The Current Perception of Cybersecurity in OT

In industrial environments, cybersecurity does not always have a positive image and is seen as a potential obstacle to business development. Cybersecurity teams are often criticised for defining rules but delegating their implementation without providing a solution or any help for the implementation of requested changes. For example, it is difficult to regularly change the passwords of dozens of generic industrial accounts, even though this rule is standard on a traditional IT perimeter. As a result, OT teams are often left alone to meet the criteria for security policy requirements.

Left alone, industrial operational teams develop “homemade” solutions designed with their very local point of view, at the scale of their site. These solutions are beyond the group’s control and are very specific (dependence on a local supplier, in-house solution designed for the site’s specific network architecture, etc.), and scalability capabilities are not evaluated. All these solutions are developed by expert and passionate teams who can question security practices and standards, but who rarely have in mind any strategic vision, even at the local scale, making the integration of their solutions at the scale of a group of industrial sites nearly impossible.

Short-term solutions… or even dangerous

In the long run, these local solutions have many disadvantages:

• They are not up to production standards and remain in the POC phase.
• They are poorly documented, which makes maintenance difficult.
• Scaling up to a group of industrial sites is nearly impossible in the long term.

As shown below, some of the “homemade” solutions encountered have even proven to be dangerous:

Real-life examples taken from the 2020-2023 industrial sites audits

Standardise cybersecurity integration in operations

Industrial companies stand out by their strong needs of availability and the substantial real-world implications of the operations. Consequently, investments in this sector must align with the magnitude of these challenges which require cybersecurity solutions of very large scale and complexity. IT, cybersecurity, and OT departments must cooperate throughout the development process to ensure that solutions are suitable for operations while meeting the group’s security standards. The goal is to industrialise the development of cybersecurity solutions for the OT perimeter, providing ready-to-use solutions ready to be deployed at scale.

The solution is the development of a catalogue of cybersecurity services in which services are selected and developed at the group level, in collaboration with all the players (Cyber, operations, IT) and integrating the management of the entire life cycle of the solution (maintenance, documentation, decommissioning, etc.). Thus, the cybersecurity department and the IT department can create, with the industrial department, a product management roadmap, with an industrialized process for the creation of solutions.

Designing an OT Cybersecurity Solution

The process of creating a solution must address several issues:

• Collect the needs of all stakeholders.
• Transcribing needs
• Ensuring Large-Scale Adoption by all industrial sites.

To ensure the efficiency of the process and the solutions, the development of the different solutions is necessarily long and can extend over a period of 2 to 3 years. Wanting to go faster means exposing oneself to poor coverage of operational needs, which could lead to the development of uncontrolled local solutions or poorly controlled and incomplete deployment.

Providing security solutions: a 6-step process

 Solution Factory Process

1.     Research & Development

The goal of the R&D phase is to find the best solution to meet all cybersecurity needs. Thus, in the event of an audit of the central office, compliance with security policies is guaranteed if the tool is used. During R&D, a few points are crucial:

• Assemble a project team with representatives from IT, cybersecurity as well as the operations, to guarantee the usefulness and usability of the solution.
• Define operational constraints at the right level (availability, resistance in a harsh environment, support, etc.) in order to control costs without compromising the usability of the product.
• Plan maintenance, update and release processes as early as R&D to avoid getting stuck with an imperfect or obsolete product.
• Plan the budget and business model of the product. In particular, who has to pay and what are the operating and investment costs. This helps prevent the project from getting stuck at the deployment step due to budget issues.

During the R&D phase, it is also interesting to start from what already exists. This makes it possible to identify talents or solutions that could be adapted at scale and across an OT perimeter. There are two possible approaches to finding solutions:

• Find solutions that OT teams use locally and scale them up.
• Search for cybersecurity solutions from the IT for IT catalogue and adapt them to the industrial world.

Two methods to take into account the existing situation

2.     Prototype

It is essential to think about the user experience and to take care of the image of the product from the prototype. The prototype is first and foremost a showcase that should facilitate the adoption of the product, but which can also damage its image if it is not practical and functional. When presenting the prototype, it is important to frame the use cases covered, and to have a functional and simple product. The first image of the prototype is the one that the operational staff will remember.

3.     Minimum Viable Product

The MVP phase has two main challenges: to test the product, and to bring together promoters. Communication around the MVP must be neat, and everything must be done to avoid failures. When testing, you should not only test the solution itself, but also all the support functions and the integration with the rest of the production environment.

Because the MVP can be a Single Point of Failure for production, it is also necessary to take into account the needs of high availability and set up bypass mechanisms in case of problems to reassure operational team and facilitate the integration. A MVP can severely damage a product’s reputation in the long run if it fails.

4.     Packaging

The packaging stage allows you to define all the prerequisites for the deployment of the product. It is necessary to define:

• Processes throughout the life cycle such as the management of deployment requests, defining the obligation or not to deploy, maintenance processes, update processes considering operational needs, etc.
• Define responsibilities, but considering that industrial sites must maintain a stronger independence than what is usually done on IT perimeters. There needs to be a clear definition of what is delegated to on-site managers in nominal mode and in the event of an emergency.
• The cost model, including long-term cost, must be clearly defined and compared to external solutions.
• Support should be considered as Support as a Service and all processes and tools should be set up and communicated.

5.     Preparing for maintenance

The last step before the actual deployment is the preparation for operational maintenance. For each product, a Solution Owner must be identified to manage the relationships between users, suppliers and – during the integration – the integrator. This person should be identified internally prior to deployment to ensure that maintenance is operational throughout the lifecycle without having to rely on an external.

Prior to deployment, there are three things that need to be taken care of to prepare for the product lifecycle and promote its widespread adoption:

6.     Deployment

During the deployment of the product, early adopters must be supported as much as possible to maximize the chances of adoption of the project by other sites. Financial incentives, such as discounts for early adopters, can also be put in place. Different scenarios of speed of adoption must be anticipated in order to be able to deploy quickly enough in case of great success, but without cost issues in case of adoption difficulties.

