Module 1-10 Flashcards
Assess Phase?
- High-Level Cyber Risk Assessment
- Allocation of IACS assets to Zones/Conduits
- Detailed Risk Assessment
62443-3-2
Development & Implementation Phase?
- Cybersecurity Requirements Specification (CRS)
62443-3-2 - Design and Engineering of Cybersecurity Countermeasures (CC)
62443-3-3 - Installation, Commissioning, and Validation of CC
Maintain Phase?
- Cybersecurity Maintenance, Monitoring, and Management of Change (MoC)
- Cyber Incident Response and Recovery
62443-2-1
Continuous Process
Cybersecurity Management System (CSMS): Policies, Procedures, Training, and Awareness
Periodic Cybersecurity Audits
62443-2-1
Interpreting CRS
The output of the Assess phase risk assessment, the Cybersecurity Requirements Specification (CRS), is the input to the Development & Implementation phase.
Security Level (SL) Definitions
0 = No specific requirements or security protection necessary.
1 = Protection against casual or coincidental violation
2 = Protection against intentional violation using simple means with low resources, generic skills and low motivation
3 = Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
4 = Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
SL Types
SL-T = Target: the desired security level for a zone or conduit, set from the risk assessment
SL-A = Achieved: the actual security level of the system as built and operated
SL-C = Capability: the security level a component or system can provide when properly configured and integrated, independent of where it is deployed
Four Ts for Managing Risk
Terminate
Tolerate
Transfer
Treat
5 Ds of Treating Risk
Defeat
Delay
Deny
Detect
Deter
Steps to Developing a Security Strategy
I R E I D
Identify Zones
Review Risk Assessment results
Establish SL-T
Identify Physical and Cyber Access points
Develop a 5D physical and cyber strategy for each access point
Seven Foundational Requirements (62443-3-3)
I U S D R T R
1. Identification and Authentication Control (IAC)
2. Use Control (UC)
3. System Integrity (SI)
4. Data Confidentiality (DC)
5. Restricted Data Flow (RDF)
6. Timely Response to Events (TRE)
7. Resource Availability (RA)
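Worked example for the SL-T / SL-A / SL-C cards and the seven FRs above. This is added here and is not part of the flashcards or of the standard. It assumes security levels are written as 7-element SL vectors (one value 0..4 per FR, in the order IAC, UC, SI, DC, RDF, TRE, RA) and compares a zone's SL-T against the SL-C of its components and against a measured SL-A; the zone target, component names and capability figures are constructed.

```python
"""SL-T / SL-C / SL-A comparison per foundational requirement (FR).

Added example, not part of the flashcards or of the 62443 text itself.
Assumed: security levels are expressed as 7-element SL vectors, one value
0..4 per FR in the order IAC, UC, SI, DC, RDF, TRE, RA.
Zone target, component names and their capability figures are constructed.
"""

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Constructed zone target from a (hypothetical) detailed risk assessment.
ZONE_SL_T = {"IAC": 2, "UC": 2, "SI": 2, "DC": 1, "RDF": 2, "TRE": 2, "RA": 2}

# Constructed SL-C figures, as a supplier might state them for 62443-4-2
# component types; not real product data.
COMPONENTS = {
    "PLC-01 (embedded device)": {"IAC": 1, "UC": 1, "SI": 2, "DC": 1, "RDF": 2, "TRE": 1, "RA": 2},
    "HMI-01 (host device)":     {"IAC": 2, "UC": 2, "SI": 2, "DC": 2, "RDF": 1, "TRE": 2, "RA": 2},
    "SW-01 (network device)":   {"IAC": 2, "UC": 2, "SI": 2, "DC": 1, "RDF": 3, "TRE": 2, "RA": 2},
}


def validate_vector(vec, name="SL vector"):
    """Reject vectors that miss an FR or use a value outside SL 0..4."""
    missing = [fr for fr in FRS if fr not in vec]
    if missing:
        raise ValueError(f"{name}: missing FRs {missing}")
    bad = {fr: vec[fr] for fr in FRS if vec[fr] not in range(5)}
    if bad:
        raise ValueError(f"{name}: SL values must be 0..4, got {bad}")
    return vec


def weakest_link(vectors):
    """Per-FR minimum across components.

    Simplifying assumption: for each FR the zone can be no more capable than
    its least capable component. In practice compensating countermeasures in
    the zone or conduit design can raise the achieved level above this floor.
    """
    vectors = [validate_vector(v) for v in vectors]
    return {fr: min(v[fr] for v in vectors) for fr in FRS}


def shortfalls(target, actual):
    """FRs where the actual (SL-C or SL-A) level is below target, with the gap."""
    validate_vector(target, "SL-T")
    validate_vector(actual, "SL-C/SL-A")
    return {fr: target[fr] - actual[fr] for fr in FRS if actual[fr] < target[fr]}


def meets_target(target, achieved):
    """True when SL-A reaches SL-T on every FR (exceeding it is fine)."""
    return not shortfalls(target, achieved)


def vec_str(vec):
    return "SL " + " ".join(str(vec[fr]) for fr in FRS)


def gap_report(zone, target, components):
    """Gap analysis: which FRs fall short and which components limit them."""
    cap = weakest_link(components.values())
    lines = [f"Zone {zone}: SL-T {vec_str(target)} (order: {' '.join(FRS)})",
             f"  SL-C (weakest link): {vec_str(cap)}"]
    gaps = shortfalls(target, cap)
    if not gaps:
        lines.append("  component capabilities cover the target on every FR")
    for fr, delta in gaps.items():
        limiting = [name for name, v in components.items() if v[fr] == cap[fr]]
        lines.append(f"  {fr}: short by {delta} (limited by {', '.join(limiting)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report("Packaging line", ZONE_SL_T, COMPONENTS))
```

Running it lists the FRs where the weakest component caps the zone below its SL-T (here IAC, UC, RDF and TRE), which is exactly the input the Design & Engineering step needs: either pick components with a higher SL-C for those FRs or add compensating countermeasures, then re-check the measured SL-A with meets_target.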
FR Technologies
System Integrity: Malware/Anti-virus
Data Confidentiality: Encryption
System Integrity and Data Confidentiality (both): physical security, secure protocols
Restricted Data Flow: Firewall, VLAN
Timely Response to Events: IDS/IPS
Resource Availability: Backup/recovery tools
62443-4-2 Overview
Used by product suppliers to state the security capabilities (SL-C) of their components; component types: software application, embedded device, host device, network device
Series of Component Requirements (CRs) and Requirement Enhancements (REs)
The CRs are derived from the System Requirements (SRs) and REs of 62443-3-3 and refine them to the component level
Network types for IACS
Mesh, Star (Hub-and-Spoke), Ring, Bus, Hybrid
ISO/OSI Reference model layers and description
- Physical - physics of getting bits between devices: cabling, signalling, connectors (Ethernet physical layer, IEEE 802.3)
- Data Link - rules for framing, converting electrical signals to data, physical/MAC addressing (Ethernet, IEEE 802.3)
- Network - routing messages through complex networks, logical addressing (IP, ICMP; ARP is listed here in the course material, although it sits between L2 and L3 since it maps IP addresses to MAC addresses)
- Transport - transparent transfer of data between hosts, end-to-end recovery, flow control (TCP/UDP)
- Session - persistent logical linking of two software applications; mechanisms for opening, closing and managing sessions (RPC)
- Presentation - delivers and formats data for L7, format conversion, encryption/security (SSL/TLS)
- Application - interfaces with software applications that have a communicating component: email (SMTP), file transfer (FTP), web (HTTP)
Problems with OSI model?
Layer specifications are FUNCTIONAL only: they say what each layer does, not how to implement it
Too complex for many applications; industrial protocols typically collapse L5, L6 and L7 into a single layer
How do Network Discovery and Security Auditing Tools affect IACS
May adversely affect hazardous materials/operations/equipment
Safety systems could be triggered
Disrupt the flow of the control system
Three classes of firewalls
Packet Filter - filters on packet headers only (addresses, ports, protocol); stateless, each packet is judged on its own
Stateful Inspection - tracks the state of each connection and blocks packets that deviate from the expected state (e.g. a data packet with no preceding handshake)
3 states: connection establishment, usage, termination
Deep Packet Inspection - inspects the application-layer payload rather than just headers; understands the protocol (e.g. Modbus function codes) and can detect malware or disallowed commands, a basic intrusion-detection capability
Steps in Firewall Planning
P I T D M
Plan - select technologies
Install & Configure - Install device, soft/firmware, patch/update. Configure users, policies, rules, ACLs
Test - Connectivity, rulesets, security, performance
Deploy - notify users, integration with routers/switches, test, back up
Manage - Maintain policies, patching, MoC, Config mgmt., Logs, Audits
IACS Firewall configuration best practices
Deny all, allow by exception (default deny; every permitted flow is an explicit rule)
No direct connections from the Internet to the ICS network
Restrict access between CORP and PROD networks
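Worked example for the three firewall classes and the IACS firewall best practices above. This is added here and is not from the flashcards. It models, over a constructed packet trace, a default-deny packet filter (allow by exception), stateful tracking of each TCP connection through establishment, usage and termination, and deep packet inspection of Modbus/TCP so that an HMI may only read while only the engineering workstation may write to the PLC. The hosts, addresses, rules and trace are all constructed, and packets are plain dicts rather than captured frames so the block runs offline.

```python
"""Packet filter, stateful inspection and Modbus/TCP deep packet inspection
over a constructed packet trace.

Added example, not from the flashcards. Hosts, addresses, rules and the trace
are constructed; packets are dicts rather than raw frames so it runs offline.
"""
import ipaddress
import struct

# Constructed addressing: engineering workstation, HMI and PLC in PROD.
ENG_WS, HMI, PLC = "10.20.1.10", "10.30.0.20", "10.30.0.5"
MODBUS_READS = {1, 2, 3, 4}      # read coils / inputs / holding / input registers
MODBUS_WRITES = {5, 6, 15, 16}   # write coil(s) / register(s)

# Allow-by-exception rule set; anything not matched is dropped (default deny).
# "functions" is the set of Modbus function codes DPI accepts on that flow.
RULES = [
    {"src": ipaddress.ip_network(ENG_WS), "dst": ipaddress.ip_network(PLC),
     "dport": 502, "functions": MODBUS_READS | MODBUS_WRITES},
    {"src": ipaddress.ip_network(HMI), "dst": ipaddress.ip_network(PLC),
     "dport": 502, "functions": MODBUS_READS},
]


def parse_modbus(payload):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP ADU."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP ADU")
    txid, proto, length, unit, func = struct.unpack("!HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload")
    return {"transaction": txid, "unit": unit, "function": func}


def modbus_adu(func, pdu_data, txid=1, unit=1):
    """Build a Modbus/TCP request ADU (used here to construct test traffic)."""
    pdu = bytes([func]) + pdu_data
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu


class StatefulFirewall:
    """Default-deny filter tracking each TCP connection through establishment,
    usage and termination, with Modbus DPI on the established flows."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = {}  # (client, cport, server, sport) -> {"state", "rule"}

    def _rule_for(self, pkt):
        for rule in self.rules:
            if (ipaddress.ip_address(pkt["src"]) in rule["src"]
                    and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
                    and pkt["dport"] == rule["dport"]):
                return rule
        return None

    def _inspect(self, pkt, rule):
        payload = pkt.get("payload", b"")
        if not payload:
            return "ACCEPT", "established connection"
        try:
            adu = parse_modbus(payload)
        except ValueError as exc:
            return "DROP", f"DPI: {exc}"
        if adu["function"] not in rule["functions"]:
            return "DROP", f"DPI: Modbus function {adu['function']} not permitted from {pkt['src']}"
        return "ACCEPT", f"DPI: Modbus function {adu['function']} permitted"

    def filter(self, pkt):
        """Return (verdict, reason) for one packet and update connection state."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if rev in self.conns:  # server-to-client direction of a tracked flow
            conn = self.conns[rev]
            if flags == "SYN-ACK" and conn["state"] == "SYN_SENT":
                conn["state"] = "SYN_RECEIVED"
            elif flags in ("FIN", "RST"):
                del self.conns[rev]
            return "ACCEPT", "reply on tracked connection"
        conn = self.conns.get(fwd)
        if conn is None:  # only a SYN may open a flow, and only if a rule allows it
            if flags != "SYN":
                return "DROP", "no connection state for non-SYN packet"
            rule = self._rule_for(pkt)
            if rule is None:
                return "DROP", "no rule allows this flow (default deny)"
            self.conns[fwd] = {"state": "SYN_SENT", "rule": rule}
            return "ACCEPT", "new connection permitted by rule"
        if flags in ("FIN", "RST"):
            del self.conns[fwd]
            return "ACCEPT", "connection terminated"
        if flags == "ACK" and conn["state"] == "SYN_RECEIVED":
            conn["state"] = "ESTABLISHED"
            return "ACCEPT", "handshake complete"
        if conn["state"] != "ESTABLISHED":
            return "DROP", "data before handshake completed"
        return self._inspect(pkt, conn["rule"])


def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "payload": payload}


def handshake(client, cport, server, sport):
    return [pkt(client, cport, server, sport, "SYN"), pkt(server, sport, client, cport, "SYN-ACK"),
            pkt(client, cport, server, sport, "ACK")]


# Constructed trace: HMI reads then tries a write; an Internet host and a CORP host
# probe the PLC; the engineering workstation writes; then a bogus protocol id.
TRACE = (handshake(HMI, 40001, PLC, 502) + [
    pkt(HMI, 40001, PLC, 502, "PSH-ACK", modbus_adu(3, b"\x00\x00\x00\x0a")),
    pkt(HMI, 40001, PLC, 502, "PSH-ACK", modbus_adu(6, b"\x00\x10\x00\x01")),
    pkt("203.0.113.7", 51000, PLC, 502, "SYN"),
    pkt("10.10.5.5", 52000, PLC, 502, "PSH-ACK", modbus_adu(3, b"\x00\x00\x00\x01")),
] + handshake(ENG_WS, 41000, PLC, 502) + [
    pkt(ENG_WS, 41000, PLC, 502, "PSH-ACK", modbus_adu(16, b"\x00\x10\x00\x01\x02\x00\x2a")),
    pkt(ENG_WS, 41000, PLC, 502, "PSH-ACK", b"\x00\x01\x00\x01\x00\x02\x01\x03"),
])


def run_trace(fw, trace):
    return [fw.filter(p)[0] for p in trace]


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    for p in TRACE:
        verdict, reason = fw.filter(p)
        print(f"{verdict:6} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['flags']:7} {reason}")
```

The three layers show the progression of the card: the rule table alone is the packet filter (it stops the Internet host's SYN); the connection table is the stateful part (it stops the CORP host's data packet that never did a handshake); parse_modbus plus the per-rule function set is the DPI part (it stops the HMI's write and the malformed ADU even though both ride an otherwise permitted, fully established connection).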
Host Intrusion Detection System (HIDS)
Monitors and analyzes activity on a single host: its internal state and its network interfaces
Agents monitor system integrity (SI), application activity, file changes, logs, and policy enforcement
NIDS vs HIDS
Scope: broad (a network segment) vs narrow (one host)
Timing: near real-time vs after the suspicious activity (often from logs)
Bandwidth-dependent vs independent of network bandwidth
High false positive rate vs low
Needs dedicated sensor hardware vs no extra hardware (agent on the host)
IDS Best practices
Distributed Deployment
Use SCADA/ICS-specific IDS signatures (IT signature sets do not understand industrial protocols)
Be careful not to block necessary traffic with an IPS; a false positive can stop the process
Security Requirements (SRs)
CAD SIR
Confidentiality
Access control,
Data flow,
Security event monitoring,
Industry/regulatory standards
Risk assessment
Network Intrusion Detection System (NIDS)
Monitors network traffic for suspicious activity
IDS sensors/collectors are placed throughout a network connected to a mgmt. console
System Hardening - Reducing Attack Vectors
- Remove unnecessary software, user accounts, unnecessary services
- Install Security Patches
- Strengthen access controls
OS Hardening Guidance
Guidance: Center for Internet Security (CIS) security benchmarks
Microsoft security guides
NIST SP 800-123 Guide to general server security
OS Hardening Steps
Patch/update OS
Remove/Disable unnecessary services/apps/protocols
Configure Access controls
Configure OS user authentication
Install and configure additional security controls
Test the security
CIS Benchmarks
Recommendations for technical control rules/values for hardening OS, software and network devices
Accepted by governments, industry and academia
IACS Guidance
Guidance: NIST SP 800-82 Guide to ICS Security
Vendor-specific hardening guides
Independent test reports: ISASecure certification
IACS Device Hardening
Disable remote program changes, unused interfaces, unnecessary services and protocols
Compare file hashes (firmware and project files against vendor-published values)
Install vendor firmware updates
Restrict remote access
Protect with IACS firewall
Change default passwords
Enable Logging
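Worked example for "Compare file hashes" in the device and network hardening cards and for the HIDS file-change monitoring card. This is added here and is not from the flashcards. It takes a SHA-256 baseline of a directory tree on a hardened host, re-scans later to report added, removed and modified files, and verifies a downloaded firmware image against a vendor-published hash. The directory tree, its contents and the published hash value are constructed so the block runs offline.

```python
"""Baseline-and-compare file integrity check for hardened IACS hosts, plus
verification of a downloaded image against a vendor-published SHA-256.

Added example, not from the flashcards. The directory tree, file contents
and the published hash are constructed so the block runs offline.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large firmware images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (posix relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def verify_published_hash(path, published_sha256):
    """Check a downloaded image against the vendor's published SHA-256.

    Normalises case and whitespace and compares in constant time. This only
    proves the file matches what was published, so the published value must
    come from an authenticated source (vendor site over HTTPS, signed release
    notes), not from the same place the image was downloaded from.
    """
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(sha256_file(path).lower(), expected)


def demo():
    """Constructed scenario: take a baseline, tamper, re-scan, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "cfg").mkdir(parents=True)
        (root / "cfg" / "plc_project.xml").write_bytes(b"<project rev='7'/>")
        (root / "firmware.bin").write_bytes(b"\x7fELF constructed firmware")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the scanned tree
        save_baseline(build_baseline(root), baseline_file)
        # Simulated changes: project edited, a new startup file dropped, firmware removed.
        (root / "cfg" / "plc_project.xml").write_bytes(b"<project rev='8'/>")
        (root / "cfg" / "startup.ld").write_bytes(b"constructed")
        (root / "firmware.bin").unlink()
        return compare(load_baseline(baseline_file), build_baseline(root))


def demo_verify():
    """Constructed download check: the published value for b'abc' is the known SHA-256."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "image.bin"
        img.write_bytes(b"abc")
        good = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"
        return verify_published_hash(img, good), verify_published_hash(img, "00" * 32)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(demo_verify())
```

Store the baseline file somewhere the monitored host cannot write (a read-only share or the HIDS management console), otherwise an attacker who changes a file can update the baseline too; and treat every "modified" or "added" hit as a Management of Change question, since on an IACS host unexpected changes to project files are as important as malware.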
Functional Planes of a Network
Management plane - administrative access to the device itself (SSH, SNMP)
Control plane - protocols the devices use to talk to each other (BGP, OSPF)
Data plane - the user and process traffic the device forwards
Network Hardening Best Practices
Shutdown unused interfaces and services
Restrict remote mgmt.
Install firmware updates
Compare hashes
Change default passwords and make sure the device stores them hashed/encrypted, not in clear text in the configuration
Enable logging
Use secure protocols for remote mgmt.
Use SNMPv3 with authentication and encryption (authPriv); disable SNMPv1/v2c community strings
Access Control
Policies, Procedures, and technical controls that govern the use of system resources.
Access Control Best Practices
D E E M S
Develop an access control policy that enables logical and physical rules and rights
Employ multiple authentication methods for critical IACSs.
Establish separate IACS domains for each production area.
Use Organizational Units (OUs) to partition resources into logical/functional units.
Make use of centralized identity and access mgmt. tools
Segregate data with high sensitivity and/or business consequences from other internal info.
Remote Access Best Practices
Require
- use of CORP laptops for remote access
- 3rd parties with RA to contractually comply with orgs security policies
- two-factor authentication (2FA) or stronger
Provide separate authentication mechanisms for int/external users
Change TCP port numbers for well-known remote access protocols from their defaults (this only deflects opportunistic scans; it is not a substitute for authentication, encryption and logging)
Monitor and log all remote access sessions
Encrypt all communication over untrusted networks
VPNs
A VPN appliance is a network device that terminates encrypted tunnels, typically IPsec or SSL/TLS (the latter marketed as an "SSL VPN")
Site-to-Site VPN (LAN to LAN, between 2 gateways)
Remote Access VPN (host to gateway: a client connects to 1 gateway)
IACS remote access
Fill me
Types of remote users
System operators, integrators, support specialists and engineers, field technicians
Reporting and regulatory entities
supply chain representatives, managed service providers
Vendors, customers, business partners
Cybersecurity Factory Acceptance Testing (CFAT) Objective?
- Verification of Cybersecurity specifications
- Cybersecurity robustness testing – testing the design of the system to discover and identify weaknesses or vulnerabilities.
Need for Cybersecurity Site Acceptance Testing (CSAT)?
verifies that security settings are properly configured
Cyber Acceptance testing best practices
Select different vendors for testing vs design
Define System-under-Test
Develop a verification and testing plan
Verify cybersecurity configuration settings
Perform robustness testing
Document results
62443-2-4
Security Auditing Tools
Auditing Tools: Center for Internet Security (CIS) has CIS-CAT (Configuration Assessment Tool) and the Router Audit Tool (RAT)
Tenable: Nessus audits OS, applications and databases against configuration baselines
Digital Bond: Bandolier audits ICS servers and workstations against optimal security configurations (audit files that run in Nessus)
MBSA (Microsoft Baseline Security Analyzer); retired by Microsoft and no longer updated for current Windows versions
Roles to support asset owner
- Product Supplier: supplies the components (secure development lifecycle requirements in 62443-4-1)
- Integration Service Provider: design and setup (analyzing the environment, developing the architecture, defining connections, installing, configuring, patching, testing and backups)
- Maintenance Service Provider: support after handoff (patching and anti-virus updates, equipment upgrades and maintenance, change management)
Maturity Levels
Level - Description
1 Initial - ad hoc and undocumented
2 Managed - written policies exist, but practice may not yet be consistent
3 Defined (Practiced) - repeatable across the organization
4 Improving - service providers measure the effectiveness and performance of the service and demonstrate improvement
I M D I
Based on CMMI SVC Model
Security Program Requirements for IACS Service Providers
62443-2-4
Can be used by asset owner to request or assess specific security capabilities from service provider