Defense in Depth: 4 Essential Layers of ICS Security

3 years ago Bob Covello

It is often said that security is never a one-size-fits-all solution. This is true not only because of the apparently infinite variety of equipment in each organization, but also, and perhaps more importantly, because of the different ways that every organization views security. Some spend a lot of time focusing on physical security, especially those with industrial control systems (ICS). Others are small organizations whose primary concern is personal data theft. There is also everything in between those two ideologies.

Fortunately, the end goal is usually the same for each entity, with the disparities amounting to a misunderstanding of language or some industry-specific phrasing.

An example of that would be someone from the ICS world referring to their log management solution as “the historian,” whereas someone in the commercial vertical knows it as a SIEM. Fundamentally, they do the same thing: gathering up all the activity or event data from devices so that it can be stored and forensically analyzed at a later date.

How can one bridge the jargon gap between industries and explain that, even though one thing might be known by another name, it does not necessarily provide a different function? The time-honored analogy may be the best method.

Although there are broad expanses where security is important, there are four key areas of security concerns that all ICS organizations should maintain.

1. Asset Management

This refers to the consistent management or awareness of devices within an organization, whether that means software, PCs or even hardware devices, such as a PLC on an ICS plant floor. Any entity found within an organization could be vulnerable to compromise, and not knowing what you have is no different than intentionally leaving it unsecured. Ignorance is not bliss.

There was a time when the idea that any device could be a target was looked upon with severe skepticism; however, we have since seen network breaches through seemingly innocuous devices, such as a vending machine and an aquarium thermometer.

Common analogy: Imagine a stranger on the street walks up to you and states that he is planning to break into your house to take an item. You don’t know who he is or even what item he is referring to. The first thing you wonder is: will he get in?

The first thing you do when you get home is to perform an asset assessment. Where are the physical weak points? Perhaps the windows, doors, or maybe the thief has a Santa Claus obsession, planning to use the chimney for access? You apply security measures, but has your haste caused you to overlook anything? Inconsistent monitoring can lead to potential vulnerabilities.

You can apply the same methodology to the items within the house, as well. When was the last time you took inventory of all your household items, or even just the high-value items? Would you be able to work out what was taken a few months later only when you go to get your Rolex watch to find it missing?

The security takeaway: While it is unfeasible to constantly inventory every object in your house, keeping an accurate network inventory is not that difficult. Make sure every device that could potentially be compromised and used as a means of accessing sensitive information is inventoried and maintained. Not knowing what devices are on your network is probably the biggest mistake a lot of organizations make. Remember that this does not always mean physical items. Unpatched and outdated software could create a security gap as well.

The difference between attempting to continually monitor your personal household belongings, and an enterprise’s assets, is that there are automated tools to assist an organization.
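The kind of automated check the paragraph above alludes to, as an added example that is not code from the original article or from any product it mentions: an authoritative inventory is reconciled against what a discovery mechanism (a passive listener, an ARP table snapshot) actually observed. Devices seen but not inventoried, inventoried but not seen, not seen recently, and running software below an approved minimum version are each reported. All device records, addresses, product names and version numbers are constructed for the example.

```python
# Added example: reconcile an asset inventory against observed devices.
# All records, addresses and version numbers below are constructed, not real data.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryRecord:
    mac: str
    hostname: str
    role: str        # e.g. "PLC", "HMI", "historian"
    software: str    # product name as recorded in the inventory
    version: str     # version recorded in the inventory


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    last_seen: date


def parse_version(v):
    """Turn '7.0.3' into (7, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(inventory, observed, approved_min, today, stale_after_days=30):
    """Return a dict of findings: unknown, missing, stale and outdated devices."""
    known = {r.mac: r for r in inventory}
    seen = {o.mac: o for o in observed}
    report = {"unknown": [], "missing": [], "stale": [], "outdated": []}

    # Anything on the wire that the inventory does not know about.
    for mac, obs in seen.items():
        if mac not in known:
            report["unknown"].append(f"{mac} at {obs.ip}")

    for mac, rec in known.items():
        obs = seen.get(mac)
        if obs is None:
            report["missing"].append(rec.hostname)          # inventoried but never observed
        elif (today - obs.last_seen).days > stale_after_days:
            report["stale"].append(rec.hostname)            # observed, but not recently
        minimum = approved_min.get(rec.software)
        if minimum and parse_version(rec.version) < parse_version(minimum):
            report["outdated"].append(
                f"{rec.hostname}: {rec.software} {rec.version} < {minimum}")
    return report


# Constructed inventory ("what we believe we have") and approved minimum versions.
INVENTORY = [
    InventoryRecord("00:11:22:33:44:01", "plc-line1", "PLC", "ctrl-fw", "2.4.1"),
    InventoryRecord("00:11:22:33:44:02", "hmi-line1", "HMI", "hmi-suite", "7.0.3"),
    InventoryRecord("00:11:22:33:44:03", "historian", "historian", "hist-db", "12.1"),
]
APPROVED_MIN_VERSION = {"ctrl-fw": "2.4.1", "hmi-suite": "7.1.0", "hist-db": "12.1"}

# Constructed observations ("what is actually on the network").
TODAY = date(2022, 9, 20)
OBSERVED = [
    Observation("00:11:22:33:44:01", "10.10.1.11", TODAY),
    Observation("00:11:22:33:44:02", "10.10.1.12", TODAY - timedelta(days=3)),
    Observation("00:11:22:33:44:09", "10.10.1.77", TODAY),   # never inventoried
]


def run_demo():
    return reconcile(INVENTORY, OBSERVED, APPROVED_MIN_VERSION, TODAY)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items}")
```

In a real deployment the inventory would come from the CMDB and the observations from whatever discovery mechanism the site already runs; the point is that the reconciliation is a small, repeatable job that can run on a schedule rather than a manual audit.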

2. Network Segmentation

Network Segmentation is critical to good security hygiene, as it segregates internal networks from each other. If someone were to access your network illegally, network segmentation could help keep them limited to the zone or area that they have accessed, thereby limiting the damage they could cause.

The benefits of this control may seem obvious, but many organizations, both commercial and industrial, still have “flat” network topologies. Usually, this is just a result of organizational growth. This is particularly true in ICS organizations. The primary concern at industrial facilities has always been physical security. However, as more and more IoT devices are introduced into these networks, this has now become an attack vector that needs to be addressed.

Common analogy: Imagine your family comes over to visit during the winter holidays, and during their visit, they ask you for your local Wi-Fi password.

Obviously, you will disclose the password, since you (hopefully) trust your family members. However, if you have not enabled the guest network, you are then allowing any device into the same network where you conduct your personal business. The problem here is that these guest devices may store the Wi-Fi password, and if one of those devices is already compromised, it has the same access as any other device on the network. This could extend to compromising the computer on which you perform your banking transactions.

Assuming that your security measures are strong enough is not good enough these days, as the weakest link could be someone else connected to the network. The best solutions would be to say no to your family member, to change the password on your Wi-Fi network when they leave, or to enable segmentation (a guest network) that only has access to limited resources. This would prevent any compromised devices from accessing the internal, sensitive network.

The security takeaway: Segment as many devices as possible. Understandably, segmenting networks and installing firewalls and other protective technologies can be an expensive effort; however, not doing so could cost more in the long run if a breach occurs.
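To make the difference between a flat and a segmented topology concrete, here is an added example (not code from the original article or from any product it mentions) that checks observed flows against a zone-and-conduit allowlist. Zones are address ranges, conduits are the only cross-zone (source zone, destination zone, port) combinations permitted, and anything else is reported. The same flows evaluated against a single flat zone produce no findings at all, which is exactly why a flat network gives an intruder free movement. Zone names, address ranges, ports and flows are all constructed.

```python
# Added example: evaluate observed flows against a segmentation policy.
# Zone map, conduits and flows are constructed for illustration.
import ipaddress

# Constructed zone map: which address range belongs to which zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "guest": ipaddress.ip_network("10.9.0.0/24"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),
}

# A "flat" topology for comparison: everything lives in one zone.
FLAT = {"flat": ipaddress.ip_network("10.0.0.0/8")}

# Allowed conduits between zones: (source zone, destination zone, destination port).
# Traffic that stays inside one zone is allowed; any other cross-zone flow is a violation.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443),   # users reach the historian's web front end in the DMZ
    ("dmz", "control", 502),      # the DMZ historian polls PLCs over Modbus/TCP
}


def zone_for(ip, zones=ZONES):
    """Map an address to its zone name, or 'unknown' if no zone covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(flows, zones=ZONES, allowed=ALLOWED_CONDUITS):
    """flows: iterable of (src_ip, dst_ip, dst_port).
    Returns the flows the policy does not permit, annotated with their zones."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_for(src, zones), zone_for(dst, zones)
        if src_zone == dst_zone and src_zone != "unknown":
            continue                      # intra-zone traffic is allowed
        if (src_zone, dst_zone, port) not in allowed:
            violations.append((src, src_zone, dst, dst_zone, port))
    return violations


# Constructed flows, e.g. summarised from firewall or flow logs.
FLOWS = [
    ("10.1.4.20", "10.2.0.10", 443),   # enterprise desktop -> DMZ web: allowed
    ("10.2.0.10", "10.3.0.5", 502),    # DMZ historian -> PLC: allowed
    ("10.1.4.20", "10.3.0.5", 502),    # enterprise desktop talking Modbus to a PLC: violation
    ("10.9.0.33", "10.1.4.20", 445),   # guest device reaching an enterprise host: violation
    ("10.3.0.5", "10.3.0.6", 502),     # PLC to PLC inside the control zone: allowed
]


if __name__ == "__main__":
    print("segmented:", check_flows(FLOWS))
    print("flat:", check_flows(FLOWS, zones=FLAT))
```

Running the check over the flat zone map returns an empty list: with no zone boundaries there is nothing for the policy to refuse, which is the state the article describes as the result of unplanned growth.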

3. Vulnerability Assessment

A vulnerability assessment looks for known weaknesses within an entity. Having visibility on where your potential weak points are within your organization is critical to not only preventing potential attacks, but also to maintaining operational effectiveness.

Most people only think of vulnerability assessment as a way to alert about security holes. However, a device that is open to receiving unexpected input could also go offline simply because it is overloaded with information. This is more commonly seen within the ICS industry, and obviously, having a device such as a PLC go offline during a manufacturing plant run could be devastating in some cases.

Being able to see where all the potential security holes might be on the device, and also what applications or services are running, could be a major benefit for an organization to determine the potential risk it poses.

Common analogy: Imagine you own a convenience store, and you are locking up for the evening. A simple scan of the area would indicate that all the access points to the store are closed and locked. Part of that inspection would also include any basement or roof access points. Of course, locking the safe would also be an important part of this evening assessment, as well as leaving the cash register empty with the cash drawer fully open to show any casual thieves that no money is present. As a final step, the motion detectors and alarm system would be set and turned on, and then the store could be locked up.

If you had to contemplate that any one of your security systems was not working, what would your action be to correct the problem before you could consider the store safe to leave unattended? This impromptu risk assessment is an important part of business operations.

The security takeaway: Every organization should have some form of vulnerability assessment in place. However, having a solution should not be considered a security panacea, as you need more than just a notification tool. Imagine how much more effective your organization could be if each vulnerability were detected and then displayed with the recommended remediation advice, such as which patch would resolve the security flaw.

This would save your team hours of research time and effort. Another important point is to separate the vulnerability assessment tool from the patch management solution. It should not be assumed that a security flaw has been remediated purely because a patch version has been found on the device. Sometimes, a patch will be run on a system and seem to be 100 percent successful, but when scanned for risks again, certain vulnerabilities are still present.

A great practice would be to use your vulnerability solution to detect the risk, have it inform the patch management solution to run the recommended patch, and in turn kick off a new scan from the vulnerability solution to verify that everything has been remediated, i.e., let the two tools double-check each other’s work.
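The scan, patch, rescan loop just described, as an added example that is not code from the original article or from any vendor it mentions. The scanner deliberately assesses the version that is actually loaded in each running service rather than the version recorded on disk, so the rescan after patching still reports the weakness until the service is restarted. That is the situation the text warns about: the patch log says success, the assessment disagrees. Advisory identifiers, component names and version numbers are constructed placeholders, not real advisories.

```python
# Added example: scan -> patch -> rescan over constructed data. Advisory ids are
# placeholders (not real CVEs); components and versions are invented for the demo.
from dataclasses import dataclass, field


@dataclass
class Advisory:
    advisory_id: str   # placeholder id
    component: str
    fixed_in: str      # first version that is no longer affected


@dataclass
class Host:
    name: str
    installed: dict = field(default_factory=dict)   # component -> version on disk
    running: dict = field(default_factory=dict)     # component -> version actually loaded
    patch_log: list = field(default_factory=list)   # what patch management recorded


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def scan(host, advisories):
    """Assess what is actually running, not what the patch log claims."""
    findings = []
    for adv in advisories:
        running = host.running.get(adv.component)
        if running is not None and parse_version(running) < parse_version(adv.fixed_in):
            findings.append((adv.advisory_id, adv.component, running))
    return findings


def apply_patch(host, component, version):
    """Patch management updates files on disk and records success; the running
    service keeps the old code until it is restarted."""
    host.installed[component] = version
    host.patch_log.append((component, version))


def restart(host, component):
    host.running[component] = host.installed[component]


def remediate_and_verify(host, advisories):
    """Returns (findings before, findings after patching, findings after restart)."""
    before = scan(host, advisories)
    for adv_id, component, _ in before:
        fixed = next(a.fixed_in for a in advisories if a.advisory_id == adv_id)
        apply_patch(host, component, fixed)
    after_patch = scan(host, advisories)      # rescan: old code is still running
    for _, component, _ in after_patch:
        restart(host, component)               # the missing step the patch log hid
    after_restart = scan(host, advisories)     # rescan again to confirm
    return before, after_patch, after_restart


ADVISORIES = [
    Advisory("ADV-0001", "opc-server", "3.2.0"),
    Advisory("ADV-0002", "web-hmi", "1.9.4"),
]


def demo_host():
    return Host("hmi-line1",
                installed={"opc-server": "3.1.7", "web-hmi": "1.9.4"},
                running={"opc-server": "3.1.7", "web-hmi": "1.9.4"})


if __name__ == "__main__":
    host = demo_host()
    before, after_patch, after_restart = remediate_and_verify(host, ADVISORIES)
    print("before:", before)
    print("after patch (not yet restarted):", after_patch)
    print("after restart:", after_restart)
    print("patch log:", host.patch_log)
```

The second scan is the important one: a workflow that closed the ticket as soon as `apply_patch` returned would have left the vulnerable code running, and only the independent rescan exposes that.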

4. Continuous Monitoring

Continuous monitoring should hold the highest priority when it comes to security hygiene. People often don’t know where to start with this and are usually directed to frameworks that can assist. Most frameworks across all industries emphasize that the first security step is asset discovery. Once that is achieved, continuous monitoring, and in particular configuration management and integrity monitoring, should be deployed for all devices.

Integrity monitoring is commonly referred to as File Integrity Monitoring (FIM), but the “file” aspect is not strictly true, as monitoring should cover all elements found within the organization, not just files. If you were able to see when a change occurs within a critical configuration and were able to react in real time, any damage could be prevented.

Common analogy: Imagine you owned a small sweet shop in the middle of town and decided not to spend money on a security device such as a CCTV camera. One day, a school bus stops by and all the children enter the shop in one large group. Obviously, your attention is pulled in all directions, and there is a lot of activity. When everyone has left, you notice that a jar of your most expensive sweets has been halved, and you don’t recall selling a single item that day. You decide to go through your receipts to see if you have just forgotten or missed that transaction during the rush. This would be equivalent to looking through your log data for certain activities.

Sadly, you are correct, and there were no sales of that particular sweet that day. So, as you and most organizations used to do, you just sweep it under the rug and promise to yourself to be more vigilant next time. Now, imagine that you had installed a CCTV camera. You would easily be able to see who not only opened the jar (a configuration change), but that the content of the jar was being altered (an integrity change).

On a grander scale, this is what a large supermarket does by installing CCTV cameras and hiring people to monitor them in real-time in the back office. As a person attempts to pass the point of sale without paying for the stolen goods, the security team could react and stop them.

The security takeaway: The above analogy seems obvious, and we know people have been using this type of security for years. It underscores the need for integrity and configuration management, even over vulnerability management. It is reasonable to assume that not much damage can take place on a network unless someone makes an actual change, and a change is precisely what integrity and configuration monitoring detect.
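The CCTV camera from the analogy, as an added example (not code from the original article or from any product it mentions): a baseline-and-compare monitor that records a hash of every file under a directory and, for designated configuration files, the individual key/value settings. Comparing a later snapshot against the baseline reports files that were added, removed or altered (the jar's contents changed) and, separately, which configuration key changed from what to what (the jar was opened). The directory layout, file names and settings are constructed inside a temporary directory so the example runs offline.

```python
# Added example: minimal baseline-and-compare integrity monitor for files and
# configuration keys. File names, contents and settings are constructed.
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_config(path):
    """Parse simple key=value lines so changes can be reported per setting."""
    settings = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings


def baseline(root, config_files=()):
    """Snapshot: hash of every file under root, plus parsed settings of config files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_file(full)
    configs = {rel: parse_config(os.path.join(root, rel))
               for rel in config_files if rel in files}
    return {"files": files, "configs": configs}


def compare(old, new):
    """Diff two snapshots into integrity changes and configuration changes."""
    report = {"added": [], "removed": [], "modified": [], "config_changes": []}
    for rel in sorted(set(old["files"]) | set(new["files"])):
        if rel not in old["files"]:
            report["added"].append(rel)
        elif rel not in new["files"]:
            report["removed"].append(rel)
        elif old["files"][rel] != new["files"][rel]:
            report["modified"].append(rel)
    for rel, settings in new["configs"].items():
        previous = old["configs"].get(rel, {})
        for key in sorted(set(previous) | set(settings)):
            if previous.get(key) != settings.get(key):
                report["config_changes"].append(
                    (rel, key, previous.get(key), settings.get(key)))
    return report


def demo():
    """Build a constructed device directory, baseline it, tamper, and compare."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "plc.conf")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("mode=run\nwrite_protect=on\n")
        with open(os.path.join(root, "logic.bin"), "wb") as f:
            f.write(b"\x01\x02\x03")
        before = baseline(root, config_files=("plc.conf",))

        # Simulated changes: a protection flag flipped, logic altered, an extra file dropped in.
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("mode=run\nwrite_protect=off\n")
        with open(os.path.join(root, "logic.bin"), "wb") as f:
            f.write(b"\x01\x02\xff")
        with open(os.path.join(root, "extra.dll"), "wb") as f:
            f.write(b"unexpected")
        after = baseline(root, config_files=("plc.conf",))
        return compare(before, after)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

A production monitor would take its baseline from a known-good state, store it off the monitored host, and raise an alert on the first comparison that differs; the logic of the comparison is no more involved than this.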

In Conclusion

The idea of starting with change management could be seen as controversial; however, it is important to stress that all types of security measures should be in place, as they each offer their own value and benefits when working together. All four (FIM, configuration management, log management, and vulnerability assessment) should be adopted in parallel for a full security picture to be achieved. Network segmentation is also vital to limit the possible scope of damage.

Leaving any of those items out would leave a gap for some malicious actors to exploit.

The Tripwire ICS Security Suite extends to each of the critical layers I have discussed above. With Tripwire Log Center and Tripwire Enterprise with Tripwire Data Collector, you’ll have the assurance of interconnected, automated, highly visible ICS security best practices. When your OT environment’s security system is running smoothly, you can put your focus where you want it: on safety, quality and productivity.

The post “Defense in Depth: 4 Essential Layers of ICS Security” appeared first on TripWire.

Source:TripWire – Bob Covello