Conclusion

In an industrial environment, cybersecurity is still seen as too restrictive, an obstacle to productivity, and too prescriptive. IT departments set up security policies but do not provide solutions to comply with them, which leads to the development of poorly controlled local solutions. To control these risks, one solution is the development of an IT solution catalogue for OT. The development of these solutions is a lengthy process that can take several years, especially when several projects are launched in parallel. To maximize the chances of success, the operational needs must be considered from the R&D phase up until deployment. Integration with operational processes, support processes, and all budget issues must be considered. Finally, the final key to the success of the solution development process is communication. The image of the product must be carefully maintained and controlled to maximize adoption by industrial sites after the start of deployment.

Cet article IT for OT: What process to develop cybersecurity solutions adapted to industrial businesses? est apparu en premier sur RiskInsight.

In this article, we expose our vision of the market and the maturity of cybersecurity for industrial information systems (IS), as well as our convictions and analysis on the subject.

What is the state of the threat to industrial information systems?

In 2011, the cybersecurity of industrial information systems, suddenly came to the forefront with the Stuxnet attack and the discovery of a state level threat against Operational Technologies (OT). For a decade, Advanced Persistent Threats (APTs) were considered the biggest threat to industrial system security, through impressive and complex attacks, such as the series of “Black Energy” attacks against the Ukrainian power grid between 2007 and 2014, or the “Triton” attack against the safety systems of a chemical plant in Saudi Arabia in 2017.

However, the Snake/EKANS case in 2020 allows us to point out a trend that has been continuously increasing for the past few years: the appearance of ransomware in ICS. These ransomwares are the result of opportunistic attacks on vulnerable systems or are side effects of attacks targeting the corporate IS, as in the case of Colonial Pipeline in May 2021.

With the ransomware business model becoming sustainable on one hand, and the emergence of increasingly connected industrial IS on the other hand, it is realistic to expect a large increase in opportunistic attacks and ransomware side effects on industrial information systems.

Faced with an increasing threat, companies must implement cybersecurity measures on industrial systems and define coherent strategic goals, but this requires a real investment. Therefore, we have worked on listing ICS cybersecurity domains and the solutions to secure them. This radar is not exhaustive, but it aims to clarify the topic by giving a high-level vision.

Methodology

For five months, this radar was built with five experts in cybersecurity of Industrial IS, in addition to the hundred consultants of Wavestone’s industrial cybersecurity offer.

This radar has two parts (we will call them dials): one is presenting cybersecurity products specialized in industrial IS and the other is presenting the different domains of industrial IS cybersecurity, sorted by maturity level.

Industrial cybersecurity products are identified as such according to the following criteria:

•         They meet a need in the process of securing industrial information systems
•         They are adapted to an industrial environment in terms of hardware and software:

·       The hardware is rugged to withstand harsh conditions and/or has a long service life

·       Network security products consider industrial protocols

·       Terminal security products are compatible with obsolete systems.

The cybersecurity domains are also selected and evaluated based on the observations of our consultants in the field, with various customers in varied industrial domains, but in the French context.

The rest of this article highlights some of the important ICS domains, from the most mature to the most emerging. This analysis echoes and updates our 2019 publication presenting feedbacks on ICS protection and security. Indeed, if the main topics remains the same (e.g. IT/OT separation), the players and their maturity evolve quickly, bringing new issues and transforming the old ones.

Which basis should be used to secure an industrial network?

People, procedures, and resilience

The strengths and weaknesses of industrial IS and management IS are different. To implement effective cybersecurity measures in an industrial IS, one must first understand the levers already present in Industrial IS that can be useful for cyber security.

First, the operators in industrial production networks are very familiar with the processes and the usual functioning of the production system. In addition, procedures in the event of an incident are much more developed than in corporate IS. Together, these elements give a capacity to detect malfunction and to respond efficiently. A clever way to improve this resilience capacity is to add cyber incident detection procedures based on the teams’ current knowledge.

Network knowledge

Knowing your network makes it easier to secure the IS and maintain it in secure conditions by allowing risk analysis, network segmentation, vulnerability and patch management, regulatory compliance, etc.

It is possible to carry out this exhaustive inventory by hand on a regular basis, especially by using industrial maintenance tools. To go further, it is possible to automate the task with free mapping tools (Dragos CyberLens, GrassMarlin). Finally, probes (Nozomi, Claroty, Dragos, etc.) can go much further by automating the detection of anomalies on the network or even by helping with incident response.

Backup and recovery

The best resilience weapon against ransomware is the systematic and, if possible, offline backup of critical data for the production system. This practice is more and more implemented in OT systems.

However, additional conditions are necessary for backups to be truly useful. First, all the data needed for the system to function must be identified. This data can be either technical data (machine configuration for example) or business data. A risk analysis allows you to identify it efficiently. Finally, you must ensure that you are able to restore a functional system from the backups made, especially for certified systems.

What are the opportunities in 2021?

Our study has enabled us to highlight effective measures to greatly increase the security level of an industrial IS.

Segmenting your network

Network segmentation has been around for several years. However, it is still an important step in securing your industrial network. Having a segmented network allows to efficiently prevent the propagation of an attack and therefore its impact.

In addition to the use of appropriate firewalls, a network segmentation project requires competent architecture and integration teams with sufficient time and resources. Network segmentation is a balance between security and business needs. The use of new “Software Defined” network technologies allows to perform segmentation in a more agile way.

Separate the management network from the industrial network

The connection of industrial IS to corporate IS is necessary today, but it is also a vector of risk.

The solutions to be implemented depend on the criticality of the industrial network and the necessary flows between the two networks. However, a single interface between the two networks must always be favored to maintain control over this particularly critical interface.

A complete range of products exists, from firewalls to data diodes. A good practice is to assemble several of these solutions within a DMZ, to control the services that can communicate between the two networks.

Nevertheless, IT/OT separation goes far beyond the network issue discussed above. In terms of identity, the separation of the Active Directory (AD) between the management network and the industrial network must also be addressed. From a security perspective, it is best, if the resources are available, to separate these two ADs to avoid the spread of attacks. However, the ADs can also be linked by closely controlling authorized flows and/or providing remediation if one of the two ADs is compromised.

