.
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
Tom Kopko
 
Piping and Pipeline Accessories - Titan Flow Control, Inc.
Piping and Pipeline Accessories - Titan Flow Control, Inc.Piping and Pipeline Accessories - Titan Flow Control, Inc.
Piping and Pipeline Accessories - Titan Flow Control, Inc.
Mountain States Engineering and Controls
 
Compact Clean Steam Generator
Compact Clean Steam GeneratorCompact Clean Steam Generator
Compact Clean Steam Generator
Mountain States Engineering and Controls
 
Titan Flow Controls Series CV-50 Check Valve
Titan Flow Controls Series CV-50 Check ValveTitan Flow Controls Series CV-50 Check Valve
Titan Flow Controls Series CV-50 Check Valve
Patrick Bryant
 
Rotor Insertion Flow Meter Technical Information
Rotor Insertion Flow Meter Technical InformationRotor Insertion Flow Meter Technical Information
Rotor Insertion Flow Meter Technical Information
Mountain States Engineering and Controls
 
Back pressure valves for industrial process control
Back pressure valves for industrial process controlBack pressure valves for industrial process control
Back pressure valves for industrial process control
Mountain States Engineering and Controls
 

More Related Content

What's hot

The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
Muhammad FAHAD
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
azfayel
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
Tom Kopko
 

What's hot (17)

A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
 
Network Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure SelectionNetwork Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure Selection
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
 
Cisco amp for networks
Cisco amp for networksCisco amp for networks
Cisco amp for networks
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagram
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychik
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
 

Viewers also liked

Heat Exchange Fundamentals for Shell and Tube Units
Heat Exchange Fundamentals for Shell and Tube UnitsHeat Exchange Fundamentals for Shell and Tube Units
Heat Exchange Fundamentals for Shell and Tube Units
Mountain States Engineering and Controls
 
3 A Papermachine Steam Systems Part1
3 A Papermachine Steam Systems Part13 A Papermachine Steam Systems Part1
3 A Papermachine Steam Systems Part1
Nhan Vo Trong
 

Viewers also liked (18)

Piping and Pipeline Accessories - Titan Flow Control, Inc.
Piping and Pipeline Accessories - Titan Flow Control, Inc.Piping and Pipeline Accessories - Titan Flow Control, Inc.
Piping and Pipeline Accessories - Titan Flow Control, Inc.
 
Compact Clean Steam Generator
Compact Clean Steam GeneratorCompact Clean Steam Generator
Compact Clean Steam Generator
 
Titan Flow Controls Series CV-50 Check Valve
Titan Flow Controls Series CV-50 Check ValveTitan Flow Controls Series CV-50 Check Valve
Titan Flow Controls Series CV-50 Check Valve
 
Rotor Insertion Flow Meter Technical Information
Rotor Insertion Flow Meter Technical InformationRotor Insertion Flow Meter Technical Information
Rotor Insertion Flow Meter Technical Information
 
Back pressure valves for industrial process control
Back pressure valves for industrial process controlBack pressure valves for industrial process control
Back pressure valves for industrial process control
 
Sliding Gate Valve With Variable Orifice
Sliding Gate Valve With Variable OrificeSliding Gate Valve With Variable Orifice
Sliding Gate Valve With Variable Orifice
 
Methods of Detecting Water Level in Steam Boilers
Methods of Detecting Water Level in Steam BoilersMethods of Detecting Water Level in Steam Boilers
Methods of Detecting Water Level in Steam Boilers
 
Heat Exchange Fundamentals for Shell and Tube Units
Heat Exchange Fundamentals for Shell and Tube UnitsHeat Exchange Fundamentals for Shell and Tube Units
Heat Exchange Fundamentals for Shell and Tube Units
 
Super high efficiency coalescing filters for compressed air and gas
Super high efficiency coalescing filters for compressed air and gasSuper high efficiency coalescing filters for compressed air and gas
Super high efficiency coalescing filters for compressed air and gas
 
Fluoroseal Sleeved Plug Valves
Fluoroseal Sleeved Plug ValvesFluoroseal Sleeved Plug Valves
Fluoroseal Sleeved Plug Valves
 
Kunkle Safety and Relief Valves Technical Reference
Kunkle Safety and Relief Valves Technical ReferenceKunkle Safety and Relief Valves Technical Reference
Kunkle Safety and Relief Valves Technical Reference
 
