IC34 Slides
IACS Cybersecurity Lifecycle - Assess, Develop & Implement, Maintain
Assign SL-T, Implement SL-A, Ensure SL-A >= SL-T
Assess
High-Level Cyber Risk Assessment
Allocation of IACS Assets to Security Zones or conduits
Detailed Cyber Risk Assessment
Develop & Implement
Cybersecurity Requirements Specification
Design and engineering of cybersecurity countermeasures
Installation, commissioning and validation of cybersecurity countermeasures
Maintain
Cybersecurity maintenance, monitoring, and management of change
cyber incident response & recovery
Good risk assessment includes
Risk profile
Highest severity consequences
threats / vulnerabilities leading to highest risks
Target security levels
recommendations
CRS - Cybersecurity risk assessment
SUC Desc - system under consideration
Zone and Conduit drawings
Zone and conduit characteristics
operating environment assumptions
threat environment
organizational security policies
tolerable risk
regulatory requirements
Document in each Zone / Conduit
Name
Responsible parties
Def of logical and physical boundaries
Safety designation
List all access points logical / physical
List data flow of each access point
connected zones or conduits
list of assets / value
SL-T
Security requirements / policy
Assumption and external dependancies
• SL 0: No specific requirements or security protection necessary
• SL 1: Protection against casual or coincidental violation
• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
FOUR T’s
Tolerate : risk that is acceptable
Transfer : move risk to a 3rd party
Terminate : stop the process to eliminate the risk
Treat : Reduce the likelihood and impact of the risk
FIVE D’s
Deter : create a perimeter to deter an attacker from attempting to breach your system
Physical fence
Camera
Warning signs
Detect : Identify unauthorized intrusion
Cameras - notifications
IDS - Syslog
Firewall - logs
Delay : slow down an active intrusion, so security can respond
Locking doors
Access controls - privilege segmentation
Area segmentation
Deny : Keep unauthorized persons out
Access controls - authentication
MFA
Defeat : security response to an attack
Anything that ends the attack
Law enforcement arrest
Detection strategies and tools
Intrusion detection systems (IDS)
Security incident and event monitoring (SIEM)
anti-virus
firewalls
email / url filtering
training to detect phishing and social engineering
Delay strategies and tools
Security hardening
patching
encryption
network segmentation
access controls
honey pot systems
Deny strategies and tools
Firewalls
whitelisting
IPS - Intrusion prevention systems
access controls
Defeat strategies and tools
Malware removal tools
policies and procedures
intrusion prevention
Security constraints
essential functions
compensating countermeasures
external source
physical security
least privilege
Foundational Requirements (FR)
Acronym - IUSDRTR
"I Usually Suspect DNS, Rarely Trust Results."
• FR 1 – Identification and authentication control (IAC)
Identify and authenticate all users before allowing them to access to the control system.
• FR 2 – Use control (UC)
Enforce the assigned privileges of an authenticated user
• FR 3 – System integrity (SI)
Ensure the integrity of the IACS to prevent unauthorized manipulation.
• FR 4 – Data confidentiality (DC)
Protection against eavesdropping and unauthorized access
• FR 5 – Restricted data flow (RDF)
Segment the control system via zones and conduits to limit the unnecessary flow of data.
• FR 6 – Timely response to events (TRE)
Be able to respond quickly to events and should not adversely affect IACS
• FR 7 – Resource availability (RA)
Ensure the availability of the control system against the degradation or denial of essential services
Technologies for Access Control
Active Directory
Radius
LDAP
TACACS+
Technologies for System Integrity
Physical security
Secure communication protocols
Malware and antivirus software
EICAR test string
Source code management
Secure programming techniques
Technologies for Data Confidentiality
Physical security
Encryption
Secure protocols
Technologies for Restricted Data Flow
Physical network cables
VLAN
Firewalls
Data Diodes
Technologies for Timely Response to Events
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
syslogs, SNMP, logfiles
Security Incident and Event Monitoring (SIEM)
Technologies for Resource Availability
Backup/restore
rate limit firewalls
source code management
UPS
“Please Do Not Throw Sausage Pizza Away”
Please – Physical
Do – Data Link
Not – Network
Throw – Transport
Sausage – Session
Pizza – Presentation
Away – Application
ZCR - Zone and Conduit Requirements (ZCR)
3.1 : Establish
3.2 : separate IT and OT
3.3 : separate safety assets
3.4 : separate temp devices (guest)
3.5 : separate wireless
3.6 : separate remote devices (external)
Firewall - Plan > Install & Configure > Test > Deploy > Manage
HIDS - Host Intrusion Detection Systems
• Narrow scope
• Bandwidth independent
• Low false positive rate
• No additional hardware
NIDS - Network Intrusion Detection Systems
• Broad scope
• Bandwidth dependent
• High false positive rates
• Hardware required
System Hardening : Secure by reducing attack surface
Removal of unnecessary software
OSI Layers
“Please Do Not Throw Sausage Pizza Away”
Layer 1 - Physical
Layer 2 - Data Link
Layer 3 - Network
Layer 4 - Transport
Layer 5 - Session
Layer 6 - Presentation
Layer 7 - Application