Identify network users

A particularity of identity management in ICS is the strong presence of shared workstations. In this situation, an adapted solution must allow several users to work on the same machine in an authenticated way, thus allowing to identify the actions of each one.

In this case, the model where each user has his own Windows session is not adapted. A possible solution is to set up a generic Windows session on which the user authenticates himself in a simple and fast way thanks to a badge and a Fast Switching software.

What are the next major cybersecurity projects for industrial IS?

SOC

Several Managed Security Services Providers (MSSP) are starting to propose ICS specialized Security Operation Centers (SOC). However, these SOCs should not be considered as miracle solutions: it is above all by knowing your business and all its particularities that the SOC can be effective.

A key aspect when setting up an industrial SOC is to clearly define a scope that is correlated with the cyber maturity of the IS. In an industrial cyber SOC, only cyber incidents should be dealt with, without considering purely operational events, which are already handled by the supervision system.

Third party security

Supply chain management, both in IT and OT, is becoming one of the most important cyber topics. REvil’s attack on Kayesa and its customers in July 2021 gives an idea of the possibilities of a supply chain attack: the attacks reach a new scale and can affect hundreds or even thousands of organizations at once. Obviously, industrial IS also involves third parties and are therefore not immune. For example, the compromise of a PLC vendor could impact numerous customers.

Third party attacks can take different forms, including the following examples:

•          Access to the IS by using a software update with a trojan inside
•          Theft of data stored by a third party
•          Access to the IS via a remote access, for example used by the third party to perform maintenance

Protecting oneself from supply chain attacks is particularly complex. However, tools exist. First, it is essential to know your supply chain and the risk related to each third party. Third parties at risk can then be subject to measures to reduce the chances of compromise such as a Security Assurance Plan (SAP) or regular audits.

Remote access to the IS can be controlled by using Bastions or privileged access management (PAM) solutions, which monitor all actions made by the third party and finely manage their rights. However, this solution can become a constraint for the user, therefore it is advised to focus on the user’s needs to propose the most relevant solutio.

Cloud

Still mainly confined to secondary functions such as inventory and supply management, the cloud is gradually making its way into industrial IS with the development of Industry 4.0. By doing so, it allows, for example, global IoT terminals management in production sites or optimizing server sizing.

But this change also raises security issues. Some of these issues have already been addressed with the democratization of the cloud in management information systems, but others have yet to be resolved. How to manage the security of IoT devices? How can cloud systems be integrated into critical environments, which are highly regulated? Who stores the data and what regulations apply?

Cet article What are the trends and challenges in industrial cybersecurity in 2021? est apparu en premier sur RiskInsight.

Our product vision: a solution with multiple functionalities

Description

An OT probe is a piece of equipment, virtual or physical, connected to the information system (IS) in order to map and monitor it. It consists of sensors distributed in the network to collect data and central equipment to correlate this data.

A probe is characterised by:

• Its operating mode,
• The positioning of its components,
• Its attack detection methods,
• Its bundle of features.

The illustration below provides more details on each of these items:

Figure 1: Main characteristics of an OT probe

Main functionalities

The functionalities of these OT probes are essential for their users. The illustration below presents a summary of the main functionalities identified:

Figure 2: Main functionalities of an OT probe

More advanced functionalities also appear on some products, such as centralised management of several sites, provision of investigation guides, vulnerability research, etc. According to our observations, the solutions on the market tend towards the same objectives in structural and functional terms. The differences appear rather at the level of the global integration of the probe with the offers of the suppliers.

Our vision of the market: a market in the process of consolidation

Numerous and varied players

Our studies have enabled us to highlight a little over twenty players with diverse profiles on the OT probe market. Over the last five years, some players have appeared, others have disappeared, partnerships have been built and solutions have continued to evolve. All these elements indicate a market that is still in the process of consolidation.

Figure 3: Our market knowledge

Actors with different approaches

As might be expected in such a diverse market, different approaches to the sales model emerge. Some players put more emphasis on their product as such, while others emphasise its integration in their catalogues of services (threat intelligence, SOC, CSIRT…) or complementary products. These approaches naturally influence the contact between the players and their customers: the more the offer emphasises a service, the more the player will seek to have direct contact with his customer.

Our vision of the field: a need for maturity

Our feedback

At least initially, we recommend focusing on critical sites and processes for reasons of time, cost and skill savings. Moreover, in order to offer relevant behavioural detection, the probes require a significant learning time depending on the site on which they are deployed (identification of false positives, false negatives, accumulation of data for learning…). In addition to this time, significant human resources are required during this learning phase, but also later during the daily use of the product (mainly alert management). It will also be important to link the probe management teams and the incident response teams in order to deal with incidents detected by the probe and then confirmed.

Prior to deployment, the positioning of the probes should be studied. Indeed, it will be the key to both a complete mapping and an optimal detection surface. These initial considerations must address important points such as hardware compatibility (switches, for example) with the probes and the architecture of the site (on which the number of probes may depend). In addition to providing a real-time inventory, mapping can help implement or review network segmentation, an essential step in a security project. The qualification phase should also make it possible to check that the chosen probe will understand all the industrial protocols used and to discuss the processing of encrypted flows, if any.

Finally, of course, this type of project cannot be carried out without the integration, from the outset, of the OT teams.

A number of our clients stop at the test phase, but others have started to deploy probes on their critical sites or even on their entire industrial information system. The reasons given for not deploying probes are mainly related to costs, charges and required skills. The sovereignty of a detection probe can also be an important issue in certain environments.

Identified limits

In addition to the above points, technical limitations may also arise. Issues of bandwidth and network overload, induced by the collection of logs, can be anticipated. Moreover, an OT probe is by nature limited to network exchanges, its results (detected threats, security level evaluation…) are therefore to be put into perspective in relation to the resources at its disposal.

Finally, the probes ensure detection. On the other hand, the reaction must be carried out by other means, human or technological. More generally, with their many interesting functionalities, the probes are complementary to good security practices such as: the installation of antivirus and firewall, the implementation of a well of logs and adequate collection configurations, the construction of network documentation, the establishment of dedicated SOC and CSIRT teams… All these practices remain in force and will allow the full exploitation of the probes’ capacities.

