I found this article by Galina Antova, former global head of industrial security services at Siemens, very interesting for a number of reasons.
The initial 'commandments' (details on the specific requirements and inherent challenges of applying security to a rigid OT environment) do the best job I've come across of encapsulating the problems we security practitioners encounter when addressing security in these scenarios. Neatly summarised, the few short points cover the nature of ICS-specific threats and the reasons why they aren't straightforward to address.
The two key aspects for me, both in framing the problem and in looking to define a framework to help, are:
- Full visibility. An OT environment is both more static than traditional IT and more susceptible to dangerous consequences if unvetted changes are made, so the natural starting point is simply to observe more of the behaviour that is actually occurring: full network visibility, including OT-specific protocols (Modbus, DNP3, PROFINET and the like) and serial communication, baselining of connectivity and behaviour so that deviations stand out, non-intrusive (passive) detection methods, and testing that does not itself disturb the process.
- Related to the first point is the absolute criticality of the networks we're looking to protect. Even an active port or vulnerability scan can crash a fragile PLC or RTU, and a penetration test that actually gains access can disrupt the process it controls. These environments run day-to-day power generation, water treatment, oil and gas production, and other things that we all rely upon. It's natural for the custodians of these systems to place availability and reliability over and above security threats that remain hypothetical until a breach occurs.
We can all help with these issues. Greater understanding of the problems and a concerted, joint effort to address them, taking in the concerns of both IT and OT professionals, is a first step.
Let's explore some of the important requirements for a new technical approach to ICS security:
- You can't regularly take ICS process/production offline to implement and update security tools.
- You can't run active scanning tools that can crash industrial endpoints or load network traffic on fragile ICS networks.
- You have to detect known and unknown threats.
- You have to detect ICS-specific threats; there is a small but growing list of threats designed specifically for ICS.
- You have to detect vulnerabilities (CVEs) in the control systems, not just the Windows boxes.
- You have to uncover network configuration issues that expose industrial systems.
- To create segmentation inside your ICS network, you need to know which ICS assets are talking to each other beforehand so you don't break pathways and disrupt operational processes.
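The visibility point above (passively baseline who talks to whom and what they do, then alert on deviations) and the final segmentation point (know the existing pathways before you put a firewall between zones) both come down to the same piece of work, so here is one worked example covering both. This is my own illustration added for this post, not code from Antova's article or from any vendor product. The hosts, zone mapping and flow records are constructed: they stand in for the summaries a passive SPAN-port or TAP collector would produce, and the Modbus function-code classification (5, 6, 15, 16, 23 change process state) is the only part that is not an assumption.

```python
"""Passive connectivity and behaviour baseline for an OT segment.

Added example for this post; the hosts, zones and flows below are
constructed to mimic what a passive collector would summarise.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Modbus function codes that write to the process (coils/registers).
# Reads are 1-4; these are the ones that change state.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    modbus_fc: Optional[int] = None  # function code when dport == 502


# Constructed learning-window traffic (assumed addresses):
# an HMI polls two PLCs, writes a setpoint to PLC1, a historian reads
# the HMI database, and PLC1 syncs time with an NTP server.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 3),    # HMI -> PLC1 read
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp", 3),    # HMI -> PLC2 read
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 16),   # HMI -> PLC1 write
    Flow("10.10.1.30", "10.10.1.10", 1433, "tcp"),      # historian -> HMI DB
    Flow("10.10.2.21", "10.10.1.40", 123, "udp"),       # PLC1 -> NTP
]

# Constructed "live" traffic containing three kinds of deviation.
LIVE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 3),    # normal poll
    Flow("10.10.1.30", "10.10.2.22", 502, "tcp", 16),   # historian writes PLC2: new path + write
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp", 6),    # HMI writes PLC2: known path, never wrote before
    Flow("10.10.1.50", "10.10.2.21", 22, "tcp"),        # unknown host, SSH to PLC1
]

# Assumed zone assignment used only for the segmentation step.
ZONES = {
    "10.10.1.10": "supervisory", "10.10.1.30": "supervisory",
    "10.10.1.40": "supervisory",
    "10.10.2.21": "control", "10.10.2.22": "control",
}


class Baseline:
    """What was observed during the learning window; nothing is ever sent."""

    def __init__(self):
        self.conversations = set()          # (src, dst, proto, dport)
        self.modbus_fcs = defaultdict(set)  # (src, dst) -> function codes seen

    def learn(self, flows: List[Flow]) -> "Baseline":
        for f in flows:
            self.conversations.add((f.src, f.dst, f.proto, f.dport))
            if f.modbus_fc is not None:
                self.modbus_fcs[(f.src, f.dst)].add(f.modbus_fc)
        return self

    def check(self, flow: Flow) -> List[str]:
        """Alerts for one observed flow: unseen pathway, or a Modbus write
        from a pair that only ever read during the learning window."""
        alerts = []
        if (flow.src, flow.dst, flow.proto, flow.dport) not in self.conversations:
            alerts.append(f"new conversation {flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
        seen = self.modbus_fcs.get((flow.src, flow.dst), set())
        if flow.modbus_fc in MODBUS_WRITE_FCS and flow.modbus_fc not in seen:
            alerts.append(f"unbaselined Modbus write FC{flow.modbus_fc} {flow.src}->{flow.dst}")
        return alerts


def detect(baseline: Baseline, flows: List[Flow]):
    return [(f, a) for f in flows for a in baseline.check(f)]


def segmentation_rules(baseline: Baseline, zone_of: dict):
    """Cross-zone conversations in the baseline: the allow-list any firewall
    inserted between zones must carry, or these pathways break."""
    rules = set()
    for src, dst, proto, dport in baseline.conversations:
        zs, zd = zone_of.get(src, "unknown"), zone_of.get(dst, "unknown")
        if zs != zd:
            rules.add((zs, zd, proto, dport))
    return sorted(rules)


if __name__ == "__main__":
    base = Baseline().learn(BASELINE_FLOWS)
    for flow, alert in detect(base, LIVE_FLOWS):
        print("ALERT:", alert)
    print("cross-zone allow-list:", segmentation_rules(base, ZONES))
```

Two things worth noting about the design. The baseline only ever listens, so it satisfies the "no active scanning" constraint; and it keeps Modbus function codes per source/destination pair rather than per host, so a workstation that legitimately writes setpoints to one PLC still raises an alert the first time it writes to a different one. The segmentation step is deliberately boring: the output is the list of zone-crossing conversations you must permit before inserting a firewall, which is exactly the knowledge the last bullet says you need beforehand.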