Fundamentals of ICS Security – US CERT TA17-164A


The United States Computer Emergency Readiness Team recently revised Alert TA17-164A, providing technical details on the tools and infrastructure used by cyber actors of the North Korean government.  While the alert was written to address these specific actors, the mitigating actions it recommends are effective against similar techniques used by any actor.  As these techniques become well known in the user community, other actors may adopt them or derive similar techniques for use in their own campaigns against other targets.

The alert should be of particular concern to owners and operators of industrial control systems because these actors “commonly target systems running older, unsupported versions of Microsoft operating systems.”  The actors have also used vulnerabilities targeting the Adobe Flash Player and Microsoft Silverlight applications.  The versions of Microsoft Windows commonly used in industrial control systems typically lag those used in commercial environments and are not always replaced or upgraded when Microsoft ends support.  The Adobe Flash Player and Microsoft Silverlight applications are sometimes used in support of machine interface or supervisory applications in operational technology environments.

The alert encourages all network administrators to apply several mitigation strategies.  These strategies work best when integrated together to form a stronger security fabric. A few of these strategies are particularly applicable to industrial control systems:

  1. Patch applications and operating systems
  2. Use application whitelisting
  3. Restrict administrative privileges
  4. Segment networks and segregate them into security zones
  5. Understand firewalls

Patch Applications & Operating Systems

Owners and operators should take every opportunity to patch their control system assets.  Traditional claims that patching activities are a greater risk than the vulnerabilities neglect the experience of the last several years, beginning with the revelations of the Stuxnet software and continuing with its derivatives and a steady drumbeat of vulnerabilities specific to industrial applications, controllers, and common support equipment.  Any owner or operator of an industrial control system should have an active program to periodically evaluate and install patches to applications and operating systems for all devices in their environment, even if the period is annual or semi-annual, depending on the downtime requirements and perceived risk of process disruption.

Application Whitelisting

The use of application whitelisting and the restriction of administrative privileges in operational technology environments is becoming a best practice, particularly on systems using Microsoft operating systems.  Controllers and common support equipment don’t typically support whitelisting (or the function is effectively supplied by the manufacturer, with varying degrees of effectiveness).  Application whitelisting can be particularly effective in a controls environment because application use is relatively limited and static.  One of the biggest issues with whitelisting in the IT context, whitelisting “bloat”, is significantly less of a problem in control systems.

Restricting Administrative Privileges

Restricting administrative privileges is a security best practice.  However, the increased risk of denying support personnel ready access to these devices may offset the benefits of restricting the privileges against this threat. There are several means of achieving this objective, from stronger passwords and more limited use of administrative credentials, to alerting on new admin account access, to regular review of admin account usage. Importantly, the right mix depends on the type of device at issue.  We find that employing a range of “alerting & review” solutions, along with true restriction on certain devices, is the most balanced approach to security and operational reliability.

Network Segmentation & Understanding Firewalls

Segmenting networks and using effective firewalls are critical elements of any cybersecurity solution, and of any reliability solution for that matter. Segmentation can improve the overall reliability of industrial control systems, harden these systems against lateral movement by malicious actors within the environment, and aid in managing the scope of an incident response effort.  Further, continual review and updating of the rules and procedures that control network traffic, enforce communications protocols, and provide central intrusion detection functionality enables the network administrator to apply the principles of continuous improvement to the network’s security profile over time.

Critical to segmentation is a thorough understanding of firewalls and routers.  In certain cases routers can serve as simpler, less capable firewalls, which suits complex networks that benefit from lighter traffic control between closely interdependent segments.

One can segment networks into security zones in many ways.  Two common strategies are to segment networks by service provided to the facility or to segment networks by class of asset.  Both of these strategies can be equally effective, although it may be less costly to use one over another depending on the details of the environment.

Segmenting networks by service provided allows each service to the facility to be isolated during an incident, whether the incident is non-malicious (such as a simple broadcast storm) or malicious (worm activity spreading by the SMB protocol).  When an incident occurs, a router or firewall can provide some warning of unusual activity to network administrators or security analysts and possibly prevent an incident from directly impacting more than one service to the facility.  Many facilities have storage or redundancy of utility services that can allow for the continued provision of at least limited service during an incident.  While the use of a large storage tank may be independent of the segmentation strategy, conscious decisions should be made about the co-location of redundant services within a segment.  Spanning parallel networks (either physical or virtual) throughout a large facility is no longer considered a standard practice in commercial network design, but still finds widespread use in industrial control systems.

Segmenting networks by class of asset isolates threats to individual platforms.  Machine interfaces typically need to communicate with controllers, but not with each other.  Placing all machine interface hosts in a common segment and using private virtual networking begins to apply micro-segmentation to the environment; each machine interface host can easily communicate with its controllers but not with other similar hosts.  By keeping the controllers on a separate segment, the firewall has the opportunity to limit communications between the host and the controllers to only those protocols used for control functions.  Malicious code introduced to any host will be unable to compromise the dissimilar platform using any protocol; many denial of service attacks targeting controllers from the machine interface hosts also become ineffective in this case.
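The class-of-asset design described above, written out as a zone policy check. This is an added example, not code from the original post: the zone addressing, the allowed protocols (Modbus/TCP to controllers, syslog to the supervisory network) and the sample flows are all constructed to show which traffic a default-deny boundary between an HMI segment and a controller segment would stop.

```python
"""Zone-based flow policy check for an HMI/controller segmentation design.

Added example (not from the original post). Zones, ports and flows are
constructed: HMI hosts may talk to controllers over a control protocol only,
HMI hosts never talk to each other, and nothing else reaches the controllers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed zone layout (assumed addressing, not from the post).
ZONES = {
    "hmi": ip_network("10.10.1.0/24"),
    "controllers": ip_network("10.10.2.0/24"),
    "supervisory": ip_network("10.10.3.0/24"),
}

# Allow-list keyed by (source zone, destination zone) -> permitted (proto, port).
# Any pair not listed is denied: default deny at every zone boundary.
POLICY = {
    ("hmi", "controllers"): {("tcp", 502)},   # Modbus/TCP control traffic only
    ("hmi", "supervisory"): {("udp", 514)},   # log forwarding to collectors
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any defined zone"
    if src_zone == dst_zone == "hmi":
        # Micro-segmentation: HMI hosts have no need to talk to each other,
        # so lateral SMB (or anything else) between them is denied outright.
        return "deny", "intra-HMI traffic not permitted"
    if src_zone == dst_zone:
        return "allow", "same zone"
    allowed: Set[Tuple[str, int]] = POLICY.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) in allowed:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} permitted"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in allow-list"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample traffic: what a worm on one HMI would try versus what
# the HMI legitimately needs.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.20", 502),          # HMI -> PLC, control traffic
    Flow("10.10.1.5", "10.10.1.6", 445),           # HMI -> HMI over SMB, worm spread
    Flow("10.10.1.5", "10.10.2.20", 445),          # HMI -> PLC over SMB
    Flow("10.10.1.5", "10.10.3.9", 514, "udp"),    # HMI -> log collector
    Flow("10.10.3.9", "10.10.2.20", 502),          # supervisory -> PLC, not allowed
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```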

A key consideration in designing network segments is the definition of security zones.  Zones can be defined using the NIST guidance.  Common zones used in operational technology environments include, but are not limited to:

* Process Information Network (aka Demilitarized Zone, providing process information to the commercial environment)

* Remote Access Network

* Management or Supervisory Network (providing management workstations and supervisory network services such as log collection, performance monitoring, and event analysis servers)

* Process Control Networks (Distributed Control Systems, Supervisory Control and Data Acquisition Systems, or hybrid machine interface, controller, and instrumentation networks)

* Operational Networks

** Operational Supervisory Network

** Basic Control Network (typically machine interfaces, alarming, and controllers)

** Safety Network (independent safety controllers and instrumentation)

** Process Network (networked instrumentation, including both sensors and control elements)


Security vendors and the press often discuss all of the more advanced security features of new products and technologies, and all of these solutions can potentially help make a network more secure. However, this recent CERT release shows how critical the fundamentals of cybersecurity are, especially in critical industrial control systems. Patching, application whitelisting, admin privilege management, and segmentation are all critical to get right to ensure you can both protect against and detect potential threats.

Dragonfly, Energy Targets and General ICS Security Hype


Just the other day Symantec published an article about the recent ‘re-discovery’ of a group known as ‘Dragonfly’.  The article itself is a decent analysis of the threat/attack vectors this group uses and even has a handy chart displaying their ‘progress’ since the last time they were discovered.  My only real critique is that Symantec says twice in this article that “Symantec customers are protected against the activities of the Dragonfly group.”  This I have a problem with, on many fronts.  Symantec is a good company that does good things.  With their suite of products they likely even have the ability to prevent or minimize damage to their clients’ assets.  But this statement provides a false sense of security, because in an ICS network you can’t deploy all the tools a product like Symantec has to offer with the level of automatic updating and intervention it provides.  In reality you are maybe able to use half of its features (AV but not endpoint protection, or endpoint protection limited to specific systems, or scaled-down functions like alert-but-don’t-block, etc.).  This is not the fault of Symantec but rather a consequence of the reality of OT equipment and OEM vendor control/support.

What would provide an appropriate level of security comfort is something that very few currently have: a detailed, up-to-date profile of their asset fleet.  There are a few qualifiers to that statement, so let’s walk through them.


When I say asset list I don’t mean a list of IP addresses.  That is just a base-level ‘head count’.  I mean detail.  Like what is the device (relay, controller, PLC, engineering station…)?  What is running on it (hardware, firmware, serial number, software, OS, etc.)?  And where is it located, physically and functionally, in your plant or along the process?  I am talking about the sort of detail that lets you truly understand what is really out there and how it is configured.


Too many times we see an ‘asset list’ from a client who is pretty sure it is ‘reasonably’ accurate, say 90% accurate, but this is rarely the case.  Of the last 5 client asset lists I have seen in the last 3 months, only one was 90% accurate.  At the other end of the spectrum, we found there were 590% more IP-enabled assets at a particular site than they thought.  The only way to combat this is to be active.  I don’t mean actively scanning an OT network, but I do mean implementing a proactive set of data collection and asset inventory tools.  These tools can be native to the system, passive listeners (though passive collection lacks system-specific details), and/or agents on OS-based devices.  More likely, however, it is a combination of multiple data profiling techniques and technologies that will provide you an accurate inventory.


Once compiled, the data in this asset list/database is invaluable.  It allows you to create profiles of assets or classes of assets.  These profiles then enable more accurate creation and tuning of security tools like whitelisting, vulnerability scanning and change management.  But what is most beneficial is the ability to query the database for a specific risk.  By being able to show only those devices that are in scope for a current or emerging threat, you refine your workload to only that which is truly at risk.  Take the recent WannaCry threat, which we wrote about as well: imagine being able to query your asset database to show just those systems with SMB ports 139 and 445 enabled.  You wouldn’t need to run around with a Windows disk patching all systems; you could just disable the ports on those systems.  Crisis averted!


Best-in-class IT tools are great for the function they provide, assuming you are able to take advantage of them.  However, for a more robust, more accurate ability to act and react to threats to ICS networks you need to start with a much more inclusive view of what you have installed in the first place.  Visibility is what lifts the veil of uncertainty and allows ICS security teams to focus their very limited resources on what is truly at risk, in a way that is safe for OT.



WannaCry and What to do for ICS

We are quite certain that by now you have heard all about WannaCry and its multitude of possible variants.  What is maybe not so clear is what you should do about it.  To cut to the chase, the following should be investigated/executed at a minimum, as soon as possible:

  1. Apply the Windows SMB patch as soon as possible. Note that an emergency patch for unsupported versions of Windows, including Windows XP, Vista, Server 2003 and Server 2008, is available for older systems as well (see Microsoft Security Bulletin MS17-010 – Critical)
  2. Block SMB ports (139 and 445) between IT/OT networks (or, where data diodes are used, allow no connection at all)
  3. On systems that don’t require use of SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewalls
  4. On systems that may require SMB for less important services, consider disabling SMB until patches can be applied
  5. Quickly review disaster recovery plans and determine which Windows-based ICS systems have current backups. Image or back up those systems as soon as possible to aid in rapid recovery if they become infected
  6. Additionally, ICS security teams need to remain vigilant for new variants of WannaCry which may use new replication techniques.
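The asset-database query from the earlier post (show just the systems with SMB ports 139 and 445 enabled) combined with the checklist above, as an added example that is not part of either original post. A constructed SQLite inventory stands in for a real asset database; hostnames, OS versions, the schema and the patch/backup flags are all made-up placeholders, and MS17-010 is the bulletin the checklist names.

```python
"""Scope an SMB-borne threat (WannaCry) against an ICS asset inventory.

Added example, not from the original posts. A constructed in-memory SQLite
inventory is queried for the hosts actually listening on SMB, and each one is
mapped to the checklist action that applies: patch, emergency patch for an
unsupported Windows version, disable/block SMB meanwhile, and back up first.
"""
import sqlite3
from typing import Dict, List

SMB_PORTS = (139, 445)
# Versions the checklist names as covered by the MS17-010 emergency patch.
UNSUPPORTED_WITH_EMERGENCY_PATCH = {
    "Windows XP", "Windows Vista", "Windows Server 2003", "Windows Server 2008",
}

SCHEMA = """
CREATE TABLE asset (id INTEGER PRIMARY KEY, host TEXT, role TEXT, os TEXT,
                    ms17_010_applied INTEGER, backup_current INTEGER);
CREATE TABLE listening_port (asset_id INTEGER, port INTEGER, proto TEXT,
                             FOREIGN KEY(asset_id) REFERENCES asset(id));
"""

# Constructed inventory rows (placeholder hosts, not a real site).
ASSETS = [
    (1, "hmi-01",  "hmi",         "Windows 7",           0, 1),
    (2, "hmi-02",  "hmi",         "Windows XP",          0, 0),
    (3, "eng-01",  "engineering", "Windows 10",          1, 1),
    (4, "hist-01", "historian",   "Windows Server 2008", 0, 1),
    (5, "plc-01",  "controller",  "VxWorks",             0, 0),
]
PORTS = [(1, 445, "tcp"), (1, 139, "tcp"), (2, 445, "tcp"),
         (3, 445, "tcp"), (4, 445, "tcp"), (5, 502, "tcp")]


def build_inventory() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO asset VALUES (?,?,?,?,?,?)", ASSETS)
    con.executemany("INSERT INTO listening_port VALUES (?,?,?)", PORTS)
    return con


def smb_exposed_hosts(con: sqlite3.Connection) -> List[Dict]:
    """Hosts with 139 or 445 open: the only ones in scope for an SMB worm."""
    rows = con.execute(
        """SELECT DISTINCT a.host, a.os, a.ms17_010_applied, a.backup_current
           FROM asset a JOIN listening_port p ON p.asset_id = a.id
           WHERE p.proto = 'tcp' AND p.port IN (?, ?)
           ORDER BY a.host""", SMB_PORTS).fetchall()
    keys = ("host", "os", "patched", "backup_current")
    return [dict(zip(keys, r)) for r in rows]


def triage(host: Dict) -> List[str]:
    """Map one exposed host to the checklist actions it still needs."""
    actions = []
    if host["patched"]:
        actions.append("already patched: verify, no further SMB action")
    else:
        if host["os"] in UNSUPPORTED_WITH_EMERGENCY_PATCH:
            actions.append("apply MS17-010 emergency patch for unsupported OS")
        else:
            actions.append("apply MS17-010 patch")
        actions.append("disable SMB or block 139/445 on host firewall until patched")
    if not host["backup_current"]:
        actions.append("image/backup before any change")
    return actions


def work_plan(con: sqlite3.Connection) -> Dict[str, List[str]]:
    return {h["host"]: triage(h) for h in smb_exposed_hosts(con)}


if __name__ == "__main__":
    for host, actions in work_plan(build_inventory()).items():
        print(host, "->", "; ".join(actions))
```

The controller (plc-01) drops out of the plan entirely, which is the point of scoping by listening port rather than by IP list.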

Now that you have your marching orders, here are a couple of other sources of information for you to review.  The first article is one written by our very own Technical Director for EMEA, based in the UK.  His article ‘When Worms Attack Critical Infrastructure’ can be found here.

Additionally our senior advisor and ‘godfather’ of ICS security Eric Byres helped out our friends at ISSource with his article titled ‘How to Protect Against WannaCry’.

And be sure to check back soon – very shortly we will be publishing a more detailed analysis of how an orchestrated tool like our Verve Security Center, with its 100% visibility into your assets and their status and the ability to tune endpoints from our portal, could speed future efforts like this.  Stay tuned!

RKNeal Orchestration Concept Published in ARC View

The risk of cyber incidents remains high for industrial plants and critical infrastructure. Many operators have invested in sophisticated cyber defenses, but most struggle to sustain them. Staff are overwhelmed with the complexity of managing a never-ending stream of product patches and updates for a multitude of assets and security products.

Verve Security Center helps to cut through the confusion, minimize the effort, and maximize the accuracy and efficiency of an operations-based cyber security program. Recently Verve worked with ARC to define and describe what has been coined an ‘orchestrated approach’ to cybersecurity. To read the full ARC View report, click here.

Where To Find ICS Security Breach Data

It can be a struggle to find real data regarding what is going on in the ICS threat landscape. But if you know where to look, the data is out there. A recent article highlights 6 great resources:

For more background on these ICS threat data sources, and the full article, see: Where-to-Find-Hard-to-Get-Industrial-Security-Data

Protecting Industrial Control Systems: An Integrated Approach

Technical white paper

Through our work with critical infrastructure operators we have studied a significant number of security solutions offered to meet both the minimum regulatory requirements and the more stringent security requirements of industry-leading companies. Our findings are not surprising, but unfortunately we did not find a solution that was comprehensive or offered the defense-in-depth strategy necessary for adequate protection.

The purpose of this white paper is to present a novel cyber security framework for deploying and managing best-in-breed cyber threat management products across multiple OEM vendors.

To read the full white paper, please click here.


What Specific NERC CIP Standards Does The Verve Security Center Apply To?

Verve recently developed a new brochure to highlight which specific NERC CIP version 5 standards the Verve Security Center applies to. The Verve Security Center is a centralized security suite that consolidates multiple best-of-breed technologies into a unified management console.  We understand the unique differences between traditional IT environments and industrial control systems (ICS) because of our extensive ICS background. For the past 22 years, Verve and its predecessor, Rkneal, have been focusing on turnkey DCS, PLC and SCADA upgrades within the utilities industry. In fact, the power industry represents 90% of our business.

Verve helps automate many of the requirements associated with CIP 005, 007, 009 and 010. It also provides several layers of evidence gathering. For more information, please download our NERC CIP Mapping brochure.


DHS Report, Application Whitelisting And Patching Play A Crucial Role

Application whitelisting and patch management are just two of the technologies integrated into the Verve Security Center

According to a recent United States Department of Homeland Security (DHS) report, application whitelisting and proper patch management mitigate 67 percent of “common exploitable weaknesses in ‘as-built’ control systems.” The December 2015 report, “Seven Strategies to Defend Industrial Control Systems”, highlights the rise in cyber attacks targeting U.S. critical infrastructure.

Of the 295 incidents reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last year, the report cites that 98 percent would have been prevented if system owners had implemented its recommended strategies. Accordingly, the report details its top seven strategies to protect industrial control systems (ICS) from today’s modern attacks.

“This is the beauty behind the Verve Security Center,” said Adam Brewer, Director of Business Development. “Verve deploys a true defense in depth strategy. In addition to application whitelisting and patching, Verve consolidates antivirus, change management, security information & event management (SIEM), vulnerability assessments, intrusion detection and backup management technologies into a unified management console.”

Since 2009, Rkneal has deployed the Verve Security Center at multiple power plants and substations.


How Is The Verve Security Center Different?

There are a number of cyber security products currently on the market that specialize in change management, asset management and vulnerability assessments. But when it comes to executing and deploying actions (i.e. patching, antivirus scans, backups, etc.) from a single, unified console, these products are quite limited. As a quick refresher, the Verve Security Center is a centralized security suite that consolidates multiple technologies into a single solution. These technologies include:

  • Antivirus
  • Application Whitelisting
  • Vulnerability Scans
  • Change & Configuration Management
  • Patching
  • Backup Management
  • Security Information & Event Management (SIEM)
  • Compliance

Execute Actions From A Single, Unified Console

Regardless of whether you want to deploy patches, capture a full-image backup, execute an antivirus scan, install agents or run a vulnerability assessment, these actions are all done in the same consistent manner, using a single interface. From a customer perspective, the Verve Management Console is the real power behind the Verve Security Center because it provides a level of simplicity and flexibility not seen in other products.

“Our customers demand a product that is easy to set up and maintain,” says Adam Brewer, Director of Business Development. “This is especially true if the customer wants to standardize their fleet. The Verve Management Console provides users with a single location to not only execute actions, but also gather evidence and generate reports. In addition, it allows our customers to automate many of the processes associated with compliance.”

Vendor Agnostic

As systems integrators, nearly all of the facilities we walk into do not have the luxury of a single DCS or PLC system. Instead, multiple controls platforms are present. We made certain the Verve Security Center was vendor agnostic and able to support multiple DCS, PLC and SCADA platforms. In fact, Verve is currently protecting a power generation facility where eight different control systems are present.

Geared Specifically Toward Control Systems

Verve was founded as Rkneal, an industrial engineering firm, over 20 years ago.  ICS is what our company was founded on over two decades ago, and this area of expertise remains our core business today. When designing and developing the Verve Security Center, one of our guiding principles was to never impact or disrupt the operations environment. This forced us to take CPU usage and scalability into account, and to ensure the technologies we leverage never automatically reboot endpoints. It also allows us to set up vendor profiles based on our controls experience: we know what ports and services are required for each control system and can use predefined templates, saving our customers precious time.

For more information on the Verve Security Center or to schedule a product demo, please contact us.


Verve Security Center Case Study

Tripwire, a leading provider of advanced threat, security and compliance solutions, recently featured the Verve Security Center in a case study. The study highlights the “plug and play” capability, which easily enables our clients to integrate best-in-class solutions into Verve’s centralized management console.

According to Adam Brewer, Director of Business Development, “The decision to integrate Tripwire CCM into our flagship product, the Verve Security Center, was a very easy one: Most of our clients already have it in their current infrastructure so it allows us to leverage their current environment.”

The Verve Security Center is a centralized security suite that consolidates multiple cyber security technologies into a unified management console. Instead of developing our own proprietary technologies, we decided on a hybrid approach to leverage best of breed products. Extensive research, product review and evaluation helped us compile a list of the highest rated cyber security technologies.

To read the entire study, please visit Case Study.

About Verve:

Verve is a world-class engineering firm specializing in industrial control systems, cyber security and technical services. Since 1994, Verve and its predecessor, Rkneal, have successfully completed several intricate control system projects ranging from complete migrations, upgrades and conversions from older legacy systems to modern controls.

Our engineers have worked with every major DCS, PLC and SCADA system currently on the market. This broad range of control system expertise allows us to offer the best solution without bias toward a particular control system vendor. Learn more at

About Tripwire

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Learn more at