Figure 4: Our main feedback on the deployment of an OT probe

Conclusion

The probes offer a range of functionalities that meet real needs. Our meetings indicate that the market players continue to take into consideration the needs that have been brought to their attention in order to improve their product. Despite a consolidating market, the players seem to be technically converging towards extremely similar end products. Differences will be played out on ergonomic details, on the approaches adopted by each and on costs.

Our initial feedback shows the importance of the load and the skills required to use a probe. While they may be useful in an immature context, in order to help with system knowledge and the implementation of good network hygiene, they only really reveal their potential once they are fully integrated into the arsenal of detection and incident response teams, which corresponds to a highly mature context. Thus, it would seem to be a higher priority to follow the good practices outlined above in order to gain in maturity and then to consider deploying a probe in a second phase.

1: See https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture

2: See https://en.wikipedia.org/wiki/Port_mirroring

3: See https://en.wikipedia.org/wiki/Network_tap

Cet article Detection probes in industrial environments, our vision of the market est apparu en premier sur RiskInsight.

Managing risks in the long term

Equipment hardening

In addition to secure architecture and administration tools, security levels for each item of equipment should be increased according to the strict necessity principle. A generic hardening guide can be created and then adapted to each of the technologies identified by the industrial IS mapping. This allows some of the vulnerabilities to be remedied at configuration and system levels.

Additional security can be provided by adding complementary solutions, such as:

• Antivirus software, which will cover industrial workstations against the most common viruses, whether connected to the network or not (although the latter will require manual updates);
• Implementing strict rules on local machine firewalls, which can be used to prevent communications, and therefore intrusions, on unused ports, and to filter the origin of flows according to the protocols used – which means attempted attacks can be more easily detected;
• Local administrator account-management solutions (for example, LAPS for Windows) finally make it possible to manage native administrator accounts on workstations in a central and individualized way.

However, sometimes it may no longer be possible to harden equipment due to obsolescence. In such cases, there is a need to work with the relevant business functions on obsolescence management of the equipment – its potential replacement and, as a last resort, options to isolate it from the rest of the IS. On obsolete workstations, configuration blockers can be used to ensure the installation and use of components is limited only to those that are strictly necessary.

It’s important to remember that, while industrial ISs have vulnerabilities, they are, above all, part of the company’s means of production. Dialog with the relevant teams is therefore essential in understanding how equipment is used – in order to resolve the vulnerabilities while limiting effects on the business as far as possible.

Security maintenance

Once equipment has been brought up to the right level of security, a plan will be needed to maintain this over time. A choice of options for managing security patches can be developed to meet the needs of the business (in terms of availability, integrity, etc.) and synchronized with the maintenance of the industrial equipment through:

1. Integration into standard operating processes; for example, an installation’s qualification/quality processes may require that equipment be up to date. The updating and administering of equipment can therefore take advantage of plant shutdowns, especially where recertification is needed.

2. Planning a “hot swap” update process in the event of a critical security breach and a procedure for the preventive isolation of production lines – until it’s possible to interrupt the production process;
3. The identification of redundant or peripheral equipment where interventions can be carried out on the basis of straightforward interaction with production managers.

To put in place these patching processes, the mapping carried out previously must have generated a precise equipment inventory, including:

• The identification of the equipment: type, location, and number of units;
• The industrial processes that each item of equipment is used for, and the associated criticality;
• The version of the operating system and/or firmware, and the tools and configurations deployed;
• The cybersecurity needs of supported processes;
• The availability of redundancy, data buffering, and cold spares;
• The required patching frequency and patching history.

But maintaining security levels isn’t simply about applying patches to equipment, it should also:

• Define the process for updating the security solutions installed on equipment isolated from the network;
• Install removable media cleaning solutions, given that these types of tool remain in widespread use on industrial sites. Here, the use of portable solutions allows such media to be analyzed while moving around the site;
• Ensure the safeguarding of equipment configurations and their integration into the DRP in order to guarantee that equipment can be restarted following an incident while still meeting availability needs;
• Set up monitoring of the industrial IAM[1] to ensure robust physical and logical access control. This can also be used to automate a number of time-consuming activities that are still sometimes done manually.

Detecting cybersecurity incidents

The measures set out above help reduce the likelihood of risks occurring and increase the availability of equipment, which benefits the business. Nevertheless, there will still be a need to prepare for the worst and to have in place the tools needed to detect an incident – to be able to remedy such events as quickly as possible and minimize interruption times.

Putting in place detection

The first step is to activate the IDPS[2] functions on networked equipment to ensure that a first stage of detection, and potentially automatic blocking, is in place.

The next step is to collect information by deploying a concentrator on site. The network equipment and server logs can then be sent to existing or dedicated SIEMs[3] where correlation and detection can take place. SOC[4] and CERT[5] teams can then carry out analysis and detection, and respond, if needed, to an incident, by working through standard scenarios.

Anticipating specific risks

However, detection based on standard scenarios may offer only limited value to the business functions. Considering the entirety of sources (PC, Linux, UNIX, etc.) and setting up dedicated industrial IS probes, capable of interfacing with the SCADA systems, can enhance the detection system. Such solutions, however, can be costly.

The key factor is to ensure a progressive and rapid increase in the maturity and value added by the SOC. Agile methods are a good fit here and involve the iterative application of the cycle described in the text box below.

Planning for remedial activities

Lastly, detecting an incident will only result in effective remediation if the business-function teams are involved. As with equipment updates, emergency stop procedures should be reviewed jointly with industrial IS users. A formal Incident Response Plan enables the actions for an industrial cyber-incident to be planned.

Dedicated industrial IS crisis-management exercises should also be carried out to ensure that teams are optimally prepared and to highlight any shortcomings.

