Security controls for ICS/SCADA environments

Introduction

The Center for Internet Security (CIS) has written controls and benchmarks that are used to help protect various environments from potential threats. The CIS Controls version 7 is the latest release. They used 7 key principles for writing the controls:

Address current attacks, emerging technology, and changing mission/business requirements for IT
Bring more focus to key topics like authentication, encryptions, and application whitelisting
Better align with other frameworks
Improve the consistency and simplify the wording of each sub-control – one “ask” per sub-control
Set the foundation for a rapidly growing “ecosystem” of related products ad services from both CIS and the marketplace
Make some structural changes layout and format
Reflect the feedback of a world-side community of volunteers, adopters, and supporters

The controls are broken up into 3 main areas, with 20 sub sections:

CIS has released a companion document to the controls, titled, V7 implementation guide for Industrial Control Systems (ICSs). This companion document is specific to ICSs and can be used to tailor controls to your specific SCADA environment. Below we will go into details about each of the 20 control sets.

Basic Controls

Inventory and Control of Hardware Assets

This is the first control because it may be the most important. You cannot assess or secure your system if you do not all of the components that are a part of your system.

Inventory and Control of Software Assets

The same point is true for the software components of your system. Software comes with unique sets of vulnerabilities. You cannot track those vulnerabilities unless you know they are a part of your architecture.

Continuous Vulnerability Management

Because SCADA environments contain many embedded systems, that are used to control important infrastructure items, patching and updates implementation can prove difficult. Industrial systems often have required uptimes that limit the service times. So, it is important to remember these requirements as you create a vulnerability management plan specific to your ICS environment.

Controlled Use of Administrative Privileges

The purpose of all access controls is to ensure unintended users do not gain access to more than they are supposed to. It is important for administrator accounts have good password requirements and separation of duty requirements in place.

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

CIS provides benchmarks that can be used to harden IT systems. ICSs can have nontraditional operating system that the benchmarks may not address. Be sure to still follow industry standards and read the manual or vendor websites to ensure you are implementing the best practices for your particular system.

Maintenance, Monitoring and Analysis of Audit Logs

Embedded systems do not always audit security events at the same default level as traditional IT systems. It also may not be easy to have those logs sent to a centralized monitoring system. Using a SIEM designed for ICSs could prove beneficial.

Foundational Controls

Email and Web Browser Protections

Browsers and email clients are very susceptible to security threats. CIS has benchmarks that could be used to harden web browsers and email clients.

Malware Defenses

As noted earlier, maintenance on ICSs can be difficult due to the uptime requirements. This means updating malware and antivirus signatures.

Limitations and Control of Network Ports, Protocols and Services

While identifying assets you should also identify all of the ports, protocols and services that the ICS will need in order to operate as intended. You should limit open ports only to the ones you need.

Data Recovery Capabilities

Data backup is important in ICS environments just as in traditional enterprise environments. Automated backups may prove difficult in some SCADA environments so keep that in mind when documenting backup and recovery procedures.

Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Secure network devices are just as important, if not more so, in SCADA environments. Only allow firewall traffic through on approved ports. Deny should be the default setting. Remove default accounts and credentials from network devices. Implement multifactor authentication.

Boundary Defense

You only wanted information to flow through trusted channels. Strategically place control devices to control the flow of information. This includes firewalls, gateways, IDS/IPS, proxies, DMZ perimeters, etc.

Data Protection

ICSs do not traditionally contain sensitive information, such as HIPPA, PII, financial data, etc. However, there could still be information collected that is deemed sensitive and should be protected. Implementation of encryption for data at rest, sniffers, and/or anomaly detection tools.

Controlled Access Based on the Need to Know

Even ICSs can be compartmentalized to separate data into controlled segments. Creating ACLs to ensure only authorized personnel access data they are supposed to.

Wireless Access Control

Ensure wireless traffic uses controlled, preferably, private networks. Wireless traffic should use, at a minimum, AES or ECC encryption to protect network traffic.

Account Monitoring and Control

Use shared accounts and passwords only when necessary
Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member
Remove applications leveraging clear text authentication or basic security authentication Where not possible, use unique credential sets and monitor their usage
Enforce complex passwords
Automatically lock accounts after periods of inactivity

Organizational Controls

Implement a Security Awareness and Training Program

Users are the weakest link in the security chain. An effective training program can help to minimize the threat they pose to your internal network.

Application Software Security

Applications can have vulnerabilities that need to be identified so they can be mitigated.

Incident Response and Management

Even with the best implemented security controls in place, it is still possible to fall victim to a security threat. If that happens an incident response team needs to be in place to respond.

Penetration Tests and Red Team Exercises

Testing security controls after implementation is a great way to ensure they are properly implemented and working as expected.

Conclusion

ICSs have unique properties that can make implementing security more difficult than in tradition IT settings. CIS has controls that could help create a strong security posture.

Reference

https://www.cisecurity.org/blog/cis-controls-version-7-whats-old-whats-new/

https://cdn2.hubspot.net/hubfs/2101505/Implementation%20Guide%20for%20ICS%20using%20the%20CIS%20Controls-1.pdf?__hstc=&__hssc=&hsCtaTracking=9def7bab-8964-4281-8130-56947e76896e%7Cd87fbbda-f06b-4bbd-ba51-a2f47c01084c

https://www.tenable.com/blog/cis-adapts-critical-security-controls-to-industrial-control-systems

https://www.cisecurity.org/white-papers/cis-controls-implementation-guide-for-industrial-control-systems/

https://www.cisecurity.org/controls/inventory-and-control-of-hardware-assets/

https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/

https://www.cisecurity.org/controls/continuous-vulnerability-management/

https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

https://www.cisecurity.org/controls/secure-configuration-for-hardware-and-software-on-mobile-devices-laptops-workstations-and-servers/

https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/

https://www.cisecurity.org/controls/email-and-web-browser-protections/