ICS Security Audit




The threat landscape for industrial automation systems and the Industrial Internet of Things (IIoT) is evolving as connectivity between heterogeneous devices and networks grows. It is imperative to plan and implement effective protection strategies and to adjust security measures. Getting an objective picture of the state of the facilities requires a security audit of the automated process control systems, which this article discusses.



According to the Symantec Internet Security Threat Report 2018, the number of vulnerabilities associated with industrial control systems (ICS) increased by 29% over the past year. Given the valuable and safety-critical processes that these systems connect and control, security breaches can have costly, widespread, and dangerous consequences.



Industrial facilities and organizations in the oil and gas and energy sectors are among the key targets of modern attackers, which is associated with the following areas of their activities:





Main threats



Successful attacks on technological segments can lead to various consequences that range from minimal interruption of production processes to critical failures and long shutdowns.



Hackers



Individuals or groups with malicious intent can bring the technology network to its knees. By gaining access to key ICS components, hackers can unleash chaos in the organization, which can range from disruptions to cyber warfare.



Malware



Malicious software, including viruses, spyware and ransomware, can be dangerous for ICS. Even when malware is not targeted at a specific system, it can still pose a threat to the key infrastructure that helps manage an ICS network.



Terrorists



Whereas hackers are usually driven by profit, terrorists are driven by the desire to cause as much chaos and damage as possible.



Employees



Internal threats can be as destructive as external threats. The risk of a security breach must be anticipated across the whole range, from unintentional human error to a disgruntled employee.



Vulnerabilities



The main types of vulnerabilities in industrial segments are as follows:





This is due to the illusory hope that network access to technology segments is limited or absent; the inability to patch production ("combat") systems; and vendors' legacy policies for handling and responding to vulnerabilities in their software.



ICS Security Audit



Conducting a security audit of industrial control systems and SCADA systems makes it possible to assess how well key elements of the industrial network infrastructure are protected against possible malicious internal and external influences:





Analyzing the assets and processes of technological segments identifies threats to the safety, reliability and continuity of those processes. A security audit is a good place to start, and it should include three simple steps:



Asset inventory



Although this seems simple and predictable, most operators do not have a complete picture of the assets they need to protect, such as programmable logic controllers (PLCs), supervisory control and data acquisition systems (SCADA) and others. It is necessary to divide assets into classes with common properties and assign data attributes for each resource. This is an important starting point in the protection of industrial control systems, because if the company does not know what exactly it needs to protect, it will not be able to protect it.



Network Inventory



An inventory of network devices will enable companies to understand the physical assets that are connected to the network. This step will lead to an understanding of how these assets are connected through a network architecture. The transparency of the network configuration allows you to understand how an attacker can gain access to network devices. The physical and logical map of the enterprise network will allow companies to succeed in the third phase of the security audit.



Inventory of data streams



Understanding data streams is critical. Since many protocols used in industrial automation have no options for protecting traffic, many attacks can be carried out without any exploit, simply with access to the network and an understanding of the protocol. Knowing the port, protocol, endpoints, and timing (deterministic or not) of each stream helps you understand where data should travel between the network nodes identified in the previous step.
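
The three inventories combined into one check, as an added example that is not part of the original article: observed flows are compared with the asset inventory and a list of expected flows, and each flow's timing is classified. All addresses, asset names, classes, the expected-flow list and the jitter tolerance are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed asset inventory (step 1): IP -> class, plus network zone (step 2).
ASSETS = {
    "10.0.1.10": {"name": "HMI-1", "cls": "hmi", "zone": "control"},
    "10.0.1.20": {"name": "PLC-1", "cls": "plc", "zone": "control"},
    "10.0.2.5": {"name": "HIST-1", "cls": "historian", "zone": "dmz"},
}
# Constructed expected flows: (source class, destination class, protocol, port).
EXPECTED = {("hmi", "plc", "tcp", 502), ("historian", "plc", "tcp", 502)}
# Constructed observations (step 3): (seconds, src, dst, protocol, dst port).
FLOWS = [
    (0.0, "10.0.1.10", "10.0.1.20", "tcp", 502),   # 502 = Modbus/TCP
    (1.0, "10.0.1.10", "10.0.1.20", "tcp", 502),
    (2.0, "10.0.1.10", "10.0.1.20", "tcp", 502),
    (0.4, "10.0.2.5", "10.0.1.20", "tcp", 502),
    (7.9, "10.0.2.5", "10.0.1.20", "tcp", 502),
    (9.1, "10.0.2.5", "10.0.1.20", "tcp", 502),
    (5.0, "10.0.1.10", "10.0.1.20", "tcp", 22),
    (6.2, "10.0.3.77", "10.0.1.20", "tcp", 502),
]

def audit_flows(assets, expected, flows, jitter=0.1):
    """Group observations by flow and classify each against the inventories."""
    times = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        times[(src, dst, proto, port)].append(ts)
    report = {}
    for (src, dst, proto, port), stamps in times.items():
        if src not in assets or dst not in assets:
            status = "unknown-asset"      # endpoint missing from the asset inventory
        elif (assets[src]["cls"], assets[dst]["cls"], proto, port) in expected:
            status = "expected"
        else:
            status = "unexpected-flow"    # known assets, undocumented port/protocol
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            timing = "insufficient-data"
        elif max(gaps) - min(gaps) <= jitter * mean(gaps):
            timing = "deterministic"      # steady polling interval
        else:
            timing = "non-deterministic"
        report[(src, dst, proto, port)] = (status, timing)
    return report

if __name__ == "__main__":
    print(audit_flows(ASSETS, EXPECTED, FLOWS))
```

Flows reported as unknown-asset point to gaps in the asset inventory, and unexpected-flow entries are the ones to review against the network map.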



In security, there is no "install and forget" rule. In the ever-changing threat landscape, yesterday's best practices are no longer relevant. By starting with a security audit, companies obtain the necessary information about assets and data flows in their automated process control systems, which prepares them to implement an in-depth program for protecting technology segments from threats. Considering possible losses, intellectual property and a possible threat to life, it is more important than ever that the necessary measures be taken to improve the safety level of industrial control systems.



Recommended reading: NIST Special Publication 800-82 (Revision 2), Guide to Industrial Control Systems (ICS) Security.