BTU Metering Device For Process or Commercial Tenant
BTU Metering Device For Process or Commercial TenantBTU Metering Device For Process or Commercial Tenant
BTU Metering Device For Process or Commercial Tenant
 
Crane FKX 9000 Triple Offset Butterfly Valves
Crane FKX 9000 Triple Offset Butterfly ValvesCrane FKX 9000 Triple Offset Butterfly Valves
Crane FKX 9000 Triple Offset Butterfly Valves
 
OMB Valves USA Product Line Overview
OMB Valves USA Product Line OverviewOMB Valves USA Product Line Overview
OMB Valves USA Product Line Overview
 
Condensate Pumps for industrial steam systems
Condensate Pumps for industrial steam systemsCondensate Pumps for industrial steam systems
Condensate Pumps for industrial steam systems
 
Pressure regulator valves for industrial process control
Pressure regulator valves for industrial process controlPressure regulator valves for industrial process control
Pressure regulator valves for industrial process control
 
Wellhead Valves Technical Data
Wellhead Valves Technical DataWellhead Valves Technical Data
Wellhead Valves Technical Data
 
3 A Papermachine Steam Systems Part1
3 A Papermachine Steam Systems Part13 A Papermachine Steam Systems Part1
3 A Papermachine Steam Systems Part1
 

Similar to Defending Industrial Control Systems From Cyberattack

AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
IJNSA Journal
 
Designing a security policy to protect your automation solution
Designing a security policy to protect your automation solutionDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution
Schneider Electric India
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Editor IJCATR
 
Secure intrusion detection and countermeasure selection in virtual system usi...
Secure intrusion detection and countermeasure selection in virtual system usi...Secure intrusion detection and countermeasure selection in virtual system usi...
Secure intrusion detection and countermeasure selection in virtual system usi...
eSAT Publishing House
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
maribethy2y
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
Ken Flott
 

Similar to Defending Industrial Control Systems From Cyberattack (20)

Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
 
Designing a security policy to protect your automation solution
Designing a security policy to protect your automation solutionDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for Utilities
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
Globally.docx
Globally.docxGlobally.docx
Globally.docx
 
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
 
Ijnsa050214
Ijnsa050214Ijnsa050214
Ijnsa050214
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
Secure intrusion detection and countermeasure selection in virtual system usi...
Secure intrusion detection and countermeasure selection in virtual system usi...Secure intrusion detection and countermeasure selection in virtual system usi...
Secure intrusion detection and countermeasure selection in virtual system usi...
 
INTRUSION DETECTION SYSTEM
INTRUSION DETECTION SYSTEMINTRUSION DETECTION SYSTEM
INTRUSION DETECTION SYSTEM
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
A017130104
A017130104A017130104
A017130104
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud Computing
 
Firewall buyers-guide
Firewall buyers-guideFirewall buyers-guide
Firewall buyers-guide
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
Types of Vulnerability Scanning An in depth investigation.pdf
Types of Vulnerability Scanning An in depth investigation.pdfTypes of Vulnerability Scanning An in depth investigation.pdf
Types of Vulnerability Scanning An in depth investigation.pdf
 

More from Mountain States Engineering and Controls

Design of Fluid Systems - Steam Utilization
Design of Fluid Systems - Steam UtilizationDesign of Fluid Systems - Steam Utilization
Design of Fluid Systems - Steam Utilization
Mountain States Engineering and Controls
 

More from Mountain States Engineering and Controls (20)

Design of Fluid Systems - Steam Utilization
Design of Fluid Systems - Steam UtilizationDesign of Fluid Systems - Steam Utilization
Design of Fluid Systems - Steam Utilization
 
Valves Used in Mining Operations
Valves Used in Mining OperationsValves Used in Mining Operations
Valves Used in Mining Operations
 
Regenerative Turbine Chemical Process Pumps
Regenerative Turbine Chemical Process PumpsRegenerative Turbine Chemical Process Pumps
Regenerative Turbine Chemical Process Pumps
 
Dual Snap Pressure, Temperature and Flow Switches
Dual Snap Pressure, Temperature and Flow SwitchesDual Snap Pressure, Temperature and Flow Switches
Dual Snap Pressure, Temperature and Flow Switches
 
Piston Isolation Valves For Steam and Condensate
Piston Isolation Valves For Steam and CondensatePiston Isolation Valves For Steam and Condensate
Piston Isolation Valves For Steam and Condensate
 
