“Barak Perelman wrote an interesting post about Three Questions Every ICS Security Team Should Ask that I would like to share.”
Securing ICS networks is an extremely challenging task, primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, let’s consider the top three questions every organization should ask itself about securing its network.
1. Do we know what needs to be protected?
To protect the network, the first step is to create an inventory of the technologies and critical assets in place. Without this baseline understanding, it’s impossible to secure it. Generally, industrial controllers (PLCs, RTUs, DCSs) are the most critical components of ICS networks, since they are responsible for the entire lifecycle of industrial processes. Automation controllers ensure continuous and safe operations.
Securing controllers requires accurate knowledge of the firmware they are running, the code and logic they execute, and their current configuration. Any change to controller firmware, logic or configuration can cause operational disruptions.
Since most ICS networks were deployed decades ago, it is commonplace for some assets to be forgotten about. Most organizations don’t have a clear picture of the critical assets that need to be protected in their environment. Manual processes used to document them are not only inaccurate, but they are also tedious and resource intensive.
This lack of automated asset discovery and management forces many organizations to rely on manual documentation using spreadsheets. This outmoded approach not only results in employee burnout and gross inaccuracies, it also creates opportunities for network breaches.
Automated asset discovery and management provides ICS security teams with an accurate, up-to-date inventory, empowering them to plan and roll out effective security controls.
2. What is happening in the ICS network?
Unfortunately, a great deal of what happens in ICS networks is unknown. Inherently different from IT networks, they not only lack visibility and security controls, but also use specialized technologies and vendor specific communication protocols. This makes IT controls unsuitable for these environments.
Some ICS network monitoring solutions focus on HMI/SCADA application activity, which occurs at the data-plane of ICS networks. This activity is executed over known and standardized communication protocols that are easier to monitor.
However, the core engineering activities performed on industrial controllers, including changes to control logic, configuration settings and firmware uploads/downloads, can’t be monitored in these data-plane network protocols. That’s because these control-plane activities are executed in proprietary vendor-specific protocols, which are often undocumented and unnamed. This makes them very difficult to monitor.
In IT networks, performing control-plane activities typically requires special privileges. However, most ICS networks lack authentication or encryption controls. Therefore, anyone with network access can execute the above activities. In addition, there are no audit trails or logs that capture changes and activities which can be used to support forensic investigations.
Gaining visibility into the engineering activities executed in the industrial control-plane should be a top priority for ICS security teams. This is where malicious activity and human error can cause the greatest disruptions.
3. Can we effectively manage and respond to security events?
Due to the general absence of visibility and controls in ICS networks, most organizations are unable to respond to events in a timely and effective manner. Their failure to do so not only weakens their defences, but also increases the overall costs of mitigation.
Real-time visibility into industrial networks is the key to ICS security. To protect against external threats, malicious insiders, and human error, industrial organizations must monitor all ICS activities — whether executed by an unknown source or a trusted insider, and whether the activities are authorized or not.
Only with full visibility into data-plane and control-plane network activity can organizations apply effective security and access management policies that govern who is allowed to make what changes, when and how.
The implementation of accurate security policies can also ensure that ICS security teams get timely alerts when unauthorized and unexpected activity occurs. These can provide the information required to quickly pinpoint the source of problems and mitigate them to minimize disruptions and damage.
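The three questions above fit together as one detection loop: an asset inventory is the baseline (question 1), observed traffic is split into data-plane and control-plane activity (question 2), and a policy over that activity produces alerts (question 3). The following is an added example, not code from the original post or from any vendor product: a small policy evaluator over constructed event records. The inventory, the event fields, the operation names and the policy rules are all assumptions made for illustration; real controller protocols are proprietary, as the post notes, so the decoding of traffic into such records is left out.

```python
"""Added example (not from the original post): an asset inventory plus
observed ICS events evaluated against a simple change-control policy.

All inventory entries, event records, field names and policy values below are
constructed for illustration and are not the format of any real product."""
from dataclasses import dataclass
from datetime import time

# Engineering (control-plane) operations versus HMI/SCADA (data-plane) traffic.
# The operation vocabulary is an assumption, not a real protocol's command set.
CONTROL_PLANE_OPS = {"logic_download", "config_change", "firmware_upload", "firmware_download"}
DATA_PLANE_OPS = {"read_tag", "write_tag"}


@dataclass
class Event:
    src: str   # host issuing the operation
    dst: str   # controller the operation targets
    op: str    # operation name from the constructed vocabulary above
    at: time   # time of day the event was observed


@dataclass
class Policy:
    engineering_stations: set   # hosts allowed to perform control-plane changes
    hmi_stations: set           # hosts allowed data-plane activity only
    window_start: time          # maintenance window in which changes are expected
    window_end: time


# Constructed baseline inventory: the "what needs to be protected" of question 1.
INVENTORY = {
    "10.0.1.10": {"type": "PLC", "firmware": "v2.3"},
    "10.0.1.11": {"type": "RTU", "firmware": "v1.8"},
}


def classify(op):
    """Map an operation to the plane it belongs to."""
    if op in CONTROL_PLANE_OPS:
        return "control"
    if op in DATA_PLANE_OPS:
        return "data"
    return "unknown"


def evaluate(events, inventory, policy):
    """Return (severity, reason, event) tuples for every event the policy flags."""
    alerts = []
    known_hosts = policy.engineering_stations | policy.hmi_stations
    for ev in events:
        # Any traffic to a controller that is not in the inventory is itself a
        # finding: either the inventory is stale or an unexpected device appeared.
        if ev.dst not in inventory:
            alerts.append(("high", "activity against asset missing from inventory", ev))
            continue
        plane = classify(ev.op)
        if plane == "unknown":
            alerts.append(("medium", "unrecognised operation", ev))
        elif plane == "control":
            # Logic, configuration and firmware changes: only engineering hosts,
            # and only inside the maintenance window, are expected.
            if ev.src not in policy.engineering_stations:
                alerts.append(("high", "control-plane change from non-engineering host", ev))
            elif not (policy.window_start <= ev.at <= policy.window_end):
                alerts.append(("medium", "control-plane change outside maintenance window", ev))
        elif plane == "data" and ev.src not in known_hosts:
            alerts.append(("medium", "data-plane activity from unknown host", ev))
    return alerts


def run_demo():
    """Evaluate a constructed batch of events against a constructed policy."""
    policy = Policy(
        engineering_stations={"10.0.2.20"},
        hmi_stations={"10.0.2.5"},
        window_start=time(1, 0),
        window_end=time(4, 0),
    )
    events = [
        Event("10.0.2.5", "10.0.1.10", "read_tag", time(9, 0)),          # normal HMI read
        Event("10.0.2.20", "10.0.1.10", "logic_download", time(2, 30)),  # planned change
        Event("10.0.2.20", "10.0.1.11", "config_change", time(14, 0)),   # outside window
        Event("10.0.3.99", "10.0.1.11", "firmware_upload", time(2, 0)),  # wrong host
        Event("10.0.2.5", "10.0.1.50", "write_tag", time(9, 5)),         # unknown asset
        Event("10.0.3.99", "10.0.1.10", "read_tag", time(9, 10)),        # unknown host
    ]
    return evaluate(events, INVENTORY, policy)


if __name__ == "__main__":
    for severity, reason, ev in run_demo():
        print(f"[{severity}] {reason}: {ev.src} -> {ev.dst} {ev.op} at {ev.at}")
```

The point of the split is that a plain HMI read from an unexpected host and a firmware upload from that same host are different events: the first is worth a look, the second is the kind of control-plane change the post says can disrupt operations and is invisible without dedicated monitoring. Extending this to compare each controller's observed firmware and logic against the inventory's recorded values would close the loop on question 1 as well.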