ICS security assessment in the Gulf region.
ICS security field experience
At my company, ICS Defense Force, I conduct industrial control system (ICS) security assessments, incident response engagements, and incident response tabletop exercises across multiple critical infrastructure sectors around the world. Most recently I performed this work for the oil, gas, and power sectors in the Gulf region. That fieldwork matters in this context: it puts me in the room with security teams, engineering staff, and those responsible for cyber security risk management and defense, including the decision makers looking for technical solutions and tactical training to address the cybersecurity challenges they have identified.
In Part 1 of this series, I noted that 25% of respondents to the 2023 SANS ICS/OT Cybersecurity Survey consider the current cybersecurity threats to ICS to be serious or critical. This is consistent with modern adversaries repeatedly demonstrating the brazen steps they will take to defeat traditional security controls and impact safety and engineering reliability. Proactive control system cyber defense requires a dedicated ICS tactical security team with the engineering knowledge to keep ICS and Operational Technology (OT) operations secure. The ICS threat landscape and the common ICS security challenges in the Gulf region are covered in more detail in Part 1.
In Part 2 of this ICS series, I want to focus on securing networks in ICS/OT environments. Let's get into this topic below.
ICS/OT network segmentation
A common ICS attack path runs from the IT network into the ICS environment over trusted network paths or trusted assets shared between the two networks. In fact, 38% of ICS environment breaches in 2023 involved a compromise of the IT network that allowed threats to enter the ICS network and enable attacks specific to engineering systems. Such attacks can lead to loss of visibility, loss of control, or manipulation of control over engineering operations.
From a defensive perspective, a safe, tactical ICS network perimeter assessment can reveal the paths and weaknesses between your IT and ICS networks that an adversary would use. The scope of such an assessment should extend to all access, including remote access into the ICS, access believed to be protected by multi-factor authentication, and vendor connectivity.
However, there is a big difference between an assessment and a penetration test: in purpose, in effect on the systems, and in the remedial actions that follow if a gap is found. Penetration testing carries an inherent risk of introducing unintended system instability during scanning or active interaction with systems. This is especially true for legacy engineering devices, where it can result in loss of the system, unavailability, downtime of engineering systems, and safety implications. A passive assessment therefore supports security and reliability better than a penetration test and is the recommended assessment approach for ICS/OT environments.
Tactical teams should design their segmentation strategy in context to take full advantage of segmenting their ICS networks, starting from the Purdue model and then layering security onto Purdue using the SANS ICS410 SCADA Network Architecture. That architecture naturally provides incident response capabilities and network traffic collection points that support effective ICS network visibility. Once deployed, we recommend assessing the implemented architecture to confirm it delivers those benefits.
Address the lack of visibility in your ICS/OT network
ICS network visibility is achieved by deploying network intrusion detection systems (IDS) that understand ICS protocols at strategic locations within the control system network. These IDSs monitor and alert on anomalous engineering network activity, including abuse of ICS protocols.
Mature ICS facilities have implemented, or plan to implement in the near future, ICS network visibility tools and the processes to use them. According to the 2023 SANS ICS/OT Cybersecurity Survey data, respondents ranked deploying ICS-specific network visibility technology, together with dedicated ICS/OT-trained defenders to leverage it, as their No. 1 priority, and they expect to implement this strategy within the next 18 months.
Figure: ICS-specific network visibility ranked 1st.
It is essential that this type of technology is detection-based rather than prevention-based, to avoid false positives disrupting critical engineering operations. The technology must be ICS protocol aware: it must correctly interpret the industrial protocols running in your environment and the associated engineering commands on the network, such as Common Industrial Protocol (CIP), Distributed Network Protocol 3 (DNP3), EtherNet/IP, IEC 61850, Modbus TCP, OPC, Profibus, PROFINET, S7, and BACnet, to name a few.
ICS/OT network visibility deployment
The precise placement of such ICS-specific network intrusion detection technology within an industrial network is critical to its effectiveness. The tactical team should have a technical discussion with the facility's network architect about the exact deployment locations within the environment. That said, I can offer some general suggestions and related use cases.
Ideally, the tactical ICS security team works with the engineering staff to obtain both ICS network perimeter visibility (north/south traffic) and internal ICS network visibility (east/west traffic), as outlined below.
Gain both ICS network perimeter visibility and internal ICS network visibility.
Common use cases for north/south network collection, analysis, and response by trained tactical active ICS defenders:
- Attacks from the corporate IT network into OT.
- Remote access through a trusted ICS DMZ jump host that may have been compromised.
- Possible outbound command-and-control (C2) network activity.
Common use cases for East-West network collection, analysis, and response by trained tactical active ICS defenders:
- Passive collection to build the engineering asset inventory.
- Detection of lateral movement from external networks into the ICS.
- Detection of ICS "living off the land" attacks, where legitimate engineering tools and protocols are abused.
- Defense against network-based and transient (ephemeral) device-based threats.
- Detection of, and response to, supply chain compromises.
- Support for engineering root cause analysis.
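As an added example (not the author's or SANS's code) of the protocol-aware, detection-only monitoring described above and the north/south and east/west use cases, the following Python parses Modbus TCP frames and alerts on write function codes from hosts outside an engineering allowlist; the addresses, the allowlist, and the sample frames are constructed assumptions.

```python
import struct
from collections import namedtuple

# Modbus function codes that change process state (writes); reads are 1-4.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Hypothetical allowlist of hosts expected to write to PLCs (constructed addresses).
ALLOWED_WRITERS = {"10.20.1.10", "10.20.1.11"}

ModbusRecord = namedtuple("ModbusRecord", "src dst transaction_id unit_id function_code payload")

def parse_modbus_tcp(src, dst, frame):
    """Parse one Modbus TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRecord(src, dst, tid, unit, frame[7], frame[8:])

def classify(rec):
    """Alert on a write from a host outside the allowlist; detection only, nothing is blocked."""
    if rec.function_code & 0x80:
        return None  # exception response from the PLC, not a command
    if rec.function_code in WRITE_FUNCTION_CODES and rec.src not in ALLOWED_WRITERS:
        return (f"ALERT write fc={rec.function_code} from unexpected host "
                f"{rec.src} -> {rec.dst} unit {rec.unit_id}")
    return None

def scan(flows):
    """Run (src, dst, frame) tuples through the parser and the rule; return alert lines."""
    alerts = []
    for src, dst, frame in flows:
        try:
            rec = parse_modbus_tcp(src, dst, frame)
        except ValueError as err:
            alerts.append(f"MALFORMED {src} -> {dst}: {err}")
            continue
        alert = classify(rec)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample traffic as hex ADUs, not captured from any real network.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.2.50", bytes.fromhex("00010000000601030000000a")),  # HMI read, fc 3
    ("10.20.1.11", "10.20.2.50", bytes.fromhex("000200000006010600100001")),  # EWS write, fc 6
    ("10.1.5.23", "10.20.2.50", bytes.fromhex("00030000000601050001ff00")),   # IT host write, fc 5
    ("10.1.5.23", "10.20.2.50", bytes.fromhex("0004000000060110")),           # truncated fc 16
]
```

A real sensor would feed this from a SPAN port or tap at the collection points the architecture provides, and the allowlist would come from the asset inventory rather than a literal.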
Once the solution is deployed (in one or both of the selected locations), operating the ICS network visibility tools requires dedicated resources specifically trained in both IT and ICS security, with safety as the priority.
ICS/OT network visibility and industrial incident response training
The SANS course ICS515: ICS Visibility, Detection, and Response addresses some of the latest ICS security challenges with practical techniques and applied knowledge for effective ICS security in defense of critical infrastructure. ICS515 uses hands-on labs to teach students how to perform tactical ICS incident response. The labs involve assembling and running programmable logic controllers (PLCs) like those found on factory floors, and students keep their PLC kits to continue learning after class. Students from IT, ICS, engineering, and other backgrounds detect and defend against threats in several realistic ICS environments.
In conclusion, what works for IT business networks and assets is often destructive or disastrous when applied to ICS/OT engineering systems and environments. Therefore, it is important for ICS/OT-focused tactical cybersecurity defenders to ensure they embrace the differences between IT and ICS. Never “copy and paste” IT security processes, technical controls, or policies into your ICS security environment.
Today, the most effective way to achieve practical, technical cyber defense of critical infrastructure is to be specifically trained in ICS security, to use ICS-specific security tools, and to have a technical team that understands 1) IT security threats, 2) ICS/OT security threats, and 3) safety-first engineering systems and operations.
On behalf of myself and the EMEA team, thank you for taking the time to review this important topic for tactical ICS/OT cybersecurity roles as it relates to protecting critical systems in the Gulf region. I look forward to teaching and talking with you and your team at the next SANS Gulf event.
Defend against industrial cyber incidents!
For more information about SANS, see here.