(Summary) Guide to Industrial Control Systems (ICS) Security NIST 800-82r2

Threats to industrial control systems can come from various sources that can be classified as adversarial, accidental, environmental, and structural. It’s necessary to have a risk management plan and robust security measures, such as patch management, to keep ICS secure from potential vulnerabilities. The threat source must be well-understood to define and implement sufficient protection. To properly address security in industrial control systems, it is essential for a cross-functional cybersecurity team to share their diverse domain knowledge and experience to assess and mitigate risks to ICS.

With the proliferation of smart devices and advanced technologies, the Internet of Things (IoT) and Industrial Control Systems are evolving. It transforms ICS networks, optimizes productivity and efficiency, and increases usability. However, with all these benefits, there come security risks. Advanced technologies and the latest digital devices significantly impact ICS security.

Today, widely available internet-enabled devices and software applications have been integrated into ICS, increasing system vulnerability. With the advancement in technology, cybercriminals are using sophisticated malware that specifically targets vulnerabilities in ICS, posing significant threats to national security.

This article provides information on how to secure industrial control systems while addressing their unique performance, safety requirements, and reliability. It will provide you with an overview of ICS security, identifies common threats and vulnerabilities, and gives recommended security solutions to mitigate associated risks.

Industrial Control System is a general term encompassing different types of control systems, including Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA), and other control systems found in the critical infrastructure and industrial sectors. An industrial control system consists of a combination of control components acting together to achieve an industrial objective.

Many ICS are now evolved due to integrating IT capabilities into existing systems, usually replacing physical control mechanisms. For instance, embedded digital controls have replaced analog mechanical controls. Improvements in performance and cost have encouraged this progress, resulting in smart technologies. These include smart transportation, smart electric grid, smart manufacturing, and smart buildings.

Control systems are used in other critical infrastructures and industrial sectors, including distribution, transportation, and manufacturing. A typical industrial control system contains various control loops, remote diagnostics, human interfaces, and maintenance tools using a suite of network protocols on the layered network architecture.

Security for industrial control systems is defined as protecting ICS from threats and cyber-attacks. It’s generally referred to as OT security and includes a wide range of security practices. These include

• Vulnerability management
• Asset inventory and detection
• Endpoint detection and response
• User and access management
• Network intrusion protection and detection
• Patch management

ICS security differs from conventional security in various ways.

1. The devices are generally sensitive to unintended changes, including a whole new class of OT assets, generally known as embedded equipment.
2. Risks are there to information confidentiality, integrity, and availability of the process or safety to property and personnel.
3. Risk remediation requires different techniques due to differences in device types.

Industrial control systems security prioritized machine operations by ensuring processes that support it are protected from cyber threats. Common threats to ICS include:

• External threats & internal threats
• Lateral movement from the IT network
• Phishing attacks to compromise ICS security
• Direct access to Internet-facing systems
• The exploitation of vulnerable internet-connected systems and IoT devices

ICS security is critical because these systems are under attack risks and the consequences of cyber-attacks are significant operationally, financially, and security-wise. Its security is concerned with the following.

1. Securing and protecting industrial control systems and the hardware and software used in operating and controlling machines.
2. Keeping processes and machines running smoothly
3. Ensuring the data and information shown on the control room screens and dashboards are accurate.

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Organizations need to manage risks every day while meeting their business objectives, including financial and personnel safety risks. Organizations should develop a process to assess the associated risks with their businesses. Businesses using ICS have historically managed risks through robust security practices. Safety assessments are well established in various sectors and are usually incorporated into regulatory requirements.

A risk management process must be employed throughout an organization via a three-tiered approach to address risks at

• Organization level
• Business/mission process level
• Information system level

This process is carried out seamlessly across three tiers to improve an organization’s risk-related activities continuously. For ICS operators, safety is a major consideration directly impacting decisions on how systems are operated.

The physical operating environment is another aspect of risk management that organizations consider while working with ICS. Industrial control systems generally have particular environmental requirements, or they may be tied to their physical environment for operations.