Taking a progressive and participative approach guarantees an initiative’s success

The security maintenance of an industrial IS is a complicated undertaking that can only be successful if it is carried out in partnership with the business functions. A progressive and participative approach should be taken to work with them in each of the following areas:

• Understanding the industrial IS, by mapping and prioritizing the most critical elements;
• Mitigating the risks on the industrial IS, by implementing state-of-the-art secure network architecture and defining the administration processes – due to their criticality, safety ISs must be given particular attention;
• Ensuring an adequate level of safety, by hardening and ongoing security maintenance – in particular, this will involve discussions with equipment suppliers and manufacturers;
• Putting in place the tools needed to detect security incidents – these can have a bearing on production and define the response processes.

The actions above can’t always be carried out in parallel. Defining a clear roadmap will enable such actions to be prioritized. This will aid cost control and maximize the value added for the business functions.

Given that such significant undertakings are often driven centrally, the challenge is to engage the individual industrial sites (which may be spread across the world) to ensure security levels can be maintained in the long term. In general, we observe that companies take a two-stage approach:

1. A multiyear cybersecurity program (typically carried out over three years), with a budget of €10m-15m, aimed at:
   • Creating the industrial IS inventory
   • Raising the security levels of existing assets by putting in place protective measures, often involving separation and filtering, and remedying the most critical vulnerabilities – here, defining procedures is essential;
   • Putting in place an initial network of local cybersecurity coordinators;
2. Create an industrial cybersecurity team and its associated management structures that bring together:
   • A framework of key activities that local players will need to manage;
   • The participative construction of the tools that will help this network of local managers carry out their cybersecurity activities;
   • The development of approaches to manage the increase in security maturity levels and change (such as maturity matrices, site-level budget-modeling tools, the definition of steering indicators, central services that the sites can draw on, etc.).

Implementing the management processes can start immediately after the program and therefore benefit from the initial network of site-level cybersecurity coordinators put in place.

Once constructed, it becomes a question of energizing the initiative and steering progress on the sites and industrial ISs, in terms of both security and maturity levels.

Doing this typically involves:

• A network of local cybersecurity coordinators, of size 0.5 to 2 FTEs[6] per site, who are responsible for carrying out projects, implementing ongoing cybersecurity activities, continuous security improvements, and reporting;
• A central team of 3 to 10 FTEs, to provide overall steering and support local managers – especially in terms of expertise.

[1] IAM i.e. Identity and Access Management.

[2] IDPS i.e. Introduction Detection and Prevention Systems.

[3] SIEM i.e. Security Incident and Event Management.

[4] SOC i.e. Security Operation Center.

[5] CERT i.e. Computer Emergency Response Team.

[6] These figures can vary significantly depending on the size and number of local sites; they are the typical arrangements we observe in the large international organizations that Wavestone supports

Cet article Saga (3/3) – Feedback from the field and good practices for the protection and the security maintenance of industrial ISs est apparu en premier sur RiskInsight.

Administration – the nerve center of network architecture

Good administration of an IS is essential to guaranteeing its availability and security. When carrying out an IS security program, you must be clear about the objectives you want to achieve. The good practices we observe in the field include:

• Creating an administration network isolated from the production network with both central and local scope whose aim is to protect administration flows and avoid integrity losses on flows used to manage sensitive operations;
• Protecting the administrative equipment to prevent an attacker from controlling these critical elements directly;
• Standardizing, as far as possible, practices and equipment to facilitate the deployment of secure, or even centralized, administration architecture, and to maintain security levels over time. This can be achieved by pooling resources within a central, dedicated team.

To note: here, we are discussing only the administration of industrial IS infrastructure. Production PLCs, for example, are administered by the business functions in terms of configuration and will pass through the dedicated configuration and maintenance team, when updates are required.

The first step is to create the structure of the isolated and overarching administration network. This objective can be achieved by putting in place the following measures:

• To optimize and pool resources, and especially to assure the DRP[1], the administration network must be constructed around one or more datacenters.
• In order to reduce the risk of an attack propagating by using an infected site as a springboard, the WAN[2] network placed between the datacenter and the industrial installations can be configured as a hub and spoke[3] network, which ensures the separation of each installation.
• To guarantee the integrity and confidentiality of administrative flows, these must be isolated within a specific VRF[4] or VPN[5] administration network between the datacenter and each site.  Putting in place such a dedicated administration network requires, in particular, the use of telecoms and security equipment, as well as dedicated interfaces on the servers.
• For the most important sites, the risk of intrusion via the user LAN[6] can be reduced by setting up an administration LAN which is only accessible from the datacenter’s administration LAN. However, such architecture must provide a resilient solution in the event that the WAN is cut to allow sites to access it directly and also for equipment that simply cannot be maintained remotely.
• Companies with multiple sites can also use a standardized housing that embeds all the security functions required for the site to be interconnected. This facilitates configuration and security maintenance.

Diagram showing the interconnection of a site with or without a SCADA

The second step consists of connecting the administration tools and equipment to be administered to this network, while protecting it from compromise.

Diagram showing the interconnection of a standalone site

There may also be a variety of reasons to keep part of the IS fully disconnected. A disconnected IS removes the ISS risks, leaving only business risks. Disconnection also lowers the level of exposure and therefore the risk of intrusion. A risk analysis should be carried out to determine how to proceed. The associated infrastructure will need to be modified: moving from simple local administration to dedicated administration – which can be costly. These various network bricks, then, enable administrators to access the industrial equipment. However, they must also be given access to the necessary tools.

Administrator tools: how to meet needs while guaranteeing security

Because corporate and industrial ISs are generally managed separately, they each use their own tools – although these may be based on identical products.  This type of configuration meets several objectives. It:

• Assures access control on the administration interfaces, reducing the likelihood of appropriating a means of attack and the fraudulent use of the tools;
• Tracks administrator activity to reduce the potential impact of an attack, by providing a means of detection and response, and facilitating investigation following an event.

This requires the implementation of an administration chain.

Diagram showing the main functions involved in a chain of administration

To centralize access and maintain close control of authorizations, an administration bastion must be set up. Generic accounts are handled by the bastion and protected in its digital safe. This also ensures the traceability of activity and reduces the risk of theft from generic, privileged accounts. The bastion can also secure administration flows by performing protocol translation (for example, from Telnet[8] to SSH[9]).

