Industrial Control Systems (ICS) attacks have a direct impact on people's lives. The consequences of these attacks can be unpredictable, which is why ICS protection is a hot topic in security right now. Defining the right protection layer and best approach to secure communications in this environment is crucial. Historically, ICS departments operated independently from the rest of the organization with their own ecosystem often air-gapped. Now we see rapid change as IT more and more often becomes a business enabler for Operational Technology (OT). With this we also see an increase of ICS cybersecurity attacks, but it's interesting to note a large majority of those originate from IT expanding their footprint into OT networks.
There is no magic wand to turn OT networks into a safe place to be, but these three steps will help you to better understand what's going on within an ICS infrastructure, the IT implications, and - most importantly - responding to attacks.
If we don't know where the "crown jewels" are it will be impossible to define the right protection strategy. It is critical to map each OT object (Human Machine Interface, Programmable Logic Controller, Remote Terminal Unit etc.) to the OT process they support.
Once we have the processes mapped we need to assign responsibility based on the Area of Responsibility (AoR); defining the list of people and IT objects allowed to interact with such processes. Various methodologies help define the risk specific objects have within the process analyzed, usually a questionnaire will help assign the importance of a specific process based on business needs.
This approach is really useful in the coming steps as the outcome of the information produced in the risk assessment is critical in shaping the IT - OT data stream convergence and defining incident response procedures
Converging IT and OT
The majority of ICS cyberattacks start from the IT network leveraging well known TTPs (techniques, tactics and procedures), such as Spear Phishing, Lateral Movement, Command and Control architecture and so on.
IT users and services usually communicate directly with OT through standard ICS or proprietary protocols with IT typically seeing lots of connections between the internet (or extranet) and OT networks. From an IT prospective this is a painful situation. The lack of visibility and knowledge about the content and the type of risks prevent the traditional Security Operations Center (SOC) from assuring the company as to the reliability of those communications.
Leveraging the risk assessment results allows us to map, not only each OT object to a specific OT process, but also to map them with the threats discovered. IT will then be able to establish the relationship between the OT process and the IT threat model.
A powerful network packet monitoring tool and flexible meta-framework play a key role in defining the important relationships between IT, OT and threat modeling. The SOC analyst needs a clear view into the type of risk mapped to the OT process. The incident severity is better understood using the risk assessment data.
When it comes to ICS Incident Response a different approach is strongly required. It is often impossible to reimage a corrupted server or pc hosting a Data Historian (DH) or Human Machine Interface (HMI) service due to systems availability requirements and legacy software installed. A key role will be played by the endpoint solution capable of determining which .dll, .exe or file is corrupted and how it behaves within that systems, highlighting the deviations with respect to a standard image that IT/OT approved.
Major ICS services, such as DH and HMI, usually run on Windows or Linux operating systems At the OS level it is crucial you analyze anomalies without interrupting the normal operation as availability is the primary concern in this environment.
The main advantage of applying this framework allows for the possibility to have analysts without OT knowledge to detect and handle incidents or anomalies within the ICS infrastructure, filling the gap between IT and OT in terms of process, procedure and technology. Taking this approach helps ICS organizations define a different, yet still efficient, cybersecurity program to quickly respond to cyberattacks.