I am on several mailing lists and get news about ICS cybersecurity and bulletins. This past week I looked at another vulnerability bulletin characterized as “Exploitable remotely/low skill level to exploit” and stating that the exploit “could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system”. I looked further down and read about the suggested mitigations. The manufacturer's more general instructions (reproduced below in this blog) for “best security practices for industry” raised an eyebrow.
Although I would add patch management and some other activities, the list seems OK as a basic list of recommended practices. What concerned me is that the instructions seem to assume that there is a dedicated person or section designated as responsible for implementing and overseeing the application of these best practices. I have visited some sites in the past where there is no SOC or any kind of person with the responsibility for ensuring that “control system devices and/or systems are not connected to the Internet”. This kind of policy will not be implemented by pasting it on a wall for staff to read. There needs to be a mechanism in place that includes people assigned to implement and monitor the application of the recommended practices.
It is not enough to just be aware of established best practices. They must become an organic part of the operation and maintenance of the system. Someone must be assigned (I suspect in some places there is no one) to read these bulletins and then submit them to a process that will review, digest and apply them where appropriate.
Any such list of best practices should include an additional bullet point or footnote clearly stating that implementation requires assigning responsibility and allocating resources for maximum impact on the safety, reliability and performance of the operation.
There must be someone there who is patrolling the perimeter and reporting on its status.
Below is the manufacturer's information on a vulnerability discovered in their product, from October 2019:
[Manufacturer X] “recommends the following best cybersecurity practices for industry:
- Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
- Physical controls should be in place so no unauthorized person has access to the ICS and safety controllers, peripheral equipment, or the ICS and safety networks.
- All controllers should reside in locked cabinets and never be left in “Program” mode.
- All programming software should be kept in locked cabinets and should never be connected to any network other than the network for devices intended.
- All methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., should be scanned before use in the terminals or any node connected to these networks.
- Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and/or systems and ensure they are not accessible from the Internet.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”