Seven steps to ICS and SCADA security

>The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber-attacks like Stuxnet, Night Dragon and Duqu, and an unprecedented number of security vulnerabilities have been exposed in industrial control products; regulatory agencies are demanding compliance to complex and confusing regulations. So how can we secure our systems?

>Step 1 - Assess existing systems: Planning the journey to secure your control systems starts with a risk assessment to understand and quantify the risks that control system insecurity can have on your business. You can then rank these risks so you know how to prioritize your security dollars and efforts. After that, you can start planning how to apply countermeasures to reduce the risk to tolerable levels.

>We recommend starting by performing a high-level risk assessment on each of your major control systems. You need to identify the risk of a cyber-incident, and produce a list of control systems ranked by their relative risk. We highly recommend using an experienced third-party with expertise in control system security, to provide an unbiased review, a recommendation based on their experience, and feedback on how your organisation compares with other companies in your industry. The results of these earlier steps will help identify high-risk systems or sub-systems that require detailed analysis and testing.

>Penetration testing of your online control system can be extremely risky. We recommend reserving this type of testing for Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT) or during a scheduled shutdown.

>Step 2 - Document policies and procedures: Now you can begin to document policies and procedures so that employees, suppliers and contractors understand your company's position on Industrial Control System (ICS) security. We highly recommend that organisations develop ICS-specific documents describing company policy, standards and procedures around control system security. Separate ICS security documents are very beneficial in helping those responsible for ICS security to clearly understand their responsibilities.

>You should also become familiar with applicable security regulations and standards for your industry, as well as with industry-specific guidance, and relevant regulatory requirements.

>Step 3 - Train personnel and contractors: Once your organisation has developed and documented its ICS security policies, standards and procedures, it is critical to make sure that personnel are aware of the existence and importance of these materials. Conduct an awareness program on company policies, standards and best practices, and follow it up with regular 'reminder' communications.

>In addition to this, a role-based training program can provide personnel with job-relevant information on how to apply security and what to do if they suspect there is a security breach.

>Step 4 - Segment the control system network: This is arguably the most important tactical step that can be taken to improve the security of your industrial automation system. The concept of network segmentation is to partition the system into distinct security zones and implement layers of protection to isolate the most critical parts of the system.

>A network can be segmented into various network security zones. A user wishing to access a critical asset may have to pass through several gates or screening points. A zone is a grouping of logical or physical assets that share common security requirements based on factors such as criticality and consequence. Any communications between zones must be conducted via a defined 'conduit'. Conduits control access to zones, resist Denial of Service (DoS) attacks or the transfer of malware, shield other network systems, and protect the integrity and confidentiality of network traffic.

>Once the conduits and their security requirements are defined, the final phase is to implement the appropriate security technologies. Firewalls and Virtual Private Networks (VPNs) are two popular options for this stage. The firewalls should implement an alarm-reporting mechanism to alert operations or security personnel any time that abnormal behaviour (ie blocked traffic) is observed in the network.

>Step 5 - Control access to the system: It is important to provide both physical and logical controls for access to the assets in the zones. Typical physical access controls are fences, locked doors, and locked equipment cabinets. The concept is to limit physical access to critical ICS assets to only those who require access to perform their job. Ideally, the same concepts should apply to logical access to critical control system resources.

>Step 6 - Harden the components of the system: Hardening the components of your system means locking down the functionality of the various components in your system to prevent unauthorised access or changes, remove unnecessary functions or features, and patch any known vulnerabilities. This is especially important in modern control systems which utilise extensive commercial off-the-shelf technology.

>Once the computers and controllers are deployed, additional steps are necessary to maintain the security. This includes maintaining anti-virus signatures and applying security patches for applications as well as the operating system. Vulnerability scanning tools such as Nessus, along with special audit files such as Bandolier, can be very helpful in identifying the presence of known vulnerabilities. They can also verify that servers and workstations have been properly configured for security.

>Network equipment and embedded control products also require secure configurations, blocking of unused communication interfaces, and software maintenance.

>Step 7 - Monitor and maintain system security: As an owner or operator of an industrial control system, you must remain vigilant by monitoring and maintaining security throughout the lifecycle of your system. This involves numerous activities, such as updating antivirus signatures and installing security patches on Windows servers. It also involves monitoring your system for suspicious activity.

>Finally, it is important to periodically test and assess your system. Assessments involve periodic audits to verify the system is still configured for optimal security as well as updating security controls to the latest standards and best practices. More aggressive or invasive practices such as penetration testing can be performed on systems during shutdowns or turnarounds.