The Top 5 ICS Cybersecurity Vulnerabilities


Why is this important?

The boundary under consideration is the electronic division between the industrial control system (ICS) and the enterprise network; think of the servers and switches that sit between the two. This boundary must be protected so that unauthorized activity in critical systems cannot go undetected.

If boundary protection is weak, various threat vectors (pathways) can reach devices that directly support the control process. Any one of these vulnerabilities can cripple your system.

Inadequate boundary protection not only makes unauthorized activity harder to detect; the range of threats also increases significantly when there is no logical separation between the ICS network and the enterprise network or other external systems (e.g. the Internet).

How to fix the problem:

Establish a Demilitarized Zone (DMZ) between the ICS and the enterprise network. The DMZ should have a dedicated “jump server” that permits limited access for enterprise network devices or nodes to reach certain data on the ICS network. The jump server should be hardened (running only essential services) and use unique login credentials.

Jump server access should also have a second, independent layer of logging and monitoring, with the records verified.
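As an added illustration of the DMZ and jump-server design (not code from the original article), the following Python script models the boundary as three zones and a default-deny list of approved flows, and keeps a separate access record for every connection that touches the jump server. The zone addresses, the jump server address, and the approved ports are constructed assumptions.

```python
"""Zone-based boundary policy for the DMZ/jump-server design described above.
Added example, not code from the original article. Zones, addresses, ports and
the approved-flow list are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed network layout (assumption): enterprise LAN, a DMZ that holds only
# the jump server, and the ICS network.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ics": ip_network("192.168.100.0/24"),
}
JUMP_SERVER = ip_address("10.20.0.5")

# Approved flows as (source zone, destination zone, destination port). Anything
# not listed is denied, so no direct enterprise -> ICS path exists at all.
ALLOWED = {
    ("enterprise", "dmz", 22),     # SSH to the jump server
    ("enterprise", "dmz", 3389),   # RDP to the jump server
    ("dmz", "ics", 502),           # Modbus/TCP from the jump server (assumption)
    ("dmz", "ics", 44818),         # EtherNet/IP from the jump server (assumption)
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Default deny: a flow crossing the
    boundary is allowed only through the jump server on an approved port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", "traffic stays inside one zone"
    if dst_zone == "dmz" and ip_address(flow.dst) != JUMP_SERVER:
        return "deny", "only the jump server accepts inbound connections in the DMZ"
    if src_zone == "dmz" and ip_address(flow.src) != JUMP_SERVER:
        return "deny", "only the jump server may originate connections from the DMZ"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dport} is an approved flow"
    return "deny", f"no rule permits {src_zone}->{dst_zone}:{flow.dport}"

def jump_server_access_log(flows: List[Flow]) -> List[str]:
    """Second layer of logging: record every flow that touches the jump server,
    allowed or denied, so jump-server use can be reviewed independently of the
    firewall's own logs."""
    records = []
    for flow in flows:
        if JUMP_SERVER in (ip_address(flow.src), ip_address(flow.dst)):
            verdict, reason = evaluate(flow)
            records.append(f"{verdict.upper()} {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    return records

if __name__ == "__main__":
    # Constructed attempts: a legitimate RDP hop, the jump server reaching a PLC,
    # a direct enterprise -> PLC attempt, and a non-jump DMZ host reaching the ICS.
    sample = [
        Flow("10.10.1.7", "10.20.0.5", 3389),
        Flow("10.20.0.5", "192.168.100.10", 502),
        Flow("10.10.1.7", "192.168.100.10", 502),
        Flow("10.20.0.9", "192.168.100.10", 502),
    ]
    for f in sample:
        print(f, *evaluate(f))
    print("\n".join(jump_server_access_log(sample)))
```

The point of the model is the shape of the rule set: the enterprise side can only ever reach the jump server, the jump server alone can reach the ICS, and every other crossing falls through to the deny at the end. A real firewall ruleset should be checked against exactly those three properties.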


Why is this important?

Once the boundary has been breached and a rogue actor has established internal access, the number of vectors that could be attacked in critical systems increases.

The objective of least functionality is to reduce the services, functions, ports, and protocols on each component to the bare minimum required to support core system operations.

In other words, if the system has been compromised, limit what the bad actor can access or control once inside.

How to fix the problem:

Each ICS network component hardware vendor publishes hardening guidelines and operational requirements. Determine the settings that provide your necessary system functionality and document any exceptions.

Your specific operational requirements will delineate services, ports, protocols, and applications that the system needs to function properly. Restrict all other component and system access to the most basic and necessary requirements.
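As an added example (not the article's own code or any vendor's), the following Python check turns the approach above into something repeatable: an approved baseline of (protocol, port, owning process) derived from the hardening guide, a list of documented exceptions, and a comparison against what a host is actually listening on. The baseline, the exception entry, and the sample `ss -tulnp` output are all constructed.

```python
"""Least-functionality check: compare the services actually listening on an ICS
host with the approved baseline and its documented exceptions. Added example,
not code from the article; the baseline, the exception list and the sample
`ss` output are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str

# Approved baseline derived from the vendor hardening guide (assumption): the
# (protocol, port) a hardened HMI host needs and the process expected to own it.
BASELINE: Dict[Tuple[str, int], str] = {
    ("tcp", 502): "modbus-gw",   # Modbus/TCP gateway (assumption)
    ("tcp", 22): "sshd",         # administrative access via the jump server
    ("udp", 123): "chronyd",     # time sync, needed for usable logs
}
# Documented exceptions: each carries its justification and review cadence.
EXCEPTIONS: Dict[Tuple[str, int], str] = {
    ("tcp", 3389): "vendor remote support; change ticket <TICKET-ID placeholder>; reviewed quarterly",
}

def parse_ss_output(text: str) -> List[Listener]:
    """Parse the columns of `ss -tulnp` output this check uses (Netid, Local
    Address:Port, Process). The header line is skipped."""
    listeners = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        proto, local = parts[0], parts[4]
        port = int(local.rsplit(":", 1)[1])          # works for 0.0.0.0:22 and [::]:22
        process = "?"
        if len(parts) > 6 and '"' in parts[6]:       # users:(("sshd",pid=812,fd=3))
            process = parts[6].split('"')[1]
        listeners.append(Listener(proto, port, process))
    return listeners

def assess(listeners: List[Listener]) -> Dict[str, list]:
    """Sort each listener into approved / mismatch / excepted / unapproved and
    list baseline services that are missing (a dead service is also a finding)."""
    report = {"approved": [], "mismatch": [], "excepted": [], "unapproved": [], "missing": []}
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        entry = (l.proto, l.port, l.process)
        if key in BASELINE:
            # An approved port owned by an unexpected process is a mismatch.
            report["approved" if BASELINE[key] == l.process else "mismatch"].append(entry)
        elif key in EXCEPTIONS:
            report["excepted"].append(entry + (EXCEPTIONS[key],))
        else:
            report["unapproved"].append(entry)
    report["missing"] = [key for key in BASELINE if key not in seen]
    return report

# Constructed sample output (assumption) from an HMI host: note the unapproved
# telnet listener and the documented RDP exception.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502       0.0.0.0:*         users:(("modbus-gw",pid=901,fd=5))
tcp   LISTEN 0      128    0.0.0.0:3389      0.0.0.0:*         users:(("xrdp",pid=1120,fd=7))
tcp   LISTEN 0      50     0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1301,fd=4))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=640,fd=6))
"""

if __name__ == "__main__":
    for section, entries in assess(parse_ss_output(SAMPLE_SS)).items():
        print(f"{section}: {entries}")
```

Run periodically, the "unapproved" and "mismatch" sections are the drift from the hardened state; the "excepted" section is the list that has to be re-justified at each review.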


Why is this important?

Authorized organizational users, including processes acting on behalf of organizational users, must be identified and authenticated.

This is especially difficult when securing accounts of personnel who may have administrator access and who leave the organization or travel to another site within the organization.

The goal is to achieve accountability and traceability for every user account in the event an account becomes compromised.

How to fix the problem:

All accounts with administrator privileges should have unique access credentials, and where applicable, system administrator accounts should be integrated with Active Directory (AD).

Where possible, each user should have an individual account and any shared accounts should be documented explicitly.

When group user accounts are used, such as in a control room setting, a second layer of accountability, such as an access log or key card, should be employed.
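As an added example of the second layer of accountability for a shared control-room account (not code from the article), the following Python script correlates each login to a documented shared account with the key-card events at the control-room door, so that every shared-account session can be attributed to a person or flagged for follow-up. The account names, hosts, time window, and all log records are constructed.

```python
"""Second-layer accountability for a shared control-room account: attribute each
login to the badge holders who entered the room shortly before it. Added example,
not code from the article; accounts, hosts and all log records are constructed."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Documented shared accounts (assumption). Individual accounts are attributable
# on their own and are not correlated.
SHARED_ACCOUNTS = {"ctrlroom"}
WINDOW = timedelta(minutes=10)  # how long before a login a badge swipe still counts

Login = Tuple[datetime, str, str]   # (timestamp, account, host)
Badge = Tuple[datetime, str]        # (timestamp, badge holder)

# Constructed host authentication log.
LOGINS: List[Login] = [
    (datetime(2024, 3, 4, 6, 58), "ctrlroom", "hmi-01"),
    (datetime(2024, 3, 4, 9, 15), "j.doe", "eng-ws-03"),
    (datetime(2024, 3, 4, 14, 2), "ctrlroom", "hmi-01"),
    (datetime(2024, 3, 4, 23, 40), "ctrlroom", "hmi-02"),
]
# Constructed badge-reader log for the control-room door.
BADGE_EVENTS: List[Badge] = [
    (datetime(2024, 3, 4, 6, 51), "a.smith"),
    (datetime(2024, 3, 4, 13, 57), "b.jones"),
    (datetime(2024, 3, 4, 13, 58), "c.wu"),
]

def attribute_shared_logins(logins: List[Login], badge_events: List[Badge], window=WINDOW):
    """For every shared-account login, list the badge holders who entered within
    `window` before it. An empty list means the login cannot be attributed to a
    person and needs follow-up."""
    results = []
    for ts, account, host in logins:
        if account not in SHARED_ACCOUNTS:
            continue
        candidates = sorted({who for bts, who in badge_events if ts - window <= bts <= ts})
        results.append(((ts, account, host), candidates))
    return results

def unattributed(results):
    """Logins with no plausible badge holder: the gaps the second layer must close."""
    return [login for login, candidates in results if not candidates]

def ambiguous(results):
    """Logins with several candidates: the written access log has to resolve these."""
    return [(login, c) for login, c in results if len(c) > 1]

if __name__ == "__main__":
    res = attribute_shared_logins(LOGINS, BADGE_EVENTS)
    for login, cands in res:
        print(login, "->", cands or "UNATTRIBUTED")
    print("unattributed:", unattributed(res))
    print("ambiguous:", ambiguous(res))
```

The unattributed list is the one that matters operationally: a shared-account login with no matching badge event either means the badge records are incomplete or that someone reached the console without passing the door, and both deserve investigation.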


Why is this important?

Physical access devices include things like card readers, USB drives, keys, locks, and combinations.

Even though the organization may be able to apply a certain degree of control over employees and visitors, additional physical security may be required to prevent or monitor ICS component access. In some cases, keys that allow physical access may not be under the facility’s control. This could allow unauthorized personnel to access sensitive areas.

How to fix the problem:

Physical safeguards may come in the form of human guards, physical barriers, cameras, and the physical isolation of specific equipment.

Develop a key management policy with the goal of limiting the number of physical keys that must be tracked.

Ensure that a policy is in place to identify all parties who access remote facilities at all times and treat every alarm as a serious breach until verified to be otherwise.


Why is this important?

When controls are put in place to produce logs of user access, connectivity, and configuration of systems and components, a lot of data is generated.

Without a formalized review and validation of the data that has been collected, unauthorized users or programs may infiltrate the system without detection.

Collected data must be dutifully audited, reviewed and analyzed to report security-related events such as account usage, external connectivity, configuration modifications, and ICS component inventory.

How to fix the problem:

Retain or create a centralized service to collect logs and events system-wide, covering both security information and events that occur on the network.

Define a list of the appropriate events that need to be assessed and formalize the appropriate degree of review, analysis, and responses.
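As an added example of the "list of appropriate events" with a formalized review attached to each (not code from the article), the following Python script runs a small rule set over centrally collected syslog lines, tags each hit with the reporting category the text names (account usage, external connectivity, configuration modification) and its review cadence, and escalates repeated failed logins. The sample log lines, hostnames, addresses, internal network ranges, and rule thresholds are all constructed.

```python
"""Event review over centralized logs: a defined list of events, each with a
reporting category and a formalized response. Added example, not code from the
article; sample log lines, hosts, addresses and rules are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Networks treated as internal for the external-connectivity rule (assumption).
INTERNAL_NETS_RAW = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
from ipaddress import ip_address, ip_network
INTERNAL_NETS = [ip_network(n) for n in INTERNAL_NETS_RAW]

def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

# The event list: (rule name, reporting category, formalized response, pattern).
RULES = [
    ("login-success", "account usage", "daily review",
     re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("login-failure", "account usage", "daily review; escalate on repeats",
     re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("config-modification", "configuration modification", "same-day match to a change ticket",
     re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.*/etc/\S+)")),
    ("external-connectivity", "external connectivity", "immediate investigation",
     re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")),
]

def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a classic syslog line into timestamp, host and message."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    return {"ts": " ".join(parts[:3]), "host": parts[3], "msg": parts[4]}

def review(text: str) -> List[Dict[str, str]]:
    """Apply every rule to every line; each hit becomes a finding that carries
    its category and required response."""
    findings = []
    for raw in text.splitlines():
        rec = parse_syslog(raw)
        if not rec:
            continue
        for name, category, response, pattern in RULES:
            m = pattern.search(rec["msg"])
            if not m:
                continue
            # Outbound traffic that stays internal is not an external-connectivity event.
            if name == "external-connectivity" and not is_external(m.group("dst")):
                continue
            findings.append({"rule": name, "category": category, "response": response,
                             "host": rec["host"], "ts": rec["ts"], **m.groupdict()})
    return findings

def summarize(findings) -> Dict[str, int]:
    return dict(Counter(f["rule"] for f in findings))

def repeated_failures(findings, threshold: int = 3):
    """Escalation rule: the same (source, account) failing `threshold` or more times."""
    counts = Counter((f["src"], f["user"]) for f in findings if f["rule"] == "login-failure")
    return [(src, user, n) for (src, user), n in counts.items() if n >= threshold]

# Constructed sample lines (assumption): an HMI host, a workstation and a DMZ firewall.
SAMPLE_LOGS = """\
Mar  4 06:58:11 hmi-01 sshd[812]: Accepted password for ctrlroom from 10.20.0.5 port 51022 ssh2
Mar  4 07:02:40 hmi-01 sudo: ctrlroom : TTY=pts/0 ; PWD=/home/ctrlroom ; USER=root ; COMMAND=/usr/bin/vi /etc/modbus-gw.conf
Mar  4 07:05:03 fw-dmz kernel: FORWARD OUT SRC=192.168.100.10 DST=203.0.113.7 PROTO=TCP DPT=443
Mar  4 07:09:55 hmi-01 sshd[830]: Failed password for admin from 10.10.4.21 port 40311 ssh2
Mar  4 07:10:02 hmi-01 sshd[830]: Failed password for admin from 10.10.4.21 port 40312 ssh2
Mar  4 07:10:09 hmi-01 sshd[830]: Failed password for admin from 10.10.4.21 port 40313 ssh2
Mar  4 08:00:00 eng-ws-03 sshd[501]: Accepted publickey for j.doe from 10.10.1.7 port 50000 ssh2
"""

if __name__ == "__main__":
    found = review(SAMPLE_LOGS)
    for f in found:
        print(f"[{f['category']}] {f['ts']} {f['host']} {f['rule']} -> {f['response']}")
    print("summary:", summarize(found))
    print("escalations:", repeated_failures(found))
```

What matters is that each rule pairs the event with the review it triggers; the rule list is the written definition the text asks for, and the summary and escalation output are what a reviewer signs off on each day.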
