A Complete Guide to ICS Security Assessment

By admin
August 10, 2023

Did you know that the average cost of data breaches worldwide was $4.35 million in 2022, with phishing being the most common form of attack?

Ransom demands, locking of critical data files, and theft of sensitive data are common forms of attack. Many industries bear the brunt in the form of high data-recovery costs, loss of reputation, damaged business relationships, legal complications, and so on. All of this highlights the need for cybersecurity assessment and analysis to provide an effective defense against threats.

What is ICS security assessment?

Industrial Control Systems (ICS) security assessment involves evaluating the ICS of an organization for vulnerabilities and weaknesses and ensuring that effective controls are in place to defend against cybersecurity attacks. The assessment encompasses:

  • Tracking all connected devices to ensure that their access is authorized
  • Using a multi-layered boundary defense mechanism
  • Devising a comprehensive vulnerability management strategy
  • Monitoring login activity
  • Employing secure configurations
  • Deploying malware defenses at multiple checkpoints
  • Identifying security gaps

Evaluation of safety with cybersecurity audit

A cybersecurity audit is an evaluation of the security and strength of the ICS environment of an organization. Some of the essential steps in a cybersecurity audit are:

  • Defining the scope

The scope of the audit, the networks that will be assessed, and the standards that must be adhered to must be defined as a first step.

  • Examining existing policies

The relevant ICS security policies and standards should be reviewed to understand what is in place at present.

  • Analyzing network architecture

The network architecture for critical and non-critical systems should be analyzed to check the segmentation of networks.

  • Compliance with standards

Cybersecurity audit also ensures that the ICS environment adheres to the industry standards, like IEC 62443.

  • Vulnerability assessment

Thorough network scanning should be performed to assess the weaknesses of the ICS environment.

  • Reviewing the incident response plan


Incidents should be logged in line with best practices for an incident response plan. An audit reviews this and reports any lapses.

  • Audit report

Once the audit of the ICS environment is complete, an audit report on the findings about vulnerabilities should be prepared. The report should also contain relevant recommendations for further action.

  • Follow-up

On the basis of the report, necessary follow-up actions should be taken to address the issues and weaknesses identified. Effective follow-up also helps keep a watch on emerging threats.

CIA triad: The ICS security assessment model

The CIA triad is a popular method for security assessment. CIA stands for Confidentiality, Integrity, and Availability. All three aspects carry importance while reviewing the system for vulnerabilities and risk assessment. For safe operations of industrial processes, there should be a balance in confidentiality, integrity, and availability.

Confidentiality
Maintaining the privacy of an organization's data and restricting unauthorized access are key parts of confidentiality. In this digital age, there are frequent attempts to compromise the safety of industrial control systems. Maintaining confidentiality involves measures such as encryption, multi-factor authentication, and data labeling.

Integrity
Integrity ensures that the data is reliable and trustworthy. Data is protected from unauthorized alteration to maintain the authenticity of the information through non-repudiation.

Availability
Data that is secure must also be available and accessible to the stakeholders. Timely availability of data without interruption is of prime importance. Various events, such as natural disasters, ransomware attacks, and denial-of-service attacks, can compromise availability.

The CIA triad method offers a comprehensive methodology for the assessment of security lapses. It helps identify what went wrong and how well the existing systems were able to protect the data.

The need for ICS cybersecurity assessment

Even technology leaders had to mitigate an average of 1,435 Distributed Denial-of-Service (DDoS) attacks daily in 2022.

This statistic is an indicator of the gravity of the situation. Cybersecurity assessment is the need of the hour when the digital landscape is deluged with multiple types of cyberattacks. There have been instances of severe losses and compromises in many industries due to overlooked cybersecurity assessments.

Here are some cyber incidents that shook industries due to the lack of assessments.

  • Triton was an incident that happened in the year 2017 at an oil and gas plant in Saudi Arabia. The hacker had planned a plant-wide explosion. This could have been devastating, but, luckily, the malware had a bug and the attempt was a failure. Had the plant carried out frequent assessments as per protocols, this could have been averted.
  • There was a ransomware attack at Colonial Pipeline in 2021 that led to the complete shutdown of the fuel distribution pipeline. Within 2 hours of interception, nearly 100 GB of data were stolen. To restore the fuel distribution, Colonial Pipeline had to pay approximately $5 million in ransom to the hackers.

All of these incidents show the need for timely assessments so that potential threats can be identified and defense mechanisms put into action.

ICS security standards

Organizations follow different security standards based on industry requirements. We will discuss some of them here:

1. ISA/IEC 62443

The set of standards in IEC 62443 offers guidelines for securing industrial automation and control systems. Such control systems are found in power plants, oil and gas plants, water treatment plants, and similar facilities. These standards describe the type of controls to be put in place on ICS platforms:

  • Access controls: guidelines for maintaining robust access controls to prevent unauthorized access to ICS.
  • Software security: regular updates to fix known vulnerabilities.
  • Network security: measures to protect ICS from external threats.
  • Incident response: plans for immediate response to security lapses.
  • Regular audits: ICS assessments to identify weaknesses.

IEC 62443 is mainly used by industries in the industrial automation and control sector. With its comprehensive set of policies, it is considered one of the best standards for industries to follow.

2. The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) 

NERC CIP is a set of standards specific to the power grid sector. They are used to protect the security of the electricity industry. These include:

  • Access controls to prevent unauthorized access to critical assets.
  • Physical security by way of perimeter security and limiting access to sensitive areas.
  • Cybersecurity for defense against cyber threats.
  • Incident response for immediate response to threat incidents.
  • Audit of assets to identify vulnerabilities and initiate necessary protection.

Some common ICS tools used for cyber security assessment

These tools are widely used by analysts to identify and track vulnerabilities and strengthen protection.

Nmap

With this tool, analysts identify the hosts that reside in a network. It helps detect threats and discover open ports and services, and it can map an entire network.

This is a simple tool with powerful capabilities. It can quickly recognize all routers, servers, switches, and mobile devices on one or more networks, and it helps identify web servers and DNS servers running on a system. It has a GUI called Zenmap through which you can build visual maps of a network.

Visit Now: NMAP

Shodan

Shodan is a search engine that helps find servers, routers, and other devices on the internet using various filters. With Shodan, you can identify whether any devices in the ICS are accessible from the internet.

Data collected by Shodan is comprehensive. It is in metadata format and contains data like hostname, geographical location, OS, and properties related to application layer protocols. This helps identify insecure devices.

Visit Now: Shodan

Sectrio

You can leverage Sectrio to conduct host discovery and vulnerability analysis and provide solutions to correct the vulnerabilities detected in a host. It is a remote scanning tool that raises an alarm if any malicious attempts are made.

Sectrio can scan for misconfigurations, DDoS attempts, default or common passwords, malware breaches, and unauthorized access to systems.

Request for an ICS vulnerability assessment with Risk and Gap analysis from Sectrio

Sophia

This is a real-time diagnostic tool built exclusively for ICS. By maintaining fingerprint data for the ICS network, it can readily diagnose malicious attempts. The tool also allows tailor-made reports based on activity analysis.

Read More: Sophia

CSET

The Cybersecurity Evaluation Tool (CSET) helps organizations protect critical national assets. It offers a systematic approach for assessing the security posture of cyber systems. This tool was developed by the US Department of Homeland Security (DHS).

Visit Now: CSET 

ICS risk management and assessment

The ICS security risk assessment process in an ICS environment has four components:

  1. Framing: This involves developing a framework for risk management decisions. The physical operating environment, the availability of services provided by the ICS, and interaction with security requirements are important considerations in risk framing. The specific requirements of ICS environments should be stated explicitly during risk framing so that risks are properly detected.
  2. Assessing: This component of risk management involves assessing risks and exploring the possibilities for threats to occur. The potential impact of an ICS incident on the physical processes, dependent processes, and physical environment is included in assessing.
  3. Responding: This aspect is the organization's response to the identified threat. It includes the possible actions to mitigate the risk. The responses may be subject to constraints such as system requirements, impact on operations, and regulatory compliance regimes.
  4. Monitoring: This component involves periodic monitoring of risk. It includes monitoring the implementation of the chosen risk strategies, external changes that may affect risk prediction, and so on.

All these components are interdependent and apply to the management of risks arising in information security, physical security, safety, and financial security.

Benefits of ICS cybersecurity risk assessment:

  • Improves the safety, availability, and reliability of control systems
  • Increases investor confidence
  • Helps meet regulatory requirements
  • Builds corporate image
  • Reduces legal liabilities
  • Helps build a sustainable business model

ICS security architecture

The ICS network and corporate network should be separated when designing the network architecture for ICS. This avoids DoS or man-in-the-middle attacks that may occur if ICS network traffic is carried over the corporate network.

ICS security architecture includes the following:

Network firewalls

Firewalls control the flow of network traffic between networks with different security postures. With firewalls, organizations can prevent unauthorized access to systems in sensitive areas. Firewalls remove non-essential traffic from the ICS network and enhance security.

Firewalls need to be monitored frequently for efficacy as emerging threats can escape existing protection. To prevent cyberattacks in an ICS environment, it is essential to have real-time firewall protection.

Network segregation

The ICS and corporate networks need to be separated to maintain security. Some of the possible methods to do this are:

Dual network interface card (NIC)

Dual-homed computers pass network traffic from one network to another without proper security controls, thereby posing a significant threat. All connections between the corporate network and the ICS network should pass through a firewall only.

Firewall between corporate and ICS network

A two-port firewall between the two networks improves security and reduces the possibility of external attacks on the ICS network.

Firewall and router between corporate and ICS network

This is a robust design with both a firewall and a router, and it provides enhanced protection. The router reduces the load on the firewall and adds a layer of defense in depth.
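The following is an added example, not code from the original post or from Sectrio, showing two checks a defender can run against the segregation designs described above: finding dual-homed hosts that bridge the corporate and ICS networks, and flagging cross-zone flows that are not on the firewall allow-list. The subnets, the allow-list and the sample inventory and flow log are constructed assumptions.

```python
# Added example, not from the original post: two checks for the network
# segregation design above. Subnets, allow-list and sample data are assumptions.
import ipaddress

# Assumed zone layout: corporate network 10.1.0.0/16, ICS network 10.2.0.0/16.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "ics": ipaddress.ip_network("10.2.0.0/16"),
}
# The only flow permitted through the corporate/ICS firewall (assumed): the
# corporate reporting server reading the ICS historian on TCP 5432.
ALLOWED_FLOWS = {("10.1.5.20", "10.2.0.10", 5432)}

def zone_of(ip):
    """Return the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def dual_homed_hosts(inventory):
    """Hosts with interfaces in both zones; they bridge corporate and ICS
    without passing the firewall. inventory maps hostname -> list of IPs."""
    return sorted(host for host, ips in inventory.items()
                  if {zone_of(ip) for ip in ips} >= {"corporate", "ics"})

def unauthorised_crossings(flow_log):
    """Flows crossing the zone boundary that are not on the allow-list.
    flow_log: constructed 'src dst dport' lines, one flow per line."""
    findings = []
    for line in flow_log.strip().splitlines():
        src, dst, dport = line.split()
        if zone_of(src) != zone_of(dst) and (src, dst, int(dport)) not in ALLOWED_FLOWS:
            findings.append(line)
    return findings

# Constructed sample data: one workstation sits on both networks, and the
# flow log mixes the permitted historian read with two unapproved crossings.
INVENTORY = {
    "eng-ws-01": ["10.1.7.15", "10.2.1.15"],
    "plc-03": ["10.2.3.3"],
    "reporting-srv": ["10.1.5.20"],
}
FLOW_LOG = """\
10.1.5.20 10.2.0.10 5432
10.1.7.15 10.2.3.3 502
10.2.3.10 10.2.3.3 502
10.1.9.40 10.2.3.10 3389
"""
```

Running the two checks on the sample data reports eng-ws-01 as dual-homed and flags the two flows that bypass the allow-list, while the ICS-internal flow and the permitted historian read pass.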


Penetration testing in the ICS environment

Before learning what penetration testing is, let us understand the impact of not performing it. 

Since 2018, there have been 3.26 million complaints at the FBI Internet Crime Complaint Center, amounting to $27.6 billion in losses. 

Yes, attacks are on the rise, and it is of utmost importance to perform penetration testing specific to ICS environments to keep them protected.

With the introduction of the Industrial Internet of Things (IIoT), critical operations are connected in more ways than one, exposing them to threats. Where security is lacking, attackers can easily gain access to sensitive data and misuse it. This is where penetration testing comes in.

It helps detect gaps in security, misconfigurations, unencrypted data, a weak patching program, and similar issues. This testing helps isolate the ICS environment and protect it from potential threats.

Penetration testing is a cost-effective method because it identifies threats before they can impact the ICS networks. Pen tests are conducted in a way that does not interfere with the ICS, so there is no service disruption during the testing process.

Pen tests are a much deeper testing methodology than just vulnerability assessment, which is only a part of it. It helps keep organizations more informed so that effective remedial measures can be incorporated.

Penetration testing is conducted by experienced testers who take care not to disrupt the normal functioning of the ICS environment. Since the threat landscape keeps evolving, penetration testing has to be a continuous activity; as a proactive measure, it helps keep controls in place.

Enhanced protection with ICS cybersecurity self-assessment

Organizations can improve their security by carrying out a self-assessment of the ICS platform.

Here’s the checklist that can help:

  • Prepare a comprehensive asset inventory.
  • Check that the ICS network is segmented to separate critical and non-critical systems.
  • Check that regular updates and patches are applied to ICS networks.
  • Arrange for backups in case of a recovery failure during updates.
  • Verify that user access is authorized only with multi-factor authentication.
  • Develop an incident response plan and make sure it works in practice.
  • Monitor system logs for malicious activity.
  • Limit physical access to ICS facilities, control rooms, etc., to authorized personnel only.
  • Offer regular training to personnel involved in ICS security to keep them up to date.
  • If third-party suppliers have access to ICS systems, monitor the security of their networks as well.
  • Make sure that ICS security standards are complied with.
  • Check that backup and recovery plans are in place.
  • Monitor and conduct ICS security assessment audits periodically.

ICS cybersecurity assessment is not a one-off activity. It should be an ongoing process to keep the control systems of industries secure and reliable.

Key takeaways

Costa Rica declared a national emergency due to a series of ransomware attacks in 2022. A ransom of $10 million was the demand from the hackers to desist from publishing the stolen information. 

Such is the impact of cyberattacks! The need to be proactive and protect industrial control systems is greater than ever. A potential mega impact can be avoided with proper security systems that are reviewed periodically. Maintaining a checklist and adhering to it can be highly effective. With this, we can safeguard critical industries and ensure their uninterrupted operation.
