Fundamentals of ICS Security – US CERT TA17-164A

Introduction

The United States Computer Emergency Readiness Team recently revised Alert TA17-164A, detailing technical details on the tools and infrastructure used by cyber actors of the North Korean government.  While the alert was written to address the specific actors, the mitigating actions recommended in this alert are effective against similar techniques used by any actors.  As these techniques become well known by the user community, other actors may use them or derive similar techniques for use in their own campaigns against other targets.

The alert should be of particular concern to owners and operators of industrial control systems because these actors “commonly target systems running older, unsupported versions of Microsoft operating systems.”  The actors have also used vulnerabilities targeting the Adobe Flash Player and Microsoft Silverlight applications.  The versions of Microsoft Windows commonly used in industrial control systems typically lags those used in commercial environments, and are not always replaced or upgraded when Microsoft ends support.  The Adobe Flash Player and Microsoft Silverlight applications are sometimes used in support of machine interface or supervisory applications in operational technology environments.

The alert encourages all network administrators to apply several mitigation strategies.  These strategies work best when integrated together to form a stronger security fabric. A few of these strategies are particularly applicable to industrial control systems:

1. Patch applications and operating systems
2. Use application whitelisting
3. Restrict administrative privileges
4. Segment networks and segregate them into security zones
5. Understand firewalls

Patch Applications & Operating Systems

Owners and operators should take every opportunity to patch their control system assets.  Traditional claims that patching activities are a greater risk than the vulnerabilities neglect the experience of the last several years, beginning with the revelations of the Stuxnet software and continuing with its derivatives and a steady drumbeat of vulnerabilities specific to industrial applications, controllers, and common support equipment.  Any owner or operator of an industrial control system should have an active program to periodically evaluate and install patches to applications and operating systems for all devices in their environment, even if the period is annual or semi-annual, depending on the downtime requirements and perceived risk of process disruption.

Application Whitelisting

The use of application whitelisting and the restriction of administrative privileges in operational technology environments is becoming a best practice, particularly on systems using Microsoft operating systems.  Controllers and common support equipment don’t typically support whitelisting (or the function is effectively supplied by the manufacturer at varying degrees of effectiveness).  Application whitelisting can be particularly effective in a controls environment because the application use is relatively limited and static.  Many of the biggest issues with whitelisting in the IT context, i.e., whitelisting “bloat”, is significantly lower in control systems.

Restricting Administrative Privileges

Restricting administrative privileges is a security best practice.  However, the increased risk of denying support personnel ready access to these devices may offset the benefits of restricting the privileges against this threat. There are several means of achieving this objective – from installing more advanced and limited password usage, to alerting on new admin account access, to review of admin account usage on a regular basis. Importantly, these solutions must depend on the type of device at issue.  We find that employing a range of “alerting & review” solutions along with true restriction on certain devices is the most balanced approach to security and operational reliability.

Network Segmentation & Understanding Firewalls

Segmenting networks and use of effective firewalls are critical elements to any cybersecurity or reliability solution, for that matter. Segmentation can improve overall reliability of industrial control systems, harden these systems against lateral movement of malicious actors within the environment, and aid in managing the scope of an incident response effort.  Further, continual review and updating of rules and protocols on how to control network traffic, enforce communications protocols, and provide central intrusion detection functionality enables the network administrator to apply the principles of continuous improvement to the network’s security profile over time.

Critical to segmentation is a thorough understanding of firewalls and routers.  In certain cases routers can be used as less functional firewalls where complex networks can benefit from less traffic control between closely interdependent segments.

One can segment networks into security zones in many ways.  Two common strategies are to segment networks by service provided to the facility or to segment networks by class of asset.  Both of these strategies can be equally effective, although it may be less costly to use one over another depending on the details of the environment.

Segmenting networks by service provided allows each service to the facility to be isolated during an incident, whether the incident is non-malicious (such as a simple broadcast storm) or malicious (worm activity spreading by the SMB protocol).  When an incident occurs, a router or firewall can provide some warning of unusual activity to network administrators or security analysts and possibly prevent an incident from directly impacting more than one service to the facility.  Many facilities have storage or redundancy of utility services that can allow for the continued provision of at least limited service during an incident.  While the use of a large storage tank may be independent of the segmentation strategy, conscious decisions should be made about the co-location of redundant services within a segment.  Spanning parallel networks (either physical or virtual) throughout a large facility is no longer considered a standard practice in commercial network design, but still finds widespread use in industrial control systems.

Segmenting networks by class of asset isolates threats to individual platforms.  Machine interfaces typically need to communicate with controllers, but not with each other.  Placing all machine interface hosts in a common segment and using private virtual networking begins to apply micro-segmentation to the environment; each machine interface host can easily communicate with its controllers but not with other similar hosts.  By keeping the controllers on a separate segment, the firewall has the opportunity to limit communications between the host and the controllers to only those protocols used for control functions.  Malicious code introduced to any host will be unable to compromise the dissimilar platform using any protocol; many denial of service attacks targeting controllers from the machine interface hosts also become ineffective in this case.

A key consideration in designing network segments is the definition of security zones.  Zones can be defined using the NIST guidance.  Common zones used in operational technology environments include but are not limited to

* Process Information Network (aka Demilitarized Zone, providing process information to the commercial environment)

* Remote Access Network

* Management or Supervisory Network (providing management workstations and supervisory network services such as log collection, performance monitoring, and event analysis servers)

* Process Control Networks (Distributed Control Systems, Supervisory Control and Data Acquisition Systems, or hybrid machine interface, controller, and instrumentation networks)

* Operational Networks

** Operational Supervisory Network

** Basic Control Network (typically machine interfaces, alarming, and controllers)

** Safety Network (independent safety controllers and instrumentation)

** Process Network (networked instrumentation, including both sensors and control elements

Summary

Security vendors and the press often discuss all of the more advanced security features of new products and technologies. And all of these solutions can potentially help make a network more secure. However, this recent CERT release explains how critical the fundamentals of cybersecurity are, especially in critical industrial control systems. Patching, application whitelisting, admin privilege management, segmentation are all critical to get right to ensure you can both protect as we as detect potential threats.