We clearly see a strong link between current geopolitical events and the continued escalation of cybersecurity issues, especially around industrial environments. As a reminder, Industry 4.0 partly aims to converge toward the digitization of production environments, and IoT is an essential part of this approach. I suggest we go through, in more or less detail, the basic cybersecurity recommendations for connected industrial environments.
Mapping of assets and security objectives
This recommendation does not directly address the security of the industrial environment; rather, it prepares the ground for applying security correctly. This first step is quite classic: determine the assets to be defended and their criticality. A risk analysis (EBIOS RM or other) meets this objective, which is essential for the proper application of our more technical recommendations.
- Asset mapping;
- Performing a risk analysis.
The first technical security recommendation, and surely one of the most important, relates to the architecture of your industrial environment. As for any type of information system, it is important to define a secure architecture based on basic principles, including the segmentation of assets according to their sensitivity, their function, their architecture and the risks identified previously. A simple example would be to segment the enterprise information system from the industrial information system. This segmentation is the foundation on which we can add a set of elements related to perimeter security (firewalls, security incident detection probes, etc.) and defense in depth (hardening of systems).
The following points can be learned:
- Segment your architecture into zones based on asset independence principles, isolate ICS/SCADA systems and networks from corporate networks and the Internet using perimeter controls, and limit all communication in and out of ICS/SCADA perimeters;
- Determine barriers or lines of protection (technical, procedural and human means);
- Integrate multi-factor authentication for all remote access to ICS/SCADA networks and devices, where possible, although we do not recommend the use of remote access to industrial information systems;
- Limit network connections of ICS/SCADA systems to only specifically authorized management and engineering workstations;
- Install endpoint detection and response (EDR) solutions and ensure antivirus file reputation settings are configured;
- Harden management systems by configuring Device Guard, Credential Guard and Hypervisor-protected Code Integrity (HVCI).
I would like to add a point of vigilance that seems important to me around the segmentation of the architecture. The notion of segmentation seems clear to us in the IT world, but this is less the case in industrial environments. During our architecture studies, we notice that segmentation is generally well taken into account, yet some machines act as bridges between two or more networks. For OT staff, a machine with two network cards does not represent a bridge between the two networks. Unfortunately, it does, and in our attack scenarios we show how far ransomware could reach through such bridges.
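As an added illustration of the point above (example code, not from the original article): given a constructed asset inventory listing each machine's network interfaces and the zone plan from the architecture study, the script flags every host whose interfaces span more than one zone, i.e. a potential bridge between the corporate and industrial networks. The zone CIDRs and host names are invented for the example.

```python
import ipaddress

# Constructed zone plan from the architecture study (assumed CIDRs, not from the article).
ZONES = {
    "IT-corporate": ipaddress.ip_network("10.10.0.0/16"),
    "OT-supervision": ipaddress.ip_network("10.20.0.0/16"),
    "OT-control": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed asset inventory: host -> list of interface addresses.
INVENTORY = {
    "hist-01": ["10.10.5.20"],                       # historian, corporate zone only
    "scada-srv": ["10.20.1.10", "192.168.50.10"],    # dual-homed supervision/control
    "eng-ws-03": ["10.10.7.44", "10.20.1.44"],       # engineering workstation bridging IT and OT
    "plc-07": ["192.168.50.71"],                     # controller, control zone only
    "maint-laptop": ["10.10.9.2", "172.16.0.5"],     # second interface outside any planned zone
}


def zone_of(address: str) -> str:
    """Return the zone name containing the address, or 'UNPLANNED' if no zone matches."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNPLANNED"


def find_bridges(inventory: dict) -> dict:
    """Map each host with interfaces in two or more zones to the sorted list of those zones."""
    bridges = {}
    for host, addrs in inventory.items():
        zones = sorted({zone_of(a) for a in addrs})
        if len(zones) > 1:
            bridges[host] = zones
    return bridges


def report(bridges: dict) -> list:
    """Human-readable findings; an interface outside the zone plan is called out explicitly."""
    lines = []
    for host, zones in sorted(bridges.items()):
        flag = " (interface outside the zone plan)" if "UNPLANNED" in zones else ""
        lines.append(f"{host}: bridges {' <-> '.join(zones)}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(find_bridges(INVENTORY)):
        print(line)
```

Run against a real inventory export, every flagged host is a candidate for a second look in the architecture study: either the second interface is justified and filtered, or it should go.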
Once again, this recommendation is quite basic, and yet we still raise it often (too often for my taste) during our various audits. Every ICS/SCADA device and system ships with a default configuration provided by the manufacturer. Configuring the device correctly is obviously important for it to operate as expected, but its configuration is also a basic element of its security. Here are some examples, although some are not applicable to all systems:
- Modify the default passwords of ICS/SCADA devices and systems using strong and unique passwords, before going into production;
- Modify the default certificates of ICS/SCADA devices and systems;
- Regularly change all passwords for ICS/SCADA devices and systems in order to limit, in part, brute force attacks;
- Back up controller firmware (early launch anti-malware) and configuration files, and keep the backups off the production network;
- Perform constant monitoring and regularly update ICS/SCADA devices and systems;
- Apply the principle of least privilege. Use administrator accounts only when necessary for certain tasks, such as installing software updates.
See and predict
One of the last basic notions to take into account is the integration of means of detecting security incidents and preparing for incident response. Prevention is better than cure: plan the crisis exercise before the crisis.
Security incident detection is a major challenge, and it is what limits, as far as possible, a malicious actor's room for action on the industrial information system.
- Use a continuous monitoring solution enabling the detection of malicious behavior by monitoring systems and internal communications to detect hostile actions, lateral movements, etc. A multitude of tools exist to meet this objective and identify abnormal traffic;
- Incorporate robust collection and retention of logs from ICS/SCADA systems and management subnets. This will be useful for both detection and response to a security incident;
- Have an incident response plan and exercise it regularly with stakeholders from cybersecurity and operations, and do not forget leadership and communications, who will play a critical role;
- Audit your information systems regularly and apply the associated action plans.
An essential point linking all the recommendations is the regular execution of a control plan to confirm that the security policy is applied, and applied properly.
This list is not exhaustive, I know, but it allows you to put the basics in place on a subject that is sometimes complicated to address because of objections related to production. Several publications exist and you will find several references at the end of this article, but keep in mind that it is imperative to take the subject in hand before you are impacted.
I know that some points are difficult to apply because of the responsibility of the manufacturer who, contractually, often has no commitment in terms of cybersecurity. We recommend adding cybersecurity requirements to each new contract in order to commit the manufacturer to keeping ICS/SCADA systems in a secure state. To conclude, do not hesitate to seek support on your projects; our feedback, and that of our colleagues in the field, is at your disposal.