Owl Cyber Defense
Secure by Design

Owl Blog

Cybersecurity, Technology News and Insights


After months of planning, we are thrilled to launch our new blog! Here you’ll find the hottest cybersecurity tech trends, the latest industry news, and helpful tips and tricks for mitigating cyber threats. As we continue to learn more about what our readers are interested in, we will work hard to create valuable content that helps cybersecurity professionals with product innovations, news, and insights on laws and regulations in #InfoSec.

We wanted a new way to collaborate and communicate with our community and to share multimedia such as videos, use cases, and other helpful resources. Visit often; we have lots to share!

We look forward to growing with you as we embark on this new journey. Don’t forget to subscribe above and follow us on social media! Thanks for coming by!

- TEAM OWL



Implementing DHS Best Practices to Secure Industrial Control Systems

By Scott Coleman | Director of Marketing / Product Mgmt.

May 25, 2018

Modern advancements in industrial control systems (ICS) enable marked improvements in efficiency, production, reliability, and safety, all through increased use of “smart” assets and digital communications. However, this has led to a dependency on communication technology that is seemingly at odds with the ever-increasing pressure to enhance cybersecurity in ICS networks.

To better balance the need for communication and security in OT networks, and to determine how best to secure them, it’s important to recognize the reasons behind each of their connections. The two primary reasons that organizations provide data paths into or out of their OT networks are:

  • To provide information to remote users outside the OT network (production data, SIEM, files, historians, monitoring/maintenance information, etc.)

OR

  • To allow for remote command and control by users outside the OT network (error remediation, system adjustments, etc.)

To this end, the US Department of Homeland Security (DHS), in conjunction with the FBI and NSA, has released recommended best practices that any organization can use to help secure its ICS networks.

1. Map and identify all external connections

Until you have accurately mapped the network, there is no way of assuring that all points of entry into the OT network are secured, including connections to other networks within your organization. Therefore, it is vital to take the time to thoroughly assess, map, and understand the literal ins and outs of your OT network, whether it is performed internally or by a respected third party.

2. Reduce the attack surface of your OT network

No matter what the purpose or number of authorized users, it’s very important to recognize that each external connection is a potential attack vector for cyberthreats both into and out of your OT network.

The DHS recommends that organizations, “Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function.”

Further, the DHS suggests the logical use of network segmentation to restrict and further control communication paths. “Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.”

3. Convert external connections for monitoring purposes to one-way (out)

It is often assumed that the only way to perform remote monitoring is to allow remote access into the OT network to gather the data. However, pushing or replicating data (historians, databases, SIEM) out to the IT network has proven to be a secure way of getting that data into the hands of end users.

Again, the DHS recommends “If one-way communication can accomplish a task, use optical separation (“data diode”). … Where possible, implement ‘monitoring only’ access enforced by data diodes.” Data diodes are one-way transfer devices that allow operational data to exit the organization for monitoring or use by a remote user, without opening a potential entry point or attack vector into the OT network.

4. Convert data transfers into the OT network to one-way (in)

Despite the desire to lock down the network and keep all threats out, data files, usually in the form of a software patch or update from a vendor, often need to be transferred into OT networks. With a locked-down network this is typically achieved with some kind of portable media (thumb drive, laptop, etc.). However, this runs the significant risk of infecting the network when something other than the software update exists on the media.

The DHS recommends that organizations, “Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path and use these to authenticate. Don’t load updates from unverified sources.”
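As an added illustration of the validation step above (example code, not from the article or from Owl), the following Python script checks a staging directory of downloaded updates against a SHA-256 manifest obtained through a separate channel before anything is released toward the OT network. The manifest format, file names and file contents are constructed assumptions for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed manifest as a vendor might publish it out of band, one "sha256  filename" per line.
MANIFEST_TEMPLATE = "# release 4.2 (constructed)\n{plc}  plc_firmware_4.2.bin\n{hmi}  hmi_patch_4.2.zip\n"

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so a large firmware image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Return {filename: expected_sha256}, skipping comments and blank lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            expected[name.strip()] = digest.lower()
    return expected

def audit_staging(staging_dir, manifest_text):
    """Classify staged files; only the 'verified' list may enter the inbound path."""
    expected = parse_manifest(manifest_text)
    present = {p.name for p in Path(staging_dir).iterdir()}
    result = {"verified": [], "mismatch": [], "unlisted": [], "missing": sorted(set(expected) - present)}
    for name in sorted(present):
        actual = sha256_file(Path(staging_dir, name))
        if name not in expected:
            result["unlisted"].append(name)  # rode along on the media; not part of the release
        elif hmac.compare_digest(actual, expected[name]):
            result["verified"].append(name)
        else:
            result["mismatch"].append(name)  # altered or corrupted since the vendor hashed it
    return result

def demo():
    # Constructed staging area: one intact file, one altered file, one extra file.
    plc, hmi = b"PLC firmware image (constructed)", b"HMI patch archive (constructed)"
    d = tempfile.mkdtemp()
    for name, data in [("plc_firmware_4.2.bin", plc), ("hmi_patch_4.2.zip", hmi + b"\x00"),
                       ("notes.txt", b"not part of the vendor release")]:
        Path(d, name).write_bytes(data)
    manifest = MANIFEST_TEMPLATE.format(plc=hashlib.sha256(plc).hexdigest(), hmi=hashlib.sha256(hmi).hexdigest())
    return audit_staging(d, manifest)
```

A vendor signature over the manifest itself would close the remaining gap; the hash comparison only proves the file matches what the out-of-band channel said.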

5. Lock down any remaining two-way connections with defense in depth

Most likely, some business or support operations are going to require a two-way external connection. Whether it’s for remote command and control, error remediation, or some other critical purpose, it’s not always possible to eliminate two-way external connections completely, but it’s vital that these remaining connections be heavily controlled.

As part of a layered, “defense in depth” cybersecurity strategy for ICS communications, a variety of tools are employed: role-based access controls, multi-factor authentication, whitelisting, and more. Beyond these baseline tools, the two major transfer technologies used to control access points within OT networks, firewalls (software-based) and data diodes (hardware-based), provide the strongest means to secure ICS communications.
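As an added example covering steps 1 through 5 together (not code from the article or from Owl), the Python script below turns the mapped connection inventory from step 1 into a checklist: unjustified paths are flagged, monitoring paths are expected to be one-way out, update paths one-way in, and any remaining two-way path must sit behind an enforcement point with the baseline controls the article lists. The record fields, control names and inventory entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Connection:
    """One data path across the OT boundary (constructed inventory record)."""
    name: str
    direction: str           # "out", "in" or "two-way"
    purpose: str             # "monitoring", "update" or "control"
    enforcement: str         # "diode", "firewall" or "none"
    justified: bool = False  # a defined business requirement or control function exists
    controls: set = field(default_factory=set)  # layered controls present, e.g. {"mfa"}

# Baseline controls the article lists for any remaining two-way path (step 5).
REQUIRED_TWO_WAY = {"mfa", "rbac", "whitelist"}

def assess(conn):
    """Return findings for one connection, applying steps 2 to 5: unjustified paths
    go, monitoring becomes one-way out, updates become one-way in, and any
    remaining two-way path needs an enforcement point plus the baseline controls."""
    findings = []
    if not conn.justified:
        findings.append("no defined business requirement: remove or justify")
    if conn.purpose == "monitoring" and conn.direction != "out":
        findings.append("monitoring should be push-only: convert to one-way out via data diode")
    if conn.purpose == "update" and conn.direction != "in":
        findings.append("update transfer should be one-way in via data diode")
    if conn.direction == "two-way":
        if conn.enforcement == "none":
            findings.append("two-way path with no enforcement point: place behind a firewall")
        missing = REQUIRED_TWO_WAY - conn.controls
        if missing:
            findings.append("two-way path missing controls: " + ", ".join(sorted(missing)))
    elif conn.enforcement != "diode":
        findings.append("one-way intent not enforced in hardware: use a data diode")
    return findings

def audit(inventory):
    """Map each connection name to its findings; compliant connections map to []."""
    return {c.name: assess(c) for c in inventory}

# Constructed inventory standing in for the map produced in step 1.
INVENTORY = [
    Connection("historian-replication", "out", "monitoring", "diode", True),
    Connection("siem-forwarding", "two-way", "monitoring", "firewall", True, {"rbac"}),
    Connection("vendor-patch-drop", "in", "update", "diode", True),
    Connection("remote-support", "two-way", "control", "firewall", True, {"mfa", "rbac", "whitelist"}),
    Connection("legacy-dialup", "two-way", "control", "none", False),
]
```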

6. Keep in Mind

While defending the perimeter may have fallen out of vogue recently in favor of intrusion detection, advanced biometric authentication, and other measures, keeping intruders out is still one of the best methods to prevent damage to or hijacking of critical systems. Following these five concrete steps from the DHS can help to dramatically improve the cybersecurity of industrial control systems with minimal disruption to normal business operations.


ABOUT THE AUTHOR
Scott Coleman has 25+ years of experience working in high tech as a Programmer, Product Manager and now Director of Product Management & Marketing for Owl Cyber Defense. His breadth of experience includes healthcare, telecom, and cybersecurity, for both private and public sectors. He is a published author and an invited speaker at many conferences.