Critical infrastructure

Security controls for ICS/SCADA environments

Tyra Appleby
July 29, 2020 by
Tyra Appleby

Introduction 

An Industrial Control System (ICS) is any technology used to control and monitor industrial activities. Supervisory control and data acquisition systems (SCADA) are a subset of ICS. 

These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. However, ICS owners do not have to make assumptions or try to secure them blindly: there are resources available to assist in securing these systems.

Learn ICS/SCADA Security Fundamentals

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

Both the National Institute of Standards and Technology (NIST) and the Center for Internet Security have written guides and controls specific to ICSes.

National Institute of Standards and Technology 

The Risk Management Framework (RMF) for federal systems is based on the NIST 800-53. 800-53 has controls specific to enterprise technology systems. NIST has written Special Publication 800-82 (currently on Revision 2), Guide to Industrial Control Systems (ICS) Security. 

Because ICSes have unique challenges and are often composed of older legacy systems, 800-82 was explicitly written for these system types. 800-82 identifies some of the security objectives for ICS implementation: 

  • Restricting logical access to the ICS network and network activity
  • Restricting physical access to the ICS network and devices
  • Protecting individual ICS components from exploitation
  • Restricting unauthorized modification of data
  • Detecting security events and incidents
  • Maintaining functionality during adverse conditions
  • Restoring the system after an incident

Those familiar with the RMF will recognize the security control families outlined in 800-82:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Program Management
  • Privacy Controls

Each family has a list of controls that apply to the category. These controls can be technical or administrative. As the ICS is categorized and evaluated, that will determine which controls are applicable to the specific environment. Once this determination is made, implement the controls, verify and test the implementation, and then monitor the control's success.

Center for Internet Security

The Center for Internet Security (CIS) has written CIS Controls Version 7 to help secure IDS systems. They used seven key principles for writing the controls:

  1. Address current attacks, emerging technology, and changing mission/business requirements for IT
  2. Bring more focus to key topics like authentication, encryptions and application whitelisting
  3. Better align with other frameworks
  4. Improve the consistency and simplify the wording of each sub-control — one “ask” per sub-control
  5. Set the foundation for a rapidly growing “ecosystem” of related products and services from both CIS and the marketplace
  6. Make some structural changes layout and format
  7. Reflect the feedback of a world-side community of volunteers, adopters and supporters

The controls are broken up into three main areas, with 20 subsections.

CIS has released a companion document to the controls, the V7 implementation guide. This companion document is specific to ICSes and can be used to tailor controls to the specific SCADA environment. Below, we will go into details about each of the 20 control sets.

Basic controls

  1. Inventory and Control of Hardware Assets

This could be the most crucial control. You cannot assess or secure your system if you do not know all of your system's components. 

  1. Inventory and Control of Software Assets
  2. The same is true for the software components of the system. Software comes with unique sets of vulnerabilities and you cannot track those vulnerabilities unless you know they are a part of your architecture.

    1. Continuous Vulnerability Management
    2. SCADA environments contain many embedded systems that are used to control essential infrastructure items. Patching and updating these systems can prove challenging. Industrial systems often have required uptimes that limit service times. It is important to remember these requirements as you create a vulnerability management plan specific to the ICS environment.

      1. Controlled Use of Administrative Privileges
      2. The purpose of all access controls is to ensure that unintended users do not gain more access than authorized. Administrative accounts need to have strong password requirements and separation of duty requirements in place.

        1. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
        2. CIS provides benchmarks that can be used to harden IT systems. ICSes can have non-traditional operating systems that the benchmarks may not address. Be sure to follow industry standards and read the manual or vendor websites to ensure implementation of best practices particular to the system.

          1. Maintenance, Monitoring and Analysis of Audit Logs
          2. Embedded systems do not always audit security events at the same default level as traditional IT systems. It also may not be easy to have those logs sent to a centralized monitoring system. Using a Security Information and Event Management (SIEM) designed for ICSes could prove beneficial.

            Foundational controls

            1. Email and Web Browser Protections
            2. Internet browsers and email clients are very susceptible to security threats. CIS has benchmarks that are used to harden them, based on current security threats.

              1. Malware Defenses
              2. As noted earlier, maintenance on ICSes can be difficult due to the uptime requirements. Implement malware protection while updating malware and antivirus signatures.

                1. Limitations and Control of Network Ports, Protocols and Services
                2. While identifying assets, also identify all of the ports, protocols, and services that the ICS will need to operate as intended. Limit the use of open ports only to the ones needed for the system to function properly.

                  1. Data Recovery Capabilities
                  2. Data backup is vital in ICS environments, just as in traditional enterprise environments. Automated backups may prove difficult in some SCADA environments, so keep that in mind when documenting backup and recovery procedures.

                    1. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
                    2. Secure network devices are just as important, if not more so, in SCADA environments. Only allow firewall traffic through on approved ports. “Deny” should be the default setting. Remove default accounts and credentials from network devices. Implement multi-factor authentication.

                      1. Boundary Defense
                      2. Information should be restricted to only flow through trusted channels. Strategically place control devices to control the flow of information. This includes firewalls, gateways, IDS/IPS, proxies and DMZ perimeters.

                        1. Data Protection
                        2. ICSes do not contain traditionally sensitive information, such as HIPAA, PII and financial data; however, there is still sensitive information collected, such as valve readings, flow, temperature, pressure measurements and even logic control device commands that are deemed sensitive and should be protected. Implementation of encryption for data at rest, sniffers and anomaly detection tools is a great defense.

                          1. Controlled Access Based on the Need to Know
                          2. Even ICSes can be compartmentalized to separate data into controlled segments. Creating ACLs to ensure only authorized personnel access data they are supposed to.

                            1. Wireless Access Control
                            2. Ensure wireless traffic uses controlled, preferably private networks. Wireless traffic should use, at a minimum, AES or ECC encryption to protect network traffic.

                              1. Account Monitoring and Control
                                1. Use shared accounts and passwords only when necessary
                                2. Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member 
                                3. Remove applications leveraging cleartext authentication or basic security authentication. When this is not possible, use unique credential sets and monitor their usage
                                4. Enforce complex passwords
                                5. Automatically lock accounts after periods of inactivity

                                Organizational controls

                                1. Implement a Security Awareness and Training Program
                                2. Users are the weakest link in the security chain. An effective training program can help to minimize the threat they pose to the internal network.

                                  1. Application Software Security
                                  2. Applications can have vulnerabilities that need to be identified so they can be mitigated. It is suggested to perform static code analysis and perform debugging.

                                    1. Incident Response and Management
                                    2. Even with the best-implemented security controls in place, it is still possible to fall victim to a security threat. If that happens, an incident response team needs to be in place to respond.

                                      1. Penetration Tests and Red Team Exercises
                                      2. Testing security controls after implementation is a great way to ensure they are correctly implemented and working as expected.

                                        Conclusion

                                        ICSes have unique properties that can make implementing security more difficult than in traditional IT settings. These NIST and CIS benchmarks and controls both help create a healthy security posture.

                                        Learn ICS/SCADA Security Fundamentals

                                        Learn ICS/SCADA Security Fundamentals

                                        Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

                                         

                                        Sources

                                        1. Guide to Industrial Control Systems (ICS) Security, NIST
                                        2. CIS Controls Version 7 – What’s Old, What’s New, CIS
                                        3. Implementation Guide for Industrial Control Systems, CIS
                                        4. CIS Adapts Critical Security Controls to Industrial Control Systems, Tenable
                                        5. CIS Controls ICS Companion Guide, CIS
                                        Tyra Appleby
                                        Tyra Appleby

                                        Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.