Author: Miles Pfefferle
2021-22 ICS Advisory Report (PPC)
What is MITRE ATT&CK? The Definitive Guide.
What is MITRE ATT&CK? The Definitive Guide.
Power Case Study for Securing Different Asset Types
Building an OT Cyber Security Roadmap
The Ultimate Guide to Understanding OT Security
–
Achieve CMMC Security Maturity (whitepaper)
Whitepaper: Applying the MITRE ATT&CK Framework
OT Endpoint Management Whitepaper
CPG Manufacturing Case Study
Summary
Verve worked with a leading Consumer Packaged Goods manufacturer to drive measurable and rapid improvements in their OT/ICS security, combining Verve Security Center and Verve Industrial Protection (VIP) services.
After a successful pilot project at a European facility where Verve conducted a technology-enabled vulnerability assessment, the client chose Verve as its global OT/ICS security platform and VIP services to deploy Verve and key third-party, integrated security components. Over a 12-month period, the CPG manufacturer achieved visible improvements in security by gaining deep asset inventory, risk visualization, and remediation across their global footprint from the United States to Europe to Asia.
Schedule a Demo
The Challenge
A leading consumer goods manufacturer completed an IT security transformation and sought to achieve the same level of security and systems management in OT as they had in IT.
Unfortunately, the OT team was not well- versed in security and had a wide variety of security approaches and overall OT ICS security maturity. Like many companies in the manufacturing sector, this organization went through multiple acquisitions and had different security strategies based on the plant it was acquired from.
The CISO and the board wanted a consistent IT/OT security approach so they could manage the overall security profile of the company. They needed a solution that could deliver similar IT security functionality, but take into account the complexities and sensitivities of manufacturing devices.
The Solution
Verve brought together the Verve Security Center platform and our VIP services to provide a turnkey solution to OT/ICS security. The client first deployed VSC to one site to ensure ease-of-use and product capability for plant IT to manage the solution. Based on the success of this initial plant, the rolled out VSC globally.
The first key characteristic of the solution was a simple, global deployment and maintenance operation given their limited plant staff. Verve’s software-based architecture, without the need for on-site deployment of hardware, was paramount to their success.
Second, the platform needed to enable rapid remediation to demonstrate progress. Verve’s closed-loop architecture ensured that the minute the software was deployed, remediation could begin.
Third, the solution needed to scale to enable central resources to analyze risks and plan remediation. Verve’s Think Global; Act Local architecture allowed central IT/ OT teams to evaluate risks, plan for remediation and design actions that could be distributed to sites for local automation.
The Verve services team deployed backup, application whitelisting, and other security tools alongside VSC and integrated those into the Verve dashboards for a single view into the client’s OT/ICS security requirements.
The Impact
Over a six month period of time, Verve and the client delivered measurable security improvements to the plants globally. Remote deployment and VIP services significantly reduced cost and time to maturity. The client delivered significant improvements without adding significant headcount.
Moreover, they were able to match its security capabilities across their entire global manufacturing footprint.
PPC – 5 Steps to Build an ICS Cybersecurity Program with IEC 62443 Standards
The ISA/IEC 62443 cybersecurity documents contain a lot of guidance that easily overwhelms or confuses people when unpacking its components. It covers a range of topics including how to:
- Build a Cybersecurity Management System (CSMS)
- Structure industrial cybersecurity assessments (while not replacing actual ISA 84 for example)
- Define security requirements for several Foundational Requirement (FR) areas
- Define, determine, apply, and evaluate target Security Levels (SL)
This article though is not to rehash those topics – those can be found in our ISA 62443 all-in-one guide – but instead, this article aims to help asset owners, integrators and customers understand how to begin a cybersecurity program to improve overall maturity against the elements of the IEC 62443 standard.
In the IT cybersecurity world, there is a plethora of frameworks and education. But in OT cybersecurity, it is paralyzing to understand and properly implement meaningful security. The good news is that it can be done safely in a way that considers both enterprise/IT and OT/ICS audiences via a phased and pragmatic approach.
Schedule a Demo
5 Steps to Build an ICS Cybersecurity Maturity Program Using the IEC 62443 Standards
- Security Foundations – Cyber Security Management System (CSMS) definition
- Develop the objectives, policies, metrics, and governance for the overall ICS security program
- Risk assessment
- Develop a detailed view of risks at each facility, endpoint, network, and user
- Design of security program
- Prioritize a set of initiatives to reduce risks across each area to achieve the security objectives established in phase 1
- Implementation & Testing
- Execute the plan and conduct robust testing of solutions, stand-alone as well as in concert with each other
- Maintenance & Continuous Improvement
- Ensure controls and execution is monitored and tracked and improvement occurs over time
For audiences that are more visual, the following diagram illustrates the five phases aligned for IEC 62443 compatibility:
Key Takeaways from IEC 62443 Standards
- Achieving IACS cybersecurity requires a combination of people, processes, and technologies. The foundational elements of a CSMS define an enterprise’s overall cybersecurity objectives including its risk tolerance, the potential impacts of events, the policies that the organization will adopt to ensure security, etc. These are not a “tool”. They require thoughtful debate and trade-offs, debated at senior levels of an organization.
