Industrial Control Systems (ICS) are software, hardware, and networking components that are used for manufacturing. These systems are increasingly connected to the network with smart technologies to improve visibility, control, and productivity.
However, connecting ICS to the network can also create significant cybersecurity risks. Attacks against these systems can disrupt production, create threats to physical safety, and leak an organization’s intellectual property.
Industrial Control Systems systems work in unique environments where availability and productivity are the highest priority. As a result, ICS systems are often long-lived and only receive occasional, scheduled maintenance to minimize impacts on availability.
With long-lived systems and the need to keep production systems online, ICS devices rarely receive updates or patches for known vulnerabilities. As a result, these legacy devices can be difficult to secure and may contain numerous exploitable vulnerabilities. In addition, traditional IT security solutions may not be applicable for ICS environments.
ICS security differs significantly from traditional IT security. Below you will find some security best practices for ICS security:
In the past, ICS systems relied on an “air gap” for security. By disconnecting these systems from the corporate IT network and the public Internet, the goal was to make them immune to cyberattacks.
However, Stuxnet and other attacks have demonstrated that physical access to ICS devices can be used to deliver malware and perform other attacks. Securing physical access is essential to the cybersecurity of ICS.
It is impossible to effectively secure systems that an organization does not know exist. The size and complexity of ICS networks can mean that organizations lack a complete inventory of their ICS devices, their software and hardware, their location, and other important factors. Manual discovery processes are slow, unscalable, and unable to rapidly adapt to changing environments. Automated solutions should be deployed to discover and identify ICS assets connected to the network.
Traditional, signature-based threat detection methodologies can only identify known threats for which a signature is known to the detection system. This leaves them blind to novel attacks or attacks against legacy devices that are old enough that the signature has been deprecated. Identifying novel threats to ICS devices requires the ability to identify anomalies on the ICS network. If an organization develops a baseline of normal network activities, it can detect anomalies such as potential attacks or new devices being connected to the network.
Network segmentation is essential to achieving network visibility and managing access to ICS. Without network segmentation, an attacker may be able to move laterally through the ICS network without detection, while a segmented network provides opportunities for threats to be identified and prevented. The Purdue Enterprise Reference Architecture (PERA) provides a reference model for the design of ICS networks. This includes the deployment of firewalls to segment the network based on the roles of various systems.
The principle of least privilege states that users, devices, applications, and other entities should only have the access and permissions that are essential for their job role. By eliminating unnecessary access, an organization can reduce the probability and impact of an attack because an attacker has less opportunity to attack critical assets without detection.
In the Industrial Control Systems space, implementing least privilege includes not only limiting the devices that can communicate with ICS devices but also the commands that can be sent by them. Enforcing least privilege access requires firewalls that have awareness of ICS network protocols and that can block traffic that violates least privilege access controls.
ICS environments commonly contain long-lived systems that are vulnerable to legacy attacks. High availability requirements and the limitations of legacy systems make it difficult to patch vulnerabilities that leave them open to exploitation. Protecting these systems requires a prevention-focused approach to security that blocks attempted exploits before they reach vulnerable systems. To do so, organizations should deploy an intrusion prevention system (IPS) to detect and block known ICS and legacy OS and network exploits.
Operators commonly require remote access to ICS devices; however, this can also create significant security risks. A 2021 attack against a water plant in Oldsmar, Florida that attempted to add unsafe chemicals to the water supply took advantage of insecure remote access technologies. Remote access to ICS should be provided by secure remote access solutions. This includes zero-trust access controls and monitoring to identify suspicious and potentially malicious access to ICS systems.
ICS security is vital to ensuring the availability, productivity, and safety of ICS devices. However, ICS devices face unique security threats and require security solutions designed for and tailored to them.
Check Point has extensive experience in designing security to meet the unique needs of ICS environments. To learn more about how Check Point’s ICS security solutions can help protect Industrial Control Systems, check out this solution brief. Then, see its capabilities for yourself by signing up for a free demo.