Equipment, especially telecom equipment, whose security levels are sufficiently mature (including detailed management of rights, traceability, individual accounts, etc.) can be directly administered without passing through a bastion.

The establishment of a dedicated administration workstation, where the tools needed for corporate management will be housed, requires a process to be put in place for their installation. This will ensure the workstation can remain secure and that the list of tools being deployed on the IS can be documented.

Planning for external maintainers

Lastly, it’s essential that access by third-party maintainers is secure in order to limit the risks that arise from improper or unmanaged access, such as infection of the IS after the installation of an unauthorized tool, data loss triggered by a malicious third party, the unavailability of equipment, etc.

An external access point with strong authentication will be needed to confirm the identity of users. Such an access point allows maintainers to access a rebound server which is controlled and hardened by the customer, while also ensuring the traceability of activity. Here, more sophisticated customers deploy solutions that allow the third-party access to the IS for the duration of the intervention only – and then only once access has been approved internally.

The configuration and maintenance servers that are dedicated to the site and PLCs must be rigorously monitored to keep them up to date and secure, especially in terms of the tools deployed on them.

For more detailed information, note that there is an ANSSI[11]  working group dedicated to the cybersecurity of industrial systems. Its PIMSEC framework[12]  recommends a range of security requirements that can be incorporated into contracts with industrial IS service providers.

We now have knowledge of our equipment and the solutions to secure and manage it. However, cybersecurity issues evolve over time, so it is essential to guarantee a level of security over time and to deploy adequate means of detection. How can this be done? This will be the topic of our next article!

[1] Disaster Recovery Plan.

[2] WAN i.e. Wide Area Network.

[3] Hub and Spoke i.e. A network around the datacenter.

[4] Virtual Routing and Forwarding

[5] VPN i.e. Virtual Private Network.

[6] LAN i.e. Local Area Network.

[7] VLAN i.e. Virtual Local Area Network

[8] Telnet i.e. Terminal Network, Telecommunication Network, or Teletype Network.

[9] SSH i.e. Secure Shell

[10] RDP i.e. Remote Desktop Protocol

[11] ANSSI i.e. The French National Cybersecurity Agency.

[12] PIMSEC i.e. ANSSI’s framework for security requirements for industrial systems integrators and maintenance providers.

Cet article Saga (2/3) – Feedback from the field and good practices for the protection and the security maintenance of industrial ISs est apparu en premier sur RiskInsight.

Opening things up to corporate ISS is now a necessity… but it also carries risks

Historically, industrial ISs were not connected to corporate ISs, either because there was no need or as a way of limiting the risk of exposure. The majority of interventions were local, with work taking place directly on equipment, or remotely, using specific methods. The management of this work and the operations themselves were mostly local too.

Business functions’ changing needs and the optimization of production processes have brought with them new and less localized requirements (such as remote supervision, remote maintenance, the emergence of the IoT1, the standardization and rationalization of technologies and skills, cyber threats, etc.), which are designed to improve performance and facilitate operations. These challenges have led to a need to digitalize and interconnect industrial and corporate ISs.

Although this is now essential for a company’s business functions to operate effectively, our discussions with operational staff highlight the fact that such changes have also led to risks of intrusion and the propagation of threats between these interconnected ISs. These affect:

• Operations and quality – with potential shutdowns and modifications to production lines resulting in financial, reputational, and even people impacts;
• The security of facilities, where production equipment being seriously compromised can have impacts on both people and the environment.

Mitigating these intrusion and propagation risks and their consequences means implementing security measures in several different stages:

• Industrial IS mapping;
• Putting in place secure network architecture;
• The hardening and security maintenance of the various systems over time;
• And, lastly, putting in place the measures to detect incidents and respond to them.

Regulatory authorities have also been considering these risks. For the most sensitive installations, they are now mandating these types of measures and others too.

Interventions (such as patch management, account audits, integrity control, etc.), sometimes done remotely and often frequently, may now need to be carried out by teams more distant from site operations. These quickly come up against a traditional operating model designed to prioritize the continuity and integrity of operations, quality, hygiene and safety – while minimizing disruptions to production.

How can these measures be implemented without losing sight of the industrial IS’s core purpose – to operate a physical process in the way designed?

Mapping, a prerequisite for dealing with cybersecurity risks on industrial ISS

To assess the risks and control the potential impacts of implementing any new measures, the first step is the IS mapping of your industrial installations, which enables you to:

• Know the systems that need to be administered and kept up to date;
• Identify the users (operators, maintainers, etc.), and therefore those who need to be involved when a change takes place, to manage the operational impacts;
• Evaluate the potential impacts of new vulnerabilities and security breaches in terms of safety, operations, and quality.

Once the mapping process is underway, you will also need to develop formal procedures for updating the map. This means defining the update frequency, according to the level of criticality, and then actively managing the risks.

This is a substantial piece of work requiring dialog and close collaboration with automation and other engineers involved with the installation.

Mitigating risks on an industrial IS by putting in place security architecture

Security isn’t a new concept and it makes sense to follow the established principles for corporate IS architecture and security – adapting them to the particularities of industrial ISs:

• Reducing the risks of propagation and intrusion by clearly partitioning the industrial IS and restricting access to it;
• Securing the administration of the IS by putting in place dedicated administration architecture;
• Equipping administrators with appropriate tools that enable them to make interventions across the entirety of the industrial assets;
• Integrating from the start (as far as possible) interventions made by external maintainers.

These four principles form the cornerstones of securing industrial IS architecture.

Partitioning, the first step in reducing exposure

Corporate and industrial ISs have essentially different goals: one is designed to facilitate the operation of a business (by providing messaging, management systems, collaborative tools, etc.), while the other is used to operate physical processes. In theory, these should be separated, and only certain types of information should be allowed to flow between them. However, feedback from the field tells us that this is rarely the case.

As in any work on IS security, the strict necessity principle should be adopted to limit exposure to cyber threats. Any interconnection between an industrial and corporate IS should serve a specific purpose; for example:

• Sending production orders to SCADA[1];
• Transferring CAM[2] files to digitally controlled machines;
• Collecting production data to enable the control of operations.

