Are you planning to visit your industrial control system (ICS) or operational technology facilities to advance your control system security program? Use this guide to prepare for discussions on cybersecurity and safety, conduct ethical hacks of the physical security perimeter, and establish an ICS asset inventory for proactive defense and information security.
Consider the points outlined below to maximize your efforts to identify critical assets during on-site ICS visits, promote ICS security awareness, and facilitate a smooth ICS cyber incident response process.
1. OSINT for ICS Defenders
While often overlooked, an open-source intelligence (OSINT) exercise is a starting point for understanding an organization's information attack surface. Because it uses only public sources, it does not disrupt or introduce any risk to industrial operations, and it is not detectable by ICS defenders.
An OSINT exercise reveals the Internet-connected devices, remote access services, open ports, and protocols that are in use at an organization. In the hands of an adversary, this information can be pieced together to build an attack against a target.
ICS defenders should at least know what information is publicly available about their organization and operations through common search engines such as Google. They should also know which of their Internet-connected devices appear in search results from Shodan or similar tools. An OSINT exercise shows what adversaries already know, which is critical to building defenses. Common examples of Shodan search filters are:
- Search by organization IP range: net:x.x.x.x/y
- Search by organization name: org:"name"
- Search by IP: x.x.x.x
- Search by city: city:"name of city"
- Search by webpage title: title:"text here"
- Search for common remote access: port:"3389"
- Search for BACnet: port:"47808"
- Search for Modbus: port:"502"
- Search for EtherNet/IP: port:"44818"
After conducting an OSINT exercise, ensure that Internet-connected assets are removed where feasible and that remote access has secure multi-factor authentication with monitoring and auditing in place. Verify with the key stakeholders and applicable on-site teams before changing anything.
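The triage step that follows an OSINT exercise, as an added example that is not part of the original post: it takes host records in the shape a Shodan-style export might produce (the records below are constructed, not real hosts) and reports which hosts of one organization expose the ICS protocol or remote-access ports listed above, ranked so the removal and MFA work can be prioritized with the on-site teams. The port table, the `Example Utility` organization name and the priority labels are assumptions made for the example.

```python
"""Triage of OSINT results for ICS exposure (added example, constructed data)."""
from collections import defaultdict

# Ports named in the post, with the service they usually indicate.
ICS_PORTS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    47808: "BACnet",
}
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
}

# Constructed sample records (not real hosts). The fields mirror what a
# search-engine export commonly carries: IP, organization, open port, banner.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "org": "Example Utility", "port": 502, "data": "Modbus"},
    {"ip": "192.0.2.10", "org": "Example Utility", "port": 3389, "data": "RDP"},
    {"ip": "192.0.2.11", "org": "Example Utility", "port": 443, "data": "HTTPS"},
    {"ip": "192.0.2.12", "org": "Example Utility", "port": 44818, "data": "EtherNet/IP"},
    {"ip": "198.51.100.5", "org": "Other Org", "port": 47808, "data": "BACnet"},
]


def triage(records, org):
    """Group open ports per host for one organization and classify exposure.

    Returns {ip: {"ics": [service names], "remote_access": [service names],
    "other": [ports]}} for hosts with at least one ICS or remote-access finding.
    """
    per_host = defaultdict(lambda: {"ics": [], "remote_access": [], "other": []})
    for rec in records:
        if rec["org"] != org:
            continue
        port = rec["port"]
        if port in ICS_PORTS:
            per_host[rec["ip"]]["ics"].append(ICS_PORTS[port])
        elif port in REMOTE_ACCESS_PORTS:
            per_host[rec["ip"]]["remote_access"].append(REMOTE_ACCESS_PORTS[port])
        else:
            per_host[rec["ip"]]["other"].append(port)
    return {ip: f for ip, f in per_host.items() if f["ics"] or f["remote_access"]}


def priority(findings):
    """Rank a host's findings: an ICS protocol reachable from the Internet first,
    then remote access (which the post says needs MFA plus monitoring)."""
    if findings["ics"]:
        return "P1 remove or firewall ICS service"
    if findings["remote_access"]:
        return "P2 enforce MFA and monitoring"
    return "P3 review"


def report(records, org):
    """Return a list of (ip, priority, ics_services, remote_access_services),
    sorted by priority and then by IP, ready to hand to the site teams."""
    rows = []
    for ip, f in triage(records, org).items():
        rows.append((ip, priority(f), f["ics"], f["remote_access"]))
    rows.sort(key=lambda r: (r[1], r[0]))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_RECORDS, "Example Utility"):
        print(row)
```

Hosts that only expose non-ICS, non-remote-access ports (192.0.2.11 in the sample) are dropped from the report, and records belonging to other organizations are ignored, so the output is only what the organization's own stakeholders need to verify before anything is changed.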
2. Coordinate with Safety and Security Teams
Establish and maintain relationships with fire and safety, physical security, and engineering teams before arriving at the site. These teams know just about everything about the facilities, including the location of physical assets, how to navigate the site, network architecture, and critical assets. You may have to rely on these teams for help throughout the ICS incident response process going forward.
Site safety is always going to be top of mind, even above cybersecurity. Follow the lead of the safety team and the safety protocols to ensure that you and your team remain physically safe. This means wearing your personal protective equipment (PPE), among other measures. Most sites require that you have completed safety training and show certificates of completion before entering the site.
3. Ethically Hack the Physical Security Perimeter
When arriving at the site, there’s always an opportunity to audit physical security controls. This can be done by observing authentication processes, starting with the front gate. Wait to show a badge until it is requested, document tailgating observations, and look for unlocked doors, doors being propped open, fences with gaps, etc. – all while keeping safety as the highest priority. Conduct passive wireless sweeps looking for rogue access points and/or unsecured wireless settings.
Always seek documented approval from management for ethical hacking exercises of this nature before attempting them.
4. Plant Floor Cybersecurity Discussions
Organizing direct discussions on security and safety at the facility allows for direct observations and provides operational context for the environment where digital assets are located. However, some operating environments may have prohibitive noise, safety, or access limitations that make it necessary to hold these discussions elsewhere. The discussions should include process engineers, field technicians, programmers, operators, and managers. Cybersecurity staff need to know how the physical processes and the plant operate, and which systems are critical to operations and safety. Walk the teams through industry case studies such as CRASHOVERRIDE, TRISIS, HAVEX, STUXNET, etc.
Start a discussion around what might constitute an impactful event in the environment. The individuals who operate the facilities will certainly have thoughts about what could fail, or even experiences with something that has failed before.
Leverage the physical engineering safety culture by drawing parallels between physical and cyber safety, and highlight the cyber defense safeguards that are in place to ensure the safety and reliability of engineering operations.
In security awareness memos, replace "cyber security" with "cyber safety."
5. Spreadsheet, Laptop Stand, and Network Diagrams
Start by reviewing network diagrams. Use an encrypted laptop with at least a basic spreadsheet application to start storing your ICS asset information. At a minimum, capture the following attributes for commonly targeted assets such as Data Historian, HMI, PLCs, engineering workstations, core network devices, and Safety Instrumented Systems (SIS):
- Site name, location, facility type
- Asset type and ID tag
- Asset location: Room, cabinet, rack
- Description of asset function
- Impact to operations if unavailable
- IP and MAC address
- Operating ICS protocols
- Model/manufacturer, serial number
- Firmware version
- Applications installed and versions
6. Follow Up with Traffic Analysis
Maintenance windows and safety risks can prevent the physical inspection of certain assets. Augment the physical inspection inventory with passive network traffic capture. This will require coordination and approval from operations staff and a configured SPAN port feeding a network security monitoring platform such as Security Onion. Common capture times range from 2 to 24 hours. Identify critical assets through packet analysis and by observing ICS protocol traffic patterns. Use features in free tools like Wireshark to help:
- Wireshark > Statistics > Endpoints
- Wireshark > Statistics > Protocol Hierarchy
- Wireshark > Statistics > Conversations
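How the conversation statistics translate into candidate assets, as an added example that is not part of the original post: the rows below are constructed by hand to mirror the columns of Wireshark > Statistics > Conversations (address A, port A, address B, port B, packets, with address A as the initiator). A host that repeatedly accepts connections on an ICS protocol port is a candidate server (PLC, RTU, BACnet controller); the host that initiates them is a candidate client (HMI, engineering workstation, historian poller). The port table, the packet threshold and the role labels are assumptions for the example, and every label should be confirmed on site before it goes into the inventory.

```python
"""Infer candidate ICS assets from conversation statistics (added example)."""
from collections import defaultdict

# Ports named in the post. Assumption: a service on one of these ports is ICS.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 47808: "BACnet"}
MIN_PACKETS = 10  # assumption: ignore one-off probes; tune to the capture window

# Constructed conversations: (addr_a, port_a, addr_b, port_b, packets).
# Address A is the side that initiated the conversation.
SAMPLE_CONVERSATIONS = [
    ("10.10.1.20", 51234, "10.10.2.5", 502, 4800),    # HMI polling PLC 1
    ("10.10.1.20", 51235, "10.10.2.6", 502, 4700),    # HMI polling PLC 2
    ("10.10.1.30", 49152, "10.10.2.5", 502, 120),     # engineering workstation
    ("10.10.1.40", 49153, "10.10.2.5", 44818, 900),   # EtherNet/IP client
    ("10.10.1.99", 60000, "10.10.2.6", 502, 2),       # single probe, below threshold
    ("10.10.1.20", 51300, "10.10.3.1", 443, 300),     # non-ICS traffic, ignored
]


def infer_roles(conversations, min_packets=MIN_PACKETS):
    """Return {ip: {"serves": {proto: peer_count}, "consumes": {proto: peer_count}}}.

    "serves" counts distinct clients that talked to this host on an ICS port;
    "consumes" counts distinct ICS servers this host initiated conversations to.
    """
    serves = defaultdict(lambda: defaultdict(set))
    consumes = defaultdict(lambda: defaultdict(set))
    for a, pa, b, pb, packets in conversations:
        if packets < min_packets:
            continue
        # Work out which side holds the ICS service port.
        if pb in ICS_PORTS:
            server, client, proto = b, a, ICS_PORTS[pb]
        elif pa in ICS_PORTS:
            server, client, proto = a, b, ICS_PORTS[pa]
        else:
            continue
        serves[server][proto].add(client)
        consumes[client][proto].add(server)
    roles = {}
    for ip in set(serves) | set(consumes):
        roles[ip] = {
            "serves": {p: len(c) for p, c in serves[ip].items()},
            "consumes": {p: len(s) for p, s in consumes[ip].items()},
        }
    return roles


def candidate_label(role):
    """Heuristic asset label from a role summary; confirm on site before recording."""
    if role["serves"]:
        return "field device (PLC/controller)"
    if sum(role["consumes"].values()) > 1:
        return "supervisory client (HMI/historian/EWS)"
    return "single-target client (EWS or maintenance host)"


if __name__ == "__main__":
    for ip, role in sorted(infer_roles(SAMPLE_CONVERSATIONS).items()):
        print(ip, candidate_label(role), role)
```

The packet threshold matters for the failure mode the post warns about: short or partial captures contain one-off probes and maintenance connections that are not the steady-state traffic pattern, so a conversation with two packets should not turn a host into an inventory entry on its own.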
7. Storing Asset Inventory Back at the Office
The asset inventory is incredibly valuable. When back at the office, store inventory updates in a database that is:
- Scalable: Scalable databases help ensure that site inventories can be updated or expanded; back them up regularly.
- Searchable: All fields should be indexed to enable quick searches across the gathered inventories when used in conjunction with threat intelligence or vulnerability information.
- Secure: Standard data protection and security practices, including authentication and network segmentation, should be used to protect this sensitive data.
8. Asset Inventory for ICS Defense
Use threat intel to drive searches across an established inventory database for vulnerabilities and targeted assets for proactive defense changes. Targeted assets include the following:
- Data Historian: This is a database that stores operational process records. It can be abused to pivot from a compromised asset in IT to one in the ICS network(s).
- Engineering Workstation: This workstation has access to software to program and change programmable logic controllers and other field device settings/configurations.
- Human Machine Interface: The HMI is a visual interface between the physical process and operators that is used to review and control the process.
- Programmable Logic Controllers: PLCs connect the physical hardware in the real world and run logic code to read the state or change the state of the engineered process.
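One way to put sections 5, 7, and 8 together, as an added example that is not part of the original post: an SQLite inventory whose columns are the attributes listed in section 5, with indexes on the fields that threat-intel searches hit most (section 7), and a query that runs an advisory against it to find affected assets (section 8). The vendor names, models, firmware versions, and the advisory itself are constructed placeholders; a real deployment would keep this behind the authentication and segmentation the post calls for.

```python
"""ICS asset inventory in SQLite with threat-intel driven queries (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS assets (
    id            INTEGER PRIMARY KEY,
    site          TEXT NOT NULL,
    location      TEXT NOT NULL,      -- room / cabinet / rack
    facility_type TEXT,
    asset_type    TEXT NOT NULL,      -- PLC, HMI, Historian, EWS, SIS, network
    tag           TEXT NOT NULL UNIQUE,
    function      TEXT,
    impact        TEXT,               -- impact to operations if unavailable
    ip            TEXT,
    mac           TEXT,
    protocols     TEXT,               -- comma separated ICS protocols
    manufacturer  TEXT,
    model         TEXT,
    serial        TEXT,
    firmware      TEXT,
    applications  TEXT                -- installed applications and versions
);
CREATE INDEX IF NOT EXISTS idx_assets_vendor ON assets(manufacturer, model);
CREATE INDEX IF NOT EXISTS idx_assets_ip ON assets(ip);
CREATE INDEX IF NOT EXISTS idx_assets_type ON assets(asset_type);
"""

# Constructed sample assets with placeholder vendor and model names.
SAMPLE_ASSETS = [
    ("Plant A", "Control room rack 1", "water", "PLC", "PLC-101", "Pump control",
     "Loss of pumping", "10.10.2.5", "00:11:22:33:44:01", "Modbus/TCP,EtherNet/IP",
     "ExampleVendor", "X100", "SN001", "2.1.0", ""),
    ("Plant A", "MCC cabinet 3", "water", "PLC", "PLC-102", "Valve control",
     "Loss of flow control", "10.10.2.6", "00:11:22:33:44:02", "Modbus/TCP",
     "ExampleVendor", "X100", "SN002", "2.4.1", ""),
    ("Plant B", "Control room rack 2", "water", "HMI", "HMI-201", "Operator view",
     "Loss of view", "10.20.1.20", "00:11:22:33:44:03", "Modbus/TCP",
     "OtherVendor", "ViewStation", "SN003", "", "SCADA Client 5.2"),
]


def version_tuple(v):
    """Parse a dotted firmware string into a comparable tuple; empty -> (0,).

    Non-numeric suffixes ("2.1b") are stripped so a malformed field cannot
    crash the search; an unknown firmware sorts as the oldest possible version
    so it is flagged for verification rather than silently skipped.
    """
    parts = []
    for p in v.split(".") if v else []:
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts) or (0,)


def open_inventory(path=":memory:"):
    """Create the schema and load the constructed sample assets."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT OR IGNORE INTO assets (site, location, facility_type, asset_type, tag, "
        "function, impact, ip, mac, protocols, manufacturer, model, serial, firmware, "
        "applications) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ASSETS)
    conn.commit()
    return conn


def affected_assets(conn, manufacturer, model, fixed_in):
    """Return (tag, site, firmware, impact) for assets of the given vendor/model
    running firmware older than `fixed_in`.

    The indexed vendor/model lookup happens in SQL; the version comparison is
    done in Python because dotted versions do not sort correctly as text.
    """
    rows = conn.execute(
        "SELECT tag, site, firmware, impact FROM assets "
        "WHERE manufacturer = ? AND model = ?", (manufacturer, model)).fetchall()
    return [r for r in rows if version_tuple(r[2]) < version_tuple(fixed_in)]


if __name__ == "__main__":
    db = open_inventory()
    # Constructed advisory: ExampleVendor X100 firmware fixed in 2.3.0.
    for tag, site, fw, impact in affected_assets(db, "ExampleVendor", "X100", "2.3.0"):
        print(f"{tag} at {site}: firmware {fw}, impact if unavailable: {impact}")
```

Returning the impact column alongside the match is deliberate: when an advisory hits several assets, the impact-if-unavailable field captured on site is what lets the defender order the patching or mitigation work with operations staff.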
Dean Parsons' upcoming ICS515 classes:
- SANS Paris June 2021 Online | June 14 - 19
- SANSFIRE 2021 Online | July 12 - 17