Hardening means applying layers of protection to your network in order to reduce vulnerabilities and threat potential as far as practical. It takes place within technology, for example the use of a firewall, and also in how staff are expected to handle that technology, for example strict rules about password requirements. Some factory equipment is difficult to harden because of its specialized purpose, which is why it’s important to have multiple solutions for different parts of the network and different kinds of systems. Here are three strategies to consider applying to your ICS network.
1 – Implement regularly-scheduled health checks using ISMS and technical audits
A good audit should be like a health check for your network security, and like a health check it should be performed on a regular schedule.
There are two kinds of audits: policy and technical audits.
A policy audit is a checklist that an administrator goes through to confirm that a firm’s security management and rules are strict enough, make sense, and are actually being followed. In short, a policy audit focuses on human behavior. It covers the controls that are owned and enforced by people and procedures, and so will check, for example, that passwords meet the required length or that sensitive information is stored securely.
A technical audit could be penetration testing or a security diagnostic. In penetration testing, a white-hat hacker directly tests your network for vulnerabilities. A basic security diagnostic checks employees’ PCs, HMIs, and other devices to verify that company policy is followed and enforced on every device and that applications and antivirus are up to date. Company policy might ban specific services such as Remote Desktop Protocol (RDP) or Secure Shell (SSH), or deny access to certain web sites. The security diagnostic also includes a network scan to check the network architecture and overall network protection.
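The kind of check a basic security diagnostic performs, written out as an added example (this is not code from the article or from any vendor tool): a constructed inventory of three hosts, as a port scan plus an antivirus-status query might produce it, is compared against an assumed policy that bans RDP and SSH except on one hypothetical engineering workstation and requires antivirus signatures no older than seven days. Host names, ports, dates and the policy values are all made up for illustration.

```python
"""Toy security-diagnostic pass over a constructed device inventory.
Added example for this article; it is not code from the article or from
any vendor product, and the policy values and hosts are made up."""
from datetime import date

# Assumed policy: which remote-access services are banned, how old antivirus
# signatures may be, and which hosts are exempt from the service ban.
POLICY = {
    "banned_services": {"RDP": 3389, "SSH": 22},
    "max_av_age_days": 7,
    "remote_access_allowlist": {"eng-ws-01"},   # hypothetical engineering workstation
}

# Constructed inventory, shaped like the output of a host/port scan plus an
# antivirus-status query.
INVENTORY = [
    {"host": "hmi-line1", "open_ports": [80, 3389], "av_updated": "2024-03-01"},
    {"host": "eng-ws-01", "open_ports": [22, 3389], "av_updated": "2024-03-09"},
    {"host": "plc-gw-01", "open_ports": [502],      "av_updated": "2024-01-15"},
]


def check_host(dev, policy, today):
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    if dev["host"] not in policy["remote_access_allowlist"]:
        for name, port in policy["banned_services"].items():
            if port in dev["open_ports"]:
                findings.append(f"{name} listening on tcp/{port} but banned by policy")
    age = (date.fromisoformat(today) - date.fromisoformat(dev["av_updated"])).days
    if age > policy["max_av_age_days"]:
        findings.append(
            f"antivirus signatures are {age} days old (limit {policy['max_av_age_days']})"
        )
    return findings


def run_diagnostic(inventory, policy, today):
    """Map each host name to its findings for the given audit date (ISO string)."""
    return {dev["host"]: check_host(dev, policy, today) for dev in inventory}


if __name__ == "__main__":
    for host, findings in run_diagnostic(INVENTORY, POLICY, "2024-03-10").items():
        print(f"{host}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run against the audit date 2024-03-10, the HMI fails twice (RDP exposed, signatures nine days old), the allowlisted workstation passes, and the PLC gateway fails only on signature age. A real diagnostic would pull the inventory from a scanner and an endpoint-management agent rather than a literal, but the comparison against written policy is the same.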
2 – Use an IPS to identify cybersecurity threats, malicious behavior, and intruders as early as possible
Every OT network needs an Intrusion Prevention System (IPS). Set to “monitor” mode, EdgeIPS inspects network traffic using signature-based detection as well as rules defined by the administrator. Take Remote Desktop Protocol as an example: a rule focused on RDP traffic would identify that traffic and raise an alert whenever it occurred. OT operators can then judge whether it is malicious by looking at the source and other characteristics of the traffic and comparing them with the known policies for the network (for example, if RDP is disallowed).
Alerts significantly improve visibility. EdgeIPS can be deployed in detection mode for this purpose if your administrator is worried about interfering with traffic, and it can also run in “prevention” mode for a more aggressive approach, where matching traffic is blocked rather than only reported. Because a false positive in prevention mode can interrupt a production line, the usual practice is to run new rules in monitor mode first, review the alerts they generate, and only then switch them to prevention.
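To make the monitor-versus-prevention distinction concrete, here is an added example of a toy rule engine (it is not EdgeIPS code, and the rule names, addresses and mode names are assumptions for illustration). Each rule pairs a signature (destination port plus an expected payload prefix) with an administrator allowlist of sources permitted to use that protocol. In monitor mode every signature match produces an alert, annotated with whether the source was allowed so the operator can triage it; in prevention mode disallowed matches are blocked and allowed ones pass. The traffic sample is constructed; the RDP payloads begin with a TPKT header (0x03 0x00), which is what a real RDP connection request looks like on the wire.

```python
"""Toy IPS rule engine showing monitor vs prevention mode over constructed
flow records. Added example for this article; it is not EdgeIPS code, and
the rules, addresses and mode names are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    dport: int
    magic: bytes                # payload prefix the signature requires (b"" = port only)
    allowed_sources: frozenset  # administrator policy: who may use this protocol


# RDP connection requests ride on TPKT, whose header starts with 0x03 0x00;
# the allowlist says only the (hypothetical) jump host may use RDP at all.
RULES = [
    Rule("rdp-session", 3389, b"\x03\x00", frozenset({"10.0.10.5"})),
    Rule("ssh-session", 22, b"SSH-", frozenset()),   # SSH banned from everywhere
]

# Constructed traffic sample.
SAMPLE_FLOWS = [
    Flow("10.0.10.5",  "10.0.20.7", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00"),  # jump host -> HMI
    Flow("10.0.30.44", "10.0.20.7", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00"),  # unknown host -> HMI
    Flow("10.0.30.44", "10.0.20.7", 3389, b"GET / HTTP/1.1\r\n"),                 # not RDP, just port 3389
    Flow("10.0.30.44", "10.0.20.9", 22,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.20.7",  "10.0.20.9", 502,  b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),  # Modbus, no rule
]


def evaluate(flow, rules, mode):
    """Return one event per rule that matches the flow.

    In "monitor" mode every match is only alerted on, with policy_ok telling
    the operator whether the source is allowed; in "prevent" mode disallowed
    matches are blocked and allowed ones pass.
    """
    if mode not in ("monitor", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    events = []
    for rule in rules:
        if flow.dport != rule.dport or not flow.payload.startswith(rule.magic):
            continue
        policy_ok = flow.src in rule.allowed_sources
        if mode == "monitor":
            action = "alert"
        else:
            action = "allow" if policy_ok else "block"
        events.append({"rule": rule.name, "src": flow.src, "dst": flow.dst,
                       "policy_ok": policy_ok, "action": action})
    return events


def run(flows, rules, mode):
    """Evaluate every flow and return the flat list of events."""
    return [ev for flow in flows for ev in evaluate(flow, rules, mode)]


if __name__ == "__main__":
    for mode in ("monitor", "prevent"):
        print(f"== {mode} mode ==")
        for ev in run(SAMPLE_FLOWS, RULES, mode):
            print(f"{ev['action']:5} {ev['rule']:12} {ev['src']} -> {ev['dst']} "
                  f"policy_ok={ev['policy_ok']}")
```

Note that the third flow is never reported even though it targets port 3389: the signature requires the RDP prefix, so a port number alone does not trigger the rule. That is the difference between a port rule and a signature rule, and it is why the monitor-mode events carry the policy verdict separately from the detection itself.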
3 – Prioritize a list of your OT network’s most likely attack surfaces
Different factories prioritize different zones depending on their focus as a business. Typically, a factory focuses on machine security and availability. That priority tells us which devices are the most important to secure: generally, whatever keeps the operation running. Choose the top three nodes whose security you must guarantee. Typically these are the devices at the intersection of weakness and importance.
Have your CIO or IT expert draw up a detailed checklist of the places in your network that will appeal to attackers. The most appealing attack surfaces are those that are very convenient to access or that offer a large amount of control over the network. However, even an unassuming attack surface can give an attacker access to sensitive or high-risk areas of your network if they can move “laterally” from it.
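The “intersection of weakness and importance”, with lateral movement taken into account, can be turned into a simple ranking. The following is an added example, not part of the article and not any vendor’s scoring method: six constructed assets each get an exposure score (how easily they can be reached from IT or outside) and an importance score (production impact if compromised), plus a constructed map of which devices can open connections to which. An asset’s priority is its own exposure × importance, plus the exposure it lends to the most important device it can pivot to. The point of the data is the badge printer: unimportant on its own, but on a flat VLAN with the engineering workstation it outranks the historian.

```python
"""Rank OT assets by exposure x importance, then account for lateral
movement along observed connectivity. Added example for this article, not
code from it; the assets, scores and links are constructed for illustration."""
from collections import deque

# Constructed asset register: exposure = how easily the device can be reached
# from IT/outside (1-5), importance = production impact if compromised (1-5).
ASSETS = {
    "vpn-gw":        {"exposure": 5, "importance": 2},
    "eng-ws-01":     {"exposure": 3, "importance": 3},
    "historian":     {"exposure": 2, "importance": 3},
    "hmi-line1":     {"exposure": 1, "importance": 4},
    "plc-line1":     {"exposure": 1, "importance": 5},
    "badge-printer": {"exposure": 4, "importance": 1},
}

# Who can open connections to whom, as a network scan would reveal it.
# The badge printer sits on a flat VLAN with the engineering workstation.
LINKS = {
    "vpn-gw":        ["eng-ws-01", "historian"],
    "eng-ws-01":     ["hmi-line1", "plc-line1"],
    "historian":     ["hmi-line1"],
    "hmi-line1":     ["plc-line1"],
    "badge-printer": ["eng-ws-01"],
    "plc-line1":     [],
}


def reachable(start, links):
    """Breadth-first set of assets an attacker who holds `start` could pivot to."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, []):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def score(name, assets, links):
    """Own risk (exposure x importance) plus the pivot risk the asset's exposure
    lends to the most important thing it can reach."""
    own = assets[name]["exposure"] * assets[name]["importance"]
    downstream = max((assets[n]["importance"] for n in reachable(name, links)), default=0)
    return own + assets[name]["exposure"] * downstream


def prioritize(assets, links, top=3):
    """Names of the `top` assets to secure first, highest score first."""
    return sorted(assets, key=lambda n: score(n, assets, links), reverse=True)[:top]


if __name__ == "__main__":
    for name in sorted(ASSETS, key=lambda n: score(n, ASSETS, LINKS), reverse=True):
        own = ASSETS[name]["exposure"] * ASSETS[name]["importance"]
        print(f"{name:14} score={score(name, ASSETS, LINKS):3}  own={own:2}  "
              f"pivots_to={sorted(reachable(name, LINKS))}")
    print("top 3:", prioritize(ASSETS, LINKS))
```

With these numbers the VPN gateway, the engineering workstation and the badge printer make the top three; the badge printer scores 4 on its own but 24 once its path to the PLC is counted. The weights are deliberately crude; what matters is that the connectivity map, not only the device’s own role, feeds the ranking.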