Suppose you’re walking through a dark alley at night. Would you rather be:
A) A little old lady openly carrying a stack of hundred-dollar bills
B) Chuck Norris
Could someone take down Chuck Norris and steal his wallet? Definitely. But odds are, most people would leave him alone and wait for the little old lady. From a cyber security perspective, you want your control system to look like Chuck Norris to hackers, not a little old lady.
The Right Mindset
The task of securing a network can be intimidating. However, to reduce your anxiety, it’s important to remember that there is no such thing as a network that is secure from any possible threat. There are only degrees of security. If you set out to put your network on lockdown, you’ll never get there, and you’ll end up frustrated. Instead, your goal should be to make your network adequately secure to reduce your potential risks.
Let’s look at two examples at opposite ends of the security spectrum. One of the most famous, and most successful, critical infrastructure cyber attacks was Stuxnet. The victim plant was not connected to any external network and was also guarded by a literal army. Instead, the attack was carried in on a USB stick by an unsuspecting worker. However, pulling this off took the coordinated efforts of national intelligence agencies.
On the other hand, there are systems that are wide open and inviting trouble. A couple of years ago, our company responded to a call from a water district when their SCADA system started “acting up.” After chasing some red herrings on the assumption that the problems were more conventional, we finally realized that their SCADA system had been hacked. Their system had no firewall, and their SCADA computer was sitting directly on the Internet. The interesting thing about this incident was that the attacker probably had no idea this was a critical infrastructure system. Someone on another continent was just using their server to skirt some online commerce laws by appearing to be located in the US.
The conclusion to be drawn from these two examples is that there truly is no way to completely protect any system against a concerted attack by determined individuals. But, it is possible to adequately protect your system against probable threats. With some planning and relatively inexpensive preventive measures, it is completely possible to have a secure network without sacrificing the benefits of remote/mobile access to your systems.
Reduce Your Risks
Today, most organizations are experiencing conflicting interests. On one hand, we want access to all our information at all times from any location. On the other hand, we want our systems to be secure. Balance can be found.
To start, a long-established strategy for network protection called defense in depth (DiD) attempts to lay multiple barriers in the way of a potential network intruder and also set off alarms if someone does get in. Notice this strategy concedes up front that an intrusion is entirely possible, but it attempts to make it difficult, and it keeps you informed if it happens so you can do something about it.
To be clear, you should take the time to have a comprehensive security analysis of your system performed and implement the recommendations. However, while you’re getting that on the schedule, here are some simple things you can do as part of a DiD strategy to immediately make your network more intimidating to hackers:
Understand what you have. It’s important to have a good understanding of what your industrial control system (ICS) network looks like before you make too many changes. Take an inventory of what devices are connected to your network, including computers, switches, wireless access points (WAPs), firewalls, PLCs, instruments, etc. Make a simple diagram and understand how everything is connected on your networks and what access points the network has to the outside world. Any potential connection, including Internet access, dial-in/out access, wireless, and USB ports, is a potential hole in the fence.
Add a firewall to your system. It sounds like a no-brainer, but it’s surprising how many systems out there are directly exposed to the Internet. For you techies, visit the Shodan search engine and search for Rockwell – scary. Even a basic firewall can vastly reduce your odds of being hacked simply because it’s more of a pain to crack a firewall than to go after a system that is not protected.
Set up your firewall. Again, it sounds like a no-brainer, but many people install a firewall and leave its settings basically at the defaults. You should use strong passwords and lock down as much as you can, including ports, users, MAC addresses, and remote IP addresses. If you don’t need a certain functionality, turn it off.
Install intrusion detection and prevention (IDPS) software. If your defenses do get penetrated, having an IDPS in place can give you a fighting chance to do something about it before the damage is too great. These systems are part of some firewalls but can also stand alone inside the network. An IDPS monitors the network for suspicious activity and alerts IT personnel to potential attacks.
Lock down Wi-Fi. This is similar to the firewall advice. Use strong passwords and lock down as much as you can. Don’t broadcast the SSID. Many wireless manufacturers such as Cisco provide rogue network detection to shut down unauthorized Wi-Fi in the area. This can eliminate another possible entry point, but it can also make for angry neighbors, so be careful.
Segment networks. Many automation systems already separate their I/O layer networks from their SCADA layer networks, which is great. It’s actually a really good idea to create even more borders if you can. Use protocol-level firewalls at every PLC that can detect a problem locally and disconnect compromised zones to protect the rest of the network.
Use a domain controller. Most systems use Microsoft Active Directory to manage user security, although some smaller systems might not. However, many systems don’t use the domain for all it’s worth to protect the system. Security policies can be set up to keep unauthorized devices off the network as well.
Install virus and malware protection. Good virus and malware protection is a must, especially if you allow access to the general Internet. Be careful with these installations as they can sometimes interfere with industrial SCADA software, but this can, and should, be done.
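The firewall lock-down, IDPS, and segmentation items above can be expressed as one zone policy that is checked against connection logs. The script below is an added example, not Vertech’s code or tooling: the addresses, the allow-list entry, and the log format are all constructed for illustration, and the three rules flag exactly the conditions the post describes (an Internet host reaching a SCADA machine that is not on the remote-access allow list, a SCADA machine talking out to the Internet the way the water district’s server did, and non-ICS traffic crossing from the SCADA zone into the I/O zone).

```python
import ipaddress
from collections import namedtuple

# Constructed zone model for a small ICS network (illustrative addresses, not a real site).
ZONES = {
    "scada": ipaddress.ip_network("10.10.1.0/24"),  # SCADA servers and HMIs
    "io": ipaddress.ip_network("10.10.2.0/24"),     # PLCs and remote I/O
}
# Remote-access allow list: the only (peer, port) pair permitted to reach the
# SCADA zone from outside. Assumed VPN endpoint; values are constructed.
REMOTE_ACCESS = {("203.0.113.10", 443)}
# Only these destination ports may cross from the SCADA zone into the I/O zone
# (44818/tcp = EtherNet/IP, 502/tcp = Modbus/TCP).
ICS_PORTS = {44818, 502}

Flow = namedtuple("Flow", "src dst dport proto")

def zone_of(ip):
    """Map an address to a named zone, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def parse_flow(line):
    # Constructed log format, one connection attempt per line:
    # "src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])

def check_flow(flow):
    """Return an alert string if the flow violates the zone policy, else None."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    where = f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"
    if s == "external" and d != "external" and (flow.src, flow.dport) not in REMOTE_ACCESS:
        return f"inbound from Internet not on allow list: {where}"
    if s == "scada" and d == "external":
        return f"SCADA host talking out to the Internet: {where}"
    if s == "scada" and d == "io" and flow.dport not in ICS_PORTS:
        return f"non-ICS protocol crossing into I/O zone: {where}"
    return None

def scan_log(lines):
    """Run every non-empty log line through the policy and collect the alerts."""
    return [a for a in (check_flow(parse_flow(l)) for l in lines if l.strip()) if a]

# Constructed sample log: lines 1-2 are normal, lines 3-5 each trip one rule.
SAMPLE_LOG = """\
src=203.0.113.10 dst=10.10.1.5 dport=443 proto=tcp
src=10.10.1.5 dst=10.10.2.20 dport=44818 proto=tcp
src=198.51.100.77 dst=10.10.1.5 dport=3389 proto=tcp
src=10.10.1.5 dst=198.51.100.77 dport=8080 proto=tcp
src=10.10.1.7 dst=10.10.2.21 dport=22 proto=tcp
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` yields three alerts, one for each of the last three sample lines; in practice the allow list and zone ranges come from the inventory and diagram made in the first step.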
Want some help?
If you would like your ICS to be the Chuck Norris of cyber security, Vertech is here to help. From a complete ICS network threat assessment to help implementing security measures on an existing network to assistance designing an ICS network for a new facility or system, we have the experience you need. We are CISA trained and experienced in implementing well-designed, secure ICS networks. Call, e-mail, or fill out the contact form below to talk to a network engineer.
Download our white paper, The Survival Guide for ICS Cyber Security, to learn more about five stages for protecting your ICS.