Hydrostatic Pressure Liquid Level Transmitter
Hydrostatic Pressure Liquid Level TransmitterHydrostatic Pressure Liquid Level Transmitter
Hydrostatic Pressure Liquid Level Transmitter
 
Steam Condensate Return Stations
Steam Condensate Return StationsSteam Condensate Return Stations
Steam Condensate Return Stations
 
Breathing Air Purifiers for Commercial and Industrial Use
Breathing Air Purifiers for Commercial and Industrial UseBreathing Air Purifiers for Commercial and Industrial Use
Breathing Air Purifiers for Commercial and Industrial Use
 
Trunnion Mount Ball Valves For Industrial Pipelines
Trunnion Mount Ball Valves For Industrial PipelinesTrunnion Mount Ball Valves For Industrial Pipelines
Trunnion Mount Ball Valves For Industrial Pipelines
 
Thermodynamic Steam Traps for Condensate Removal
Thermodynamic Steam Traps for Condensate RemovalThermodynamic Steam Traps for Condensate Removal
Thermodynamic Steam Traps for Condensate Removal
 
Steam Thermocompressor Technical Information
Steam Thermocompressor Technical InformationSteam Thermocompressor Technical Information
Steam Thermocompressor Technical Information
 
Integrated control valve, sensors, actuator, and controller
Integrated control valve, sensors, actuator, and controllerIntegrated control valve, sensors, actuator, and controller
Integrated control valve, sensors, actuator, and controller
 
Pneumatic Actuators For Industrial Valves
Pneumatic Actuators For Industrial ValvesPneumatic Actuators For Industrial Valves
Pneumatic Actuators For Industrial Valves
 
Natural Gas Dryer for Fueling Station Operations
Natural Gas Dryer for Fueling Station OperationsNatural Gas Dryer for Fueling Station Operations
Natural Gas Dryer for Fueling Station Operations
 
Direct Operated Temperature Regulators
Direct Operated Temperature RegulatorsDirect Operated Temperature Regulators
Direct Operated Temperature Regulators
 
Pneumatic Rack and Pinion Valve Actuators
Pneumatic Rack and Pinion Valve ActuatorsPneumatic Rack and Pinion Valve Actuators
Pneumatic Rack and Pinion Valve Actuators
 
Improved closed loop cooling arrangement
Improved closed loop cooling arrangementImproved closed loop cooling arrangement
Improved closed loop cooling arrangement
 
Three Piece Ball Valves Available With Metal Seats
Three Piece Ball Valves Available With Metal SeatsThree Piece Ball Valves Available With Metal Seats
Three Piece Ball Valves Available With Metal Seats
 
Industrial Linear Electric Actuators for Valves
Industrial Linear Electric Actuators for ValvesIndustrial Linear Electric Actuators for Valves
Industrial Linear Electric Actuators for Valves
 
Trunnion mounted ball valves for industrial applications
Trunnion mounted ball valves for industrial applicationsTrunnion mounted ball valves for industrial applications
Trunnion mounted ball valves for industrial applications
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Defending Industrial Control Systems From Cyberattack

