IC34 Slides

IACS Cybersecurity Lifecycle - Assess, Develop & Implement, Maintain

  • Assign SL-T, Implement SL-A, Ensure SL-A >= SL-T

Assess

  1. High-Level Cyber Risk Assessment

  1. Allocation of IACS Assets to Security Zones or conduits

  2. Detailed Cyber Risk Assessment

Develop & Implement

  1. Cybersecurity Requirements Specification

  2. Design and engineering of cybersecurity countermeasures

  3. Installation, commissioning and validation of cybersecurity countermeasures

Maintain

  1. Cybersecurity maintenance, monitoring, and management of change

  2. cyber incident response & recovery

Good risk assessment includes

  • Risk profile

  • Highest severity consequences

  • threats / vulnerabilities leading to highest risks

  • Target security levels

  • recommendations

CRS - Cybersecurity risk assessment

  • SUC Desc - system under consideration

  • Zone and Conduit drawings

  • Zone and conduit characteristics

  • operating environment assumptions

  • threat environment

  • organizational security policies

  • tolerable risk

  • regulatory requirements

    • Document in each Zone / Conduit

      • Name

      • Responsible parties

      • Def of logical and physical boundaries

      • Safety designation

      • List all access points logical / physical

      • List data flow of each access point

      • connected zones or conduits

      • list of assets / value

      • SL-T

      • Security requirements / policy

      • Assumption and external dependancies

• SL 0: No specific requirements or security protection necessary

• SL 1: Protection against casual or coincidental violation

• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation

• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation

• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation


FOUR T’s

Tolerate : risk that is acceptable

Transfer : move risk to a 3rd party

Terminate : stop the process to eliminate the risk

Treat : Reduce the likelihood and impact of the risk

FIVE D’s

Deter : create a perimeter to deter an attacker from attempting to breach your system

  • Physical fence

  • Camera

  • Warning signs

Detect : Identify unauthorized intrusion

  • Cameras - notifications

  • IDS - Syslog

  • Firewall - logs

Delay : slow down an active intrusion, so security can respond

  • Locking doors

  • Access controls - privilege segmentation

  • Area segmentation

Deny : Keep unauthorized persons out

  • Access controls - authentication

  • MFA

Defeat : security response to an attack

  • Anything that ends the attack

  • Law enforcement arrest

Detection strategies and tools

  • Intrusion detection systems (IDS)

  • Security incident and event monitoring (SIEM)

  • anti-virus

  • firewalls

  • email / url filtering

  • training to detect phishing and social engineering

Delay strategies and tools

  • Security hardening

  • patching

  • encryption

  • network segmentation

  • access controls

  • honey pot systems

Deny strategies and tools

  • Firewalls

  • whitelisting

  • IPS - Intrusion prevention systems

  • access controls

Defeat strategies and tools

  • Malware removal tools

  • policies and procedures

  • intrusion prevention

Security constraints

  • essential functions

  • compensating countermeasures

    • external source

    • physical security

  • least privilege

Foundational Requirements (FR)

Acronym - IUSDRTR

"I Usually Suspect DNS, Rarely Trust Results."

• FR 1 – Identification and authentication control (IAC)

  • Identify and authenticate all users before allowing them to access to the control system.

• FR 2 – Use control (UC)

  • Enforce the assigned privileges of an authenticated user

• FR 3 – System integrity (SI)

  • Ensure the integrity of the IACS to prevent unauthorized manipulation.

• FR 4 – Data confidentiality (DC)

  • Protection against eavesdropping and unauthorized access

• FR 5 – Restricted data flow (RDF)

  • Segment the control system via zones and conduits to limit the unnecessary flow of data.

• FR 6 – Timely response to events (TRE)

  • Be able to respond quickly to events and should not adversely affect IACS

• FR 7 – Resource availability (RA)

  • Ensure the availability of the control system against the degradation or denial of essential services

Technologies for Access Control

  • Active Directory

  • Radius

  • LDAP

  • TACACS+

Technologies for System Integrity

  • Physical security

  • Secure communication protocols

  • Malware and antivirus software

  • EICAR test string

  • Source code management

  • Secure programming techniques

Technologies for Data Confidentiality

  • Physical security

  • Encryption

  • Secure protocols

Technologies for Restricted Data Flow

  • Physical network cables

  • VLAN

  • Firewalls

  • Data Diodes

Technologies for Timely Response to Events

  • Intrusion Detection Systems (IDS)

  • Intrusion Prevention Systems (IPS)

  • syslogs, SNMP, logfiles

  • Security Incident and Event Monitoring (SIEM)

Technologies for Resource Availability

  • Backup/restore

  • rate limit firewalls

  • source code management

  • UPS

“Please Do Not Throw Sausage Pizza Away”

  • Please – Physical

  • Do – Data Link

  • Not – Network

  • Throw – Transport

  • Sausage – Session

  • Pizza – Presentation

  • Away – Application

ZCR - Zone and Conduit Requirements (ZCR)

3.1 : Establish

3.2 : separate IT and OT

3.3 : separate safety assets

3.4 : separate temp devices (guest)

3.5 : separate wireless

3.6 : separate remote devices (external)

Firewall - Plan > Install & Configure > Test > Deploy > Manage

HIDS - Host Intrusion Detection Systems

• Narrow scope

• Bandwidth independent

• Low false positive rate

• No additional hardware

NIDS - Network Intrusion Detection Systems

• Broad scope

• Bandwidth dependent

• High false positive rates

• Hardware required

System Hardening : Secure by reducing attack surface

  • Removal of unnecessary software

OSI Layers

“Please Do Not Throw Sausage Pizza Away”

Layer 1 - Physical

Layer 2 - Data Link

Layer 3 - Network

Layer 4 - Transport

Layer 5 - Session

Layer 6 - Presentation

Layer 7 - Application