IT in Manufacturing


Industrial control system cybersecurity

May 2018 IT in Manufacturing

In the last two articles we covered risk assessments and asset discovery and vulnerability management, which are the first two steps in understanding and securing ICS systems. ICS environment hardening is the next part in our series on Cyber Security in ICS Environments. If you read the second article (http://www.instrumentation.co.za/59392n), we have already started the hardening process by patching and identifying vulnerabilities across our systems. In a nutshell, ICS environment hardening is the process to improve system and asset security by removing unnecessary components/services from the environment. This can be performed for an ICS network, an ICS device, an ICS operating system, or a single ICS application.

Reducing the risks

ICS environment hardening means changing the standard configuration of a networked ICS device to reduce or eliminate a potential risk. The most effective way of doing this is to securely configure the operating systems, restrict user accounts, secure applications and implement application whitelisting, and hardening networked devices like switches, firewalls, etc.

To reduce these potential risks, only services that are deemed essential or critical for use in a control system environment, for operations or maintenance, should be enabled. All other unused services in operating systems are possible entry points for cyber criminals to exploit. As an example, if you are not using services like FTP, SSH, SNMP, etc., disable them. If we delve a little deeper, most ICS environments will have some flavour of Linux OS and some version of Microsoft running in their environment, with certain applications running on these systems. By default, these systems come out the box insecure (default user accounts, limited/no patches, etc.), and they need to be hardened. Some PLCs also come prebuilt with web servers running, and unless it is a business/processing requirement to have web access to that PLC, the web server should be disabled. There are many tools and resources that can assist in the hardening process. The Centre for Internet Security (CIS) is strongly recommended as a starting point as it is a great resource for hardening guides, tools and more importantly benchmarking tools. CIS is generally free to use and these tools are developed and maintained by leading international cybersecurity experts. The Nessus tool from Tenable (mentioned in article 2) is another great tool that can assist in identifying configuration problems and baselining. There are also some freeware tools such as Linux Bastille and SELinux that are available. It is also recommended to engage with your ICS vendor(s) as many of them have released cybersecurity guides for their specific systems.

In addition to disabling services and features, it is also vitally important to make sure that the necessary user accounts only have the applicable permissions (and that unnecessary permissions are removed) in order for operators and engineers to perform their daily tasks. Default usernames should also be disabled (if possible) and on networking devices such as routers, switches, etc., default usernames and passwords should be disabled and/or changed. A strong identity and access management (IAM) solution combined with an effective privilege access management (PAM) solution will help to achieve this. Whilst both solutions are capable of running as standalone systems, it is strongly recommended to have these integrated. Most of the commercially available tools cater for UNIX/Linux, MAC and Microsoft systems along with support for most of the major ICS vendors.

Whitelisting

Application whitelisting (AW) is another step that aids the overall cyber security posture of an ICS environment. AW defines which applications and which files are known to be ‘good’, unlike an AV solution that defines what applications and files are known ‘bad’. The crux of an AW tool works by uniquely identifying an application by either a file name, the file size, the file path, and/or the SHA1 hash value. The better tools will use a combination of the above as it is more secure. Cyber criminals can replace a whitelisted application filename with a malicious one of the same name, but if the application has a hash value, it is more difficult to achieve this. Based on fingers getting burnt, it is also recommended to roll-out an AW tool in stages.

As a cautionary note, an AW tool can add latency to the system, so comprehensive testing is strongly recommended. Besides implementing an AW solution, it is also critically important to make sure that applications like databases are also secure, and that file systems have the correct permissions. Database security is an article on its own, but it is very well documented for both ICS and IT systems.

Conclusion

In ending, it is highly recommended to start with an established cybersecurity template from CIS/ISA/etc, instead of creating your own one. The main reason for this is that the more functions you change or configure, the more likely you are to break something. Many templates that are available from the likes of CIS/ISA/etc, have already been thoroughly tested and the bugs and kinks have been worked out. In theory, a system with a reduced amount of functions will have less risk and be more secure than a system with more functions.

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Optimising the product design process
Siemens South Africa IT in Manufacturing
OPmobility is partnering with Siemens to adopt its Teamcenter X Product Lifecycle Management software. OPmobility’s increasingly complex products now include electronics and software, to create energy storage systems, which include battery and hydrogen electrification solutions and fuel tanks.

Read more...
Smart milling for resilient, sustainable food production
IT in Manufacturing
As the global demand for food continues to rise due to increasing urbanisation, the milling industry faces the challenge of balancing efficiency with sustainability. Bühler is committed to making milling more energy-efficient while maintaining high operational performance. Its solutions allow mills to reduce energy costs and ensure long-term sustainability.

Read more...
The evolving landscape of data centres in the age of AI
Schneider Electric South Africa IT in Manufacturing
The data centre industry is undergoing a period of rapid transformation, driven primarily by the explosive growth of AI. It’s clear that the demands of AI are reshaping the very foundations of data infrastructure. This isn’t merely about incremental upgrades; it’s a fundamental shift in how we design, power and operate these critical facilities.

Read more...
SA Food Review
IT in Manufacturing
Food Review is a monthly trade journal for South Africa’s food and beverage manufacturing industry, for industry professionals seeking detailed information on trends, technologies, best practices and innovations.

Read more...
Keeping an eye on oil consumption with moneo
ifm - South Africa IT in Manufacturing
Manufacturing companies in the metal industry need oils and other fluids that are consumed by their machines. To make this consumption transparent and to establish a link to the ERP system, Arnold Umformtechnik relies on the IIoT platform, moneo, in combination with the SAP-based software solution Shop Floor Integration (SFI) – both from ifm.

Read more...
AI accelerates energy transformation
RJ Connect IT in Manufacturing
With the rapid expansion of generative AI applications, data centre power demand is reaching unprecedented levels.

Read more...
Revolutionising mining operations with MineOptimize
IT in Manufacturing
Now more than ever, mining and mineral processing companies need to boost productivity, ensure safety, and protect the environment. ABB’s comprehensive electrification, automation and digital solutions portfolio is ideally positioned to meet these challenges across all mining processes, from mine to port, transforming performance in a digital world.

Read more...
Buildings in Africa’s urban evolution
Schneider Electric South Africa IT in Manufacturing
Africa is now an urban continent. How does the continent mobilise to accommodate urban dwellers and maintain and implement critical infrastructure that allows for this expansion? Building management systems provide a tangible solution to optimise resource use, lower operations costs and ultimately contribute to a growing continent that also employs green practices.

Read more...
TwinCAT Vision functionality extended
Beckhoff Automation IT in Manufacturing
The image processing and camera integration capabilities of Beckhoff’s TwinCAT 3 Vision software have been expanded.

Read more...
Automation software to future-proof your operations
Adroit Technologies IT in Manufacturing
As the official partner of Mitsubishi Electric Factory Automation, Adroit Technologies empowers businesses with cutting-edge solutions that reduce costs, improve quality and increase productivity.

Read more...