Page 69 - Cyber Defense eMagazine for June 2021
Plan
Planning for ICS Security needs to start with an understanding of the different objectives held by those
responsible for the safety and security of Operational Technology, and of those concerned with
Information Technology, as well as their differing priorities and the implications of these. Make operational
and cyber resilience a common task and goal for all.
The security priorities along which OT and IT are organized are quite often the root cause of
misconceptions, misunderstandings, and incomplete guidelines. As a kind of worst case, the attempt to
force IT rules on OT devices can be devastating (try to roll out a patch to an embedded device providing
a real-time control function for an industrial furnace in a chemical plant just because it is Patch Tuesday).
OT focuses on control and availability as the top priorities and confidentiality as the least, in contrast to
the familiar C-I-A triad of priorities, which holds confidentiality as paramount.
Similarly, there need to be regular information exchanges among all stakeholders about new threats,
new processes, and new or changed assets and applications. The key aspect of these regular reviews is to
share an understanding of any changes to the business as a whole. A new production line improving the
efficiency of a plant can be rendered vulnerable if its connections to the maintenance provider are unknown
or undocumented.
In addition, establish guidance for the ‘emergency case’ that reflects tasks and responsibilities for
systems, assets, and processes. Communication chains and loops will have to be prepared as well.
Do
With the planning and preparation in mind, get some threat & vulnerability intelligence in place. Use
CISA’s ICS alerts and advisories (you can find them here as well) and other additional sources about
vulnerabilities discovered, whether in IT or in OT devices. This intelligence will help you with the daily
task of knowing what to look out for. Share experience with industry peers and your supply chain and learn from
them by participating in regular exchanges.
Depending on your infrastructure, you can use a good vulnerability scanner to detect any of the
vulnerabilities listed in the above-mentioned threat intelligence sources. Caution is advised when doing so, as
network scanning is not suitable for some OT equipment. Use this combined knowledge (vulnerabilities and threat
intel) to establish a Secure Baseline configuration for devices, where the latest firmware / software is
installed with any recommended patches.
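The daily task described above, matching incoming advisories against what you actually run, is mostly bookkeeping, but it has two traps worth showing in code: firmware versions must be compared numerically (as strings, "1.10.0" sorts before "1.9.0"), and the inventory must carry a flag that keeps the scanner away from equipment that must not be probed. The following is an added example written for this article, not code from the magazine or from CISA; every vendor, product, version and advisory id in it is constructed, and the advisory record format (vendor, product, first fixed version) is an assumption rather than CISA's own schema.

```python
"""Match an asset inventory against vulnerability advisories (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    product: str
    firmware: str          # dotted version string as reported by the device
    zone: str              # "IT" or "OT"
    active_scan_ok: bool   # False for equipment that must never be probed on the network


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder id, not a real advisory number
    vendor: str
    product: str
    fixed_in: str          # first firmware version that contains the fix


def parse_version(v: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(device: Device, adv: Advisory) -> bool:
    """Affected when vendor and product match and the firmware is older than the fix."""
    return (device.vendor.lower() == adv.vendor.lower()
            and device.product.lower() == adv.product.lower()
            and parse_version(device.firmware) < parse_version(adv.fixed_in))


def match_advisories(inventory, advisories):
    """Return [(asset_id, advisory_id), ...] for every device/advisory pair that applies."""
    hits = []
    for dev in inventory:
        for adv in advisories:
            if is_affected(dev, adv):
                hits.append((dev.asset_id, adv.advisory_id))
    return hits


def scan_plan(inventory):
    """Split devices into those a scanner may probe and those needing passive/offline checks."""
    active = [d.asset_id for d in inventory if d.active_scan_ok]
    passive = [d.asset_id for d in inventory if not d.active_scan_ok]
    return {"active_scan": active, "passive_only": passive}


# Constructed sample inventory and advisories (ids, vendors and versions are all made up).
INVENTORY = [
    Device("PLC-01", "ExampleVendor", "ControllerX", "2.3.1", "OT", active_scan_ok=False),
    Device("PLC-02", "ExampleVendor", "ControllerX", "2.4.0", "OT", active_scan_ok=False),
    Device("HMI-01", "ExampleVendor", "PanelView", "1.10.0", "OT", active_scan_ok=True),
    Device("SRV-01", "OtherVendor", "Historian", "5.2.0", "IT", active_scan_ok=True),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleVendor", "ControllerX", fixed_in="2.4.0"),
    Advisory("ADV-EXAMPLE-002", "ExampleVendor", "PanelView", fixed_in="1.9.0"),
]

if __name__ == "__main__":
    for asset, adv in match_advisories(INVENTORY, ADVISORIES):
        print(f"{asset} is affected by {adv}")
    print(scan_plan(INVENTORY))
```

With the constructed data only PLC-01 is flagged: PLC-02 already runs the fixed release, and HMI-01 on 1.10.0 is newer than the 1.9.0 fix even though a plain string comparison would say otherwise. The two PLCs land in the passive-only list, which is the hook for the caution in the text about equipment that does not tolerate network scanning.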
Generate shared internal knowledge about all assets, whether IT or OT, involved in the business
processes of your organization, and about how they interact and communicate. Find out which ones depend on
others or provide vital output to other OT machinery, so as to identify critical overlapping paths in data
flow and material flow. Again, this knowledge of essential communication paths should also become part
of the Secure Baseline, with only approved network-accessible ports permitted for each class of device.
Map out the communication network, with an overlay of the business process. If it is not possible for all,
do it for the critical ones, those that have to be kept running – even if degraded – for the company to
continue to generate its output of products and/or services. Assign checkpoints to that map and define what
should be verified at each of these points.
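The two preceding steps, the dependency map with its per-class port baseline and the checkpoints on the critical paths, can be kept as data and checked mechanically. The following is an added example written for this article, not code from the magazine; the asset ids, device classes, dependency edges, approved ports and observed flows are all constructed, and it assumes a simple model in which the asset that consumes another asset's output is also the side that opens the network connection. Given a critical asset, it lists everything upstream of it, turns each documented link on that path into a checkpoint (the connection plus the ports that should be verified there), and compares observed flows against the map and the baseline, flagging both the undocumented maintenance connection the text warns about and a port outside a device class's baseline.

```python
"""Dependency map, critical-path checkpoints and approved-port baseline check (constructed data)."""
from collections import deque

# Constructed inventory: asset id -> device class used to look up the baseline.
ASSET_CLASS = {
    "PLC-01": "plc", "PLC-02": "plc", "HMI-01": "hmi",
    "HIST-01": "historian", "ENG-01": "engineering_ws", "MAINT-VPN": "remote_access",
}

# Constructed dependency edges (provider, consumer): the consumer needs the provider's output
# and, in this model, is the side that opens the network connection.
DEPENDS_ON = [
    ("PLC-01", "HMI-01"),
    ("PLC-02", "HMI-01"),
    ("PLC-01", "PLC-02"),   # PLC-02 consumes a signal produced by PLC-01
    ("HMI-01", "HIST-01"),
]

# Constructed secure baseline: per device class, the only network-accessible ports permitted.
APPROVED_PORTS = {
    "plc": {502},               # Modbus/TCP only
    "hmi": {443},
    "historian": {443, 5432},
    "engineering_ws": set(),    # nothing may be reachable on the engineering workstation
    "remote_access": {443},
}


def upstream(asset, edges):
    """All assets the given asset transitively depends on (breadth-first walk over providers)."""
    providers = {}
    for p, c in edges:
        providers.setdefault(c, []).append(p)
    seen, queue = set(), deque([asset])
    while queue:
        cur = queue.popleft()
        for p in providers.get(cur, []):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def checkpoints(critical_asset, edges, asset_class, approved_ports):
    """Each documented link on the critical path, with the ports to verify at that point."""
    crit = upstream(critical_asset, edges) | {critical_asset}
    return sorted(
        (c, p, sorted(approved_ports[asset_class[p]]))
        for p, c in edges if p in crit and c in crit
    )


def check_flows(flows, edges, asset_class, approved_ports):
    """Compare observed (client, server, server_port) flows against the map and the baseline."""
    approved_paths = {(c, p) for p, c in edges}
    findings = []
    for client, server, port in flows:
        if (client, server) not in approved_paths:
            findings.append(("undocumented_path", client, server, port))
        # An asset missing from the inventory has no approved ports, so every port is flagged.
        if port not in approved_ports.get(asset_class.get(server), set()):
            findings.append(("unapproved_port", client, server, port))
    return findings


# Constructed observed flows, as a passive network monitor might report them.
OBSERVED_FLOWS = [
    ("HMI-01", "PLC-01", 502),
    ("HIST-01", "HMI-01", 443),
    ("ENG-01", "PLC-01", 44818),   # not on the map, and 44818 is outside the PLC baseline
    ("MAINT-VPN", "PLC-02", 502),  # expected port, but an undocumented maintenance connection
]

if __name__ == "__main__":
    print("critical upstream of HIST-01:", sorted(upstream("HIST-01", DEPENDS_ON)))
    for cp in checkpoints("HIST-01", DEPENDS_ON, ASSET_CLASS, APPROVED_PORTS):
        print("checkpoint:", cp)
    for f in check_flows(OBSERVED_FLOWS, DEPENDS_ON, ASSET_CLASS, APPROVED_PORTS):
        print("finding:", f)
```

Keeping the map as explicit edges means the "critical ones" the text singles out are just the upstream set of whichever asset produces the output that must keep flowing, and the checkpoint list follows from it without anyone re-deriving it by hand after a change review. The flow check is deliberately strict: a connection that is not on the map is reported even when it uses a baseline port, because the undocumented link, not the port, is the finding.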
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.