However, to ensure the implementation of these policies as well as the maintenance and continuous improvement of overall security levels (SLs), technology is a critical component in the overall program. As we hear over and over, the number one challenge in achieving ICS cyber security is resources. Technology enables greater efficiency and effectiveness to reduce the resource burdens required.
- Monitoring is NOT enough. Security requires active management of the devices and systems to ensure they are secured as designed, and that security is maintained – and improved – over time. Certainly, monitoring or initial visibility is an important component. But to achieve true security level improvements, organizations need to conduct “OT Systems Management” to patch, harden configurations, manage users and accounts, manage anti-virus and other protective solutions, etc. This active management is a necessary capability in the overall Cyber Security Management System of any organization.
This point is perhaps best made in reviewing the Foundational Requirements (FR) in IEC 62443.
As seen in ISA 62443’s Foundational Requirements (FRs), monitoring technologies cannot provide sufficient overall coverage to allow asset owners to achieve an SL-T between 0 & 1 (basically, they might tell you something is wrong, but provide no level of resistance/protection).
| Functional Requirements | Security Requirement Area | CTI | Monitoring | OT Systems Management |
|---|---|---|---|---|
| IAC | SR 1.1 – Human user identification | Minimal | Minimal | Moderate |
| SR 1.2 – Software process and device identification and authentication | None | Minimal | Complete | |
| SR 1.3 – Account management | Minimal | None | Complete | |
| SR 1.4 – Identifier management | None | None | Complete | |
| SR 1.5 – Authenticator management | None | None | Complete | |
| SR 1.6 – Wireless access management | None | Minimal | Complete | |
| SR 1.7 – Strength of password-based authentication | None | None | Complete | |
| SR 1.8 – Public key infrastructure certificates | None | None | None | |
| SR 1.9 – Strength of public key authentication | None | None | Minimal | |
| SR 1.10 – Authenticator feedback | None | None | Minimal | |
| SR 1.11 – Unsuccessful login attempts | Minimal | Minimal | Complete | |
| SR 1.12 – System use notification | Minimal | Minimal | Complete | |
| SR 1.1.13 – Access via untrusted networks | None | None | None | |
| UAC | SR 2.1 – Authorization enforcement | None | None | Moderate |
| SR2.2 – Wireless use control | None | None | Minimal | |
| SR 2.3 – Use control for portable and mobile devices | None | None | Minimal | |
| SR 2.4 – Mobile code | None | None | None | |
| SR 2.5 – Session lock | None | None | Minimal | |
| SR 2.6 – Remote session termination | None | None | Minimal | |
| SR 2.7 – Concurrent session control | None | None | Minimal | |
| SR 2.8 – Auditable events | Minimal | Moderate | Complete | |
| SR 2.9 – Audit storage capacity | None | Moderate | Complete | |
| SR 2.10 – Response to audit processing failures | None | None | None | |
| SR 2.11 – Timestamps | None | Moderate | Moderate | |
| SR 2.12 – Non-repudiation | Minimal | Moderate | Moderate | |
| SI | SR 3.1 – Communication integrity | None | Minimal | Moderate |
| SR 3.2 – Malicious code protection | None | None | Complete | |
| SR 3.3 – Security functionality verification | None | None | Complete | |
| SR 3.4 – Software and information integrity | None | None | Complete | |
| SR 3.5 – Input validation | None | None | None | |
| SR 3.6 – Deterministic output | None | None | None | |
| SR 3.7 – Error handling | None | None | Complete | |
| SR 3.8 – Session integrity | None | Moderate | Moderate | |
| SR 3.9 – Protection of audit information | Minimal | Minimal | Moderate | |
| DC | SR 4.1 – Information confidentiality | Minimal | Minimal | Moderate |
| SR 4.2 – Information persistence | None | Minimal | Moderate | |
| SR 4.3 – Use of cryptography | None | Minimal | Moderate | |
| RDF | SR 5.1 – Network segmentation | None | None | None |
| SR 5.2 – Zone boundary protection | Minimal | Minimal | Moderate | |
| SR 5.3 – General purpose person-to-person communication restrictions | None | None | None | |
| SR 5.4 – Application partitioning | None | None | None | |
| TRE | SR 6.1 – Audit log accessibility | None | Moderate | Complete |
| SR 6.2 – Continuous monitoring | Moderate | Moderate | Complete | |
| RA | SR 7.1 – Denial of service protection | None | None | None |
| SR 7.2 – Resource management | None | None | Complete | |
| SR 7.3 – Control system backup | None | None | Complete | |
| SR 7.4 – Control system recovery and reconstitution | None | None | Moderate | |
| SR 7.5 – Emergency power | None | None | None | |
| SR 7.6 – Network and security configuration settings | None | Minimal | Complete | |
| SR 7.7 – Least functionality | None | None | Complete | |
| SR 7.8 – Control system component inventory | None | Minimal | Complete |
- FRs require a wide range of security management across all Systems Under Consideration (SUC) (both device level and process level), requiring holistic security approaches.
