The NSA and CISA released new cybersecurity guidance to stop malicious activity and reduce OT exposure. This new NSA/CISA ICS cybersecurity advisory outlines the tactics, techniques and procedures (TTPs) that malicious actors use to compromise OT/ICS assets and the steps you should be taking against them.
The underlying theme in this new cybersecurity guidance is having a Zero Trust architecture, something we discuss here.
Why the ICS Cybersecurity Advisory is Important
OT cybersecurity has specific needs and challenges. Traditional industrial control systems assets are inherently difficult to keep secure due to their design. These devices are purpose built, are made to last for many years (15- to 25-year lifecycles) and utilize unique logic and protocols for communication. Because of this, they have not been designed to address today’s risks and threats and therefore they lack today’s modern defenses.
These devices perform essential operational functions within their individual industries and are a critical part of the business. They also present risks to the reliability of the organization’s operations. We’ve discussed before why it’s critical to use a system like ConsoleWorks to mitigate these risks; however, we want to take the opportunity to refresh and reinforce the importance of doing so.
OT assets are increasingly being targeted. In the not-too-distant past some of the highest profile breaches were related to Industrial Control Systems and internal users. This threat will only continue, and defense measures need to increase to counteract these threats. The ICS cybersecurity advisory aims to assist by educating on best ways to approach mitigating the risk.
NSA/CISA ICS Cybersecurity Mitigations
Limit Exposure of System Information
Your operations, system information and configuration data are critical. As the ICS cybersecurity advisory emphasizes, the importance of keeping this data confidential can’t be overstated. Disclosure of information about your system hardware, software, firmware, etc. in any public space, even internally to unprivileged users, opens you to more threats. Your attackers then have an idea of the best TTPs to use to attack you.
The advisory also stresses the importance of including information protection education in personnel training, which should certainly form part of a robust cybersecurity training and awareness program.
As such, make sure you know where the data is going and that it is classified correctly. Label the data to ensure appropriate protections can be put in place that ensure storage is authorized and that access to sensitive data is based on a need-to-know or least-privileged authorization level. Provide appropriate mechanisms for data in transit and at rest, and last but not least put guard rails, or controls, around where the data goes or where it can be consumed.
Identify and Secure Remote Access Points
OT owners/operators need a comprehensive inventory of hardware, software and identified systems, with controls that keep the information updated. This is often referred to as an asset inventory; however, it must go beyond a simple inventory, as the assets also need to be managed. Hardware controls and software controls help identify vulnerabilities, unauthorized changes, and misoperations.
The ICS cybersecurity advisory recommends layering network security through network segmentation, which includes firewalls and DMZs. The intent of segmentation and micro-segmentation is to define boundaries between different levels of criticality and to limit the impact of a breach and/or misoperation. By adding boundary controls for each segment and each device, using firewalls and/or software-defined networking, the organization can mitigate threats introduced from the edge as well as east/west lateral movement threats.
Ensuring that the configurations of these systems are maintained is just as critical and often is overlooked. Having a platform like ConsoleWorks in place to ensure you do not have configuration drift will ensure you can identify unauthorized changes or behaviors.
ConsoleWorks’ Baseline Configuration Management tells the complete story of who, what, where, when, and why changes were made to your established baseline. The inventory of every piece of hardware and software registered within your environment allows the organization to establish a “Master” image that can be compared against to identify any deviations. You can customize the frequency of inventory interrogation to meet the impact rating needs of your environment, up to verifying configurations after every connection.
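As an added illustration of the baseline comparison described above (not ConsoleWorks code), the following compares a “Master” configuration against the configuration read back from a device and reports what was added, removed or changed. The `key = value` capture format and both sample configurations are constructed for this example.

```python
"""Baseline configuration drift check (added example, not ConsoleWorks code)."""

# Constructed sample: the approved "Master" baseline for an OT device.
BASELINE = """
firmware = 4.2.1
ntp_server = 10.10.0.5
telnet_enabled = no
web_console = no
logging_host = 10.10.0.9
"""

# Constructed sample: configuration read back from the device after a session.
CURRENT = """
firmware = 4.2.1
ntp_server = 10.10.0.5
telnet_enabled = yes
logging_host = 10.10.0.9
remote_admin_acl = any
"""


def parse_config(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def detect_drift(baseline_text, current_text):
    """Return settings added, removed, or changed relative to the baseline."""
    base = parse_config(baseline_text)
    cur = parse_config(current_text)
    return {
        "added": {k: cur[k] for k in cur.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - cur.keys()},
        "changed": {k: (base[k], cur[k]) for k in base.keys() & cur.keys()
                    if base[k] != cur[k]},
    }


def has_drift(drift):
    """True when any deviation from the baseline was found (i.e. raise an alert)."""
    return any(drift[section] for section in ("added", "removed", "changed"))
```

Each reported deviation is the trigger for the who/what/when/why investigation; a schedule (or a per-connection hook) decides how often `detect_drift` runs.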
Restrict Tools and Scripts
As the ICS cybersecurity advisory noted, “limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks… carefully apply access and use limitations to particularly vulnerable process and components to limit the threat.”
This is where ConsoleWorks really shines, providing an extensive privileged-access management framework based on device and user roles. The controls are very granular and give the organization containerized views, connectivity, and operations based on assigned access. Additionally, these controls are logged and recorded in ConsoleWorks at the user session level, alongside the captured device event logs.
Additional conditional access controls are available that provide authorized command sets by user profile. If the user issues commands that are not authorized during an established session, mitigations can be put in place to notify a supervisor or terminate the session and not allow a reconnection until investigation clears the behavior.
This approach reinforces and ensures that the operational environment is not impacted by unexpected behavior and is part of the control set in establishing a Zero Trust architecture.
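The conditional access control described above, as an added example that is not ConsoleWorks code: each user profile carries an authorized command set, an unauthorized command either notifies a supervisor or terminates the session, and a terminated user cannot reconnect until an investigator clears them. The profiles, commands and policy values are constructed for the example.

```python
"""Authorized command sets per user profile with session termination (added example)."""
from dataclasses import dataclass, field

# Constructed profiles: authorized command verbs and the action on a violation.
PROFILES = {
    "operator": {"allowed": {"show", "status", "read"}, "on_violation": "notify"},
    "vendor_support": {"allowed": {"show", "status"}, "on_violation": "terminate"},
}


@dataclass
class SessionBroker:
    alerts: list = field(default_factory=list)        # supervisor notifications
    quarantined: set = field(default_factory=set)     # users blocked until cleared
    active: dict = field(default_factory=dict)        # session_id -> user

    def connect(self, session_id, user):
        """Open a session unless the user is awaiting investigation."""
        if user in self.quarantined:
            return False
        self.active[session_id] = user
        return True

    def submit(self, session_id, command_line):
        """Evaluate one command: 'allowed', 'notified', 'terminated' or 'no_session'."""
        user = self.active.get(session_id)
        if user is None:
            return "no_session"
        profile = PROFILES[user]
        words = command_line.strip().split()
        verb = words[0].lower() if words else ""
        if verb in profile["allowed"]:
            return "allowed"
        # Every violation is recorded for the supervisor and the audit trail.
        self.alerts.append(f"{user} session {session_id}: unauthorized '{verb}'")
        if profile["on_violation"] == "terminate":
            del self.active[session_id]
            self.quarantined.add(user)
            return "terminated"
        return "notified"

    def clear(self, user):
        """Investigation outcome: allow the user to reconnect."""
        self.quarantined.discard(user)
```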
Conduct Regular Security Audits
Regular security audits should be part of your cybersecurity routine. We’ve discussed the importance of these audits before, particularly with regard to your supply chain: you need to identify and document any vulnerabilities, practices or procedures that should cease, in order to improve your security posture and reduce the opportunity for an attack to occur.
The controls mentioned above are not just critical for an organization’s employees; they are even more important for the system’s third-party support. With the audit reports of third-party users and the criteria-based reporting that ConsoleWorks provides, you can maintain a consistent schedule that enforces a security review framework.
To ensure that the product itself adheres to good security practices, we undergo annual SOC for Supply Chain certification for our cybersecurity platform ConsoleWorks.
Implement a Dynamic Network Environment
The NSA/CISA advisory encourages avoiding a static network environment where possible. A static environment gives bad actors the opportunity to collect intelligence about the system over time, to gain and maintain access to it, and to use TTPs to affect the control system.
By deploying additional firewalls and routers from various vendors, modifying IP address pools, and updating hardware and operating systems, you create an environment that is dynamic rather than static, which makes you a harder target for attack.
ConsoleWorks can sit between the system administrator and the administration of the network gear, providing consistency in configuration along with the same controls for the network equipment that it provides for the ICS systems.
Bolster Your ICS Security Against Today’s Threats
Today’s sophisticated threats are always on the lookout for weakness. Zero Trust is your best approach to an effective cyber defense to mitigate and deter these threats from entering your network.
You can talk to us here to learn more about how ConsoleWorks helps you enforce Zero Trust and secure your environment.