In my articles last year, I pointed out how companies are not doing enough around cybersecurity and how they have a false sense of security about their industrial control system (ICS) networks, thinking that they are not at risk. If you have read these articles, I hope that you have taken away what I evangelised – understanding that ICS networks are at risk, and acknowledging that ICS network security must form part of the overall cybersecurity plan, and lastly, engaging with your colleagues and convincing them to take steps and to do something about these risks.
During the course of 2018, we will be running a series of articles that will explore in depth some of the key components to ICS cybersecurity within your environments. The first part of this series will focus on risk assessment (RA). In a nutshell, RA will help you understand what your cybersecurity posture currently looks like, and more importantly, help to formulate a gap analysis to identify where your critical areas of exposure lie.
Start with a policy
RA’s can be daunting in ICS environments as most teams do not know where to start – do we start by circulating questionnaires to relevant personnel, and do we understand who those relevant personnel are? Do we start by running a scan to understand our systems, in the hope that we are able to make intelligent decisions based on the raw data that we gain from the scan? These are all valid questions and in our extensive experience, we suggest starting with an ICS cybersecurity policy (ICS CSP).
The ICS CSP is good and fairly inexpensive way of involving the correct personnel and combining all the input into an actionable document. An important component to be defined in the policy is that of a cybersecurity standard for the ICS infrastructure. It could be decided and then defined that one of the well known international cybersecurity standards is adopted, be it NIST 800-82, IEC/ISA 62443-3, NECR CIP, etc., or in some cases, draft and create your own cybersecurity standard based on industry best practices. An important thing to remember here is that the ICS CSP will define the what (not the how) as in what do we require, not how we will achieve it. The how will come further down the line once a risk assessment has been completed in order that we completely understand the environment(s), in order to compile a gap analysis, which identifies where the weak points lie.
Scan the network using passive techniques
The next step would be to perform a scan to help to identify all the assets on the ICS network. Now I’m hearing many readers starting to say: “Hang on, a ‘live scan on my ICS network? That is madness and has the potential to cause havoc with production.”
You would be 100% correct. There is only one way to achieve this and that is by conducting what we call a passive scan, utilising a non-intrusive network tap. One can also achieve this via a span port on the network switch, but in certain instances we have found this to add load to the switch with unexpected consequences. On another note: if anyone, and I don’t care what expert level they are, says that they will achieve this using native IT tools, escort them off the premises as they have no fundamental understanding of how ICS systems function. ICS systems are different to IT systems.
Grass Marlin
There are many great tools out there that can assist in the analysis of the captured data from the network tap. One of the most commonly utilised open source tools, is Grass Marlin. This is a fantastic tool (and it is free) that will help you understand what assets are currently on your network. It does have its limitations though, and some of the commercial tools have more intelligence around the data, such as continuous asset monitoring and vulnerability detection, but we will explore this later in the year.
Once the data has been analysed and put into a readable structure, the next step is to perform a gap analysis against the defined ICS CSP. A gap analysis in an ICS environment can get a bit tricky, as typically, it might be a case of: “We need a firewall, but, since we don’t have one, it will need to be procured and implemented. So what kind of firewall is required? Do we need a unidirectional firewall, or a next-generation type?”
The same would apply to a remote access solution. “We have a remote access solution defined in our ICS CSP, but is it secure and are we using 2 factor authentication (2FA) for strong control of accesses to our network?”
The process described above will help you to define your cybersecurity requirements. It will all be in vain though if the board does not readily accept cyber risk as a fundamental risk to the business. A risk assessment will help assist you to relay this message in a way that they can understand.
Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).
For further information contact Tommy Thompson, +27 (0)11 463 0096, [email protected]
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version