With all the news surrounding industrial cybersecurity—from Russian hackers targeting industry to the maze of new companies created to address industrial control system (ICS) security—it can be a confusing time for companies of all sizes.
How vulnerable are we, really? How much protection do we really need and where should we focus it? Should we staff up internally or rely on external expertise? These are just a few of the questions that come to mind for many companies as they assess their stand on cybersecurity.
Though all of these questions and many more need to be answered, Gary DiFazio of Tripwire, a supplier of industrial cybersecurity software and services, says there are fundamental measures that everyone needs to take to help identify and mitigate the impact of cyber events on the industrial process. Following his seven-step checklist of cybersecurity fundamentals will provide a solid grounding that will help you to protect your systems and more knowledgeably assess next steps.
DiFazio’s seven-step checklist includes:
- Network design: DiFazio says the first thing every company should do, if they haven’t already, is to make cybersecurity part of the industrial network design cycle. “This way, you will make sure cybersecurity event risk reduction is enacted from the start vs. trying to bolt on industrial security controls after a control system is deployed,” he explains.
- Event monitoring: Cybersecurity event monitoring should now be considered an integral part of any industrial cybersecurity approach. “Gone are the days where you can implement a control system and have a ‘set it and forget it’ mentality,” he says.
- Asset inventory: You must know everything that is connected to your network. From controllers to human-machine interfaces (HMIs) to engineering workstations, all assets on your network should be accurately inventoried so there aren’t any unknown devices. This enables quick identification of rogue assets.
- Log management: Through a centralized log repository, operators can gain an understanding of what information their devices are producing so that they can optimize performance and ensure these devices are not about to fail, DiFazio says.
- Configuration management: “Harden and manage changes to the configuration states for all devices connected to the process control network. This includes SCADA [supervisory control and data acquisition] systems, network devices, firewalls, controllers and authentication systems,” he says. “Manage these configuration states against industrial-specific guidance, such as IEC 62443 or NIST SP 800-82.”
- Industrial firewalls: Firewalls are often considered basic table stakes in cybersecurity today. But in many cases, they are not activated or used properly. When it comes to industrial applications, DiFazio recommends the implementation of firewalls that can perform deep packet inspection against the industrial protocol to block traffic that is trying to use the protocol in ways that it was never intended to be used. “Leverage industrial firewalls that can enforce the correct communication between industrial devices,” he says. “For example, only allow HMIs to read certain Modbus registers on the controller and not write to them, or only permit specific industrial protocols such as EtherNet/IP and deny all other industrial protocols.”
- Privilege control: Only the supervisor’s maintenance terminal should be permitted to write to specific Modbus registers. “Only allow the SCADA master to write to registers,” DiFazio says. “All others should only have read capability. Based on a user’s role within the organization, grant access to systems and devices based upon their job function.”
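To make the firewall and privilege-control items concrete, here is an added example (not Tripwire’s or DiFazio’s code) of the kind of Modbus/TCP deep-packet-inspection rule they describe: it parses a request frame, maps the source address to a role, lets an HMI only read a register window, and lets only the SCADA master write. The source IP addresses, register windows and sample frames are constructed for the example.

```python
import struct

# Standard public Modbus function codes used in this example.
READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x03, 0x06, 0x10

# Hypothetical role policy keyed by source IP (constructed addresses): an HMI may only
# read a register window, and only the SCADA master may write.
POLICY = {
    "10.0.1.10": {"role": "hmi", "functions": {READ_HOLDING_REGISTERS}, "registers": range(0, 100)},
    "10.0.1.20": {"role": "scada_master", "registers": range(0, 200),
                  "functions": {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}},
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and enough of the PDU to know which registers a request touches."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header: protocol id must be 0 and length must match the frame")
    fc, pdu = frame[7], frame[8:]
    if fc in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        addr, count = struct.unpack(">HH", pdu[:4])       # start address, register count
    elif fc == WRITE_SINGLE_REGISTER:
        addr, count = struct.unpack(">H", pdu[:2])[0], 1  # start address, one register
    else:
        addr, count = None, 0                              # function is not register-addressed
    return {"unit": unit_id, "function": fc, "address": addr, "count": count}

def decide(src_ip: str, frame: bytes) -> tuple:
    """Return ("allow"|"deny", reason) for one request, as an industrial DPI rule would."""
    rule = POLICY.get(src_ip)
    if rule is None:
        return "deny", f"unknown source {src_ip}"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    if req["function"] not in rule["functions"]:
        return "deny", f"{rule['role']} may not use function 0x{req['function']:02X}"
    if req["address"] is not None:
        end = req["address"] + req["count"]
        if req["address"] < rule["registers"].start or end > rule["registers"].stop:
            return "deny", f"{rule['role']} outside permitted registers {req['address']}-{end - 1}"
    return "allow", f"{rule['role']} function 0x{req['function']:02X}"

# Constructed sample requests to unit 1: HMI read of 10 registers, HMI write attempt,
# SCADA master multi-register write, SCADA master write beyond its permitted window.
HMI_READ = bytes.fromhex("00010000000601030000000A")
HMI_WRITE = bytes.fromhex("000200000006010600051234")
MASTER_WRITE = bytes.fromhex("00030000000B0110000000020400010002")
MASTER_OOR = bytes.fromhex("000400000006010600FA0001")
```

Calling `decide("10.0.1.10", HMI_WRITE)` yields a denial because the HMI role has no write function, which is exactly the read-only enforcement the checklist asks for.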
While these seven steps don’t address every industrial cybersecurity contingency, they do cover the core measures every industrial company should take to secure its control systems at the most basic level. What’s more, this list serves as a useful reference to return to frequently to make sure you’re staying on top of the basics.
“It’s critical for control engineers to know that good cybersecurity hygiene equates to good operational procedures,” says DiFazio. “This will result in the reduction of the mean time to repair for operational and cybersecurity event outages, if and when they happen.”