As cyberthreats increase in both volume and sophistication, securing industrial control systems (ICS) becomes that much more challenging. Despite the varied nature of critical infrastructure, however, most weaknesses in current ICS security fall into one or more of five categories.
Let’s look at these ICS security pitfalls and how to address them.
- Weak passwords
Where possible, establish and implement policies that require strong passwords. This can include account lockout policies to reduce the chance of a successful brute-force attack, though lockout is not ideal in an ICS environment and is better suited to systems that must be Internet-facing.
If strong password enforcement cannot be done without risking safety, look at placing some other compensating control in place, such as a firewall or terminal server, that can enforce strong passwords without impacting the ICS itself.
- Poor patch management
As we’ve previously discussed, patch management is a tricky endeavor at best. If machines in an ICS infrastructure are properly implemented, all necessary ports and protocols have been identified to allow for proper software functions. In that case, frequent patching usually isn’t necessary because those systems are, for the most part, static in nature.
But that doesn’t mean you can ignore a patch management policy. Your ICS environment requires a plan and process by which to apply patches as needed and when possible, to mitigate known vulnerabilities that actually constitute a threat to your environment. Keep in mind that not all vulnerabilities are a threat to your systems. For example, if you do not run web services on a system, it is not necessary to patch web services on it; by doing so, you only increase the risk of damaging that system.
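The triage rule above (patch only what actually runs, and schedule exposed assets first) as an added example that is not part of the original post; the asset inventory and advisory identifiers are constructed placeholders, not real devices or CVEs:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    services: frozenset      # services actually enabled on the device
    internet_facing: bool    # reachable from the Internet or corporate side

@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # constructed placeholder id, not a real CVE
    affects: frozenset       # services/components the patch modifies

def triage(assets, advisories):
    """Return sorted [(priority, asset, advisory_id, hit_services)].

    A patch is scheduled only when the asset actually runs an affected
    service; patching a component that is not present adds change risk to a
    static system without reducing threat. Internet-facing assets get
    priority 0 (next possible window); isolated assets get priority 1.
    """
    plan = []
    for asset in assets:
        for adv in advisories:
            hit = asset.services & adv.affects
            if not hit:
                continue   # vulnerability exists, but it is not a threat here
            priority = 0 if asset.internet_facing else 1
            plan.append((priority, asset.name, adv.advisory_id, tuple(sorted(hit))))
    return sorted(plan)

def not_a_threat(assets, advisories):
    """Advisories matching no enabled service anywhere: track them, don't patch."""
    used = {adv_id for _, _, adv_id, _ in triage(assets, advisories)}
    return sorted(a.advisory_id for a in advisories if a.advisory_id not in used)

# Constructed sample plant inventory and vendor advisories.
ASSETS = [
    Asset("hmi-01", frozenset({"http", "rdp"}), False),
    Asset("plc-07", frozenset({"modbus"}), False),
    Asset("historian", frozenset({"http", "sql"}), False),
    Asset("jump-host", frozenset({"rdp", "ssh"}), True),
]
ADVISORIES = [
    Advisory("ADV-0001", frozenset({"http"})),
    Advisory("ADV-0002", frozenset({"modbus"})),
    Advisory("ADV-0003", frozenset({"rdp"})),
    Advisory("ADV-0004", frozenset({"ftp"})),   # no asset runs ftp: skip it
]

if __name__ == "__main__":
    for priority, name, adv_id, hit in triage(ASSETS, ADVISORIES):
        print(f"P{priority} {name:10} {adv_id} ({', '.join(hit)})")
    print("not a threat here:", not_a_threat(ASSETS, ADVISORIES))
```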
- Flat network design and/or unnecessary exposure to corporate resources and Internet.
Looking back, PCN, ICS, SCADA and other control networks were designed at a time when network connectivity was not a concern. These systems had true air gaps, and it was only recently that the growing need for data from them required IT/OT to start providing network connectivity to the enterprise.
One important step is to introduce ISA/IEC 62443 network segmentation to your environment as soon as possible. This alone makes isolating your critical assets straightforward and provides a clearly defined line of demarcation.
Another best practice is, where possible, to keep these systems off the Internet. You can minimize network exposure of control systems by placing them behind firewalls and isolating them from all unnecessary business network services.
If your systems require remote access, employ secure methods that allow for more granular control over access and provide a record or log of every entry into the system.
- No authentication to resources
If you isolate ICS behind a firewall you are able to enforce a higher level of access control. If firewalling the system is not an option, you should look at placing some other form of remediating system or device that requires login access.
- Default user accounts with default password
Last but definitely not least, when and where possible disable and/or change the default user ID and password in your environment. It is understood that in the controls world safety is paramount, and that when things go wrong you don’t want to have to look through a long list of passwords, especially when you have 50 of these units and they aren’t centrally managed.
Sure, you’re saying: “It will take forever to change all the passwords on the units.” But you should come up with a password for those 50 and change them all, especially on intra/internet-facing assets. The time and energy it takes to make the change in the beginning is a lot less effort than tracking down and dealing with a break, let alone reporting up to C-level why the environment was compromised because of a password issue.
For more on Palo Alto Networks solutions for ICS, head here.
[Palo Alto Networks Blog]