Top 20 ICS mitigations during 2023. Part 1

Posted date 21/12/2023
Autor
INCIBE (INCIBE)
Top 20 ICS mitigations during 2023. Part 1

MITRE has developed different mitigations for both corporate and industrial environments. This combination of mitigations provides users with different possibilities to defend not only and exclusively one of the two environments, but to find a point of protection between the two environments.

It should be noted that a mitigation represents a security concept along with types of technologies that can be used to prevent any technique or sub-technique (contained in the MITRE matrices) from being successfully executed and potentially affecting either the IT environment or the OT environment.
 

logo MITRE ATT&CK

- MITRE ATT&CK mitigations. Source. - 

In the following, different mitigations will be defined for the industrial environment, although certain mitigations may also be applicable to the IT environment. In addition, some specific mitigations from the MITRE list to reduce the impact on the IT environment can be applied to the OT environment and their corresponding mitigation techniques.

  • Access management: The different access management technologies allow the application of authorization restrictions. In the industrial environment, access to field devices is not sufficiently restricted, as they do not have the capabilities to support identification and authentication in many cases. The introduction of a gateway or access management device in the network would mitigate this problem by introducing the capability to the devices to integrate an authentication service through user verification. Different techniques that can be applied to implement mitigation are listed below:
    • Mode of operation: Authentication control must be in place before any logic, program or device status can be changed. Centralized authentication techniques can help to easily manage the large number of accounts on field devices.
    • Default credentials: Remove accounts with default credentials and enable only user accounts with security requirements.
    • Modification of alarm configurations: Any changes to the device related to security measures must be authenticated and authorized. Access management technologies should always be included for this type of configuration modification as it may affect not only the integrity of the device, but also the safety of the operators.
    • Firmware update: Any changes to the device firmware must be authorized and validated before being introduced to the device. In addition, access to the device or device logic must be controlled by access software.
    • Remote access: Access management technologies can help enforce authentication on critical remote services; examples include, but are not limited to device management services (e.g. telnet and SSH), data access servers (e.g. HTTP and historical) and HMI sessions (e.g. RDP and VNC).
Secure remote access management

- Secure remote access management. Source. -

  • 2- Policies for the use of user accounts: Settings related to the use of the account, such as locking the account after a number of login attempts, hours of use, etc.
    • External remote services: The configuration of functions related to the use of accounts is of vital importance for remote access. Blocking after a specific number of attempts has to be implemented, together with specific security requirements in terms of password parameterization. In addition, the implementation of time slots and a regular control of the authorized users and the equipment to which they have access should be added.
    • Access to internal services: Access to internal services in the industrial environment should be limited to users with roles and responsibilities that require access to these services from an external environment or from internal networks.
    • Password policy: After those requirements, a specific password policy must be added, defining a minimum number of characters, the use of special characters, in short, defining minimum parameters for the secure construction of the password. To this can be added the obligation to change the password every certain period of time or that it is not possible to repeat the password after a change.
  • 3- Compliance with the authorization: The device or system should restrict read, manipulation or execution privileges only to authenticated users who require access based on approved security policies. RBAC (role-based access control) controls can help reduce the burden of assigning permissions.
  • 4 - Boot integrity: The use of secure methods for booting systems in an industrial environment should be mandatory along with the verification of the integrity of the operating system and software loading mechanisms.
    • BIOS/EFI/Firmware Integrity: Checking the integrity of the BIOS, EFI or existing firmware will determine whether it is vulnerable to modification. Different technologies are available to check the integrity of the system and ensure that it has not been modified or can be modified.
  • 5- Code signature: The binary and application integrity of industrial devices must be strengthened through the verification of digital signatures to prevent the execution of unauthorized or malicious code.
    • Masking: Signed binaries should be requested.
    • Software modification: Code signatures should be used to verify that the integrity of the software installed on the industrial asset has not been modified.
    • File infection: Control the code signature of any project file stored at rest to prevent unauthorized tampering. Ensure that the signature keys are not easily accessible on the same system.
    • Execution by users: Control by system users of unsigned executables such as installers or scripts must be performed.
  • 6- Authenticity of communications: Communication within untrusted networks should be disallowed. Secure network protocols must be implemented to allow authentication between users to verify the message sent. Different methods exist, some of them are authentication by message (MAC) codes or by the digital signatures mentioned above.
Authenticity of communications

- Authenticity of communications. Source. -

  • 7- Preventing data loss: The implementation of data loss prevention technologies can be used to identify potential exfiltration’s. Different security measures should be configured to prevent the transfer of information via corporate resources, such as email, the web or physical media such as USBs.
    • Data encryption: One technique that should be implemented as a mitigation is data encryption, both at rest and during communication between devices. The use of industry-standard encryption techniques allows sensitive or restricted access data to be secure from unauthorized access.
    • Packet interception, also known as sniffing, is a technique used by attackers to steal packets during communication between two devices. Therefore, authentication techniques and protocols, encryption techniques and cryptographic protocols such as SSL/TLS must be implemented in the industrial environment. This should apply to both wired and wireless communications.
  • 8- Disabling or removing functions or programs: Another possible basic mitigation is the removal of unnecessary or vulnerable software restrictions. Vulnerability management with regard to software in the industrial environment is of vital importance to keep track of potential security vulnerabilities.
    • Vulnerability management: A vulnerability management plan will enable those responsible for the industrial environment to be able to respond quickly and effectively to vulnerability disclosures. 
    • TCP ports: It is recommended to make changes to the default TCP communication ports. The use of these default ports makes it easier for the attacker to obtain information about the program, service or the industrial device itself.

Conclusión

Throughout this first part of the blog dedicated to the 'Top 20 mitigations in ICS', it has been included mitigations to reduce the risk of failures in user management and access controls, as well as to avoid problems related to firmware integrity and communication encryption. It should be noted that these mitigations do not imply a total risk reduction but that their implementation can lead to a high-risk reduction. 

The 'second part of the top 20' will be published next week and will explain 12 new mitigations focusing on network architecture, network configuration and vulnerability scanning among others.