Efficient risk management solutions in industrial control systems
For both home and corporate users, IT security usually means protecting desktop computers, smart devices and corporate networks against hackers stealing our personal data, ransomware encrypting our important documents, and cybercriminals specialized in illegal cryptomining exploiting our browsers to get rich. However, there are plenty of more severe attacks in the world that can affect our daily lives even if they don’t target our devices directly.
Back in 2010, a malicious program – a worm – called Stuxnet, reportedly of American or Israeli origin, infected the Bushehr nuclear plant in Iran and the uranium enrichment facility in Natanz, where it ruined 20% of the centrifuges in use by driving them into overdrive. The operation is considered a milestone in cybersecurity: after the Stuxnet attack, there was a significant increase in the number of incidents threatening industrial control systems (ICS), which mostly oversee the operation of critical state and population supply systems and services such as water and electricity supply, goods and public transportation, and major food production plants. That may sound scarier than worrying about the data stored on one’s computer.
The background of an official guidance
We’ve based our article on the guidance prepared by the United States Department of Homeland Security (DHS) entitled Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. The study was published in 2016 as a joint effort of the DHS-led National Cybersecurity and Communications Integration Center (NCCIC) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), together with other state-owned and private players in the industry. The document is not a lengthy one and consequently does not go into meticulous detail, but it does align with NIST (National Institute of Standards and Technology) SP 800-82 and SP 800-53, as well as the NIST Cybersecurity Framework.
Having found the recommended approaches highly useful in our own, often challenging, industrial cybersecurity work, we aim to give a brief introduction to these industrial cybersecurity risk management guidelines.
Changing challenges and solutions in the area of ICS
In addition to the increasing number of incidents against ICSs after the aforementioned 2010 Stuxnet attack, another trend has emerged in recent years.
Formerly, ICSs operated on a completely separate network with their own special closed industrial protocols. Since only a narrow inner circle of people was skilled at using them, there was no need for logical protection of the data traffic in addition to the physical protection of the industrial environment. However, the drive to increase production efficiency pushed these systems out of the safety of isolation and put the focus on connection with the business network, as well as on transparency. For this reason, open, IP-based protocols, which were classic features of IT environments, have appeared in the portfolio of industrial devices. Thus, industrial systems have become exposed to threats coming from the Internet despite being extremely business critical. This challenge is further complicated by the fact that high availability requirements make it more difficult to implement logical protection for them.
But what could be the solution? Well, since we can no longer rely on isolation, and the technical background of ICSs has not yet caught up with the new open model from a security perspective, the aforementioned document recommends applying Defense-in-Depth, which is based on what the IT world commonly refers to as the ‘Onion model’ and is customized to industrial networks.
The guidance presents this Defense-in-Depth in the form of a straightforward framework. Applicable to all information systems, Defense-in-Depth is a flexible concept which holistically considers all possible defense solutions and attack vectors from the aspects of People, Process and Technology in order to make the protected system truly resilient.
The document breaks the concept of Defense-in-Depth up into nine strategic elements. As depicted in the first figure, these would be the same in an IT system as well.
| Risk management | Cybersecurity architecture | Physical security |
|---|---|---|
| Network architecture (ICS) | Network border protection | Host protection |
| Security monitoring | Supplier management | Human factor |
Figure 1 – Defense-in-Depth – Strategic elements
Subsequently, the guidance elaborates on the listed strategic elements, and maps them to the challenges and special needs of the industrial environment. The introduction of the recommended solutions is complemented with supporting points letting the users decide how to apply them in their own environments.
OT-oriented risk management
Discussing the strategic elements starts with risk management. It’s important to note that it’s not just one of the nine elements, but the foundation of the security activities covered by the rest. For this reason, I will address it here in more detail. The ICS-CERT publication recommends introducing a 3-level risk management model:
- On the organizational level, the company’s risk management frameworks and minimum standards are defined, together with the risk appetite and tolerance that must be followed on all levels. In the age of the new open ICSs, we must take into account, as realistically as possible, how the vulnerabilities and risks of the industrial domain affect the whole organization, business continuity – and even the outside world. To do this, it’s important to keep in mind the experience and observations coming from the lower levels.
- The targeted risk management process of OT (operational technology) environments happens on a business process level – which in this case means the industrial production processes. Here – and in a few other places – the guidance highlights the inventory and the criticality and risk assessment of devices and technologies, as well as identifying focus points and fragile elements as the foundation of efficient defense.
- Finally, all that was defined above is implemented physically on an operational/system level. All experience and feedback related to the security of the system cascades upwards to support the improvement of the strategy at a later stage. The document specifies the risk management tasks that happen on the two lower levels as a process, discussing its steps in detail, which – as can be seen in figure 2 – comprise vulnerability and risk profiling on the second level, then introducing, monitoring and developing the controls implemented on the technical level.
Figure 2 – Risk management cycle
The presented risk management process starts with the inventory of assets, as we cannot implement efficient security if we don’t know what we’re protecting. To be able to prepare for possible attacks at a later stage, we must take into account all hardware, software and backend tools in use, know their dependency relationships and the information flow channels, then categorize our assets based on their criticality. However, in the case of systems that are multiple decades old, inventory is by no means an easy task.
Once we know what we’re protecting, we must know what risks are threatening us. For the possible directions of attack and our own vulnerabilities, we can rely on sources such as the technical managers and operators of production units, external advisors, or frameworks such as ‘MITRE ATT&CK for ICS’. In my work so far I’ve come across a number of products that are able to map devices that use industrial protocols (including type, manufacturer and configuration) and extract the known weaknesses of a specific version from databases.
In our opinion, assessing the impact and determining the probability of attacks is one of the most substantial steps, as in the case of industrial IT devices an attack might not only cause financial damage, but pose physical harm or even life-threatening danger to people. The impact is affected by the system’s criticality, the transparency of the network and of the malicious activity taking place on it, as well as its recovery capabilities. Probability depends on the security level the system is assigned, how sophisticated the access control is, and whether the software is updated to the latest version. Device inventory and categorization lay the foundation of this step as well, having made the attack’s possible vectors, probability and severity visible. It’s only when we possess the information acquired in the previous steps that we can define and implement proper security controls.
Controls tailored to industrial needs cover people-related measures (e.g. awareness), process design and technical solutions. During implementation, it’s recommended to start with the most endangered – that is most critical and vulnerable – system. Due to the special needs and technical difficulties of ICSs, compatibility issues frequently force us to accept certain risks and even look for alternatives – which may be weaker than required – in place of a control that seems to be the most promising.
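As an added illustration of the cycle described above (example code written for this article, not part of the ICS-CERT guidance): a small hypothetical risk register that inventories assets with their dependencies, derives impact and probability from the factors named in the text, and orders control implementation by the most critical and vulnerable system first. The 1–5 scales, the weights and the sample inventory are constructed assumptions, not the guidance’s own scoring.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (nuisance) .. 5 (production stop / safety impact)
    recoverability: int     # 1 (days of manual restore) .. 5 (hot standby)
    visibility: int         # 1 (no traffic monitoring) .. 5 (fully monitored)
    security_level: int     # 1 (flat network) .. 5 (isolated zone)
    access_control: int     # 1 (shared passwords) .. 5 (per-user, MFA)
    patched: bool
    depends_on: list = field(default_factory=list)   # names of upstream assets

def effective_criticality(inv: dict) -> dict:
    """An upstream asset inherits the criticality of everything that depends on it."""
    eff = {n: a.criticality for n, a in inv.items()}
    changed = True
    while changed:                      # propagate until no value changes any more
        changed = False
        for a in inv.values():
            for up in a.depends_on:
                if eff[up] < eff[a.name]:
                    eff[up] = eff[a.name]
                    changed = True
    return eff

def impact(a: Asset, crit: int) -> float:
    """Impact rises with criticality, falls with recoverability and visibility (assumed weights)."""
    return crit * (1 + (5 - a.recoverability) / 5 + (5 - a.visibility) / 5)

def probability(a: Asset) -> float:
    """Probability rises with weak segmentation, weak access control and missing patches."""
    exposure = (5 - a.security_level) + (5 - a.access_control) + (0 if a.patched else 2)
    return min(exposure / 10, 1.0)

def risk_register(inv: dict) -> list:
    """Return (name, risk) pairs sorted so the most endangered system is addressed first."""
    crit = effective_criticality(inv)
    scores = {n: round(impact(a, crit[n]) * probability(a), 2) for n, a in inv.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample inventory for one production line (illustrative values only).
# The PLC's logic is written from the engineering workstation, so the PLC depends on it.
INVENTORY = {a.name: a for a in [
    Asset("plc-line1", 5, 2, 1, 3, 2, False, depends_on=["eng-workstation"]),
    Asset("hmi-line1", 3, 4, 2, 2, 2, False, depends_on=["plc-line1"]),
    Asset("historian", 2, 5, 4, 4, 4, True, depends_on=["plc-line1"]),
    Asset("eng-workstation", 2, 3, 2, 1, 1, False),
]}
```

Calling `risk_register(INVENTORY)` ranks the workstation above the PLC itself: its own criticality is low, but the dependency propagation gives it the PLC’s criticality while its exposure is the highest in the inventory.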
In conclusion, we can say that for now there is a contradiction between the direction of today’s OT evolution and the increasing security requirements. Moreover, there’s no single cyber defense ‘miracle cure’ that could simultaneously meet the security and availability requirements of industrial systems. As a consequence – in addition to the smaller number of logical defense products built for industrial use – we must tailor existing, known defense solutions to OT environments, whether they’re logical, physical or process-based methods, and the ICS-CERT guidance provides valuable help with this, accessible for free here.
Source of Figure 2: ICS-CERT, 2016. Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, p. 8.