  • 1. 1 INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems. Seven Strategies to Defend ICSs Figure 1: Percentage of ICS-CERT FY 2014 and FY 2015 Incidents Potentially Mitigated by Each Strategya a. Incidents mitigated by more than one strategy are listed under the strategy ICS-CERT judged as more effective.
  • 2. 2 If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response. THE SEVEN STRATEGIES 1. IMPLEMENT APPLICATION WHITELISTING Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments. Example: ICS-CERT recently responded to an incident where the victim had to rebuild the network from scratch at great expense. A particular malware compromised over 80 percent of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate on VirusTotal. AWL would have provided notification and blocked the malware execution. 2. ENSURE PROPER CONFIGURATION/PATCH MANAGEMENT Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Such a program will start with an accurate baseline and asset inventory to track what patches are needed. It will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these. Infected laptops are a significant malware vector. Such a program will limit connection of external laptops to the control network and preferably supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems. Example: ICS-CERT responded to a Stuxnet infection at a power generation facility. The root cause of the infection was a vendor laptop. Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks. Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of
  • 3. 3 downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path, and use these to authenticate. Don’t load updates from unverified sources. Example: HAVEX spread by infecting patches. With an out-of-band communication path for patch hashes, such as a blast email, users could have validated that the patches were not authentic. 3. REDUCE YOUR ATTACK SURFACE AREA Isolate ICS networks from any untrusted networks, especially the Internet.b Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path. Example: As of 2014, ICS-CERT was aware of 82,000 cases of industrial control systems hardware or software directly accessible from the public Internet. ICS-CERT has encountered numerous cases where direct or nearly direct Internet access enabled a breach. Examples include a US Crime Lab, a Dam, The Sochi Olympic stadium, and numerous water utilities. 4. BUILD A DEFENDABLE ENVIRONMENT Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communications paths. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.c b. ICS-ALERT-14-063-01AP, Multiple Reports of Internet Facing Control Systems, ICS-CERT 2015. c. Improving Industrial Control Systems Cybersecurity with Defense in Depth, ICS-CERT 2009.
  • 4. 4 Example: In one ICS-CERT case, a nuclear asset owner failed to scan media entering a Level 3 facility. On exit, the media was scanned, and a virus was detected. Because the asset owner had implemented logical enclaving, only six systems were put at risk and had to be remediated. Had enclaving not been implemented, hundreds of hosts would have needed to be remediated. If one-way data transfer from a secure zone to a less secure zone is required, consider using approved removable media instead of a network connection. If real-time data transfer is required, consider using optical separation technologies. This allows replication of data without putting the control system at risk. Example: In one ICS-CERT case, a pipeline operator had directly connected the corporate network to the control network, because the billing unit had asserted it needed metering data. After being informed of a breach by ICS-CERT, the asset owner removed the connection. It took the billing department 4 days to notice the connection had been lost, clearly demonstrating that real-time data were not needed. 5. MANAGE AUTHENTICATION Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence than exploiting vulnerabilities or executing malware. Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties. If passwords are necessary, implement secure password policies stressing length over complexity. For all accounts, including system and non-interactive accounts, ensure credentials are unique, and change all passwords at least every 90 days. Require separate credentials for corporate and control network zones and store these in separate trust stores. Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks. Example: One US Government agency used the same password across the environment for local administrator accounts. This allowed an adversary to easily move laterally across all systems.
  • 5. 5 6. IMPLEMENT SECURE REMOTE ACCESS Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such accesses wherever possible, especially modems as these are fundamentally insecure. Limit any accesses that remain. Where possible, implement “monitoring only” access enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions. Do not allow remote persistent vendor connections into the control network. Require any remote access be operator controlled, time limited, and procedurally similar to “lock out, tag out.” Use the same remote access paths for vendor and employee connections; don’t allow double standards. Use two-factor authentication if possible, avoiding schemes where both tokens are similar types and can be easily stolen (e.g., password and soft certificate). Example: Following these guidelines would have prevented the BlackEnergy intrusions. BlackEnergy required communications paths for initial compromise, installation and “plug in” installation. 7. MONITOR AND RESPOND Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Consider establishing monitoring programs in the following five key places: 1) Watch IP traffic on ICS boundaries for abnormal or suspicious communications. 2) Monitor IP traffic within the control network for malicious connections or content. 3) Use host-based products to detect malicious software and attack attempts. 4) Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls. 5) Watch account/user administration actions to detect access control manipulation. Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and an immediate 100 percent password reset. Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities. Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
  • 6. 6 Example: Attackers render Windows®d based devices in a control network inoperative by wiping hard drive contents. Recent attacks against Saudi Aramco™e and Sony Pictures demonstrate that quick restoration of such computers is key to restoring an attacked network to an operational state. CONCLUSION Defense against the modern threat requires applying measures to protect not only the perimeter but also the interior. While no system is 100 percent secure, implementing the seven key strategies discussed in this paper can greatly improve the security posture of ICSs. DISCLAIMER The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. ACKNOWLEDGMENT This document “Seven Steps to Effectively Defend Industrial Control Systems” was written in collaboration, with contributions from subject matter experts working at the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). d. Windows® is a registered trademark of Microsoft Corp. e. Saudi Aramco™ is an unregistered trademark of Saudi Arabian Oil Company.
  • 7. 7 CONTACT INFORMATION POC Phone e-Mail Department of Homeland Security ICS-CERT 877-776-7585 ICS-CERT@HQ.DHS.GOV Federal Bureau of Investigation Cyber Division - CyWatch 855-292-3937 CyWatch@ic.fbi.gov National Security Agency (Industry) Industry Inquiries 410-854-6091 bao@nsa.gov National Security Agency (Government) IAD Client Contact Center 410-854-4200 IAD CCC@nsa.gov