The FRs are comprehensive across a range of security elements. IEC 62443 applies both to product development/procurement as well as to the overall process operations of industrial controls systems. Many manufacturers are pursuing SL 1 or 2 status for their products, which is a great initial outcome of the standards. But true security will require operators, themselves, to adopt the standards across their systems-of-systems. Security of the control system involves the interaction of many components, broken into “zones” and “conduits”. IEC 62443 requires taking this system-wide look at security to increase maturity across the landscape.
To manage IEC 62443 across FRs, organizations need to manage their implementation and continuous improvement across multiple security elements and layers of SUCs. Using just one capability to secure an OT environment would be difficult for any resource, skilled or not, but organizations need to do this across multiple capabilities. Fortunately, the ISA/IEC 62443 committees have a diverse audience of OEMs, asset owners, and security practitioners, and the focus is on a combination of management, action, monitoring, and procedure. Each of these FRs can have specific SRs or another form of enhancement based on the use case.
If we are to continue with the philosophy that an organization’s security is made up of more than a single product’s SL-T designation, then it should stand to reason that cyber risk reduction for an asset owner must not just be for zones, conduits, devices, and endpoints – but instead inclusive of the larger ecosystem at a facility. This would mean an asset owner needs to cover in-depth several FRs, and multiple systems, zones, and conduits.
Verve Industrial and OT Systems Management for IEC 62443
For the past 30 years, Verve has worked with industrial organizations to improve the reliability and security of their control systems. The Verve Security Center platform was built to address this type of security management in an efficient manner. Asset owners need to be enabled to act, not merely stuck with a fire alarm that cannot let them own and manage the assets they have. They need a platform that traverses FRs and provides substantial coverage and functionality. They also need professional service support that can help develop the right foundations and risk assessments based on experience and best practices.
| Phase | Explanation | Applicable Verve Product and/or Service |
|---|---|---|
| Security Foundations / CSMS Definition | Governance and defined processes, procedures, documents, architectures, policies, and requirements for the overall organization, layer, zone, conduit or assets in question. These are broken into a few categories to determine areas requiring definition and application. | Verve advisory services leverages 30 years of ICS expertise and database of best practices to help organizations design the right cyber security management system for their organization. |
| Risk Assessment | A cyber risk assessment that can be performed via any number of methodologies. Most organizations opt for academic/paper-based gap assessments as an initial step before committing to a detailed risk assessment. | Verve Tech-Enabled Assessment: an approach that leverages the unique architecture and technical capabilities to provide a deep/Cross-FR assessment as well as a solution to remediate as well as monitor ongoing improvement and maintenance. |
| Design | Using detailed risk assessment results, projects or initiatives are formulated and executed upon. This generally has requirements analysis, site evaluations, solution inputs, and a plan is drafted towards piecing together an implementation. | Verve’s roadmap and security design services help clients develop appropriate sequenced initiatives to systematically improve their overall security levels. These include roadmap sequencing, network design, solution, and organization design elements. |
| Implementation & Testing | Shifting from design to execution. This includes hardening, patching, user & access management limitations, etc. It also includes new device and SUC testing in advance of deployment of those systems. | The Verve Security Center provides a robust integrated OT system management capability across most of the key tech-enabled FRs. The platform speeds the implementation of many FR requirements and allows for testing. In addition, Verve services assist clients in implementing network segmentation and “zones” and “conduits” implementations. |
| Maintenance, Management & Continuous Improvement | Security degrades as a function of time, updates need to be evaluated for priority & application, users removed or modified, software uninstalled, and other maintenance applied. Technology requires proper systems management, and ICS/OT environments are no different. Frequent and up-to-date dashboard highlighting work areas and having teams/products to action on them is critical. | Verve Security Center constantly monitors the current status of all security across FRs. For instance, providing review of account and user status and risks, new patches and vulnerabilities discovered, devices that drift from hardened security configurations. Verve can also be used to continually update security settings across SUCs to maintain and improve Security Levels (SL). |
It is important to note that depending on the type of asset or even the System under Consideration (SuC), the applicable FRs may change, and so do the solutions possible to enable certain controls. For example, securing a Windows-based HMI or Historian will certainly be different than securing a PLC cabinet. Verve provides controls, improves visibility on cyber-risks, and safely inventories across a variety of device types:
- Routers and switches
- Laptops, desktops, and servers
- Human Machine Interfaces (HMI)
- Programmable Logic Controllers (PLC)
- Flow and valve controllers/sensors
- Distributed Control Systems (DCS)
ISA 62443 alignment requires coverage across all areas of the People-Process-Technology spectrum. In fact, it explores organizational aspects including requiring processes/procedures, maintaining asset inventories, applying security controls, and of course, having the resources or partners to do so. This means an effective security product should be robust and not limit itself to targeting one specific type of asset. Security is not a one-time investment, but a continuous investment similar to purchasing and maintaining a vehicle.