- Disallow Remote Desktop Protocol (RDP) services
Remote desktop connections are extremely convenient: they let you access your files or run processes on a computer without being physically present. For the same reason, remote desktop services are one of the most appealing attack surfaces for cyber criminals seeking to plant malware or steal private data. If this feature is not absolutely necessary, disable it. If remote access is truly necessary, you must commit to strong passwords, restricting login rights strictly to those who need them, patching regularly, and maintaining a firewall that limits which hosts can reach the service at all. It is extremely challenging to leave a doorway to full system control open while maintaining reliable security.
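The following PowerShell is an added example, not code from the original article, showing both outcomes of that decision on a Windows engineering workstation: either RDP is switched off and its firewall rules closed, or it is kept but narrowed to Network Level Authentication, a short list of named accounts, and a single jump host. The account name `FACTORY\eng-jdoe` and the jump-host address `10.0.1.5` are placeholders; run it from an elevated session.

```powershell
# Added example (not from the original article). Set $RdpRequired to reflect the
# decision made for this workstation; the placeholders below are constructed.
$RdpRequired   = $false
$EngineerAccts = @('FACTORY\eng-jdoe')          # placeholder: who may log in remotely
$JumpHost      = '10.0.1.5'                      # placeholder: the only host allowed to connect

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if (-not $RdpRequired) {
    # Case 1: RDP is not needed. Deny connections at the service and close the firewall rules.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
else {
    # Case 2: RDP is genuinely needed. Keep it, but narrow every dimension of access.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0

    # Require Network Level Authentication: the caller must authenticate before a
    # session (and its logon screen) is ever created on the workstation.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1

    # Grant the right to log in only to the named engineers, not to broad groups.
    foreach ($member in Get-LocalGroupMember -Group 'Remote Desktop Users') {
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
    }
    foreach ($acct in $EngineerAccts) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $acct
    }

    # Restrict the inbound rules to the jump host instead of the whole plant network.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $JumpHost -Enabled True
}

# Verify: fDenyTSConnections (1 = RDP disabled), UserAuthentication (1 = NLA required),
# the firewall rules' scope, and who currently holds the remote logon right.
Get-ItemProperty -Path $tsKey  | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Members of the local Administrators group can still connect over RDP regardless of the `Remote Desktop Users` list, so the account review has to cover that group too. The firewall scoping is what turns "maintaining a firewall" into a concrete control: with the remote address pinned to one jump host, a compromised node elsewhere on the plant network cannot even reach the RDP port.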
- Implement basic authentication for file transfers
Limiting file transfers between servers is crucial to preventing malware from spreading. The most basic protection is that users must authenticate with their username and password before they can reach a server to conduct a file transfer; anonymous or guest access should not be possible. Active Directory (AD), Microsoft's directory service for managing users, computers and other network resources, is one way to achieve this goal: AD can apply access limits and security policies to protect assets.
Some factory environments can’t use authentication or Active Directory, and for those we specifically recommend the use of a network trust list (discussed later in this article).
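As an added example (not code from the original article), the following PowerShell, run on a domain-joined Windows file server, turns the authentication recommendation into configuration: it refuses unauthenticated guest sessions and unsigned SMB, and publishes a transfer share only to named AD groups. The share name, path, domain and group names are placeholders.

```powershell
# Added example (not from the original article). Share, path and group names are placeholders.
$ShareName = 'PlcProjects'
$SharePath = 'D:\PlcProjects'
$Engineers = 'FACTORY\PLC-Engineers'   # placeholder AD group: may upload project files
$Operators = 'FACTORY\PLC-Operators'   # placeholder AD group: may only read them

# Server side: no SMB1 (no modern authentication, no signing) and require signing so a
# session cannot be tampered with or relayed on the wire.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force

# Client side on the same host: never fall back to an insecure guest logon when this
# server itself copies files to another machine.
Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

# Publish the share only to the two AD groups. Nobody else, and no 'Everyone' or guest
# principal, is granted anything; a caller must hold a domain identity in one of these groups.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess $Engineers -ReadAccess $Operators | Out-Null
}

# Verify the effective settings and the access list.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableInsecureGuestLogons
Get-SmbShareAccess -Name $ShareName
```

On a domain-joined client the username and password are usually supplied once at Windows logon and carried to the share by Kerberos, so the user may not be prompted again; the security property the article asks for is still met, because every transfer is tied to a named, authenticated principal rather than to an anonymous connection.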
- Disallow the use of common network administration tools from engineering workstations
Any network administration-related tools that your team members don’t need to do their jobs should be disabled on your engineering workstations.
PowerShell, Microsoft's framework for configuration management and task automation, includes many administrative capabilities that the average worker should not need to touch. While disallowing PowerShell entirely is likely to be impractical, since Windows itself and many management tools depend on it, specific parts of it can be restricted or disabled with Group Policy Objects (GPOs) applied through Active Directory. A GPO is a set of rules, applied either to computers or to users, that can enforce security settings, application settings and more.
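As an added example (not code from the original article) of what such a GPO contains, the PowerShell below creates a GPO with the GroupPolicy module (part of RSAT), writes the registry-backed policy values that the "Windows PowerShell" administrative templates expose, and links it to the OU that holds the engineering workstations. The GPO name and OU path are placeholders; the registry paths are the ones the GPO editor itself writes.

```powershell
# Added example (not from the original article). Run on a domain-joined host with RSAT;
# the GPO name and OU distinguished name are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Engineering Workstations - PowerShell'            # placeholder
$TargetOu = 'OU=Engineering Workstations,DC=factory,DC=local'   # placeholder
$PsPolicy = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# "Turn on Script Execution" -> Allow only signed scripts. Unsigned .ps1 files, the usual
# delivery vehicle for attack tooling, no longer run; the interactive shell still works.
Set-GPRegistryValue -Name $GpoName -Key $PsPolicy -ValueName 'EnableScripts'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PsPolicy -ValueName 'ExecutionPolicy' -Type String -Value 'AllSigned' | Out-Null

# "Turn on PowerShell Script Block Logging" and "Turn on Module Logging": the content of
# every script block and every module call is written to the
# Microsoft-Windows-PowerShell/Operational event log, so misuse is visible to the SOC.
Set-GPRegistryValue -Name $GpoName -Key "$PsPolicy\ScriptBlockLogging" -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$PsPolicy\ModuleLogging" -ValueName 'EnableModuleLogging' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$PsPolicy\ModuleLogging\ModuleNames" -ValueName '*' -Type String -Value '*' | Out-Null

# Link the GPO to the workstations' OU and show what was written.
if (-not (Get-GPInheritance -Target $TargetOu).GpoLinks.Where({ $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}
Get-GPRegistryValue -Name $GpoName -Key $PsPolicy
Get-GPRegistryValue -Name $GpoName -Key "$PsPolicy\ScriptBlockLogging"
```

Two caveats a practitioner would add. The execution policy is a safety feature, not a security boundary: an attacker who can run commands can bypass it, which is why the logging settings matter as much as the restriction. And the legacy PowerShell 2.0 engine ignores script block logging entirely, so it should be removed from each workstation with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`.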
- Implement a network trust list (EdgeIPS or EdgeFire)
A network trust list decides access on the basis of IP address, MAC address, network protocol, or network behavior: only what is specifically listed in a category is allowed to function. A trust list can be used to ensure that computers communicate only as far as necessary to do their jobs. Hardware that enforces a trust list must understand the many kinds of protocol traffic present in a factory, so that it can match on protocol commands and not merely on addresses.
An industrial protocol defines a limited set of commands (function codes) that can be sent to a PLC, and from the normal behavior of the network we can know that certain commands should never come from most nodes. For example, Modbus function code 90 (0x5A), which Schneider Electric devices use for their proprietary programming protocol, can take a PLC offline, but in a typical factory it would be unusual for most nodes ever to send it. In many cases, then, function 90 arriving from an unexpected source can be treated immediately as malicious behavior, and a network trust list can block it.
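To make the function-code rule concrete, here is an added example (not code from the original article, and not how EdgeIPS or EdgeFire are implemented) that models a per-source Modbus/TCP trust list in PowerShell: it parses the MBAP header and function code of a frame and decides whether that source is trusted to send that command. The IP addresses, the permissions assigned to them, and the sample frames are all constructed for illustration.

```powershell
# Added example (not from the original article): a software model of a per-source
# Modbus/TCP function-code trust list. Addresses, permissions and frames are constructed.

# Which Modbus function codes each source is trusted to send to the PLC. Anything not
# listed is denied, including function code 90 (0x5A) from anyone other than the one
# engineering workstation that legitimately programs the Schneider PLC.
$TrustList = @{
    '10.0.1.10' = @(1, 2, 3, 4)                      # HMI: read coils/inputs/registers only
    '10.0.1.20' = @(1, 2, 3, 4, 5, 6, 15, 16, 90)    # engineering workstation: read, write, program
}

function Test-ModbusFrame {
    param(
        [Parameter(Mandatory)] [string] $SourceIp,
        [Parameter(Mandatory)] [byte[]] $Frame
    )
    # Modbus/TCP = 7-byte MBAP header (transaction id, protocol id, length, unit id)
    # followed by the PDU, whose first byte is the function code.
    if ($Frame.Length -lt 8) {
        return [pscustomobject]@{ Allowed = $false; FunctionCode = $null; Reason = 'truncated frame' }
    }
    $protocolId = ($Frame[2] -shl 8) -bor $Frame[3]
    $length     = ($Frame[4] -shl 8) -bor $Frame[5]
    # Protocol id must be 0 for Modbus, and the length field counts everything after itself.
    if ($protocolId -ne 0 -or $length -ne ($Frame.Length - 6)) {
        return [pscustomobject]@{ Allowed = $false; FunctionCode = $null; Reason = 'malformed MBAP header' }
    }
    $functionCode = [int]$Frame[7]

    $allowedCodes = $TrustList[$SourceIp]
    if (-not $allowedCodes) {
        return [pscustomobject]@{ Allowed = $false; FunctionCode = $functionCode; Reason = "source $SourceIp not in trust list" }
    }
    if ($allowedCodes -notcontains $functionCode) {
        return [pscustomobject]@{ Allowed = $false; FunctionCode = $functionCode; Reason = "function $functionCode not trusted from $SourceIp" }
    }
    return [pscustomobject]@{ Allowed = $true; FunctionCode = $functionCode; Reason = 'trusted' }
}

# Constructed sample traffic.
# Read Holding Registers (FC 3): unit 1, start address 0, 10 registers. Length field = 6.
$readHoldingRegisters = [byte[]](0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A)
# Function code 90 (0x5A) with two placeholder data bytes. Length field = 4.
$functionCode90       = [byte[]](0x00,0x02, 0x00,0x00, 0x00,0x04, 0x01, 0x5A, 0x00, 0x00)

# The HMI reading registers is its normal job.
Test-ModbusFrame -SourceIp '10.0.1.10' -Frame $readHoldingRegisters
# The same HMI sending function 90 is the anomaly the trust list exists to stop.
Test-ModbusFrame -SourceIp '10.0.1.10' -Frame $functionCode90
# The engineering workstation is the one node trusted to send function 90.
Test-ModbusFrame -SourceIp '10.0.1.20' -Frame $functionCode90
# A node that is not in the list at all gets nothing, even a harmless read.
Test-ModbusFrame -SourceIp '10.0.1.99' -Frame $readHoldingRegisters
```

The design point is that the decision keys on the pair (source, function code) rather than on the source alone: the engineering workstation is allowed function 90 because programming the PLC is its job, while the same bytes from the HMI or from an unlisted address are denied. A hardware trust list applies exactly this logic inline, at the protocol level the paragraph above describes, and can also key on MAC address or unit id where the source IP alone is not a reliable identity.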