Assessing risks requires that companies identify their vulnerabilities and threats, the harm caused by these threats, and the likelihood that adverse events occur from them. There is a need to have proper plans and security measures to protect your organization from potential threats and vulnerabilities.

The patch should be implemented in industrial control systems to protect them from future risks. In the past, if a single component of a control system failed, it could easily be traced, isolated, and repeated. But today, with the advent of increased network communication, a single component failure could lead to a cascading failure. A good patch management plan helps you avoid such damage.

It includes configuration management, patch testing, backup plan, disaster recovery plan, and incident response plan. These plans need approval and input from all affected organizations with necessary support and direction from senior management and help mitigate potential cyber risks.

The nature of industrial control systems is that when an organization performs a risk assessment, there may be some additional considerations that don’t exist while doing a risk assessment of a traditional IT system. Because the impact of a cyberattack on an ICS may include both digital and physical effects, the risk assessment should incorporate those potential effects.

There is a need to understand the

1. 1. Impact on safety and use of safety assessment.
   2. The physical impact of a cyberattack on an industrial control system includes:
      • A larger physical environment.
      • An impact on process control.
      • The physical impact on the ICS itself.
   3. The consequences of risk assessment of physical control components within an ICS.

Effectively integrating security into industrial control systems requires describing and executing a comprehensive program addressing all security aspects, ranging from finding objectives to the day-to-day operation and auditing for improvement and compliance. It’s important to understand the basic development of a security program for industrial control systems.

These include:

• Developing a business case for ICS security
• Making and training a cross-functional team.
• Defining charter and scope.
• Defining particular ICS procedures and policies.
• Implementing an ICS risk management framework.
• Defining the mitigation controls.
• Implementing security measures, such as patch management.
• Raise security awareness and provide training for ICS staff.

A single security product or technology can’t protect an ICS adequately. Securing an ICS is based on robust security policies and a well-configured set of security controls. The selection and implementation of a security control application to an ICS may have major implications on operations. Therefore, it’s essential to consider

• Which security controls are required to sufficiently mitigate risks to an acceptable level, supporting business functions and organizational missions?
• Have selected controls been implemented, or is there a realistic implementation plan?
• What’s the required level of assurance that the selected controls are implemented effectively?

A robust and cohesive patch management plan needs to be developed to overcome these challenges. This plan is effectively created when personnel from IT security, operations, process engineering, and senior management are actively involved.

Patches are additional pieces of code designed to solve specific issues or defects in current software. Vulnerabilities are defects in software that can be exploited to gain unauthorized access to IT systems or give people access to more rights than they should have.

A cost-effective approach to monitoring and deploying software patches can assist enterprises in improving the overall security of their IT systems. Organizations that actively manage and utilize software patches can lessen the likelihood of their IT systems’ vulnerabilities being exploited and save time and money spent reacting to vulnerability-related issues.

The main goal of patch management is to ensure that all computers in an organization are up-to-date with the latest security patches. This is important because hackers often exploit vulnerabilities in software to gain unauthorized access to systems. If a hacker finds one vulnerability, they can use it repeatedly until it’s patched and closed off.

The management of patches is an essential component of maintaining the integrity and security of your industrial control systems. It’s also a critical component for ensuring your system’s proper operation and compliance with regulations.

Patch management is difficult in an operational technology (OT)/industrial control system (ICS) environment. Many firms struggle to define what is in scope due to proprietary hardware and software, a lack of people, inadequate or non-existent testing equipment, regulatory reporting, and system maintenance. As a result, patches go uncontrolled.

Patch management is an important part of the security of industrial control systems (ICS). While ICSise is often physically separated from other networks, they are connected to them by trusted third parties.

ICS-CERT has published a draft guide for patch management in industrial control systems. The guide includes recommendations such as:

• Ensure compliance with vendor recommendations for patch deployment;
• Use proper tools and processes to validate patches before deployment;
• Ensure all critical patches have been applied when evaluating an asset’s security posture; and
• Create a patch management process that includes ongoing monitoring, maintenance, and patch review.

