Security controls for ICS/SCADA environments
An Industrial Control System (ICS) is any technology used to control and monitor industrial activities. Supervisory control and data acquisition systems (SCADA) are a subset of ICS.
These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. However, ICS owners do not have to make assumptions or try to secure them blindly: there are resources available to assist in securing these systems.
Both the National Institute of Standards and Technology (NIST) and the Center for Internet Security have written guides and controls specific to ICSes.
National Institute of Standards and Technology
The Risk Management Framework (RMF) for federal systems is based on NIST Special Publication 800-53, whose controls are written for enterprise IT systems. For ICS, NIST has written Special Publication 800-82 (currently at Revision 2), Guide to Industrial Control Systems (ICS) Security.
Because ICSes have unique challenges and are often composed of older legacy systems, 800-82 was explicitly written for these system types. 800-82 identifies some of the security objectives for ICS implementation:
- Restricting logical access to the ICS network and network activity
- Restricting physical access to the ICS network and devices
- Protecting individual ICS components from exploitation
- Restricting unauthorized modification of data
- Detecting security events and incidents
- Maintaining functionality during adverse conditions
- Restoring the system after an incident
Those familiar with the RMF will recognize the security control families outlined in 800-82:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Program Management
- Privacy Controls
Each family has a list of controls that apply to the category. These controls can be technical or administrative. As the ICS is categorized and evaluated, that will determine which controls are applicable to the specific environment. Once this determination is made, implement the controls, verify and test the implementation, and then monitor the control’s success.
Center for Internet Security
The Center for Internet Security (CIS) has written CIS Controls Version 7 to help secure ICS systems. They used seven key principles for writing the controls:
- Address current attacks, emerging technology, and changing mission/business requirements for IT
- Bring more focus to key topics like authentication, encryptions and application whitelisting
- Better align with other frameworks
- Improve the consistency and simplify the wording of each sub-control — one “ask” per sub-control
- Set the foundation for a rapidly growing “ecosystem” of related products and services from both CIS and the marketplace
- Make some structural changes to layout and format
- Reflect the feedback of a worldwide community of volunteers, adopters and supporters
The controls are broken up into three main areas, with 20 subsections.
CIS has released a companion document to the controls, the V7 implementation guide. This companion document is specific to ICSes and can be used to tailor controls to the specific SCADA environment. Below, we will go into details about each of the 20 control sets.
CIS Control 1: Inventory and Control of Hardware Assets
This could be the most crucial control. You cannot assess or secure your system if you do not know all of its components.
CIS Control 2: Inventory and Control of Software Assets
The same is true for the software components of the system. Each piece of software comes with its own set of vulnerabilities, and you cannot track those vulnerabilities unless you know the software is part of your architecture.
CIS Control 3: Continuous Vulnerability Management
SCADA environments contain many embedded systems that control essential infrastructure. Patching and updating these systems can prove challenging: industrial systems often have required uptimes that limit service windows. Keep these requirements in mind as you create a vulnerability management plan specific to the ICS environment.
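To show how the hardware and software inventory feeds the vulnerability management plan just described, here is an added Python example (not code from the page, NIST or CIS). The asset tags, product names, versions and advisory identifiers are all constructed placeholders; a real run would take them from the site's inventory and from the vendor's advisories. Versions are compared numerically so that 10.0.2 correctly sorts above 9.9.9.

```python
"""Reconcile an ICS asset/software inventory against vendor advisories.

Added example (not from the page or from CIS/NIST): all hosts, products, versions
and advisory identifiers below are constructed placeholders.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.1.3' into (2, 1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    host: str          # constructed asset tag, e.g. "PLC-01"
    product: str       # firmware or software product name
    version: str       # installed version string


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id; real ids come from the vendor/CERT bulletin
    product: str
    fixed_in: str      # first version that is no longer affected


def affected_assets(inventory: list[Asset], advisories: list[Advisory]) -> list[tuple[str, str]]:
    """Return (host, advisory_id) pairs for every asset whose installed version is
    below the fixed version named in an advisory for the same product."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_in):
                hits.append((asset.host, adv.advisory_id))
    return sorted(hits)


# Constructed inventory: what the hardware/software inventory step should have produced.
INVENTORY = [
    Asset("PLC-01", "ExamplePLC-Firmware", "2.1.3"),
    Asset("PLC-02", "ExamplePLC-Firmware", "2.4.0"),
    Asset("HMI-01", "ExampleHMI-Runtime", "10.0.2"),
]

# Constructed advisories: placeholder ids, not real vulnerabilities.
ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1", "ExamplePLC-Firmware", "2.3.0"),
    Advisory("ADVISORY-PLACEHOLDER-2", "ExampleHMI-Runtime", "10.1.0"),
]

if __name__ == "__main__":
    for host, adv_id in affected_assets(INVENTORY, ADVISORIES):
        print(f"{host}: affected by {adv_id}, schedule in next maintenance window")
```

The output list is what goes into the maintenance plan: each affected asset is a patch to schedule inside an available service window, and an asset missing from the inventory simply never appears, which is the gap the inventory controls exist to close.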
CIS Control 4: Controlled Use of Administrative Privileges
The purpose of all access controls is to ensure that users do not gain more access than they are authorized to have. Administrative accounts need strong password requirements and separation-of-duty requirements in place.
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CIS provides benchmarks that can be used to harden IT systems. ICSes can run non-traditional operating systems that the benchmarks may not address. Be sure to follow industry standards and read the manual or vendor websites to ensure that best practices particular to the system are implemented.
CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs
Embedded systems do not always audit security events at the same default level as traditional IT systems, and it may not be easy to have their logs sent to a centralized monitoring system. Using a Security Information and Event Management (SIEM) product designed for ICSes could prove beneficial.
CIS Control 7: Email and Web Browser Protections
Internet browsers and email clients are very susceptible to security threats. CIS publishes benchmarks, based on current threats, that are used to harden them.
CIS Control 8: Malware Defenses
As noted earlier, maintenance on ICSes can be difficult due to uptime requirements. Implement malware protection, and keep malware and antivirus signatures updated within the maintenance windows that are available.
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
While identifying assets, also identify all of the ports, protocols and services that the ICS needs to operate as intended. Limit open ports to the ones needed for the system to function properly.
CIS Control 10: Data Recovery Capabilities
Data backup is vital in ICS environments, just as in traditional enterprise environments. Automated backups may prove difficult in some SCADA environments, so keep that in mind when documenting backup and recovery procedures.
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Securing network devices is just as important, if not more so, in SCADA environments. Only allow firewall traffic through on approved ports; “deny” should be the default setting. Remove default accounts and credentials from network devices, and implement multi-factor authentication.
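The two steps above, identifying the ports, protocols and services the ICS needs and then allowing only those through a default-deny firewall, can be driven from a single baseline. The Python below is an added example, not code from the page or from CIS: the asset classes, hosts and the `ss`-style socket listing are constructed, the port numbers are the registered defaults for Modbus/TCP, DNP3 and OPC UA, and the generated ruleset uses standard nftables syntax.

```python
"""Compare observed listening ports against an approved ICS service baseline and
render a default-deny firewall policy from the same baseline.

Added example (not the page's or CIS's own code). Hosts and observed sockets are
constructed; the port numbers are the registered defaults for the named protocols.
"""

# Approved services per asset class: the output of the "identify ports, protocols
# and services" step. (protocol, port) pairs only; everything else is denied.
APPROVED = {
    "plc": {("tcp", 502)},                  # Modbus/TCP
    "rtu": {("tcp", 20000)},                # DNP3
    "opc-server": {("tcp", 4840)},          # OPC UA
}


def unexpected_listeners(asset_class: str, observed: set[tuple[str, int]]) -> set[tuple[str, int]]:
    """Return (protocol, port) pairs that are listening but not in the baseline.
    An unknown asset class has an empty baseline, so everything it listens on is reported."""
    return observed - APPROVED.get(asset_class, set())


def parse_ss_listeners(text: str) -> set[tuple[str, int]]:
    """Parse the Local Address:Port column of `ss -ltun`-style output into (proto, port) pairs."""
    found = set()
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        proto = cols[0]
        port = int(cols[4].rsplit(":", 1)[1])   # handles 0.0.0.0:502 and [::]:502
        found.add((proto, port))
    return found


def render_nftables(asset_class: str) -> str:
    """Render an nftables ruleset that drops everything except the approved services."""
    lines = [
        "table inet ics_filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for proto, port in sorted(APPROVED.get(asset_class, set())):
        lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed `ss -ltun` output from a PLC: Modbus is expected, telnet and HTTP are not.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      5      0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:80         0.0.0.0:*
"""

if __name__ == "__main__":
    extra = unexpected_listeners("plc", parse_ss_listeners(SAMPLE_SS))
    print("unexpected listeners:", sorted(extra))
    print(render_nftables("plc"))
```

Keeping one baseline for both the audit and the firewall policy means a service that is added to the allow list is also added to what the audit tolerates, and anything that appears on a device without going through the baseline shows up as an unexpected listener.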
CIS Control 12: Boundary Defense
Information should be restricted to flow only through trusted channels. Place boundary devices strategically to control the flow of information; these include firewalls, gateways, IDS/IPS, proxies and DMZ perimeters.
CIS Control 13: Data Protection
ICSes do not usually hold the traditionally sensitive data categories, such as HIPAA-regulated health records, PII and financial data. However, they still collect sensitive information, such as valve readings, flow, temperature and pressure measurements, and even logic controller commands, that should be protected. Encryption for data at rest, together with sniffers and anomaly detection tools, is a strong defense.
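As an added example of the anomaly detection recommended above (not code from the page or from any ICS vendor), the Python below checks pressure and temperature readings against engineering limits and a maximum plausible rate of change, and also flags readings from tags that are not in the inventory. The tag names, limits and the reading stream are constructed.

```python
"""Flag process readings that fall outside engineering limits or change faster than the
physical process can.

Added example, not from the page or from any ICS vendor. Tag names, limits and the
readings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float            # lowest physically plausible value
    high: float           # highest physically plausible value
    max_rate: float       # largest plausible change per second


# Constructed limits for two tags: a pressure transmitter (bar) and a temperature (C).
LIMITS = {
    "PT-101": TagLimits(low=0.0, high=10.0, max_rate=0.5),
    "TT-205": TagLimits(low=-20.0, high=150.0, max_rate=2.0),
}


def detect_anomalies(readings: list[tuple[str, float, float]]) -> list[str]:
    """readings: (tag, timestamp_seconds, value) in arrival order.
    Returns one message per suspicious reading: a value outside its range, a jump
    larger than max_rate * elapsed seconds, or a tag that is not in the inventory."""
    last: dict[str, tuple[float, float]] = {}
    alerts = []
    for tag, ts, value in readings:
        limits = LIMITS.get(tag)
        if limits is None:
            alerts.append(f"{tag}@{ts}: unknown tag, not in inventory")
            continue
        if not limits.low <= value <= limits.high:
            alerts.append(f"{tag}@{ts}: {value} outside [{limits.low}, {limits.high}]")
        if tag in last:
            prev_ts, prev_val = last[tag]
            elapsed = ts - prev_ts
            if elapsed > 0 and abs(value - prev_val) > limits.max_rate * elapsed:
                alerts.append(f"{tag}@{ts}: changed {abs(value - prev_val):.2f} in {elapsed:.0f}s")
        last[tag] = (ts, value)
    return alerts


# Constructed stream: PT-101 drifts normally, then jumps 4 bar in one second.
SAMPLE = [
    ("PT-101", 0.0, 5.0),
    ("PT-101", 1.0, 5.2),
    ("PT-101", 2.0, 9.2),      # in range, but a rate violation
    ("TT-205", 0.0, 40.0),
    ("TT-205", 1.0, 41.0),
    ("TT-205", 2.0, 200.0),    # range and rate violation
    ("FT-999", 0.0, 1.0),      # tag not in the inventory
]

if __name__ == "__main__":
    for line in detect_anomalies(SAMPLE):
        print(line)
```

The rate check is the one that catches the interesting case: a value that is still inside its engineering range but physically could not have got there that quickly, which is exactly the kind of reading a plain threshold alarm would accept.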
CIS Control 14: Controlled Access Based on the Need to Know
Even ICSes can be compartmentalized to separate data into controlled segments. Create ACLs to ensure that only authorized personnel can access the data they are supposed to.
CIS Control 15: Wireless Access Control
Ensure wireless traffic uses controlled, preferably private, networks. Wireless traffic should use, at a minimum, AES or ECC encryption to protect network traffic.
CIS Control 16: Account Monitoring and Control
- Use shared accounts and passwords only when necessary
- Create a process for changing shared account passwords and deleting accounts immediately upon termination of any workforce member
- Remove applications that rely on cleartext or basic authentication. When this is not possible, use unique credential sets and monitor their usage
- Enforce complex passwords
- Automatically lock accounts after periods of inactivity
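An added Python example (not code from the page or from CIS) of how the account controls listed above can be checked against an account register: inactive accounts that should be locked, shared accounts whose password was not rotated after a member who knew it left, and accounts still authenticating over cleartext protocols. All account records, names and dates are constructed, and the 90-day inactivity threshold is an assumed policy value.

```python
"""Account review for an ICS environment: inactive accounts to lock, shared accounts
whose password has not been rotated since a member left, and accounts still using
cleartext authentication.

Added example, not from the page or from CIS. All account records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Account:
    name: str
    last_login: date
    password_changed: date
    shared: bool = False
    members: list[str] = field(default_factory=list)   # people who know a shared password
    auth_method: str = "kerberos"                      # how the account authenticates


# Constructed offboarding log: who left and when.
TERMINATIONS = {"operator-b": date(2021, 6, 10)}


def inactive_accounts(accounts: list[Account], today: date, max_idle_days: int = 90) -> list[str]:
    """Accounts with no login for more than max_idle_days (assumed policy) should be locked."""
    return [a.name for a in accounts if (today - a.last_login).days > max_idle_days]


def stale_shared_accounts(accounts: list[Account], terminations: dict[str, date]) -> list[str]:
    """Shared accounts whose password predates the departure of a member who knew it."""
    stale = []
    for a in accounts:
        if not a.shared:
            continue
        left_after_change = [m for m in a.members
                             if m in terminations and terminations[m] >= a.password_changed]
        if left_after_change:
            stale.append(a.name)
    return stale


CLEARTEXT_METHODS = {"telnet", "http-basic", "ftp"}


def cleartext_accounts(accounts: list[Account]) -> list[str]:
    """Accounts authenticating over cleartext protocols that need replacing or monitoring."""
    return [a.name for a in accounts if a.auth_method in CLEARTEXT_METHODS]


# Constructed records as of TODAY.
TODAY = date(2021, 7, 1)
ACCOUNTS = [
    Account("operator-a", date(2021, 6, 30), date(2021, 1, 5)),
    Account("vendor-tech", date(2021, 1, 15), date(2020, 12, 1)),
    Account("hmi-shared", date(2021, 6, 29), date(2021, 3, 1), shared=True,
            members=["operator-a", "operator-b"]),
    Account("rtu-admin", date(2021, 6, 28), date(2021, 6, 1), auth_method="telnet"),
]

if __name__ == "__main__":
    print("lock:", inactive_accounts(ACCOUNTS, TODAY))
    print("rotate:", stale_shared_accounts(ACCOUNTS, TERMINATIONS))
    print("cleartext:", cleartext_accounts(ACCOUNTS))
```

Each function answers one of the list items with data the organisation already has (last login, password age, the offboarding log, the authentication method), so the review can run on a schedule rather than depending on someone remembering that a shared HMI password should have changed when a colleague left.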
CIS Control 17: Implement a Security Awareness and Training Program
Users are the weakest link in the security chain. An effective training program can help minimize the threat they pose to the internal network.
CIS Control 18: Application Software Security
Applications can have vulnerabilities that need to be identified so they can be mitigated. Static code analysis and debugging are recommended.
CIS Control 19: Incident Response and Management
Even with the best-implemented security controls in place, it is still possible to fall victim to a security threat. If that happens, an incident response team needs to be in place to respond.
CIS Control 20: Penetration Tests and Red Team Exercises
Testing security controls after implementation is a great way to ensure they are correctly implemented and working as expected.
ICSes have unique properties that can make implementing security more difficult than in traditional IT settings. The NIST and CIS guidance described above both help create a healthy security posture.