The cyber security checklist
Security measures aim to protect the confidentiality, integrity and availability of an industrial automation and control system (IACS) from being compromised through deliberate or accidental attacks. Paul Gogarty, Cyber Security for Oil & Gas at ABB UK, explains how control system security improvement needs to be a continuous activity.
With a plethora of cyber activity comes the need for a variety of checklists and plenty of advice on how best to tackle the threats to IACS. The common theme that emerges from any such checklist is to pay attention to people, processes and technology. The basic premise is that people, processes, and technology all have a role to play in the cyber security of an IACS.
A key consideration for organisations will include policy. It is important to understand the business risk and analyse and assess the functional needs and security objectives of the organization. The following questions should be considered:
•What security measures are in operation?
•What are the current and planned network structures?
•What are the information and control flows?
•What is the probability of different types of attack?
•What are the consequences of the attack?
•What plans are in place for regular audits of security?
•What training of personnel and partners is available?
•What incident response procedures are in place?
Organisational structures should take cyber security into consideration and it is important to develop an effective security culture by raising levels of awareness of cyber risks and embedding ‘security-aware’ values and behaviours right across an organisation. Demonstrating the link between technical measures, organisational measures and employee behaviours can improve development of a secure working environment.
Developing awareness and commitment to cyber risks is important right up to executive level and for suppliers and customers as well as among control and SCADA engineers. Bridges also need to be built between IT, engineering and operations communities.
With systems and support arrangements increasingly being outsourced, organisations must be confident that vendors and suppliers are aware of security risks, that they operate good practices and have mechanisms in place for alerting customers when new vulnerabilities are discovered.
Practices which should be implemented include the need to define and maintain plans for incident response, including disaster recovery plans. This should include details of the response team personnel, their deputies, roles and responsibilities and full 24/7 contact details.
Procedures should be predefined to possible scenarios with a clear definition of how to identify each scenario with a clear action plan for each. A clear escalation path should be defined along with authorisation requirements for escalation.
A regular review of the organisation, technical systems and installations should be undertaken, against compliance with security policies, procedures and practices. Plans can be enhanced to address the particular characteristics of IACS security incidents and ensuring a rapid response to cyber-attacks.
Security administration must also be tightly managed, with enforcement of strong passwords and good user practices. It is also important to regularly implement all vendor recommended updates for operating systems, application and security related software. Further, every application, user or subsystem should be be restricted to the minimum number of rights for the minimum number of resources necessary to fulfill its purpose. Access to functions or areas that are not implicitly required should be disabled.
Instead of viewing a system as a whole, it should be split down into its discrete logical sections, called zones. Then look at the data connections between the zones. These are called conduits. It is best practice to survey the physically installed system to discover undocumented conduits. It is then possible to assess the function of the devices within each zone for criticality and to identify where to concentrate cyber security resources. The conduits between zones can be assessed and minimised to only those which are necessary.
To select and implement quick wins and longer-term solutions it is important to:
• Remove unauthorised connections.
• Consider more detailed planning for long-term improvements, such as network segregation and implementation of security zones.
• Security mechanisms should not only include defensive and preventive means, but also means for detection and reaction.
• Continuously monitor a system for intrusion attempts to alert to potential threats and take suitable actions, such as isolating an inner network zone from outer networks.
• Keep the trusted network zone relatively small and independent from other network zones. It should form its own domain, and be administered from the inside.
Where possible it is always best to build in security early in a project lifecycle as bolting on security into projects late in the lifecycle of a project is often more difficult and costly. So. security measures need to be incorporated into the specification, design and development of new systems at the earliest possible stage.
Software and hardware implemented security functions should also consider:
• Physically protecting all equipment by ensuring that physical access to computers, network equipment and cables, controllers, I/O systems, power supplies is limited to authorised users.
• Hardening the system by removing or disabling all unnecessary network connections, services, file shares and by ensuring that all remaining functions have appropriate security settings.
• When connecting a trusted network zone to outer networks, make sure that all connections are through properly configured secure interconnections only, such as a firewall or a system of firewalls, which is configured for “deny by default,” i.e. blocks everything except traffic that is explicitly needed to fulfill operational requirements.
• Continuously maintain the definitions of authorised users, user groups, and access rights, to properly reflect the current authorities and responsibilities of all individuals at all times.
• Do not use the system for e-mail, instant messaging, or Internet browsing. Use separate computers and networks for these functions if they are needed.
• Do not allow installation of any unauthorised software in the system.
• Use a virus scanner configured according to the automation system vendor’s recommendations on all system nodes.
• Restrict temporary connection of portable computers, USB memory sticks and other removable data carriers. Computers that can be physically accessed by regular users should have ports for removable data carriers disabled.
• If portable computers need to be connected, e.g. for service or maintenance purposes, they should be carefully scanned for viruses immediately before connection.
• All CDs, DVDs, USB memory sticks and other removable data carriers and files with software or software updates, should also be checked for viruses before being introduced to the trusted zone.
• Continuously monitor the system for intrusion attempts.
Source: Control Engineering Europe - All Articles