The U.S. Cybersecurity and Infrastructure Security Agency (CISA) put out a Shields Up advisory in conjunction with Russia’s invasion of Ukraine. It was probably necessary, since CISA would have been criticized for staying silent, but it is not terribly useful. The recommendations were largely the same ones CISA has been making on an ongoing basis: multi-factor authentication, apply security patches, close unused ports, cyber hygiene and more. There was one recommendation that was different and applicable to industrial control systems (ICS):
If using industrial control systems or operational technology (OT), conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
I like the idea of creating an ICS-focused set of new and different actions to take in a heightened threat environment. I could also see the case where there could be sector-specific actions that would be tied to the specific physical process. The keys to making it useful are to not make the list too long and not try to cover cyber hygiene/good practice.
Here are some possible entries for an ICS Shields Up List:
Increase isolation by disconnecting systems
There are a number of possibilities in this category:
- Disconnect the connections to the corporate/information technology (IT) network. If the connection is periodically required to bring in schedules and recipes, perhaps restrict it to one hour per day and verify from the firewall logs that nothing else crosses the boundary.
- Eliminate remote access that exists only for convenience. Perhaps increase on-site staffing to eliminate the need for remote access altogether.
- Convert your backup control center to a disconnected, warm standby system.
- Disconnect your safety system from your control system. Or otherwise ensure that it is configured so an attacker with administrative access on your ICS can’t disable the safety system.
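One way to check that the disconnections above actually hold, as an added example that is not from the original post: a script that audits firewall flow logs for any allowed IT/OT crossing that is not the scheduled transfer inside its daily window, and that flags remote-access protocols crossing the boundary at all. The zone address ranges, hosts, ports, time window and log lines are all constructed assumptions for illustration.

```python
# Added example (not from the original post): audit a constructed firewall
# flow log against the isolation posture described above. The networks,
# hosts, schedule and log format are all assumptions for illustration.
import ipaddress
from datetime import datetime, time

IT_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed corporate/IT zone
OT_NET = ipaddress.ip_network("10.2.0.0/16")   # assumed ICS/OT zone

# The one IT->OT flow still permitted: a scheduled recipe/schedule transfer,
# as (src, dst, dport), allowed only inside the daily window.
SCHEDULED_FLOWS = {("10.1.5.20", "10.2.0.50", 445)}
WINDOW_START, WINDOW_END = time(6, 0), time(7, 0)

# Ports whose appearance across the boundary mean remote access is still on.
REMOTE_ACCESS_PORTS = {22, 3389, 5900}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2022-03-01T06:15:02 src=10.1.5.20 dst=10.2.0.50 proto=tcp dport=445 action=allow
2022-03-01T13:40:11 src=10.1.5.20 dst=10.2.0.50 proto=tcp dport=445 action=allow
2022-03-01T02:05:00 src=10.1.7.33 dst=10.2.1.12 proto=tcp dport=3389 action=allow
2022-03-01T09:00:00 src=10.2.1.12 dst=10.1.9.9 proto=tcp dport=443 action=allow
2022-03-01T10:30:00 src=10.2.1.12 dst=10.2.1.13 proto=tcp dport=502 action=allow
2022-03-01T11:00:00 src=10.1.7.33 dst=10.2.1.12 proto=tcp dport=3389 action=deny
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def classify(rec):
    """Return a finding string for a boundary-crossing flow, or None if acceptable."""
    if rec["action"] != "allow":
        return None  # the firewall already stopped it
    it_to_ot = rec["src"] in IT_NET and rec["dst"] in OT_NET
    ot_to_it = rec["src"] in OT_NET and rec["dst"] in IT_NET
    if not (it_to_ot or ot_to_it):
        return None  # traffic that stays inside one zone is out of scope here
    if rec["dport"] in REMOTE_ACCESS_PORTS:
        return "remote access session still allowed across the IT/OT boundary"
    key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
    if key in SCHEDULED_FLOWS:
        t = rec["ts"].time()
        if WINDOW_START <= t < WINDOW_END:
            return None
        return "scheduled transfer seen outside the daily window"
    return "unexpected IT/OT crossing"


def audit(log_text):
    """Return (timestamp, src, dst, dport, finding) for every violating record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        finding = classify(rec)
        if finding:
            findings.append((rec["ts"].isoformat(), str(rec["src"]),
                             str(rec["dst"]), rec["dport"], finding))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(*f)
```

Run against the constructed log, the script reports three violations: the scheduled transfer repeated at 13:40, an RDP session from IT into OT, and an OT host reaching back out to an IT address. Denied records and traffic that stays inside the OT zone are ignored; the point is to confirm the boundary is as closed as the list says it is.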
Moving all programmable logic controllers/controllers to run mode
You could argue this is a good practice that should already be part of cyber hygiene. In the real world, many systems accept the risk of leaving Purdue Level 1 controllers in Program Mode, either because changes are frequent or because of the distance that would need to be covered to turn the physical key. In a heightened threat environment, that accepted risk is worth revisiting.
Eliminating automation/moving to manual
This is taking the CISA Shields Up guidance to the next level. Are there key, high-consequence parts of your operation that could be moved to manual operations and still allow your process to function, albeit less efficiently? Do you want to add a secondary manual component to your process to validate an automation reading prior to a critical action?
Store your latest backup offline
Periodically, you should be storing your backup offline or in a write-once, non-corruptible system so it is not compromised if your ICS is compromised. If you think the threat has risen and you may need the backup, it might be worthwhile to move the latest backup offline now, and to confirm it actually restores before you need it.
Increase your inventory/capacity
When a hurricane is coming, we stock up on water and make sure the gas tanks and batteries are full, with the expectation that we may need to go without for a while. Some sectors, such as manufacturing, could produce more of their product by running more shifts to increase the inventory in case of an outage. Tank farms could accelerate deliveries to fill up. Reservoirs can be lowered. What would you need to do to lower the impact to your customers if your ICS was out for a week?