ICS Do's and Don'ts 

We are passionate about ICS security and we are striving to help organizations better understand Industrial Control Systems (ICS). Many organizations don’t realize that they have ICS somewhere on their networks. The truth is, virtually every datacenter, modern building, and corporate campus around the world plays host to environmental controls, building entry systems, safety systems, and many other automation systems that are considered ICS.

In many industries, these systems are a vital component of the enterprise's most critical business operations. Given their specialization and complexity, many of these systems are managed and operated outside of the traditional IT sphere, leaving traditional vulnerability and risk management programs blind to their existence and to the risk they carry.

Some of these systems are even managed and maintained by external third parties, providing a backdoor into your corporate network and hence representing a new weakest link in enterprise information security.

After a typical enterprise ICS security assessment, many clients have questions about what they can do to better manage the security of their ICS. We’ve come up with a few general do's and don’ts when dealing with ICS. Let’s start with the don’ts:

  • Run a traditional vulnerability scanner on ICS devices – Many ICS devices are fragile and were not designed to be aggressively interrogated. When we asked one vendor why their device crashed after a simple port scan, we were told that they were using the “Industrial TCP/IP stack.”
  • Expect traditional tools to identify vulnerabilities in ICS software – Traditional vulnerability management tools simply miss many ICS vulnerabilities. To make matters worse, some ICS vulnerabilities (such as hardcoded backdoor passwords) are not classified as vulnerabilities, but rather as “features.”
  • Expect timely notification of vulnerabilities – Much of the enterprise vulnerability management space has matured into a science. Notification of vulnerabilities from major enterprise software vendors occurs on a regular, consistent cadence, and in a consistent manner. This is not so in the ICS space. Notification of vulnerabilities can be inconsistent, and the information needed to determine your organization's risk is usually sparse.
  • Recognize that your organization may be outsourcing management of these devices, and their poor security controls, to a third party. It is common practice to have building automation managed by someone else. Your organization should know who they are and how they access your equipment. Controls should be in place requiring secure implementation and management of your systems. If you are leasing space for a critical function such as a data center, you should check into the building management's policies as well.
  • Expect centralized patch management from vendors – Patching ICS can be difficult. Often, ICS systems run some of the most critical processes in the enterprise, and taking these systems offline can result in tremendous costs and operational risk. Given the risks associated with patching ICS, there are no centralized, automated patching mechanisms. Nearly all ICS patches must be downloaded and applied manually. In some cases, the patch can only be installed by a certified technician from the vendor.

What are some things you can do to proactively manage the security of your ICS?

  • Identify ICS on your network – Identification of where ICS systems reside on the network is crucial if you are to start proactively managing the risks associated with these systems. Comprehensive identification and enumeration of the ICS systems active in your environment is the foundation to all other ICS security functions.
  • Identify the paths to reaching ICS – Once you’ve identified where the ICS reside on your network, you can then begin to understand how these devices can be accessed. Are they Internet accessible? Are they firewalled properly? Can these devices be reached by a regular user who is not an ICS engineer?
  • Monitor paths to ICS devices – ICS can run some of the most sensitive, crucial business operations for your enterprise. Given the difficulties associated with patching and the fragile security posture of many of these devices, enterprises should consider rigorous monitoring of access to ICS systems. In most cases, access to these devices should be very predictable and the volume of traffic very manageable, which makes anomalous access easy to spot.
  • Identify users/engineers that work with ICS – With so much focus placed on the end devices, we must not forget the human element of ICS. Identification of ICS users and engineers is a crucial step in managing your ICS exposure. Simple administrative steps like putting ICS users into their own directory organizational unit (OU) can go a long way.
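The first three "do's" above (identify ICS, identify the paths to it, monitor those paths) can be combined into one passive check that never touches the devices themselves, which also respects the first "don't" about fragile ICS stacks. The following script is an added example, not code from the original post or from Cylance: it reads a constructed connection log in a simple CSV-style format (timestamp, source IP, destination IP, destination port, protocol) of the kind a firewall or flow collector might export, tags destinations that receive traffic on well-known ICS protocol ports, and then flags every connection to those hosts that does not originate from an allow-listed engineer workstation subnet. The port table uses the registered ports for Modbus/TCP, S7, DNP3, BACnet/IP, EtherNet/IP and OPC UA; the engineer subnet, the sample addresses and the log format are assumptions for illustration, and a port match is only a hint to confirm with the asset owner.

```python
"""Passive ICS discovery and access-path monitoring over connection logs.

Added example (not from the original post). Assumes a constructed log format
of timestamp,src_ip,dst_ip,dst_port,proto. A port match is a hint that the
destination speaks an ICS protocol, to be confirmed with the asset owner.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Well-known ICS protocol ports. Matching is deliberately passive: it reads
# existing logs and never sends a packet to the devices.
ICS_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "Siemens S7 (ISO-TSAP)",
    ("tcp", 20000): "DNP3",
    ("udp", 20000): "DNP3",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 4840): "OPC UA",
}

# RFC 1918 address space; any source outside it is treated as external here.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Hypothetical allow-list: the ICS engineer workstation subnet. In practice it
# would be derived from the ICS engineer group/OU the post recommends.
ENGINEER_NETS = [ip_network("10.10.5.0/24")]

# Constructed sample log (not real traffic): engineer workstations talking to
# a PLC, an HMI and a BACnet controller; an unrelated internal host and an
# external address also reaching the PLC/HMI; plus ordinary HTTPS traffic.
SAMPLE_LOG = """\
2019-03-01T08:00:01,10.10.5.21,10.20.0.15,502,tcp
2019-03-01T08:00:02,10.10.5.21,10.20.0.16,102,tcp
2019-03-01T08:00:05,10.10.5.22,10.20.0.15,502,tcp
2019-03-01T08:01:10,10.30.7.44,10.20.0.15,502,tcp
2019-03-01T08:02:00,10.10.5.21,10.20.0.17,47808,udp
2019-03-01T08:02:30,203.0.113.9,10.20.0.16,102,tcp
2019-03-01T08:03:00,10.10.5.21,10.20.0.99,443,tcp
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV-style log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            records.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                            "port": int(port), "proto": proto.lower()})
        except ValueError:
            continue
    return records


def discover_ics(records: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each destination that received ICS-protocol traffic to the protocols seen."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        name = ICS_PORTS.get((r["proto"], r["port"]))
        if name:
            found[str(r["dst"])].add(name)
    return dict(found)


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def unexpected_paths(records: Iterable[dict], ics_hosts: Set[str],
                     engineer_nets=ENGINEER_NETS) -> List[dict]:
    """Flag every connection to a known ICS host whose source is not an
    allow-listed engineer workstation; external sources are labelled separately."""
    alerts = []
    for r in records:
        if str(r["dst"]) not in ics_hosts or in_any(r["src"], engineer_nets):
            continue
        reason = ("non-engineer internal source" if in_any(r["src"], RFC1918)
                  else "external source")
        alerts.append({"ts": r["ts"], "src": str(r["src"]), "dst": str(r["dst"]),
                       "port": r["port"], "reason": reason})
    return alerts


def analyze(text: str = SAMPLE_LOG):
    """Run discovery, then path monitoring against the discovered inventory."""
    records = parse_log(text)
    inventory = discover_ics(records)
    return inventory, unexpected_paths(records, set(inventory))


if __name__ == "__main__":
    inventory, alerts = analyze()
    for host, protos in sorted(inventory.items()):
        print(f"ICS candidate {host}: {', '.join(sorted(protos))}")
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['port']} ({a['reason']})")
```

On the sample log the script inventories three ICS candidates (the Modbus, S7 and BACnet destinations; the HTTPS server is ignored) and raises two alerts: an internal host outside the engineer subnet reaching the PLC, and a non-RFC 1918 address reaching the HMI, which is exactly the "is it Internet accessible, is it firewalled properly" question from the list answered from evidence rather than by probing the device. Because any port other than the ICS ones is also checked once a host is in the inventory, a later SSH or HTTP session to a controller from an unexpected source is flagged too.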

Want to learn more about ICS security? Check out our Cylance Consulting: ICS page.