
© 2016 PM SCADA.
All rights reserved.



S2CI OR ICS2 : INDUSTRIAL CONTROL SYSTEMS

Industrial Control System (ICS) is a general term that encompasses several types of control systems used to automate industrial processes, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC).

These systems are used in a variety of critical applications and industries including energy and utilities, transportation, health, manufacturing, food and water treatment.

PM SCADA offers professional services tailored to the specific industry needs of its clients.

Conceive, imbed and protect, that’s our motto!

SCADA SECURITY SERVICES

Advanced architecture using SCADA technology and security

▲  Specifications definition meeting the client’s needs.
▲  Technological tests performed in a laboratory setting based on the client’s settings.
▲  Reviewed and improved architectural solutions.

Existing architecture assessment and improvement

▲  Intrusion tests.
▲  Vulnerability assessment.
▲  Vulnerability governance and management plan assessment.
▲  Technological tests performed in a laboratory setting based on the client’s settings.
▲  Improved Solution.

  

Customized Cyber Defence

▲  Security Proof of Concept (PoC).
▲  Infrastructure strengthening adapted to your context.
▲  Distributed-Denial-of-Service (DDoS) solutions implementation.
▲  Malware eradication.
▲  Software and Patch (OS) Management Plan.

Technological security solutions selection support

▲  Developing an agenda based on the client’s needs.
▲  Technological tests performed in a laboratory setting based on the client’s settings.
▲  Improved solution.


RECOMMENDED CYBER SECURITY BEST PRACTICES FOR ICS

Cyber security starts by developing an understanding of the risks an organization faces, and those it may expose its clients and the community.

Given some of the applications of ICS, these risks can extend beyond financial and business risks and include loss of life and injury. It is therefore imperative that organizations consider their exposure to cyber threats, assess the resulting risks, and implement safeguards accordingly.

The risks are evaluated based on the specific industry the company belongs to. The security solutions are tested in a secured laboratory, offline, before being implemented in a real world environment.


NETWORK SEGMENTATION

The reason behind network segmentation is to partition the system into distinct security zones and to implement layers of protection to isolate critical parts of the system using a policy enforcement device.

Implement network segmentation that separates business networks from control system networks. ISA99 describes six levels of segmentation:

Level 0 - Instrumentation Bus network;
Level 1 - Controller LAN;
Level 2 - Supervisory HMI LAN;
Level 3 - Demilitarized zone (DMZ), operations;
Level 4 - Enterprise LAN;
Level 5 - DMZ, internet.

Use a Demilitarized-Zone (DMZ) capable firewall between ICS and IT segments or use paired-firewalls to create a DMZ.

PM SCADA evaluates equipment and solutions. Depending on the situation, we work jointly with suppliers to ensure that the product meets the clients' business, sector and specification needs.

Firewalls configuration and management:

▲  Ensure that all physical access to the firewall is tightly controlled;
▲  Document all data flows that need to cross security zone boundaries including a business justification with risk analysis;
▲  Implement a default deny all rule;
▲  Implement egress filters where there is no need for outbound traffic;
▲  Review firewall configurations regularly to ensure that the business case for the rule or policy is still valid and the security controls are in place;
▲  Ensure that firewall configuration changes are subject to at least the same change management requirements as any ICS device configuration;
▲  Monitor the logs and intrusion detection systems (IDS) events to look for anomalous traffic and possible intrusion attempts; and
▲  Define the role of the ICS firewall in a cyber incident response plan.
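The firewall review points above (documented flows with a business justification, a default deny all rule, IT and ICS traffic meeting only in the DMZ) can be checked mechanically. The following is an added example, not PM SCADA's tooling; the `Rule` model, the sample rule set and the policy that levels 4-5 may not talk directly to levels 0-2 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Union

# Constructed rule model: zones are the ISA99 level numbers listed above, or "any".
@dataclass
class Rule:
    src: Union[int, str]
    dst: Union[int, str]
    port: str
    action: str              # "allow" or "deny"
    justification: str = ""  # documented business case for the flow

def audit(rules):
    """Return (rule_number, finding) pairs for a top-down ordered rule list."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst, r.port):
            findings.append((n, "allow rule uses 'any'"))
            continue
        if not r.justification.strip():
            findings.append((n, "no documented business justification"))
        # Assumed policy: IT (levels 4-5) and control (levels 0-2) traffic
        # must terminate in the level 3 DMZ, never cross it directly.
        if min(r.src, r.dst) <= 2 and max(r.src, r.dst) >= 4:
            findings.append((n, f"level {r.src} -> level {r.dst} bypasses the level 3 DMZ"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and last.src == last.dst == last.port == "any"):
        findings.append((len(rules) + 1, "missing final default deny-all rule"))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE_RULES = [
    Rule(4, 3, "tcp/443", "allow", "Reporting server reads historian replica"),
    Rule(3, 2, "tcp/3389", "allow", "Jump host to HMI for maintenance"),
    Rule(4, 2, "tcp/502", "allow", "ERP reads HMI tags"),
    Rule(2, 3, "tcp/1433", "allow", ""),
    Rule("any", "any", "any", "allow", "temporary"),
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```

Running the same audit at each scheduled configuration review shows whether the business case recorded for every rule is still present and whether a temporary rule has outlived its change ticket.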

PM SCADA studies the tools needed to automate various processes and the deployment strategy needed to respond to the specific industrial and business needs of our clients.


REMOTE ACCESS

It was the well-known “6 walls” of security that led to modern technologies offering secured remote access to technological devices. This secured access requires strict security policies to be in place as a means of protection, including but not restricted to:

▲  Defined terms of employment, user access, material and data use policies that are understood by everyone, enforced and maintained to reflect changes happening in the organization or its environment;
▲  Ensured compliance of vendors' and contractors' remote access with the organization's security policies;
▲  Change of TCP port numbers for well-known remote access protocols from their defaults;
▲  VPN configuration to avoid split tunneling;
▲  Session logging (user ID, time, remote access duration, etc.) and use monitoring;
▲  Communications encryption over untrusted networks (any network that is not exclusively used by the control system);
▲  Configure remote access software;
▲  Defined strong passwords requirements;
▲  Restrict remote connections to a special machine in the ICS DMZ (e.g. a Jump Host), which then has access to select resources in the control system; and
▲  IDS configuration that ensures all the VPN tunnel incoming and outgoing traffic is inspected.

PM SCADA tests various security solutions to limit remote accesses to specific control systems and uses a specialized gateway which is adapted to the specific needs of its clients.


WIRELESS COMMUNICATIONS

Wireless access to the ICS network introduces extreme vulnerabilities and is susceptible to attacks resulting in infiltration (MiTM) and denial of service (DoS). A wireless DoS attack can be detected, but it cannot be prevented if it is a physical-level (RF) attack.

▲  Create Wireless LAN (WLAN) security policies adapted for each audience;
▲  Separate and segment the WLAN from the wired LAN;
▲  Mandatory access authentication to the WLAN for all users and devices;
▲  Strong encryption to protect the WLAN traffic (e.g. 802.11i/WPA2, do not use WEP);
▲  Traffic restriction (applications, protocols and source/destination communication pairs);
▲  Power and antenna transmission limitations;
▲  Scanning of wireless access points to detect unauthorized users;
▲  Avoidance of default configurations on access points and adapters;
▲  Disable SSID beacon transmissions;
▲  Use of SSID naming conventions and static, instead of dynamic, IP addressing of devices on the WLAN;
▲  A mechanism to keep ARP broadcasts from the wired network off the WLAN;
▲  Strictly prohibit the connection of any wireless equipment not approved for use directly on to the ICS network; and
▲  Wi-Fi Protected Setup (WPS) deactivation and periodic auditing.


PATCH MANAGEMENT

Patch management is an important component of an overall control system security strategy. In some cases, it is the most effective mitigation strategy against newly discovered vulnerabilities. The difficulty with patch management is deployment into the ICS environment without risking disruption to operations. Careful maintenance window scheduling, testing and associated policies and practices are required to balance system reliability.

PM SCADA carries out these tests in its laboratory to:

▲  Understand the vulnerabilities that exist in the ICS, the exposure of the vulnerable components, and the relevant controls available;
▲  Assess risks by determining the right balance between the consequences of vulnerabilities, the advantages of patches, and the deployment effort required and its impact at the application, operating system and organization levels;
▲  Respect a strict deployment schedule;
▲  Use a dedicated patch manager and an anti-virus server located in the ICS DMZ.


ACCESS POLICIES AND CONTROLS

Access policies and controls are crucial to protecting IT infrastructure and devices, physical premises and people. Here are some aspects to be addressed:

▲  Definition of appropriate logical and physical rules and access rights for each user or group of users;
▲  Deployment of multi-factor authentication methods for critical ICS;
▲  Ushered access (also called "shadowing") requirements for high risk and impact tasks such as industrial operations with health, safety and environmental (HSE) consequences or critical business activities that just can't be interrupted;
▲  Segregation of high-sensitivity data and use of access control limitations;
▲  Make use of domain controllers to manage access control to ICS resources;
▲  Use of domain controllers to restrict access to ICS resources;
▲  Restrictions on trust relationships between IT domains and ICS domains;
▲  Enforcement of a password policy and of changing default passwords.


SECURE THE HOST (SYSTEM HARDENING)

Component hardening means locking down functionality to prevent unauthorized access or changes, removing unnecessary functions or features, and patching any known vulnerabilities. It involves some of the following tasks:

▲  Enabling host security logs and DNS logging;
▲  Collaboration with the ICS manufacturer for recommendations and tools;
▲  Enforcement of a password policy and of changing default passwords;
▲  Firmware updates.

PM SCADA employs numerous solutions against technological vulnerabilities.


INTRUSION DETECTION

All systems require activity monitoring and surveillance to identify potentially malicious events or inappropriate network use.

Without this ability to monitor a system, minor security issues will remain undetected until they become critical security incidents. Some of the things we like to do to help our clients:

▲  Use of ICS/SCADA-specific IDS tools and packages;
▲  Deployment of IDS behind ICS firewalls with ICS-specific signatures;
▲  Use of log files as intrusion detection tools;
▲  Security Information & Event Management (SIEM) tools with centralized view;
▲  Configuration of alerts to be sent to the appropriate personnel;
▲  Internal knowledge sharing through “honeypots”.

PM SCADA makes its laboratory available to its clients to test and to analyse these solutions.


PHYSICAL AND ENVIRONMENTAL SECURITY

Limit access to critical ICS assets to only those who require access to perform their job, and use only approved or authorized equipment. In addition to physical access controls, critical equipment such as ICS needs to be appropriately hardened and protected from environmental hazards. Some actions that should or should not be done:

▲  Protect computer equipment such as routers or firewalls in a locked environment;
▲  Use an equipment tracking system to determine where equipment is located and who has responsibility for it;
▲  Disable all unused data ports at the lowest possible operating system level, preferably BIOS;
▲  Plug in dummy connectors which require a tool for removal to unused ports;
▲  Plug all data ports that are required for temporary or portable equipment access with dummy connectors;
▲  Do not allow external or unmanaged hosts to connect to ICS network segments;
▲  Do not access untrusted removable media.

PM SCADA puts strict policies and measures in place to allow authentic verifications.


MALWARE PROTECTION AND DETECTION

Malware and social engineering remain current threats to your organization, and attacks are more and more sophisticated. Some of the actions to perform:

▲  Deploy and manage anti-virus software on Windows-based as well as Unix and Linux ICS hosts;
▲  Stagger updates so that computers are not updated simultaneously;
▲  Use null routing and DNS "sinkholes" to quickly identify misconfigured or infected hosts that may be trying to “call home”;
▲  Provide security awareness to personnel.
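How a DNS sinkhole points at hosts trying to “call home” is shown in the added example below, which is not PM SCADA's code: any client whose query was answered with the sinkhole address is grouped and ranked for follow-up. The log format, the sinkhole address `192.0.2.53` and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"  # assumed sinkhole address (documentation range)

# Assumed log format: "<timestamp> client=<ip> query=<name> answer=<ip>"
LINE = re.compile(r"^(\S+) client=(\S+) query=(\S+) answer=(\S+)$")

# Constructed sample resolver log.
SAMPLE_LOG = """\
2016-05-02T10:15:01Z client=10.20.2.14 query=hist01.plant.example answer=10.20.3.5
2016-05-02T10:15:09Z client=10.20.2.31 query=cdn.bad-domain.test answer=192.0.2.53
2016-05-02T10:15:40Z client=10.20.2.31 query=cdn.bad-domain.test answer=192.0.2.53
2016-05-02T10:16:02Z client=10.20.2.14 query=OLD-NTP.plant.example. answer=192.0.2.53
2016-05-02T10:16:30Z client=10.20.2.31 query=api.bad-domain.test answer=192.0.2.53
truncated line without fields
"""

def sinkholed_hosts(log_text, sinkhole=SINKHOLE_IP):
    """Group sinkhole answers by client; return (hosts, unparsed_line_count)."""
    hosts = defaultdict(lambda: {"hits": 0, "names": set(), "first": None, "last": None})
    unparsed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed += 1          # keep count: silent drops hide logging faults
            continue
        ts, client, name, answer = m.groups()
        if answer != sinkhole:
            continue
        h = hosts[client]
        h["hits"] += 1
        h["names"].add(name.rstrip(".").lower())   # normalise FQDN form and case
        h["first"] = h["first"] or ts
        h["last"] = ts
    return dict(hosts), unparsed

def triage(hosts):
    """Order clients by sinkhole hits, most active first."""
    return sorted(hosts, key=lambda c: (-hosts[c]["hits"], c))
```

In the sample, one client repeatedly asks for two external names and is the likelier infection, while the other asks once for a retired internal name, which is the misconfigured-host case.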

PM SCADA works in close collaboration with suppliers to create solutions to technological industrial challenges.


AWARENESS

ICS security training and awareness of personnel is an essential tool for reducing cyber security risks. It is critical that any ICS security program have a training and awareness program so that employees understand their role and what is expected of them in the company. Knowledgeable and vigilant staff is one of the most important lines of defense in securing a system.
Here are some ways to ensure your personnel are security aware and responsible, and know how to respond to security matters on an everyday basis and when an incident occurs:

▲  Develop and communicate an organizational policy for control systems security;
▲  Conduct control system security training and awareness;
▲  Monitor the appropriate vulnerability lists, vendor update lists and Computer Emergency Response Team (CERT) security alerts for threats to ICS and the resources protecting to be shared through the organization.

In collaboration with its partners, PM SCADA offers ICS security training sessions.


PERIODIC ASSESSMENTS AND AUDITS

Numerous factors affect the security of a system throughout its life cycle. Therefore, it is important to periodically test and verify to ensure optimized configurations, compliance and maintenance.


PM SCADA implements customized situational environments to test and identify system vulnerabilities.


CHANGE CONTROL AND CONFIGURATION MANAGEMENT

Change management policy and procedures are used to control modifications to hardware, firmware, software, and documentation to ensure the ICS is protected against improper modifications prior to, during, and after commissioning. For that, you need to:

▲  Restrict access to configuration settings, and security settings of ICS products;
▲  Ensure that all ICS modifications meet the same security requirements as the risk assessment and mitigation plans requirements;
▲  Perform risk assessment on all changes to the ICS network that could affect security;
▲  Maintain ICS network configuration documentation;
▲  Ensure that changes are tracked and authorized before execution.

PM SCADA supplies configuration, documentation and data collection management.


INCIDENT PLANNING AND RESPONSE

A comprehensive cyber incident response plan should include both proactive measures and reactive measures. Proactive measures prevent incidents or better allow the organization to respond when one occurs, whereas reactive measures can help detect and manage an incident once it occurs. Our experience has shown that the best way to achieve that is to:

▲  Define the mandate, goals and objectives of the security incident response team;
▲  Establish a Cyber Security Incident Response Team with appropriate tools, training and resources;
▲  Define and implement means for identifying an incident and assessing its severity;
▲  Define escalation procedures, incident and crisis management plans.

PM SCADA, in cooperation with the authorities, implements specific security response plans.