An industrial IS must also be internally partitioned to reduce the risk of threat propagation. To do this, you can use the principle of zones and conduits described in the IEC 62443 standard.

In practice, this partitioning has to be carried out in several steps:

• The listing of relevant business activities according to their different levels of sensitivity;
• Grouping activities requiring the same security level into zones (with, potentially, a ”legacy” zone and associated sub-zones);
• Putting in place security rules for each zone according to their needs, as described in standard IEC 62443;
• Checking that the interconnections (conduits) between the different zones comply with security rules;
• Migrating the applications. Ensuring applications are compliant can be a long and difficult task, and it’s best to use a risk analysis to prioritize and manage the work, as well as documenting the nonconformities and associated remediation plans. In addition, the migration process itself may be complex, if you are to avoid an impact on operations.

The particularity of safety ISS

Safety ISs are industrial ISs that enable industrial production systems to be put into a safe state. Before the advent of today’s digital systems, such systems had long been used in mechanical, pneumatic, and electrical forms. The particular importance of ensuring their integrity is therefore well understood. A final partitioning step can be considered to achieve this. However, field observations often tell us that existing arrangements act as a brake that complicates the work. When done rigorously, such separation reduces the risks of propagation and enables distinct levels of security to be implemented for the production IS and safety IS according to their risk levels. However, a disadvantage is that doing this requires a dedicated SCADA system, which is both expensive and not operationally friendly.

Diagram of Industrial IS / Safety IS partitioning scheme

After having launched this process of identifying and partitioning industrial IS, it is time to deal with their administration. How to reconcile security, operational gain and availability of the production tool? We will tell you about it very soon.

[1] SCADA i.e. Supervisory Control And Data Acquisition system

[2] CAM i.e. Computer Aided Manufacturing

[3] DMZ i.e. Demilitarized Zone.

Cet article Saga (1/3) – Feedback from the field and good practices for the protection and the security maintenance of industrial ISs est apparu en premier sur RiskInsight.

La couverture des risques dans la durée

Le durcissement des équipements

En complément d’une architecture et d’un outillage d’administration sécurisés, il convient d’élever le niveau de sécurité de chaque équipement en appliquant un principe de strict nécessaire. Un guide de durcissement générique peut être créé et adapté à chaque technologie identifiée lors de la cartographie du SI Industriel. Celui-ci permet de remédier à une partie des vulnérabilités présentes au niveau des configurations et des systèmes.

L’utilisation de solutions complémentaires peut également apporter un surplus de sécurité :

• Les antivirus connectés au réseau ou non (impliquant une mise à jour manuelle) vont couvrir les postes industriels contre les virus les plus communs ;
• La mise en place de règles strictes sur les pare feux locaux des machines va empêcher les communications, et donc intrusions, sur les ports inutilisés, et filtrer l’origine des flux en fonction des protocoles utilisés, permettant de mieux détecter des tentatives d’attaques ;
• Des solutions de gestion des comptes administrateurs locaux (par exemple LAPS pour Windows) peuvent enfin permettre de gérer les comptes administrateur natifs des postes de manière centralisée et individualisée.

Il arrive cependant qu’il ne soit plus possible de durcir un équipement du fait de sa vétusté, il faut alors travailler avec le Métier sur la gestion de l’obsolescence des équipements, sur leur éventuel remplacement et en dernier recours sur les capacités à les isoler du reste du SI. Des bloqueurs de configuration pourront également permettre, sur des postes vétustes, de restreindre l’installation et l’utilisation de composants à ceux uniquement nécessaire.

Il est important de rappeler que le SI Industriel souffre de certaines vulnérabilités, mais est avant tout l’outil de production du Métier. Le dialogue avec ces équipes est donc primordial à la compréhension de l’utilisation qu’ils en font afin de résoudre ces vulnérabilités en limitant les conséquences au maximum pour le métier.

Le maintien en conditions de sécurité

Lorsque les équipements atteignent le bon niveau de sécurité, il faut prévoir son maintien dans le temps. Différents scénarios de gestion des correctifs de sécurité ou « patchs » peuvent être définis pour répondre également aux besoins du Métier (disponibilité, intégrité) et synchronisés avec la maintenance industrielle :

1. Intégration dans les processus nominaux d’exploitation (par exemple : les processus de qualification / qualité d’une installation peuvent imposer que les équipements soient à jour). La mise à jour et l’administration des équipements tireront ainsi profit des arrêts industriels d’autant plus si une re-certification est nécessaire.

2. Préparation d’un processus de mise à jour « à chaud » en cas de faille de sécurité critique et d’un processus d’isolation préventive d’une ligne de production le temps que le procédé puisse être interrompu ;
3. Identification des équipements redondants ou périphériques sur lesquels une intervention avec simple information des responsables de sites est possible.

Afin de mettre en place ces process de patch, la cartographie réalisée précédemment doit faire apparaître un inventaire précis des équipements devant inclure :

• L’identification des équipements, leur type, localisation et nombre ;
• Les procédés industriels pour lesquels ils sont utilisés et la criticité associée ;
• Le système d’exploitation/lefirmware, les outils et la configuration ainsi que la mention des versions déployées ;
• Les besoins en termes de cybersécurité au regard des procédés supports ;
• La disponibilité de redondance, de mise en tampon des données et de cold spare ;
• La fréquence de patch requise et l’historique de patch.

Le maintien du niveau de sécurité ne se base pas uniquement sur l’application de correctifs de sécurité sur les équipements. Il convient également de :

• Définir le processus de mise à jour des solutions de sécurité installées sur les équipements coupés du réseau ;
• Installer des solutions de nettoyage de média amovibles qui restent très présents sur les sites industriels – certains produits ont l’avantage d’être portables et donc d’analyser le média pendant le déplacement à l’intérieur du site industriel ;
• Assurer la sauvegarde des configurations des équipements et leurs intégrations au DRP afin de garantir une remise en route post-incident qui réponde aux besoins de disponibilité ;
• Mettre en place un suivi de l’IAM[1] Industriel afin d’avoir un contrôle d’accès physique et logique robuste. Cette action permettra aussi d’automatiser de nombreuses actions fastidieuses de revue de comptes parfois encore faites à la main.

