Dragos recently published the Dragos 2021 Year In Review report, which highlighted four key findings within the operational technology (OT) cyber threat landscape. This blog continues the series that expands on each of these findings, focusing on external connections to the internal industrial control systems (ICS) environment.
The report stated, “70% of industrial control system (ICS) environments have external connections from original equipment manufacturers (OEMs), information technology (IT) networks, or the internet to the operational technology (OT) network, which is more than double the amount from 2020.”
What are externally routable connections to ICS environments?
Since the emergence of industrial infrastructure, on-site support has been one of the only options to manage or troubleshoot OT systems. Any changes to critical systems would require on-site intervention and corresponding on-site support/response conditions. As we continue to increase connectivity, systems are being retrofitted to provide remote functionality, as opposed to a more rigorous re-engineering of the system entirely. Retrofitting systems could include monitoring and increasing overall visibility, troubleshooting, and/or maintenance activities for these critical systems, which also increases the opportunities for malicious actors to do the same.
An external connection is defined as any internet protocol (IP) and/or asset that communicates beyond a pre-defined security perimeter. The ICS environment security parameters consist of implemented levels or zones for network architecture and segmentation that typically follow the Purdue Model. The Purdue Model consists of standardized level or zone numbers assigned to groupings of logical or physical assets that share common security requirements. The levels or zones are typically assigned as follows in the table below.
The security policy of a level or zone is typically enforced by a combination of appliances and processes both at the zone edge and within the zone. Zones can also be considered hierarchical as they can be comprised of a collection of sub-zones. Bidirectional communication must be considered and should be limited to only what’s required for operational purposes.
External access can be described as any user communicating from outside the security perimeter of a zone. This definition can also extend to communication that originates from a location that is remote and outside of the company’s boundaries – i.e., in the case of third party connections (3PCs).
Protect the environment with network segmentation/micro-segmentation
Segmentation is typically implemented by OSI Layer 3 networking devices such as firewalls, routers, etc. These devices allow for a large, flat network to be broken up into discrete, hierarchical segments that may or may not allow for segment inter-communication. Network segmentation involves developing and enforcing a ruleset for controlling communication between specific hosts and services between zones. Implementing effective network segmentation is a critical component for a defensible ICS/OT network architecture.
The more security controls that can be implemented at each layer, the more resilient the architecture will be to attack. There is also an important distinction to be made between physical and logical segmentation. Physical segmentation includes air-gapping between network segments and ensuring NO communication to any other network segments. Network micro-segmentation is a cybersecurity technique that can include both physical and logical segmentation and segments the internal networks based on a diverse set of attributes to describe a network zone.
77% of service engagements from the Dragos team showed issues with network segmentation. The most common external connections into the OT environments are third party connections (3PCs) or vendors of that organization. As such, organizations can inherit the security posture and accompanying risks of their 3PCs. 3PC connections should stipulate adopting identified security controls to ensure a secure remote access connection and should be monitored for any suspicious activity.
Five best practices for better cybersecurity
Where possible, leverage available industry guidance with specific ICS recommendations on network segmentation and remote access, including ISA/IEC 62443, NIST SP 800-82, and NERC CIP.
Implementing network segmentation improvements helps identify and phase out any externally communicating assets into the OT environment. Here are some tips:
- First and foremost, implement a dedicated VPN gateway, or jump-host, within the enterprise DMZ. This should be the only access point into the plant environment for remote users, and remote access should never be enabled by default.
- Implement a default “deny all” access policy across the external-to-internal communication boundary (Level 4 to any lower Purdue Model level).
- Establish remote access multi-factor authentication (MFA), where possible. Otherwise, consider alternate technical controls such as a jump-host with increased logging and monitoring.
- Implement enhanced logging and monitoring across the IT/OT boundary, as well as for any highly critical assets within the OT environment. This can help to ensure you are able to identify and confirm allowed network traffic from rogue devices that may have gained access to the OT network.
- Implement network micro-segmentation. For example, create separate VLANs (Virtual Local Area Networks) for distinct groups of assets. Micro-segmentation also allows for easier and improved visibility surrounding groups of critical assets and provides flexibility in designing network access policies.
Overall ICS/OT vulnerabilities in 2021 doubled compared to 2020, totaling 1,665 vulnerabilities. Further, vulnerability analysis showed that 35% could cause both a loss of view and loss of control, which are among the worst operational scenarios to occur in an ICS/OT environment. About 90% of these identified vulnerabilities had no mitigations in place. An essential way to identify and mitigate any externally routable connections is to lock down and monitor the Level 4/Level 3 boundary – the gateway into the ICS/OT environment.
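One way to check the default-deny and boundary-monitoring tips above against observed traffic, as an added example (not Dragos code): the script maps flow records to Purdue levels and reports every flow that crosses the Level 4/Level 3 boundary, in either direction, with a verdict. The zone CIDRs, the 3.5 label for the DMZ, the jump-host allowlist entry and the flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): CIDR -> Purdue level; 3.5 marks the DMZ.
ZONES = [(ipaddress.ip_network(c), lvl) for c, lvl in [
    ("10.10.0.0/16", 4.0),   # enterprise IT
    ("10.20.0.0/24", 3.5),   # DMZ holding the jump host
    ("10.30.0.0/16", 3.0),   # site operations
    ("10.40.0.0/16", 2.0),   # supervisory control
    ("10.50.0.0/16", 1.0),   # basic control
]]
EXTERNAL = 5.0  # not in the zone map: internet, OEM or other third party

# Default deny: only these (src, dst, dst_port) tuples may cross the boundary.
ALLOW = {("10.20.0.10", "10.30.0.5", 3389)}  # hypothetical jump host -> workstation

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.30.0.5", 3389),    # jump host, allowlisted
    ("10.10.4.7", "10.40.1.20", 502),     # IT host straight to Level 2
    ("10.50.2.3", "203.0.113.50", 443),   # Level 1 asset talking outbound
    ("10.30.0.5", "10.40.1.20", 502),     # stays inside OT
    ("10.20.0.10", "10.30.0.5", 22),      # jump host, port not allowlisted
    ("10.10.4.7", "10.20.0.10", 443),     # IT to DMZ, never reaches OT
]

def level(ip):
    """Map an address to its Purdue level, or EXTERNAL if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in ZONES if addr in net), EXTERNAL)

def audit(flows):
    """Return (src, dst, port, verdict) for flows crossing the Level 3 boundary."""
    findings = []
    for src, dst, port in flows:
        lo, hi = sorted((level(src), level(dst)))
        if not (lo <= 3.0 < hi):
            continue  # both ends on the same side of the boundary
        if (src, dst, port) in ALLOW:
            verdict = "allowed"
        elif hi >= 4.0:
            verdict = "violation: bypasses DMZ"
        else:
            verdict = "violation: not in allowlist"
        findings.append((src, dst, port, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Because the check ignores direction, the outbound flow from the Level 1 asset is reported alongside the inbound ones, which matches the point that bidirectional communication must be considered.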
– This originally appeared on Dragos’ website. Dragos is a CFE Media and Technology content partner.