ICS Security Maturity Model (What To Do In What Order)
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
A reader (Paul) wrote in with the following question:
Do you have any recommendations on how to iteratively and pragmatically raise the bar (i.e. security/maturity).?
The models I’ve seen push asset inventory/visibility and cyber hygiene to the front, which makes little sense from a risk reduction, risk management standpoint. This and next week’s article will lay out my iterative approach prioritized by efficient risk reduction.
Maturity Level 1: Establish A Security Perimeter
A focus on security perimeters has gone out of fashion, but there is nothing more important to drastically reducing the likelihood of an attack on your ICS. Given that the Level 1 devices and ICS protocols are insecure by design, access to your ICS = compromise. With the compromise only limited by the systems i/o and the engineering and automation skills of the attacker.
There are three parts to this Maturity Level 1 security perimeter.
Of course this can be done poorly (simply learn the existing communication and write rules to allow all of it) or well (least privilege, ICS DMZ to mediate all enterprise / ICS comms, initiate comms from the ICS zone, avoid plaintext and control protocols through the perimeter, …).
2. Reduce remote access as much as possible and where necessary require two-factor authentication.
Get rid of remote access for convenience. Multiple times I’ve seen engineers with an OT connected computer and a separate IT connected computer at their desk, and they still choose to remote access into OT from their IT computer rather than swivel their chair or get up and walk to an OT connected computer. Also, push data and even HMI displays out to the enterprise if they need to be viewed there, rather than using remote access connections to get the data.
Most recent public compromises of ICS have involved simple username / password authenticated remote access to the ICS. Get the username/password of an engineer or ICS admin and they’re in whenever they want, for as long as they want. Even US Senators are now saying that two-factor authentication for remote access is required after the Colonial Pipeline incident.
3. Security procedures for use of removable media and transient computers.
These need to be in place to address the walk around the cyber security perimeter problem. For a long time, and perhaps even today, removable media and contractor laptops where the most frequent cause of a malicious ICS cyber incident. Most often this was mass market malware walked into and onto the ICS. Close ports, assign ICS dedicated removable media, laptops and tablets, and have a solution and procedure to test anything brought in prior to connecting.
领英推荐
Maturity Level 2: Harden The Attack Path(s)
The security perimeter established to achieve Maturity Level 1 should severely limit what an attacker outside the security perimeter can access. This would include the security perimeter itself, the firewalls and remote access devices. It would also include any cyber assets directly accessible through the security perimeter. This is where your focus on a hardened configuration and near immediate security patching should occur.
If this is more than 5% of your total cyber assets you have done something wrong in establishing your security perimeter.
If you believe you can’t do this because a patch incompatibility could cause an outage you have done something wrong in establishing your security perimeter. Nothing required for operations should be directly accessible from outside the security perimeter.
Note: At this point you have minimized and hardened the attack paths to the ICS from outside the perimeter. Huge. Massive. Risk Reduction.
Maturity Level 3: Setting And Meeting A Recovery Time Objective (RTO), Phase I
An RTO is a business decision, not what the team believes is achievable today or with additional expenditures.
Recovery, the R in RTO, does not always mean recovering any or all of the cyber assets affected by a cyber incident. Recovery is the ability to produce the product or service that the ICS is monitoring and controlling.
Scenarios on what is affected and needs to be recovered can be complex. For Maturity Level 3 assume that everything with an IP address is compromised and needs to be rebuilt.
The appropriate level of management sets the RTO, hopefully based on the consequence criteria in their risk management program. The ICS / OT team determines how to meet the RTO and periodically demonstrate with a high degree of confidence it can meet the RTO.
————
Next week: Maturity Levels 4 - 6
Note: While the tools that provide assistance with visibility and asset inventory are not yet necessary or recommended to achieve these first three security levels (foreshadowing: not for the next two either), they may be helpful to your cyber asset management program. I have written and predicted that as the market matures you will see asset inventory and other asset management capabilities be split out from the detection products.
Industrial IT and CyberSecurity
3 年Would love to see this approach to be developed further, similar to Top 20 Secure PLC Coding Practices
Sr. Groupleader CDO and TISO
3 年Well, I get it from a cyber perspective, but aren't items 1 and 3 also very much impacted by physical limitations (or lack thereof)? Also, I think that item 3 can and should run in parallel with any action regarding (cyber) security; it is a business requirement. Imho for any organization that runs a facility or process that depends on OT it is most likely (a large part of) their core business. Thus it should already have gone trough some BIA of one or another format. From that, your RTO/RPO discussion should already have its foundations. If the OT parts are not taken into consideration, then your BIA or RTO/RPO was a pure waste to begin with...
Chief Operating Officer at Industrial Defender
3 年Dale Peterson, I do disagree with this one point "The models I’ve seen push asset inventory/visibility and cyber hygiene to the front, which makes little sense from a risk reduction, risk management standpoint". Please let me explain. I don't think we as a collective group of ICS security professionals are putting asset hygiene first. What we're saying is that you cannot deploy technical controls without having a program to document where these mitigating controls are, what assets they are protecting, how they are changing over time, and if they are in line with corporate policy and best practices. Environments are not static and that is what is at issue here. Colonial Pipeline was hacked due to a forgotten VPN.
I don’t understand how you can perceive risk at all without knowing what you’re made of, first.
CEO & Founder @ Gravwell | a Splunk alternative built from scratch for on-prem or cloud
3 年I like the article, Dale. Especially including an RTO in the process. That was one of the most fun things to see at the INL/DHS Red Blue training week after week; the blue team lost most often because they failed in this step, not because the red team was *actually* hacking anything. I think there's an important omission here though, and that's "start with monitoring" (to channel Schneier). In 1.3, the media controls are important, but step 0 should be giving your team the ability to answer important questions like "which systems had any removable media used in the past X days?" and "who was logged in when that happened?" to stretch into "was there any correlation with never-before-seen process activity?". Excellent essay for anyone who hasn't read it. Still as relevant as the day it was written: https://www.schneier.com/crypto-gram/archives/2001/0715.html#5