- Hardening is a process whereby a computer is made more resistant to cyber intrusion from malicious attack and from accidental infection.
- Companies should update and patch their systems as often as they can.
- Recording activities, hosting firewalls and preventing untrusted use are also key steps to hardening an industrial computer.
As cybersecurity attacks on industrial processes become more common, the number of companies taking active steps to protect their critical control systems is growing. Advisors and consultants — internal and external — often provide key personnel with a list of requirements and recommendations on how to improve overall security. This list almost always includes a requirement to “harden” industrial computers.
Hardening is a process whereby a computer is made more resistant to cyber intrusion from malicious attack and from accidental infection. Hardening acts by remediating known vulnerabilities, by positioning the system to reject certain classes of attack, and by documenting system activities.
An industrial computer is never going to be completely impervious to intrusion, but the hardening process gives industrial systems additional layers of cybersecurity protection. It is worth exploring six different areas of hardening, each of which deserves an in-depth study. However, as a starting point, consider the following overview:
1. Update and patch industrial PCs
Every attempt to protect a system from a cyber attack is imperfect. Every element of hardware and software has the potential to contain vulnerabilities. Manufacturers release updates and patches to remediate potential and known vulnerabilities. Applying these patches and updates in a timely manner is one of the best ways to keep a computer resistant to attack. A machine grows steadily more vulnerable while known vulnerabilities remain unpatched, and the risk rises the longer it has been since they were identified.
In the industrial world, it is often impractical to halt production to apply patches on a weekly basis, but having a planned schedule for patch application, perhaps quarterly, is recommended. It is also important to recognize not every patch should be immediately applied. When original equipment manufacturer (OEM) control software is involved, the risk of an untested patch causing a failure in industrial software can be high. Most OEMs have their own testing program that validates operating system (OS) patches against their own equipment, and sometimes OS patches drive corresponding updates to OEM systems.
2. Prevent file system mount for industrial PCs
Like any computer, industrial PCs are vulnerable to individuals attaching devices that contain infected data. Even without malicious intent, an operator who wants to show a coworker pictures of their kids might plug in a thumb drive. A well-intentioned engineer who needs to move a data file might use a portable hard drive rather than following the proper secure file transfer methods. Systems that evaluate files for danger are frequently out of date, so it can be more straightforward to prevent access to new file systems completely. It doesn’t matter whether the device is infected or not if the OS refuses to recognize the files.
3. Prevent new network attachment for industrial PCs
It is not uncommon to find evidence of connections from industrial computers to untrusted networks. Whether this is Wi-Fi being connected to a hotspot to watch YouTube, or an iPhone being plugged in with the intention of charging it, any network connection other than an authorized industrial control network is a high risk. Once the designed network connections are established, all extra network connections should be prevented.
4. Prevent untrusted use with application and file control in industrial PCs
The actions of a computer are based on the programs that run on it. Only the programs that are planned for normal use should be allowed. Authorized users should be the only ones allowed to execute the required programs. Unauthorized users must be prevented from executing untrusted or even trusted programs. Likewise, modifying files on disk should also be limited to authorized processes and users.
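One practical half of application and file control is knowing which program files are supposed to be on the machine and noticing when any of them change. The following is an added example, not code from the article or from Maverick Technologies: it takes a SHA-256 baseline of a program directory while the machine is in its known-good state, then reports binaries that were modified, added or removed. The directory, file names and contents are constructed for the demo. Execution enforcement itself (only listed programs may run, only listed users may run them) is done with the operating system's allowlisting feature; this script is the integrity check a defender runs beside it.

```python
"""Baseline-and-verify integrity check for program files on an industrial PC.

Added example (not from the article). A manifest of SHA-256 hashes is taken
while the host is in its known-good state; later checks flag files that
changed, appeared or disappeared. Paths and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current state of root against a previously taken manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, alter the directory, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"HMI v1.0 release build")
        (root / "bin" / "historian_agent.exe").write_bytes(b"agent v2.3")
        (root / "config.ini").write_text("[plc]\naddress=10.0.5.10\n")
        baseline = build_manifest(root)

        # Three conditions a verifier must catch: a changed binary, an
        # unplanned new binary, and a planned binary that has gone missing.
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"HMI v1.0 tampered build")
        (root / "bin" / "update_helper.exe").write_bytes(b"unexpected new binary")
        (root / "bin" / "historian_agent.exe").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be stored off the machine (or in a location the local users cannot write to); a manifest kept next to the files it protects can be rewritten by whatever changed the files.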
5. Host firewalls to prevent untrusted network traffic to industrial PCs
Host firewalls are programs that run locally on the computer and prevent unauthorized network communication. They can limit the types of data that can be exchanged, the protocols used for the exchange, and the endpoints of the conversation. Network firewalls should prevent unwanted traffic across the locations where the firewalls are physically installed, but it is generally not feasible to install them adjacent to every individual computer. Host firewalls on every computer will prevent unwanted traffic between computers that are in the same physical network zone.
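The three things a host firewall rule constrains (protocol, endpoint, port) are easiest to reason about as an ordered, default-deny list. The following is an added example, not code from the article: a small model of an inbound policy for a hypothetical HMI host, evaluated against constructed flows, plus a check that flags any "allow from anywhere to any port" rule that would quietly undo the default deny. All addresses, ports and host roles are assumptions made up for the demo; the same tuples are what one would enter as inbound rules in Windows Defender Firewall or nftables on a real machine.

```python
"""Default-deny host firewall policy for one industrial PC, as a model.

Added example (not from the article). Rules are evaluated top-down, the
first match wins, and anything unmatched is dropped. Addresses, ports
and roles are constructed for a hypothetical HMI in the control zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    remote: str           # CIDR the remote (source) address must fall within
    dport: Optional[int]  # local destination port; None matches any port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    remote_ip: str
    dport: int


# Constructed inbound policy. Note there is no "allow any" at the bottom:
# whatever is not listed is dropped by evaluate().
POLICY: List[Rule] = [
    Rule("allow", "tcp", "10.0.5.0/24", 502, "Modbus/TCP from the PLC subnet"),
    Rule("allow", "tcp", "10.0.9.10/32", 3389, "remote desktop from the jump host only"),
    Rule("allow", "udp", "10.0.9.20/32", 161, "SNMP polling from the zone monitoring server"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return ip_address(flow.remote_ip) in ip_network(rule.remote, strict=False)


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for an inbound flow; first matching rule wins."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def overly_broad(policy: List[Rule]) -> List[str]:
    """Comments of allow rules that accept any remote address on any port."""
    return [
        r.comment for r in policy
        if r.action == "allow" and r.dport is None
        and ip_network(r.remote, strict=False).prefixlen == 0
    ]


def demo() -> List[Tuple[str, str]]:
    """Evaluate a few constructed inbound flows; returns (label, action) pairs."""
    cases = [
        ("rdp from jump host", Flow("tcp", "10.0.9.10", 3389)),
        ("rdp from corporate LAN", Flow("tcp", "192.168.1.50", 3389)),
        ("modbus from PLC", Flow("tcp", "10.0.5.17", 502)),
        ("smb from PLC subnet", Flow("tcp", "10.0.5.17", 445)),
        ("snmp from monitoring", Flow("udp", "10.0.9.20", 161)),
    ]
    return [(label, evaluate(POLICY, flow)[0]) for label, flow in cases]


if __name__ == "__main__":
    for label, action in demo():
        print(f"{label:24s} -> {action}")
    print("overly broad allow rules:", overly_broad(POLICY))
```

Note that the SMB flow is dropped even though it comes from the trusted PLC subnet: the rule set allows a protocol and port per peer, not a peer wholesale, which is the distinction the article draws between network-zone firewalls and per-host firewalls.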
6. Log to record activities, both for real-time detection and post-event auditing for industrial PCs
System activity logging does not necessarily harden an individual computer by itself, but it can help with the overall hardening of the systems that include it. All activities of note, such as network events, user authentication failures and successes, file system updates and many others, should be logged to a location other than the local computer. A centralized event management system can evaluate the logged events as they happen in order to detect potentially negative activities and prompt protective action. A historical record of events can assist in the evaluation of an attack after the fact so that specific vulnerabilities can be identified and remediated.
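To show what the central event system actually does with the forwarded records, here is an added example that is not from the article: a parser for forwarded log lines from several industrial PCs and three detections that follow from the areas above, a burst of authentication failures on one host, removable media being attached (area 2), and a network interface coming up that is not part of the designed network (area 3). The log line format, host names, addresses, interface names and serial number are all constructed for the demo and do not belong to any real product; the set of authorized interfaces is an assumption.

```python
"""Centralized log review for hardened industrial PCs.

Added example (not from the article). Events from several hosts arrive at
one collector; the collector parses them and applies three detections.
All lines, hosts, addresses and names are constructed; the line format is
invented for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<msg>.*)$")

# Assumption for the demo: every host's designed network uses only these.
AUTHORIZED_IFACES = {"eth0", "eth1"}

# Constructed sample of forwarded events from three hosts.
SAMPLE_LOGS = """\
2024-03-04T10:00:01 hmi-01 auth: login failed user=operator src=10.0.9.55
2024-03-04T10:00:04 hmi-01 auth: login failed user=operator src=10.0.9.55
2024-03-04T10:00:07 hmi-01 auth: login failed user=admin src=10.0.9.55
2024-03-04T10:00:09 hmi-01 auth: login ok user=operator src=10.0.9.10
2024-03-04T10:12:30 eng-ws-02 usb: mass-storage attached vendor=0x0781 serial=CONSTRUCTED123
2024-03-04T10:13:02 eng-ws-02 fs: mount blocked device=sdb1 policy=no-removable-media
2024-03-04T11:40:15 hmi-03 net: interface up name=wlan0 ssid=PhoneHotspot
2024-03-04T11:40:16 hmi-03 net: interface up name=eth0
"""


def parse_logs(text: str) -> list:
    """Turn forwarded lines into events; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["msg"].split() if "=" in kv)
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "kind": m["kind"],
            "msg": m["msg"],
            "fields": fields,
        })
    return events


def detect(events: list, window_s: int = 60, threshold: int = 3) -> list:
    """Run the three detections over events in time order; return alerts."""
    alerts = []
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    flagged = set()                 # hosts already alerted for a failure burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind, msg, f = ev["host"], ev["kind"], ev["msg"], ev["fields"]
        if kind == "auth" and msg.startswith("login failed"):
            q = failures[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
                q.popleft()          # sliding window: drop failures older than window_s
            if len(q) >= threshold and host not in flagged:
                flagged.add(host)
                alerts.append({"rule": "auth_failure_burst", "host": host,
                               "detail": f"{len(q)} failures within {window_s}s from src={f.get('src')}"})
        elif kind == "usb" and msg.startswith("mass-storage attached"):
            alerts.append({"rule": "removable_media", "host": host,
                           "detail": f"serial={f.get('serial')}"})
        elif kind == "net" and msg.startswith("interface up") and f.get("name") not in AUTHORIZED_IFACES:
            alerts.append({"rule": "unplanned_interface", "host": host,
                           "detail": f"name={f.get('name')} ssid={f.get('ssid', '-')}"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_logs(SAMPLE_LOGS)):
        print(f"{a['host']:10s} {a['rule']:22s} {a['detail']}")
```

The removable-media alert fires on the attach event rather than on the later "mount blocked" line on purpose: the block confirms area 2 worked on that host, but the attach is the fact worth reviewing, and it is visible only because the host forwarded the event off the machine.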
Hardening in all six areas can be implemented to some degree with tools and features that are built-in for most OSs. This task requires specific knowledge of the OS, the security requirements and how both interact with the industrial software running on each machine. Security software can be purchased or licensed to perform the tasks in a more user-friendly manner. Some industrial facilities have engineering staff with the required skillsets to implement and maintain an asset hardening program, but many do not. Where resources are limited, a third-party partner can assist with both the up-front effort required to bring the system to the desired state and with the long-term maintenance effort.
When using a third-party partner for implementation and maintenance, and when using commercial security software, it is important to recognize local engineering staff still need to be involved with operating and monitoring the system. Hardening industrial computers is not a one-time activity; it is a continual process that must be constantly reviewed and updated.
Robert Henderson is a principal engineer with Maverick Technologies, a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org
Keywords: cybersecurity, computer hardening
What is your company doing and not doing when it comes to computer hardening?