Saga (3/3) – Feedback from the field and good practices for the protection and the security maintenance of industrial ISs
We have seen through the previous articles the solutions allowing to initiate the security of Industrial IS. Once this securing has been achieved, the maintenance in security conditions must be ensured as well as the implementation of detection means.
Managing risks in the long term
In addition to secure architecture and administration tools, security levels for each item of equipment should be increased according to the strict necessity principle. A generic hardening guide can be created and then adapted to each of the technologies identified by the industrial IS mapping. This allows some of the vulnerabilities to be remedied at configuration and system levels.
Additional security can be provided by adding complementary solutions, such as:
- Antivirus software, which will cover industrial workstations against the most common viruses, whether connected to the network or not (although the latter will require manual updates);
- Implementing strict rules on local machine firewalls, which can be used to prevent communications, and therefore intrusions, on unused ports, and to filter the origin of flows according to the protocols used – which means attempted attacks can be more easily detected;
- Local administrator account-management solutions (for example, LAPS for Windows) finally make it possible to manage native administrator accounts on workstations in a central and individualized way.
However, sometimes it may no longer be possible to harden equipment due to obsolescence. In such cases, there is a need to work with the relevant business functions on obsolescence management of the equipment – its potential replacement and, as a last resort, options to isolate it from the rest of the IS. On obsolete workstations, configuration blockers can be used to ensure the installation and use of components is limited only to those that are strictly necessary.
It’s important to remember that, while industrial ISs have vulnerabilities, they are, above all, part of the company’s means of production. Dialog with the relevant teams is therefore essential in understanding how equipment is used – in order to resolve the vulnerabilities while limiting effects on the business as far as possible.
Once equipment has been brought up to the right level of security, a plan will be needed to maintain this over time. A choice of options for managing security patches can be developed to meet the needs of the business (in terms of availability, integrity, etc.) and synchronized with the maintenance of the industrial equipment through:
- Integration into standard operating processes; for example, an installation’s qualification/quality processes may require that equipment be up to date. The updating and administering of equipment can therefore take advantage of plant shutdowns, especially where recertification is needed.
- Planning a “hot swap” update process in the event of a critical security breach and a procedure for the preventive isolation of production lines – until it’s possible to interrupt the production process;
- The identification of redundant or peripheral equipment where interventions can be carried out on the basis of straightforward interaction with production managers.
To put in place these patching processes, the mapping carried out previously must have generated a precise equipment inventory, including:
- The identification of the equipment: type, location, and number of units;
- The industrial processes that each item of equipment is used for, and the associated criticality;
- The version of the operating system and/or firmware, and the tools and configurations deployed;
- The cybersecurity needs of supported processes;
- The availability of redundancy, data buffering, and cold spares;
- The required patching frequency and patching history.
But maintaining security levels isn’t simply about applying patches to equipment, it should also:
- Define the process for updating the security solutions installed on equipment isolated from the network;
- Install removable media cleaning solutions, given that these types of tool remain in widespread use on industrial sites. Here, the use of portable solutions allows such media to be analyzed while moving around the site;
- Ensure the safeguarding of equipment configurations and their integration into the DRP in order to guarantee that equipment can be restarted following an incident while still meeting availability needs;
- Set up monitoring of the industrial IAM to ensure robust physical and logical access control. This can also be used to automate a number of time-consuming activities that are still sometimes done manually.
Detecting cybersecurity incidents
The measures set out above help reduce the likelihood of risks occurring and increase the availability of equipment, which benefits the business. Nevertheless, there will still be a need to prepare for the worst and to have in place the tools needed to detect an incident – to be able to remedy such events as quickly as possible and minimize interruption times.
Putting in place detection
The first step is to activate the IDPS functions on networked equipment to ensure that a first stage of detection, and potentially automatic blocking, is in place.
The next step is to collect information by deploying a concentrator on site. The network equipment and server logs can then be sent to existing or dedicated SIEMs where correlation and detection can take place. SOC and CERT teams can then carry out analysis and detection, and respond, if needed, to an incident, by working through standard scenarios.
Anticipating specific risks
However, detection based on standard scenarios may offer only limited value to the business functions. Considering the entirety of sources (PC, Linux, UNIX, etc.) and setting up dedicated industrial IS probes, capable of interfacing with the SCADA systems, can enhance the detection system. Such solutions, however, can be costly.
The key factor is to ensure a progressive and rapid increase in the maturity and value added by the SOC. Agile methods are a good fit here and involve the iterative application of the cycle described in the text box below.
Planning for remedial activities
Lastly, detecting an incident will only result in effective remediation if the business-function teams are involved. As with equipment updates, emergency stop procedures should be reviewed jointly with industrial IS users. A formal Incident Response Plan enables the actions for an industrial cyber-incident to be planned.
Dedicated industrial IS crisis-management exercises should also be carried out to ensure that teams are optimally prepared and to highlight any shortcomings.
Taking a progressive and participative approach guarantees an initiative’s success
The security maintenance of an industrial IS is a complicated undertaking that can only be successful if it is carried out in partnership with the business functions. A progressive and participative approach should be taken to work with them in each of the following areas:
- Understanding the industrial IS, by mapping and prioritizing the most critical elements;
- Mitigating the risks on the industrial IS, by implementing state-of-the-art secure network architecture and defining the administration processes – due to their criticality, safety ISs must be given particular attention;
- Ensuring an adequate level of safety, by hardening and ongoing security maintenance – in particular, this will involve discussions with equipment suppliers and manufacturers;
- Putting in place the tools needed to detect security incidents – these can have a bearing on production and define the response processes.
The actions above can’t always be carried out in parallel. Defining a clear roadmap will enable such actions to be prioritized. This will aid cost control and maximize the value added for the business functions.
Given that such significant undertakings are often driven centrally, the challenge is to engage the individual industrial sites (which may be spread across the world) to ensure security levels can be maintained in the long term. In general, we observe that companies take a two-stage approach:
- A multiyear cybersecurity program (typically carried out over three years), with a budget of €10m-15m, aimed at:
- Creating the industrial IS inventory
- Raising the security levels of existing assets by putting in place protective measures, often involving separation and filtering, and remedying the most critical vulnerabilities – here, defining procedures is essential;
- Putting in place an initial network of local cybersecurity coordinators;
- Create an industrial cybersecurity team and its associated management structures that bring together:
- A framework of key activities that local players will need to manage;
- The participative construction of the tools that will help this network of local managers carry out their cybersecurity activities;
- The development of approaches to manage the increase in security maturity levels and change (such as maturity matrices, site-level budget-modeling tools, the definition of steering indicators, central services that the sites can draw on, etc.).
Implementing the management processes can start immediately after the program and therefore benefit from the initial network of site-level cybersecurity coordinators put in place.
Once constructed, it becomes a question of energizing the initiative and steering progress on the sites and industrial ISs, in terms of both security and maturity levels.
Doing this typically involves:
- A network of local cybersecurity coordinators, of size 0.5 to 2 FTEs per site, who are responsible for carrying out projects, implementing ongoing cybersecurity activities, continuous security improvements, and reporting;
- A central team of 3 to 10 FTEs, to provide overall steering and support local managers – especially in terms of expertise.
 IAM i.e. Identity and Access Management.
 IDPS i.e. Introduction Detection and Prevention Systems.
 SIEM i.e. Security Incident and Event Management.
 SOC i.e. Security Operation Center.
 CERT i.e. Computer Emergency Response Team.
 These figures can vary significantly depending on the size and number of local sites; they are the typical arrangements we observe in the large international organizations that Wavestone supports