Increasingly, industrial environments are threatened by the growing incidence of cybersecurity issues. The convergence between OT and IT networks and their growing interconnection with Internet-connected assets has increased the attack surface. This scenario requires specific security solutions for industrial environments, where business continuity and physical security are just as important as digital security.
In the following article written by Samuel Pampillón, a software developer at InprOTech, the “Five ICS Cybersecurity Critical Controls” developed by the SANS Institute—a renowned organization in the field of cybersecurity—will be presented. The article will also explain how InprOTech Guardian aligns with the security requirements and compliance provisions of these controls.
ICS cybersecurity critical controls
These controls were published on November 7, 2022, by Robert M. Lee and Tim Conway. They were created to address the specific security challenges of industrial environments, with a focus on the prevention aspects of the NIST Cybersecurity Framework.
The five critical controls are as follows:
- ICS incident response plan
- Defensible architecture
- Visibility and monitoring
- Secure remote access
- Vulnerability management
These controls represent the minimum necessary to defend against real attacks, and organizations must take additional steps to reduce risk.
Critical Control Nº1: Incident response plan
It is vital that organizations have an incident response plan specifically designed for ICS. In fact, this plan should be considered the foundation of the organization’s security program, as a common mistake is to think of incident response as the final step in the program, which can result in previously implemented security controls not being aligned with the needs that incident response may demand.
OT incident response plans prioritize actions according to potential operational impact and seek to position the system to continue operating during an attack, reducing both the effect of the attack and the impact on the controlled process.
A specific plan for ICS can be divided into three phases:
- Determine which scenarios represent the greatest risk.
Firstly, real-world incidents should be considered, as they provide a practical and realistic basis for the potential risks affecting the industry. These scenarios should be prioritized, as they are attacks that have already occurred and are more likely to happen again.
- Consider consequence-based scenarios
After analyzing some real-world scenarios, one or more consequence-based scenarios should be developed. That is, regardless of whether such an attack has occurred before, identify an impact that is of concern to the organization, determine whether it could be achieved through a cyberattack, and map out the possible actions of the attacker. It is advisable to draw on the experience and knowledge of the internal team, which may have information that the adversary does not.
- Put the scenarios on the table
Once the scenarios are identified, the ICS-specific response plan includes a tabletop exercise. This consists of applying each scenario to the organization’s environments and sites (management, operations, security, etc.), working together to determine the requirements that each incident would have and defining the appropriate response.
InprOTech’s services, together with its InprOTech Guardian product, support the creation of a response plan aligned with business needs. In addition, Guardian facilitates the generation of detailed reports that support incident investigation and analysis, enabling decisions to be made based on accurate data.
Critical Control Nº2: Defensible architecture
A defensible architecture is one that, through its design and implementation, minimizes risks and facilitates the work of those responsible for its security.
Although there are different frameworks, from the Purdue approach to architectures based on ISA/IEC 62443, what is essential is their correct implementation, which makes it possible to reinforce the security of the organization.
The attributes of a defensible architecture are:
- Identification of asset inventory
- Segmentation of environments to limit entry and exit points
- Determining when bi-directional access is needed
- Ability to collect network and communications traffic
- Critical event logging and analysis
- Ability to establish a robust security posture that restricts unnecessary connections and eliminates non-essential devices
InprOTech Guardian offers a set of capabilities that facilitate the implementation of a defensible architecture. Its traffic blocking functionality serves as a mechanism to minimize the attack surface. In addition, thanks to the AirWatcher functionality, it can detect wireless devices, which allows monitoring and preventing unwanted access that could compromise the security of the infrastructure.
Critical Control Nº3: Network visibility and monitoring
Network monitoring is necessary to understand the interactions between ICS systems. Having visibility of what is happening in the network is vital, as it allows data collection and detection of risk scenarios associated with critical control Nº1, continuous validation of the architecture described in critical control Nº2 and the improvement and implementation of controls Nº4 and Nº5 below.
In addition, industrial environments are becoming increasingly complex, so having broad visibility and monitoring of the network will facilitate root cause analysis of a potential incident, saving investigation costs.
InprOTech Guardian aligns closely with Critical Control Nº3, providing extensive network visibility and monitoring capabilities. Its capabilities allow:
- Inventory and complete visualization: Identifies all assets and their communications and generates a network map that illustrates the architecture and connection between components.
- Anomaly detection: Monitors network traffic, alerting to suspicious patterns and detecting anomalous behaviour, both external and internal.
- Proactive prevention: Employs technologies such as honeypots to identify and analyse targeted attacks before they affect operations.
- Traffic blocking: Restricts unauthorized communication flows, reducing the attack surface.
- Event correlation and analysis in ICS: Integrates solutions that enable comprehensive analysis of security events, strengthening critical infrastructure.
These features make InprOTech Guardian a comprehensive solution that enhances network visibility and control, essential pillars of any industrial security strategy.
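As an added illustration (not code from the article or from InprOTech Guardian), the following Python sketch ties the defensible-architecture attributes above (asset inventory, segmentation, deciding where bi-directional access is needed, restricting unnecessary connections) to the visibility capabilities just listed: it learns an inventory and a communication baseline from a window of observed flows, then tags later flows as new assets, conduit-policy violations or never-seen pairs, which are the findings a blocking rule or an analyst would act on. The zones, addresses, conduit policy and flow records are all constructed for the example.

```python
import ipaddress

# Constructed zone map and conduit policy: the addresses are hypothetical and only
# illustrate a Purdue-style split into enterprise, DMZ and control zones.
ZONES = {
    ipaddress.ip_network("10.1.0.0/24"): "enterprise",
    ipaddress.ip_network("10.2.0.0/24"): "dmz",
    ipaddress.ip_network("10.3.0.0/24"): "control",
}
# Conduits are directional: (initiating zone, destination zone, destination port).
# Only enterprise->DMZ HTTPS and DMZ->control Modbus/TCP may be initiated; a PLC
# opening connections back toward the DMZ is the "is bi-directional access
# needed?" question that the architecture has to answer explicitly.
CONDUITS = {("enterprise", "dmz", 443), ("dmz", "control", 502)}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"  # outside the model: treat as untrusted

def learn_baseline(flows):
    """Learning window: flows are (src_ip, dst_ip, dst_port). Returns the asset
    inventory and the set of communication pairs observed."""
    assets = {src for src, _, _ in flows} | {dst for _, dst, _ in flows}
    return assets, set(flows)

def classify(flow, assets, pairs):
    """Tag one flow against the learned baseline and the conduit policy."""
    src, dst, port = flow
    if flow in pairs:
        return ["baseline"]
    findings = []
    if src not in assets or dst not in assets:
        findings.append("new-asset")         # inventory change: unknown device talking
    if (zone_of(src), zone_of(dst), port) not in CONDUITS:
        findings.append("policy-violation")  # crosses a conduit the design does not allow
    return findings or ["new-flow"]          # known hosts, allowed conduit, first sighting

def review(flows, assets, pairs):
    return {f: classify(f, assets, pairs) for f in flows}

# Constructed learning-window traffic and a later batch to review.
BASELINE_FLOWS = [("10.1.0.10", "10.2.0.5", 443), ("10.1.0.10", "10.2.0.6", 443),
                  ("10.1.0.11", "10.2.0.5", 443), ("10.2.0.5", "10.3.0.20", 502)]
LATER_FLOWS = [("10.1.0.10", "10.2.0.5", 443), ("10.1.0.11", "10.2.0.6", 443),
               ("10.3.0.20", "10.2.0.5", 502), ("10.1.0.10", "10.2.0.5", 22),
               ("10.1.0.99", "10.3.0.20", 502)]
FINDINGS = review(LATER_FLOWS, *learn_baseline(BASELINE_FLOWS))
```

In the sample batch the PLC-initiated connection toward the DMZ and the SSH attempt into the DMZ are flagged as policy violations, while the unknown host talking Modbus to a PLC is flagged both as a new asset and as a violation.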
Critical Control Nº4: Secure remote access
The digitization of ICS systems and business demands have driven increased use of remote connectivity. In some cases, this connectivity may not be necessary, and it is possible to limit or eliminate it. However, in most industrial organizations it is unavoidable. Remote connectivity brings significant business and operational benefits, but it also carries significant risks.
To mitigate these risks and secure remote access, it is recommended to implement multi-factor authentication (MFA), which can be applied safely in most ICS environments. It is critical to prioritize MFA on connections that are externally accessible. Where MFA is not feasible, organizations should establish appropriate compensating controls.
Critical Control Nº5: Vulnerability management
Finally, it is necessary to have a vulnerability management program in the ICS systems.
In the OT environment, systems have a considerably longer life cycle compared to IT environments. This means that detected vulnerabilities can persist for long periods of time.
The vulnerabilities that represent a risk in the ICS are those that allow an attacker to gain access to the ICS or to introduce functionality that affects its correct operation.
It should be kept in mind that the approach to vulnerability management in ICS should not be limited to patching, as this option is often not feasible without disrupting critical processes. Instead, the objective should be broader: identify relevant vulnerabilities, prioritize their treatment based on operational impact, implement mitigation measures when patching is not possible, and establish continuous monitoring of their possible exploitation.
This approach allows maintaining a balance between security and operational continuity, which is essential in industrial environments.
InprOTech Guardian also offers a solution for this critical control, as it can perform vulnerability scans on network asset services. This provides the necessary information to identify, locate and address the different vulnerabilities of the infrastructure.
InprOTech Guardian
InprOTech Guardian is a cybersecurity tool specifically designed and developed to protect industrial networks. Its main objective is to monitor the traffic generated in production environments and analyse it using a combination of static rules, an IDS, artificial intelligence and honeypots, which allows it to learn network behaviour and detect anomalies. This approach makes it possible to identify threats effectively and issue real-time alerts, directly notifying plant managers and/or operators of possible attacks or operational failures, thus anticipating and reducing their impact.
All these capabilities make InprOTech Guardian the ideal tool to address the critical controls mentioned above.
Summary
The five ICS Critical Cybersecurity Controls provide an essential roadmap for critical infrastructure organizations to guide their cybersecurity investments and operations. Implemented in a coordinated and prioritized manner, these controls enable you to build a robust security program that adapts to the real risks of the industrial environment.
In this framework, InprOTech Guardian empowers the strategy by providing comprehensive visibility, proactive detection and vulnerability scanning, facilitating threat-informed decision making. In this way, organizations can optimize their resources, ensuring an appropriate response to identified threats.
True to our principles, InprOTech remains committed to improving and democratizing access to cybersecurity in industrial environments.