The United States Computer Emergency Readiness Team revised Alert TA17-164A, detailing technical details on the tools and infrastructure used by cyber actors of the North Korean government. While the alert was written to address the specific actors, the mitigating actions recommended in this alert are effective against similar techniques used by any actors. As these techniques become well known by the user community, other actors may use them or derive similar techniques for use in their own campaigns against other targets.
Alert TA17-164A is of particular concern to asset owners and operators of industrial control systems because these actors “commonly target systems running older, unsupported versions of Microsoft operating systems.”
The actors used vulnerabilities targeting the Adobe Flash Player and Microsoft Silverlight applications. The versions of Microsoft Windows commonly used in industrial control systems lag those used in commercial environments, and are not always replaced or upgraded when Microsoft ends support. The Adobe Flash Player and Microsoft Silverlight applications are used in support of machine interface or supervisory applications in operational technology environments.
The alert encourages all network administrators to apply several mitigation strategies. These strategies work best when integrated together to form a stronger security fabric.
Applicable strategies for industrial control systems:
- Patch applications and operating systems
- Use application whitelisting
- Restrict administrative privileges
- Segment networks and segregate them into security zones
- Understand firewalls
Patch Applications & Operating Systems
Owners and operators should take every opportunity to patch their control system assets. Traditional claims that patching activities are a greater risk than the vulnerabilities themselves neglect the experience of the last several years, beginning with the revelations of Stuxnet software and continuing with its derivatives and a steady drumbeat of vulnerabilities specific to industrial applications, controllers, and common support equipment.
Any owner or operator of an industrial control system should have an active program to periodically evaluate and install patches to applications and operating systems for all devices in their environment. This should be commonplace, even if the period is annual or semi-annual, depending on the downtime requirements and perceived risk of process disruption.
The use of application whitelisting and the restriction of administrative privileges in operational technology environments is best practice, particularly on systems using Microsoft operating systems. Controllers and common support equipment don’t typically support whitelisting (or the function is effectively supplied by the manufacturer at varying degrees of effectiveness).
Application whitelisting is particularly effective in a controls environment because the application use is relatively limited and static. Many of the biggest issues with whitelisting in the IT context, i.e., whitelisting “bloat”, is significantly lower in control systems.
Restricting Administrative Privileges
Restricting administrative privileges is another cybersecurity best practice. The increased risk of denying support personnel ready access to these devices may offset the benefits of restricting the privileges against this threat. There are several means of achieving this objective from installing more advanced and limited password usage to alerting on new admin account access, to review of admin account usage on a regular basis. Importantly, these solutions must depend on the type of device at issue.
Employing a range of alerting and review solutions, along with true restriction on certain devices, is the most balanced approach to security and operational reliability.
Network Segmentation & Understanding Firewalls
Segmenting networks and the use of effective firewalls are critical elements to any cybersecurity or reliability solution. Segmentation improves overall reliability of industrial control systems, harden these systems against lateral movement of malicious actors within the environment, and aid in managing the scope of an incident response effort.
Continual review and updating of rules and protocols on how to control network traffic, enforce communications protocols, and provide central intrusion detection functionality enables the network administrator to apply the principles of continuous improvement to the network’s security profile over time.
Critical to segmentation is a thorough understanding of firewalls and routers. In certain cases routers are used as less functional firewalls where complex networks can benefit from less traffic control between closely interdependent segments.
Networks are segmented into security zones in many ways. Two common strategies are to segment networks by the service provided to the facility or to segment networks by class of asset. Both of these strategies are equally effective, although it may be less costly to use one over another depending on the details of the environment.
Segmenting networks by service provided allows each service to the facility to be isolated during an incident, whether the incident is non-malicious (such as a simple broadcast storm) or malicious (worm activity spreading by the SMB protocol). When an incident occurs, a router or firewall provides some warning of unusual activity to network administrators or security analysts and possibly prevent an incident from directly impacting more than one service to the facility.
Many facilities have storage or redundancy of utility services that allow for the continued provision of at least limited service during an incident. While the use of a large storage tank may be independent of the segmentation strategy, conscious decisions should be made about the co-location of redundant services within a segment. Spanning parallel networks (either physical or virtual) throughout a large facility is no longer considered a standard practice in commercial network design, but still finds widespread use in industrial control systems.
Segmenting networks by the class of assets isolates threats to individual platforms. Machine interfaces need to communicate with controllers, but not with each other. Placing all machine interface hosts in a common segment and using private virtual networking applies micro-segmentation to the environment. Each machine interface host easily communicates with its controllers but not with other similar hosts.
By keeping controllers on a separate segment, the firewall has the opportunity to limit communications between the host and the controllers to only those protocols used for control functions. Malicious code introduced to any host will be unable to compromise the dissimilar platform using any protocol. Many denial of service attacks targeting controllers from the machine interface hosts become ineffective in this case.
A key consideration in designing network segments is the definition of security zones. Zones are defined using the NIST Cybersecurity Framework for guidance. Common zones used in operational technology environments include but are not limited to:
* Process Information Network (aka Demilitarized Zone, providing process information to the commercial environment)
* Remote Access Network
* Management or Supervisory Network (providing management workstations and supervisory network services such as log collection, performance monitoring, and event analysis servers)
* Process Control Networks (Distributed Control Systems, Supervisory Control and Data Acquisition Systems, or hybrid machine interface, controller, and instrumentation networks)
* Operational Networks
** Operational Supervisory Network
** Basic Control Network (typically machine interfaces, alarming, and controllers)
** Safety Network (independent safety controllers and instrumentation)
** Process Network (networked instrumentation, including both sensors and control elements
Security vendors discuss advanced security features of new products and technologies and their ability to make a network more secure. However, this recent CERT release explains how critical the fundamentals of cybersecurity are, especially in critical industrial control systems. Patching, application whitelisting, admin privilege management, segmentation are all critical to get right to ensure you can both protect as we as detect potential threats.