Hardening (also called bastioning) of equipment is a common practice in cybersecurity; it aims at configuring the security mechanisms of each device correctly.
In the industrial world, availability has always been the priority, so communications have focused mainly on data integrity and real-time delivery of data, which differs completely from the IT (Information Technology) world. The communication levels found in an industrial network are the following:
- Information level: the top level of a plant, where the devices that gather information and manage the automation systems are found, such as SCADA devices.
- Control level: this level contains the PLCs (Programmable Logic Controllers) and the automation systems. The maximum latency is a fraction of a second.
- Field level: this level contains the field devices, such as sensors and actuators, I/O modules, etc. Information is transmitted cyclically and is characterized by a short bus cycle, which varies from a tenth of a microsecond to hundreds of milliseconds.
- MES level: the planning or integration level, where the manufacturing execution systems (MES) are located. This level makes it possible to organize, control and monitor processes in factories, achieving maximum efficiency and cost reduction.
- ERP level: the last level of the pyramid, corresponding to integrated enterprise resource planning (ERP) systems. This level controls all business management processes, but is not specialized in the production management of factories.
(Figure: automation pyramid.)
For communications between these devices, different protocols are used, such as the following:
- Modbus RTU.
- Ethernet TCP/IP.
- Modbus TCP/IP.
Each protocol has different characteristics depending on the communication it supports. In some cases, using any of these protocols without additional security measures can leave the communication vulnerable. This is why securing communications over industrial protocols is as important as hardening the equipment itself.
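Modbus TCP/IP is a good illustration of the point above: its header carries no credential at all, so whether a write request is legitimate can only be judged by where it comes from. The following added example (not from the original article) parses constructed Modbus/TCP frames and flags write requests from hosts outside an allowlist, the kind of check an industrial firewall or IDS applies in front of a PLC; the IP addresses and the allowlist are assumptions.

```python
"""Added example (not from the original article). Parses Modbus/TCP frames and
flags writes from hosts outside an allowlist. The MBAP header has no field for a
credential, so this kind of source-based check is left to a firewall or IDS."""
import struct

# Function codes that change PLC state (coil and register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed allowlist (assumption): only the SCADA server may write to the PLC.
AUTHORIZED_WRITERS = {"10.0.1.10"}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the function code that follows it. No field authenticates
    the sender: any host on the segment can issue a write."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def check_frame(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or an alert line for one client-to-server frame."""
    hdr = parse_mbap(frame)
    if hdr["fc"] in WRITE_FUNCTION_CODES and src_ip not in AUTHORIZED_WRITERS:
        return (f"ALERT unauthorised write fc={hdr['fc']} "
                f"unit={hdr['unit']} from {src_ip}")
    return "allow"


def audit(traffic) -> list:
    """Apply check_frame to a list of (source ip, raw frame) pairs."""
    return [check_frame(ip, frame) for ip, frame in traffic]


# Constructed sample traffic: HMI read, SCADA write, then two writes from a
# host that is not on the allowlist.
SAMPLE_TRAFFIC = [
    ("10.0.1.20", bytes.fromhex("00010000000601030000000a")),  # fc 3 read 10 regs
    ("10.0.1.10", bytes.fromhex("000200000006010600100001")),  # fc 6 write reg 16
    ("10.0.1.99", bytes.fromhex("00030000000601050000ff00")),  # fc 5 coil 0 on
    ("10.0.1.99", bytes.fromhex("00040000000b0110000000020400010002")),  # fc 16
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

Running the script prints "allow" for the first two frames and an alert for each write from the unlisted host, showing what a firewall rule or IDS signature has to supply on top of the protocol.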
How to create a baseline for my industrial environment?
Initially, it is necessary to have a broad knowledge of our system and of the possible failures that can be found within it. To do this, a risk assessment and a classification must be carried out, followed by the development of a mitigation plan.
The problem encountered here is that, depending on how long the mitigation plan takes to implement, the solutions devised may become obsolete.
Implementing a cybersecurity standard provides a basis for the minimum requirements of a secure industrial environment, without going into specific cases or specific suppliers. Below are the standards that cover the security implementations mentioned above:
- ISA/IEC 62443.
- NIST SP 800-82.
- FERC (Federal Energy Regulatory Commission).
- NERC (North American Electric Reliability Corporation).
Here are four steps to harden our systems: software, hardware and physical.
- The plan should help inventory which hardware and software are authorized and which are not, focusing protection on critical business assets. Secure and 'harden' industrial network configurations, endpoints and control systems; continuously assess and remediate vulnerabilities; and control the use of administrator privileges. The first five points of the 'CIS Critical Security Controls' can be used for this.
- All network and web connections to control systems should be secured, if they are necessary at all. Such connectivity creates problems that often outweigh its potential benefits, so it should be minimized and eliminated wherever possible. Wireless and remote access should also be secured, granting as few connection authorizations as possible.
- Strong authentication helps protect systems against digital attacks, so strong authentication measures should be incorporated into OT (Operational Technology) environments. This means not only complex and unique passwords, but also security components such as two-factor authentication (2FA).
- Understand that the weakest point of an infrastructure will always be the human being. Workers must be made aware of the risk of the actions they can take. Even with a solid defensive base, social engineering will always be the main point of attack.
Bastioning in industrial environments
Bastioning is a critical process that should be performed first of all when a new device is purchased: its default configuration can often be found in the manuals, and it typically includes enabled features and default credentials that would otherwise end up on our network.
If the devices are already installed in the system, it is advisable to go through them one by one looking for possible vulnerabilities or unwanted features, as could be the case, for example, of a PLC with a web service that is never used but still has default credentials.
Different types of bastioning can be distinguished:
- Server bastioning: safeguarding the integrity and protection of the data, ports, components, functions and permissions of a server, using advanced hardware, firmware and software measures.
  - Configuration of logs and services, and keeping everything up to date.
- Network bastioning: ensuring security in the basic communication infrastructure made up of the multiple servers and computer systems operating within the network.
  - Implementation of security policies, hardening and a clear delimitation of user privileges.
- Bastioning of software applications: upgrading or adding security measures to protect standard applications as well as installed third-party applications.
  - Implementation of firewalls, use of anti-virus applications, patching of applications.
- Operating system bastioning: applying patches and advanced security measures to secure a server's operating system.
  - Updating the operating system, configuring user privileges within the system, etc.
Conclusions and best practices
To conclude this article, it should be noted that the hardware and software bases configured and installed in the system are as important as the social-engineering awareness taught to employees, since a chain breaks at its weakest link, and that link is the human being.
The following are some best practices for bastioning OT equipment:
- Control remote access for OT systems: this way, you will have exhaustive control over the users who have access to the systems remotely.
- Security control of modem systems: use of secure passwords, both for the connection and for the web portal; MAC filtering configured as restrictively as possible, etc.
- Follow a good practice guide for implementing a firewall in SCADA and process control networks: periodic configuration review, proper firewall management and monitoring processes.
- Develop a cybersecurity incident plan for OT: identify existing system failures and make a long-term plan to address them and review compliance with agreed measures.
- Create a forensic analysis plan for OT: create a guide with the steps to follow in the event of an incident and the evidence to be obtained, along with its safekeeping.
- Updating antivirus signatures and functionalities: scheduling a weekly update search from a centralized server for subsequent distribution after testing in a controlled environment.
- Industrial cybersecurity training for employees: hire specialized personnel for the development of courses and execution of exercises putting into practice the knowledge acquired.
- Improve the cybersecurity of OT systems with defense-in-depth strategies: use different security elements, such as DMZs, firewalls, data diodes, etc.
- Disabling USB ports: given the malware families known in the industrial world and the capacity of malicious software to spread via external USB devices, it is advisable to disable them or to enforce a whitelist of permitted devices.
- Implementation of firewalls: place firewalls at the necessary points in the network where access control is desired.
- Intrusion prevention and detection systems: combine both elements, IPS and IDS, for greater protection, configuring them in such a way that they do not give a large number of false positives.