La détection des incidents de cyber sécurité

Les mesures citées précédemment permettent de réduire la probabilité d’occurrence des risques et donc d’augmenter la disponibilité des équipements pour le Métier. Il faut néanmoins se préparer au pire et avoir les outils nécessaires à la détection d’un incident pour le remédier au plus vite et garantir un temps d’interruption réduit au maximum.

La mise en place de la détection

La première étape à réaliser est l’activation des fonctions IDPS[2] sur les équipements réseaux afin d’assurer un premier stade de détection et potentiellement de blocage automatique.

Il s’agit ensuite d’assurer la collecte d’informations en déployant un concentrateur sur site. Les logs des équipement réseaux et serveurs pourront ainsi être envoyés aux SIEM[3] existants ou dédiés dans lesquels se feront corrélation et détection. Les SOC[4] et CERT[5] peuvent alors réaliser les opérations d’analyse, de détection et éventuellement de réaction sur incident en se basant sur des scénarios classiques.

L’anticipation de risques spécifiques

Cependant, la détection basée sur des scénarios classiques n’apportera que peu de valeur aux métiers. La prise en compte de l’ensemble des sources (PC, Linux, UNIX…) et la mise en place de sondes dédiées aux SI Industriels capables de s’interfacer avec des systèmes SCADA peut permettre d’améliorer le système de détection. Toutefois, ces solutions peuvent s’avérer coûteuses.

L’élément clé consistera ici à assurer une montée en maturité et en valeur incrémentale et rapide du SOC.

Se préparer à la remédiation

Pour finir, la détection d’un incident ne pourra aboutir à une remédiation efficace que si le Métier est inclus. Tout comme pour les mises à jour d’équipements, il convient donc de revoir les procédures d’arrêt d’urgence avec les utilisateurs du SI Industriel. La formalisation d’un Plan de Réponse à Incident permet de planifier les actions à mener en cas d’incident cyber-industriel.

Des exercices de gestion de crise dédiés au SI Industriel doivent également être menés pour assurer une préparation optimale des équipes et mettre en lumière les éventuels manques.

Une approche progressive et participative garantira le succès de la démarche

La mise en conditions de sécurité d’un SI Industriel est un chantier complexe qui ne peut être faite qu’avec le Métier. Il convient donc de travailler avec lui de manière progressive et participative sur chacun des chantiers suivants :

• Prendre connaissance de son SI Industriel en réalisant une cartographie en priorisant les éléments les plus critiques ;
• Mitiger les risques sur le SI Industriel en mettant en place l’état de l’art de l’architecture réseau sécurisée et définir les processus d’administration – les SI de Sûreté, par leur criticité, devront faire l’objet d’une attention particulière ;
• Atteindre un niveau de sécurité adéquat par le durcissement et le maintien en conditions de sécurité des équipements dans le temps – des discussions pourront notamment avoir lieu avec les fournisseurs et constructeurs d’équipements ;
• Mettre en place les outils nécessaires à la détection d’incident de sécurité, qui peuvent avoir une influence sur la production, et définir les processus de réaction.

Toutes ces actions ne peuvent pas toujours être menées en parallèle. La définition d’une feuille de route claire va permettre la priorisation des différentes actions pour pouvoir maitriser les coûts et maximiser l’apport pour le Métier.

Si ce vaste chantier est souvent initialisé en central, l’enjeu reste de pouvoir embarquer les sites, parfois répartis dans le monde entier, pour assurer une sécurité pérenne dans le temps. Nous observons, en général, une démarche en deux temps :

1. Un programme cybersécurité pluriannuel (souvent 3 ans) pour un budget de 10 à 15 millions d’euros visant à :

• Réaliser l’inventaire des SI Industriels ;
• Élever le niveau de sécurité du parc existant par la mise en place de protections souvent périmétriques et de filtrage ainsi que la remédiation des vulnérabilités les plus critiques – la définition de procédures est ici nécessaire ;
• Faire émerger un premier réseau de coordinateurs cybersécurité locaux ;

2. La création d’une filière cybersécurité industrielle et de la gouvernance associée réunissant :

• Le cadrage des activités clés à piloter par les acteurs locaux ;
• La construction participative d’outils pour aider ce réseau de responsable locaux à opérer les activités de cybersécurité sur le contenu ;
• La construction des moyens de pilotage de la montée en maturité et de gestion du changement (matrices de maturité, outils de modélisation budgétaire par site, définition d’indicateurs de pilotage, services centraux consommables par les sites…).

La mise en place de la gouvernance peut démarrer après le programme et tirer ainsi profit du premier réseau de correspondants sensibilisés à la cybersécurité bâti par le programme.

Une fois construite, il s’agit ensuite de l’animer et de piloter la progression des sites et des systèmes industriels à la fois en termes de niveau de sécurité et de niveau de maturité.

Cette animation réunit en général :

• Un réseau responsables cybersécurité locaux de 0,5 à 2 ETP[6] par site en charge de réaliser les projets, d’implémenter les activités récurrentes de cybersécurité, d’améliorer continuellement la sécurité et de reporter ;
• Une équipe centrale de 3 à 10 ETP pilotant globalement et appuyant les responsables locaux notamment en termes d’expertise.

[1] IAM i.e. Identity and Access Management.

[2] IDPS i.e. Introduction Detection and Prevention Systems.

[3] SIEM i.e. Security Incident and Event Management.

[4] SOC i.e. Security Operation Center.

[5] CERT i.e. Computer Emergency Response Team.

[6] Ces chiffres peuvent varier significativement en fonction de la taille de l’entreprise et du nombre de sites locaux, il s’agit d’une moyenne observée dans de grandes organisations internationales que Wavestone accompagne.

Cet article Saga (3/3) – Retours d’expérience et bonnes pratiques pour protéger et maintenir en condition de sécurité des SI Industriels est apparu en premier sur RiskInsight.