The importance of patching has been recognized for years, but it’s only recently become a critical part of maintaining ICS security. Many organizations have been slow to adopt patch management best practices, and many vendors have changed their patching procedures in recent years.

Patch management is not just about installing a software update — it’s about keeping your systems up-to-date with the latest patches from hardware and software manufacturers. Patching is an important part of protecting against known vulnerabilities in operating systems, applications, and third-party software that could be used as entry points for an attacker.

A patch may remove a vulnerability. Patches should be adequately tested (e. g., off-line on a comparable ICS) to determine the acceptability of side effects. In addition, patching should take place during planned outages of the ICS.

Patching the vulnerability may cause the OS or application to modify how it interacts with control applications, resulting in losing some functionality. Another issue is that many ICS run on outdated versions of operating systems that the vendor no longer supports. As a result, available fixes may be ineffective.

Organizations should create a systematic, accountable, and documented ICS patch management strategy to manage vulnerability exposure. Other technologies that automate this procedure from a centralized server and with proof that the patch has been applied appropriately are available once the choice to install a patch has been made. Consider isolating the automated ICS patch management process from the non-ICS patch management process applications.

Here are some other solutions that can be used to ICS security challenges.

1.    System and Information Integrity

System and information integrity ensure that sensitive data is not updated or removed in an unauthorized and undiscovered manner. The NIST SP 800-53 System and Information Integrity (SI) family of security controls includes rules and processes for discovering, reporting, and repairing information system defects. There are also controls in this family that detect and defend against unauthorized modifications to software and data, give data input and output limitations, check for data accuracy, completeness, and validity, and manage error conditions. However, they may not be suited for all ICS applications.

2.    Access Controls

All-access control examples are viewing, using, and modifying certain data or device functionalities.

There are also controls in place to address the usage of portable and remote devices and privately owned information systems to access the information system, as well as remote access capabilities and wireless technology implementation.

3.    Awareness and Training

Before authorization to use any information system is granted, the security controls for Awareness and Training offer policy and processes for ensuring that all system users are provided with basic information system security awareness and training materials.

Training for employees must be tracked and documented.

4.    Audit and Accountability

Audit and Accountability (AU) security controls define policies and methods for generating audit records and their content, capacity, and retention requirements.

Data from audits should be safeguarded against tampering and made to be non-reputable.

5.    Security Assessment and Authorization

Accepting residual risk and allowing system operation is the responsibility of a senior organizational official. These are the steps that makeup accreditation. Furthermore, all security controls should be continuously monitored.

6.    Configuration Management

Controls for preserving, monitoring, and documenting configuration control modifications are also defined. Access to configuration settings should be restricted, and IT product security settings should be the most restrictive mode consistent with ICS operational needs.

7.    Contingency Planning

In an emergency, system failure, or disaster, contingency plans are meant to preserve or restore business operations, including computer functions, maybe at a different site.

Controls exist for contingency training, testing, and plan updates, as well as backup information processing and storage sites, in addition to planning.

8.    Identification and Authentication

Security controls provide policy and advice for identifying and authenticating individuals and devices within an information system. Various elements can determine a person’s, device’s, or system’s authenticity, including something you know, something you have, or something you are.

9.    Incident Response

Preparation, detection, analysis, containment, eradication, and recovery are steps in dealing with a security event. Controls also include human incident response training and testing an information system’s incident response capacity.

10. Maintenance

The Maintenance (MA) family of security controls establishes policy and processes for performing normal and preventative maintenance on information system components. This involves the management of maintenance staff and the use of maintenance tools (both local and remote).

11. Media Protection

Media Protection (MP) is a set of policies and procedures for restricting access to media to only authorized users. There are additional controls in place for labeling media for distribution and handling needs, as well as for storage, transport, sanitization (the removal of data from digital media), destruction, and disposal.

12. Physical and Environmental Protection

Controls for physical access, keeping logs, and dealing with visitors are among them. This family also contains controls for the deployment and management of emergency protective measures such as IT system emergency shutdown, power and lighting backup, temperature and humidity controls, and fire and water damage prevention.

References:

• NIST 800-82r2