ICS/SCADA Security

“It takes 20 years to build a reputation and five minutes to ruin it! If you think about that, you`ll do things differently.”

Warren Buffet

Building cyber resilience into Critical National Infrastructure (CNI) and industrial infrastructure are undoubtedly complex as Operational Technology (OT) is increasingly connected to the internet introducing new risks.

Security vulnerabilities in Industrial Control Systems (ICS) are too important to ignore as cyber-attacks disrupt production of healthcare and pharmaceutical facilities worldwide, resulting in significant downtime, patient safety and financial impact.

The Convergence of OT and IT Networks

Traditionally, Information Technology (IT) and OT are separate functions with different priorities – ‘Confidentiality and Privacy’ versus ‘Safety and Availability’. Today’s industrial world is experiencing the convergence between OT, the operations needed to carry out the industrial processes, and IT, the use of computers to manage data needed by the organization’s enterprise processes.

This convergence has many advantages (e.g. optimisation of operations, better use of resources, cost savings, etc.), but it also raises additional issues, such as the need for cybersecurity of ICS and Supervisory Control and Data Acquisition (SCADA) systems. The threat landscape and increased sophistication of attacks indicate the need to improve ICS/SCADA cybersecurity capabilities.

Operational Technology was not designed to be connected to an IP network and therefore Medicare Network has established strategic partnerships with leading vendors with a proven track record defending critical infrastructures worldwide.

1

Most companies believe compliance and annual audits is good enough

Some companies believe that just NIST or ISO provides adequate protection

2

Companies forget the odds, against all adversaries believing that IT can cope

Cyber is a reality that changes rapidly, and compliance can give a false sense of security

4

3 Cyber Risk Strategies

Cyber risk must now firmly be on the risk register to assess how this translate to effective risk management for OT and IT networks. High profile destructive malware such as Stuxnet, Shamoon and Black Energy 3 have highlighted the cyber risks facing operational technology and industrial control systems.

In late 2018, cyber criminals have been incorporating wiper elements into their attacks, such as with new strains of ransomware like LockerGoga and MegaCortex.” The most common initial infection vectors are phishing emails, theft of credentials required to enter an internal network, watering hole attacks, and the successful compromise of third parties with a connection to the true target.

Collaboration to ensure that robust risk management strategies are in place to deal with cybersecurity risks.

Cybersecurity Frameworks and Standards

Establishing a comprehensive ICS security framework is important and the NIST Cybersecurity Framework (CSF) is an overarching document that addresses cybersecurity in both IT and OT for critical industrial. It is designed to be aligned with several top-level leading industry frameworks and standards for developing a cybersecurity program to support both OT and IT network infrastructures:

NIST CSF
NIST SP 800-53
NIST SP 800-82
ISA/IEC 62443
ISO/IEC 27001
ISO/IEC 15408
NERC CIP
COBIT 5

An important point to remember is the fact that the NIST CSF does not undergo an independent verification of security, privacy and compliance controls, such as ISA/IEC 62443 and ISO/IEC 27001 standards, which are audited annually for achieving certification and compliance.

Assessment Approach

The ISA/IEC 622443 addresses security risk assessment and network design and it suggests how organizations should segment their network into zones and conduits, grouping systems, which are similar in functionality and restricting access to limit threat exposure and propagation.

To ensure the success of ISA/IEC 62443, it is important to systematically work through the following four steps:

Security Advisory

You cannot correctly secure your network if you do not know what it is that needs securing.

Gathering accurate asset information, including details on how they communicate and how your network operates, is a fundamental first step to enhance its security.

Network Security Assessment

This step involves analyzing the results of step one and assessing your network’s current state of security.

This will allow you to determine the best strategy for applying required modifications or adjustments.

Solution Build

Step three leverages the criticalities and priorities identified in step 2 and prepares the network for the implementation of the required countermeasures.

This includes the definition of procedures, the identification and separation of the network into zones and the definition of conduits (i.e., communication flows).

Solution Deployment

The final step in securing your network is to deploy the chosen countermeasures, which could, for instance, be represented by segmentation and monitoring technology.

These measures need to be integrated into daily operation to maintain the security of your network and its processes.

Without complete and accurate data assessment, and without implementing solutions built around well-defined procedures, a successful outcome cannot be guaranteed, and the network may remain inadequately protected from various threat vectors.

Securing ICS Networks

An effective ICS/SCADA protection plan requires comprehensive identification and mapping of all devices, connections, ports and other network assets. Only then will you be able to detect vulnerabilities and exposures and assess them in terms of severity and potential impact if compromised.

Our assessment procedure is performed by our security consultants and they employ the most up-to-date methodologies. Upon completion of the assessment, the client is presented with a detailed report that includes all the information collected and logged, the findings resulting from the analysis, and a comprehensive cybersecurity plan for the organization.

When implementing the ISA/IEC 62443 standard to an Industrial Automation and Control System (IACS) domain, the Cyber Security Management System (CSMS) will be at its core. The CSMS is used to stay in control of an organization's cyber security and is effective for any size company.

The development and implementation of the CSMS can take time, depending on the requirements, resources available and the size of the organization. Such an implementation requires a structured and phased approach. Medicare Network has thorough experience supporting organizations with the development and implementation of their CSMS, which is tailored to each organization’s requirements.

ICS Security Cycle

We will provide insight into threats, best and good practices, vulnerabilities and the controls to mitigate them thorough a well-defined process.

Pre-Assessment

Preparation, coordination and pre-assessment review of self-reported network topology, ICS/SCADA equipment, vendors, and other relevant information.

Engage with key stakeholders to review network structure and components, delineate known problems, and define a test plan and workflow. During this time record samples of your network traffic for topology mapping and analysis.

Analysis

An operational activity baseline is created based on the analyzed network traffic, to detect traffic type, vulnerabilities and possible attack vectors.

Identify and map all network devices, operating systems, applications and connections, down to the IT and OT ports, protocols and components.

Report

A report is generated and submitted to the operator with recommended actions to be taken to remediate identified risks and vulnerabilities.

The report includes a summary dashboard-style presentation of our conclusions and recommendations for senior management, as well as a comprehensive technical report.

Secure

A full list of identified vulnerabilities rating in order of severity and likelihood, along with a description of the consequences of a hacker exploiting these vulnerabilities.

A threat model detailing the impact on your organization in the event a hacker was to exploit the most critical vulnerabilities identified.

A mitigation plan with recommendations for addressing these vulnerabilities and bridging security gaps including suggested updates to equipment configurations and settings.

Document updates on devices, (e.g. PLCs, RTUs, HMIs, etc.) and changes to policies, procedures, and processes.

The defence-in-depth strategy must include not only a preventive protection strategy but also surveillance, detection and response measures.

The Partnership You Can Count On

Don’t let a skills gap or staffing shortage stand in the way of your success.

Purpose built solutions help your organization achieve business outcomes with confidence. Anything's possible when you put the power of certainty to work.