This chapter discusses industrial standards and guidelines, including ISA-99, IEC-62443, NERC CIP, ISO, and others, and how to translate specific cyber security guidelines into actionable recommendations. It also includes chapter references indicating where additional guidance for common requirements can be found within this book.
Table 13.1
ISA 62443 Security Levels
Security Level | Description |
1 | Prevent the unauthorized disclosure of information via eavesdropping or casual exposure |
2 | Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation |
3 | Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS specific skills and moderate motivation |
4 | Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS specific skills and high motivation |
Table 13.2
Industry Best Practices for Conducting ICS Assessments
Publishing Organization | Description |
American Petroleum Institute / National Petrochemicals and Refiners Association (USA) | Security Vulnerability Assessment Methodology for the Petroleum and Petrochemicals Industries |
Centre for the Protection of National Infrastructure (UK) | Cyber Security Assessments of Industrial Control Systems – A Good Practice Guide |
Department of Homeland Security (USA) | Can be used to test ability to exploit vulnerabilities (Ethical Hacking) |
Institute for Security and Open Methodologies | Open-Source Security Testing Methodology Manual |
National Security Agency (NSA) | A Framework for Assessing and Improving the Security Posture of Industrial Control Systems (ICS) |
Table 13.3
Sample Mappings of Regulations and Guidelines to Cyber Security Controls
Example Requirements | Recommendations | Chapter to Reference |
Example Requirements:
• Establish Electronic Security Perimeter (NERC CIP)
• Establish System Boundaries (CFATS)
• Establish Secure Conduit (ISA-62443)
• Segregation of Networks (ISO/IEC 27002:2005)
• Sensitive System Isolation (ISO/IEC 27002:2005)
• Cyber Security Controls (CFATS)
• Access Control Lists (CFATS)
• Network Connection Control (ISO/IEC 27002:2005)
• Network Routing Control (ISO/IEC 27002:2005)
• Information Flow Enforcement (NRC)
• Network Architecture Control / Firewall between Corporate Network and Control Network (NIST 800-82)
• Security Control, Intrusion Detection and Prevention (NIST 800-82)
• Network Access Control (NRC)
Recommendations:
• Implement network segmentation at Layer 2 (VLANs) or Layer 3 (subnets). If segmentation is not supported due to ICS requirements (e.g. multicast messaging), filter traffic at the switch to control traffic.
• Add network security controls to govern traffic between segments. This can include:
  • NAC
  • ACLs
  • Firewalls
  • NGFW
  • IPS
  • Application Filters
  • UTM
Chapter to Reference:
• Chapter 5, “Industrial Network Design and Architecture”
• Chapter 9, “Establishing Zones and Conduits”
• Chapter 10, “Implementing Security Controls”
|
Example Requirements:
• Electronic Access Control (NERC CIP)
• User Authentication for External Connections (ISO/IEC 27002:2005)
• Password Requirements (NRC)
• Password Management (CFATS)
• Unique Accounts (CFATS)
• User Registrations (ISO/IEC 27002:2005)
• Access Enforcement (NRC)
• User Identification and Authentication (NRC)
Recommendations:
• Require authentication to access all privileged network zones and all data contained therein.
• Maintain least privilege and separation of duties on all user accounts.
• Maintain strong password management on all user accounts.
• Monitor all user activity for indicators of inappropriate data access.
• Implement Identity and Access Management (IAM) tools to manage user accounts and ensure strong authentication and authorization practices.
Chapter to Reference:
• Chapter 10, “Implementing Security Controls”
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
Example Requirements:
• Monitoring Electronic Access (NERC CIP)
• Network Monitoring (CFATS)
Recommendations:
• Monitor network flows to validate network segmentation and to ensure that network configurations and implemented security controls are functioning as intended. This can include the use of:
  • Network Management Systems (NMS)
  • Network Behavior Anomaly Detection (NBAD)
  • Log Management Systems (LMS)
  • Security Information and Event Management (SIEM) systems
Chapter to Reference:
• Chapter 11, “Exception, Anomaly and Threat Detection”
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
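The two rows above (segmenting the network into zones with ACLs or firewalls, then monitoring flows to confirm the segmentation actually holds) can be checked with the same piece of logic: a zone-and-conduit policy and a pass over observed connection records. The script below is an added example written for this chapter, not code from the book or from any product it names. The zone map, conduit table and sample flow records are constructed, and the `Flow` fields are an assumed schema rather than a specific NetFlow or NBAD export format.

```python
"""Check observed connection records against a zone-and-conduit policy.

Added example, not code from the book. ZONES, CONDUITS and SAMPLE_FLOWS are
constructed for illustration; the Flow fields are an assumed schema, not a
particular NMS or NBAD product's export format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map (Layer 3 segmentation): zone name -> subnets.
ZONES = {
    "enterprise":  [ip_network("10.1.0.0/16")],
    "dmz":         [ip_network("10.2.0.0/24")],
    "supervisory": [ip_network("192.168.10.0/24")],  # HMI / SCADA servers
    "control":     [ip_network("192.168.20.0/24")],  # PLCs / RTUs
}

# Constructed conduits: (source zone, destination zone) -> permitted destination
# ports. A flow is the *initiation* of a connection, so direction matters; a
# reply inside an established session is not a separate flow here.
CONDUITS = {
    ("enterprise", "dmz"):      {443},         # historian web front-end
    ("dmz", "supervisory"):     {1433},        # historian pulls SCADA data
    ("supervisory", "control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Return the zone containing addr, or 'unknown' if no subnet matches."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def check_flow(flow: Flow):
    """Return None if the flow is permitted by policy, else a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        # An address outside every defined zone means the zone map is
        # incomplete or an unknown device is present; either way it is a finding.
        return f"unmapped address in {flow.src} -> {flow.dst}"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not governed by conduits
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit defined for {src_zone} -> {dst_zone}"
    if flow.dport not in allowed:
        return f"{flow.proto}/{flow.dport} not permitted on conduit {src_zone} -> {dst_zone}"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the policy."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample flows, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.11", 502),    # HMI -> PLC: permitted
    Flow("10.1.4.20", "192.168.20.11", 502),       # workstation -> PLC directly
    Flow("10.2.0.8", "192.168.10.5", 3389),        # DMZ -> SCADA server via RDP
    Flow("192.168.20.11", "192.168.10.5", 502),    # PLC initiating toward HMI
    Flow("192.168.10.5", "192.168.10.6", 445),     # intra-zone: out of scope
    Flow("203.0.113.9", "192.168.20.11", 502),     # address outside any zone
]


def audit_sample():
    """Run the audit on SAMPLE_FLOWS and return the reasons in order."""
    return [reason for _, reason in audit(SAMPLE_FLOWS)]


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  VIOLATION  {reason}")
```

Run against real flow exports, every `no conduit defined` finding is either a firewall or ACL gap to close or a conduit the zone model forgot, and every `unmapped address` finding is an asset-inventory gap; both are exactly what the monitoring row asks a NMS or NBAD deployment to surface.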
Example Requirements:
• Denial of Service Protection (NRC)
Recommendations:
• Ensure that proper zoning is in place and that industrial systems are not exposed to the Internet.
• Implement anti-DoS technology at outer perimeters (e.g. between business networks and the Internet).
• Validate that critical network, security, and ICS components are robust (i.e. test for resiliency during traffic anomalies and floods).
Chapter to Reference:
• Chapter 10, “Implementing Security Controls”
• Chapter 8, “Risk and Vulnerability Assessments”
|
Example Requirements:
• Remote Diagnostic and Configuration Port Protection (ISO/IEC 27002:2005)
Recommendations:
• Maintain a protected network zone for all external connectivity and remote communication, and control access into and out of this zone.
Chapter to Reference:
• Chapter 5, “Industrial Network Design and Architecture”
• Chapter 9, “Establishing Zones and Conduits”
• Chapter 10, “Implementing Security Controls”
|
Example Requirements:
• Change Control and Configuration Management (NERC CIP, NRC)
• Change Management (ISO/IEC 27002:2005)
• Changes to File System and Operating System Permissions (NRC)
Recommendations:
• Host configuration monitoring using built-in Windows security audit tools and/or the Linux auditd tool.
• Additional host cyber security controls for File Integrity Monitoring (FIM) and configuration management.
• Host cyber security controls to prevent file tampering or changes, including Host Intrusion Detection Systems (HIDS) and Application Whitelisting (AWL).
• Monitor hosts for indications of file tampering or unauthorized changes. This can include the use of:
  • Log Management Systems (LMS)
  • Security Information and Event Management (SIEM) systems
Chapter to Reference:
• Chapter 10, “Implementing Security Controls”
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
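File Integrity Monitoring, as recommended in the row above, comes down to a trusted baseline and a comparison that reports what changed; the permission-change item from the NRC column means mode bits have to be part of the baseline, not just content hashes. The script below is an added example written for this chapter, not the book's code or any FIM product's. It baselines SHA-256, size and permission bits per file, classifies the differences, and `demo()` exercises it on a throw-away directory of constructed files (the file names are made up).

```python
"""Baseline-and-compare file integrity monitoring (FIM).

Added example, not the book's code. snapshot() records SHA-256, size and
permission bits for every regular file under a directory; compare() reports
what was added, removed, modified or re-permissioned since the baseline.
demo() builds a throw-away directory with constructed files to exercise it.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map relative path -> {'sha256', 'size', 'mode'} for regular files under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and directories are not baselined here
        st = path.stat()
        result[path.relative_to(root).as_posix()] = {
            "sha256": _sha256(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),   # permission bits only
        }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        if before["sha256"] != after["sha256"] or before["size"] != after["size"]:
            modified.append(rel)          # a content change outranks a mode change
        elif before["mode"] != after["mode"]:
            mode_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def save_baseline(snap: dict, path) -> None:
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Create constructed files, baseline them, tamper, and return compare()."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "plc").mkdir(parents=True)
        (root / "bin").mkdir()
        files = {
            "plc/config.ini": "poll_interval=500\n",
            "bin/tool": "#!/bin/sh\necho ok\n",
            "old.cfg": "retired=1\n",
        }
        for rel, text in files.items():
            (root / rel).write_text(text)
            os.chmod(root / rel, 0o644)   # fixed mode so the demo is deterministic
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated unauthorized changes made after the baseline was taken.
        (root / "plc/config.ini").write_text("poll_interval=5\n")  # content edit
        (root / "new.bin").write_bytes(b"\x7fELF")                 # dropped file
        (root / "old.cfg").unlink()                                 # deleted file
        os.chmod(root / "bin/tool", 0o755)                          # now executable

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file must itself be protected (stored off-host or on write-once media), otherwise whoever alters a monitored file can re-baseline it; feeding the `compare()` output to the LMS or SIEM named in the row is what turns this into a detective control rather than a one-off audit.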
Example Requirements:
• Ports and Services (NERC CIP)
• Removal of Unnecessary Services and Programs (NRC)
• Open and Insecure Protocol Restrictions (NRC)
Recommendations:
• Monitor hosts for open ports and services using asset management or configuration management tools.
• Monitor network and log behavior for indicators of unauthorized ports and services that may be in use, using SIEM and similar tools.
Chapter to Reference:
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
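The row above asks for two distinct checks on each host's listening services: is each service approved for that host's role, and is any of them a clear-text or legacy protocol that should not be present at all. The script below is an added example for this chapter, not the book's code. The per-role baseline, the insecure-protocol list and the inventory rows are constructed; in practice the rows would come from an asset or configuration management export (for instance parsed `ss -tlnp` or `netstat -ano` output collected per host).

```python
"""Compare listening services on ICS hosts with an approved-services baseline.

Added example, not the book's code. APPROVED, INSECURE and INVENTORY are
constructed; real inventory rows would come from an asset or configuration
management export collected from each host.
"""
import csv
import io

# Constructed baseline: host role -> set of (proto, port) permitted to listen.
APPROVED = {
    "hmi":       {("tcp", 3389)},                  # RDP for supervised remote ops
    "plc":       {("tcp", 502), ("tcp", 44818)},   # Modbus/TCP, EtherNet/IP
    "historian": {("tcp", 1433), ("tcp", 443)},    # SQL Server, HTTPS
}

# Clear-text or legacy protocols that should not listen on ICS hosts regardless
# of role (the "Open and Insecure Protocol Restrictions" item).
INSECURE = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("tcp", 513): "rlogin",
}

# Constructed inventory export: one listening socket per row.
INVENTORY = """\
host,role,proto,port,process
hmi-01,hmi,tcp,3389,svchost.exe
hmi-01,hmi,tcp,23,telnetd
plc-07,plc,tcp,502,modbusd
plc-07,plc,tcp,80,httpd
hist-01,historian,tcp,1433,sqlservr.exe
hist-01,historian,tcp,5900,vncserver
eng-02,engineering,tcp,22,sshd
"""


def parse_inventory(text: str) -> list:
    """Parse the CSV export into dicts with an integer port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def assess(rows: list) -> list:
    """Return [(host, finding)] for each listener that breaks policy.

    The two checks are independent, so a telnet daemon on an HMI yields both an
    'insecure protocol' and an 'unapproved service' finding.
    """
    findings = []
    for row in rows:
        key = (row["proto"], row["port"])
        where = f"{row['proto']}/{row['port']} ({row['process']})"
        if key in INSECURE:
            findings.append((row["host"], f"insecure protocol {INSECURE[key]} on {where}"))
        baseline = APPROVED.get(row["role"])
        if baseline is None:
            # A role with no baseline cannot be assessed; that gap is itself a finding.
            findings.append((row["host"], f"no approved-services baseline for role '{row['role']}'"))
        elif key not in baseline:
            findings.append((row["host"], f"unapproved service listening on {where}"))
    return findings


def assess_inventory() -> list:
    return assess(parse_inventory(INVENTORY))


if __name__ == "__main__":
    for host, finding in assess_inventory():
        print(f"{host}: {finding}")
```

Running this on every inventory refresh, and forwarding the findings to the SIEM, gives the "unauthorized ports and services" detection the row describes; the baseline should be reviewed through change control so that a newly approved service is added to `APPROVED` rather than silently tolerated.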
Example Requirements:
• Patch Management (NERC CIP)
• Control of Technical Vulnerabilities (ISO/IEC 27002:2005)
• Cyber Vulnerability Assessment (NERC CIP)
• Vulnerability Scans and Assessments (NRC)
Recommendations:
• Perhaps the most difficult challenge in industrial cyber security, patching is fundamental to maintaining a strong security posture.
• The most important ingredient of good patch management is knowledge: keep informed of the latest vulnerabilities and threats, and keep your patch management procedure fluid enough to accommodate urgent patching requirements.
• Automated solutions can ease this burden (e.g. using WSUS for Windows system and security patches).
Chapter to Reference:
• Chapter 8, “Risk and Vulnerability Assessments”
|
Example Requirements:
• Cyber Asset Identification (CFATS)
Recommendations:
• Implement access management either procedurally or through the use of asset management tools.
• Implement security monitoring tools such as SIEM, preferably with integrated asset management capabilities.
Chapter to Reference:
• Chapter 8, “Risk and Vulnerability Assessments”
• Chapter 11, “Exception, Anomaly and Threat Detection”
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
Example Requirements:
• Malicious Software Prevention (NERC CIP)
• Cyber Security Controls (CFATS)
• Controls against Malicious Code (ISO/IEC 27002:2005)
• Host Intrusion Detection System (NRC)
• Malicious Code Detection (NIST 800-82)
• Anti-virus
• Malware Protection
Recommendations:
• To protect against malware, both host-based and network-based security controls should be used. Because malware changes often, multiple layers of defense are recommended, and all anti-malware efforts should be well managed and kept current with any necessary patches or updates.
• Host cyber security controls, including:
  • Endpoint hardening to minimize the vulnerability of devices to malware
  • Anti-virus, Application Whitelisting and/or HIDS to limit the effectiveness of malware
• Network cyber security controls, including:
  • Segment the network to minimize the propagation or spread of malware if/when it occurs.
  • Implement network traffic inspection (deep packet inspection, DPI) using an IPS to prevent known exploits and malware from traversing the network.
Chapter to Reference:
• Chapter 5, “Industrial Network Design and Architecture”
• Chapter 9, “Establishing Zones and Conduits”
• Chapter 10, “Implementing Security Controls”
|
Example Requirements:
• Incident Reporting (CFATS, NERC CIP)
• Audit Logging (ISO/IEC 27002:2005)
• Reporting Information Security Events (ISO/IEC 27002:2005)
• Collection of Evidence (ISO/IEC 27002:2005)
• Records Retention and Handling (NRC)
Recommendations:
• While incident reporting can be largely procedural, a good Log Management or SIEM solution can assist with the auditing of evidence and activities surrounding an incident, produce supporting documentation, and store the records (in this case, the event logs) in a secure, non-repudiable manner.
Chapter to Reference:
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|
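The "secure, non-repudiable" storage the row above expects from a log management or SIEM product rests on a simple mechanism: each stored event is bound to the one before it with a keyed hash, so an edited, reordered or deleted record is detected on verification. The class below is an added example written for this chapter, not the book's code and not a description of any SIEM vendor's implementation. The HMAC key is a constant purely for the demo (an assumption, not a design); the event lines in `demo()` are constructed.

```python
"""Tamper-evident, append-only event log for incident evidence retention.

Added example, not the book's code. Every record carries an HMAC-SHA256 over
its sequence number, event text and the previous record's tag, so an edited,
reordered or deleted record breaks the chain when verify() runs. The key is a
constant here only for the demo; a deployment would hold it outside the
system that writes the log. The event lines in demo() are constructed.
"""
import copy
import hashlib
import hmac
import json


class ChainedLog:
    GENESIS = "0" * 64   # 'previous tag' for the first record

    def __init__(self, key: bytes):
        self._key = key
        self.records = []   # each: {"seq", "event", "prev", "tag"}

    def _tag(self, seq: int, event: str, prev: str) -> str:
        body = json.dumps({"seq": seq, "event": event, "prev": prev},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, event: str) -> None:
        seq = len(self.records)
        prev = self.records[-1]["tag"] if self.records else self.GENESIS
        self.records.append({"seq": seq, "event": event, "prev": prev,
                             "tag": self._tag(seq, event, prev)})

    def verify(self, records=None):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        records = self.records if records is None else records
        prev = self.GENESIS
        for i, rec in enumerate(records):
            expected = self._tag(i, rec["event"], prev)
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(rec["tag"], expected)):
                return False, i
            prev = rec["tag"]
        return True, None


def demo() -> dict:
    """Build a small log, then show that an edit and a deletion are detected."""
    log = ChainedLog(key=b"demo-only-key-not-for-production")
    for line in [   # constructed SIEM-style events
        "2024-01-15T10:02:11Z firewall deny 10.1.4.20 -> 192.168.20.11:502",
        "2024-01-15T10:02:40Z hmi-01 login success user=operator3",
        "2024-01-15T10:03:05Z plc-07 config write from 192.168.10.5",
        "2024-01-15T10:03:30Z hmi-01 logout user=operator3",
    ]:
        log.append(line)

    edited = copy.deepcopy(log.records)
    edited[1]["event"] = edited[1]["event"].replace("operator3", "operator9")

    deleted = copy.deepcopy(log.records)
    del deleted[2]   # records after the gap now carry the wrong seq and prev

    return {
        "clean":   log.verify(),
        "edited":  log.verify(edited),
        "deleted": log.verify(deleted),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise: the chain alone cannot detect truncation of the most recent records, so the latest tag must be anchored somewhere the log writer cannot reach (write-once storage, or a periodic copy to a separate system); and an HMAC proves integrity only to whoever holds the key, so evidence that must convince a third party should additionally be signed with an asymmetric key held by the records custodian.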
Example Requirements:
• Monitoring Electronic Access (NERC CIP)
• Security Status Monitoring (NERC CIP)
• Network Monitoring (CFATS)
• Monitoring System Use (ISO/IEC 27002:2005)
• Security Alerts and Advisories (NRC)
• Continuous Monitoring and Assessment (NRC)
Recommendations:
• Again, a good Log Management or SIEM solution will collect data from the network in addition to security events, providing the continuous monitoring needed to support a variety of standards. Most solutions also include standard-specific report templates, further easing compliance efforts.
Chapter to Reference:
• Chapter 12, “Security Monitoring of Industrial Control Systems”
|