Top 20 ICS mitigations during 2023. Part 2

Posted date 28/12/2023
Author
INCIBE (INCIBE)
To recall why this Top 20 of mitigations is necessary, it is worth highlighting the increase in attacks on industrial environments throughout this year, as predicted in the article What to expect from industrial cybersecurity in 2023? This increase in attacks is no longer confined to the industrial environment: many of them target the boundary between IT and OT.

A vulnerability in the IT environment can result in a security breach for the industrial environment associated with the corporate part, which is why, as mentioned in the first part of this article, MITRE has developed different mitigations for both the corporate environment and the industrial environment. This combination of mitigations gives users different options to defend not just one of the two environments exclusively, but to establish a point of protection between both.

Next, the remaining twelve mitigations are defined to complete the Top 20 mitigations for industrial environments. These mitigations focus more on network architecture, industrial protocols, network configuration and vulnerability scanning.

  • 9- Exploit protection: Different technologies must be used to detect and block conditions that may indicate that a software exploit is taking place:
    • Drive-by Compromise: The implementation of protections against exploits must focus on preventing different activities that could lead to a malicious website taking advantage of a vulnerability associated with a piece of equipment or software in the industrial environment.
    • WAF (Web Application Firewalls): A type of solution that limits application exposure and prevents exploit traffic from reaching vulnerable applications.
- WAF. Source. -

    • Exploit security applications: There are other types of applications, such as Windows Defender Exploit Guard (WDEG), which can be used to mitigate certain aspects of exploits. Control flow integrity checking is another possible mitigation against exploits.
  • 10- Filtering network traffic: The use of devices to filter network traffic allows control over the data and users that are communicating. Allowed/denied lists must be configured for network communications, and lists of allowed applications must also be implemented. These devices are usually firewalls with deep packet inspection capabilities, IDS, IPS, or so-called NGFWs (Next Generation Firewalls).
    • Input/output control: Allow/deny lists can be used to block access when excessive I/O connections from a system or device are detected during a specified period of time.
    • Proxy connections: Traffic to anonymous networks marked in a list can be blocked or allowed. It is advisable to have an up-to-date list of malicious networks and connections.
- Proxy server. Source. -

    • Identification of variables, labels and values: Lists of allowed commands must be drawn up according to the communication protocols between devices, and the messages or reports sent over the network must also be controlled. It is of utmost importance that this list be precise, to avoid blocking valid messages.
  • 11- Layers of mechanical protection: This mitigation is based on a design that uses layers of physical and mechanical protection to prevent damage both to devices and to industrial plant personnel.
    • Loss of safety: Protective devices must have a minimum of digital components so as not to be exposed to possible attacks. On the industrial side, these protection devices include rupture discs, relief valves, interlocks, etc.
  • 12- Multifactor authentication: This mitigation refers to the use of two or more elements to authenticate to a system, for example a username and password together with a token (either a physical one, such as a smart card, or one generated by an application). In the industrial environment, implementing tokens on low-level devices is complex, because these devices must satisfy real-time operational control and safety requirements.
- Multifactor authentication. Source. -

  • 13- Permission lists for industrial communications: These permission lists can be implemented on industrial equipment through host-based files or the hosts file itself. They specify which connections are allowed, by IP address, MAC address, port, protocol, etc.
  • 14- Network intrusion prevention: For this mitigation, intrusion detection signatures can be used to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so that it does not disrupt the protocols and communications responsible for real-time control or safety functions.
  • 15- Network segmentation: Network design can greatly reduce the chances of an attack on an industrial infrastructure. Physical and logical segmentation can prevent unauthorized access. Using DMZs to host any Internet-facing service without connecting it to the internal network is a solution that every industrial network should have. IEC 62443 indicates how industrial assets should be grouped into zones and conduits.
- Zones and conduits. Source. -
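An added example, not code from INCIBE or MITRE, that ties together mitigations 10, 13 and 15: industrial assets are grouped into IEC 62443-style zones, the conduits between zones are written as a permission list keyed by source zone, destination zone, protocol and port, and on the Modbus/TCP conduits a function-code allow list decides which commands may cross (read-only polling from the DMZ historian, writes only inside the control zone). The zones, address ranges, conduits and sample flows are all constructed for the illustration; the Modbus/TCP framing it parses (7-byte MBAP header followed by the function code) is the real protocol layout.

```python
# Added example (not INCIBE's or MITRE's code): zone-and-conduit policy check
# with a Modbus/TCP function-code allow list. All zones, addresses, conduits
# and flows below are constructed for the illustration.
import ipaddress
import struct
from dataclasses import dataclass

# Zones: groups of assets sharing a security level (address ranges constructed).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}

@dataclass(frozen=True)
class Conduit:
    """A permitted communication path between two zones (mitigation 13 style)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    # Modbus function codes allowed on this conduit; empty means the conduit
    # carries no Modbus and the payload is not inspected.
    allowed_fc: frozenset = frozenset()

# Constructed conduits: only the DMZ historian may poll the PLCs, and only with
# read-only function codes; write commands stay inside the control zone.
CONDUITS = [
    Conduit("enterprise", "dmz", "tcp", 443),
    Conduit("dmz", "control", "tcp", 502, frozenset({1, 2, 3, 4})),
    Conduit("control", "control", "tcp", 502, frozenset({1, 2, 3, 4, 5, 6, 15, 16})),
]

def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def modbus_function_code(payload: bytes):
    """Parse the 7-byte MBAP header and return the PDU function code,
    or None when the frame is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    # protocol id must be 0; the length field counts unit id + PDU bytes
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]

def evaluate(flow: dict):
    """Return ("allow" | "deny", reason) for one flow record."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) != (
            src_zone, dst_zone, flow["proto"], flow["dport"]
        ):
            continue
        if not c.allowed_fc:
            return "allow", f"conduit {src_zone}->{dst_zone} {c.proto}/{c.dport}"
        fc = modbus_function_code(flow.get("payload", b""))
        if fc is None:
            return "deny", "malformed Modbus/TCP frame on Modbus conduit"
        if fc in c.allowed_fc:
            return "allow", f"Modbus function {fc} permitted {src_zone}->{dst_zone}"
        return "deny", f"Modbus function {fc} not in allow list {src_zone}->{dst_zone}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"

def modbus_frame(fc: int, data: bytes, unit_id: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (helper to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample flows, in the shape a firewall or IDS would hand over.
SAMPLE_FLOWS = [
    # historian reads 10 holding registers from a PLC: read-only, allowed
    {"src": "10.2.0.10", "dst": "192.168.10.20", "proto": "tcp", "dport": 502,
     "payload": modbus_frame(3, b"\x00\x00\x00\x0a")},
    # historian tries to write registers (FC 16): not in the DMZ allow list
    {"src": "10.2.0.10", "dst": "192.168.10.20", "proto": "tcp", "dport": 502,
     "payload": modbus_frame(16, b"\x00\x00\x00\x01\x02\x00\x01")},
    # engineering station inside the control zone writes one register: allowed
    {"src": "192.168.10.5", "dst": "192.168.10.20", "proto": "tcp", "dport": 502,
     "payload": modbus_frame(6, b"\x00\x01\x00\x01")},
    # enterprise host talks straight to a PLC, bypassing the DMZ: no conduit
    {"src": "10.1.5.5", "dst": "192.168.10.20", "proto": "tcp", "dport": 502,
     "payload": modbus_frame(3, b"\x00\x00\x00\x01")},
    # enterprise to DMZ web service: allowed, payload not inspected
    {"src": "10.1.5.5", "dst": "10.2.0.20", "proto": "tcp", "dport": 443},
    # truncated frame on the Modbus conduit: rejected before any decision
    {"src": "10.2.0.10", "dst": "192.168.10.20", "proto": "tcp", "dport": 502,
     "payload": b"\x00\x01\x00\x00"},
    # source address that belongs to no zone at all
    {"src": "172.16.0.1", "dst": "192.168.10.20", "proto": "tcp", "dport": 502},
]

def audit(flows):
    """Evaluate each flow and return its (verdict, reason) pair."""
    return [evaluate(f) for f in flows]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow['src']:>14} -> {flow['dst']}:{flow['dport']}  {reason}")
```

The deny reasons are deliberately specific (no conduit, address in no zone, command not on the allow list, malformed frame), because in an industrial network a denied write from the DMZ is a very different event from a malformed frame and each deserves its own alert. Keeping the function-code list per conduit is what lets the same rule base enforce "read-only from outside the control zone" without blocking the engineering station's legitimate writes.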

  • 16- Restriction of web content: Just as it is recommended to restrict the use of certain applications in the industrial environment, it is also advisable to reduce and restrict access to certain websites, block downloads or attachments, block JavaScript, restrict the use of browser extensions, etc.:
    • User execution: In the case that a user or operator in the industrial environment wants to enter a website or download a file marked as untrusted, threat and downloaded file scanning devices must stop the request in real time. In addition, the downloading of compressed and encrypted files such as .zip or .rar should be restricted.
  • 17- SSL/TLS inspection: A very useful mitigation when SSL/TLS communications are taking place in an industrial environment is to capture traffic and inspect sessions for malicious or extraneous traffic. Periodic inspections of the network can detect potential intruders even before they carry out an attack.
    • Traffic to be inspected: All types of traffic should be inspected, from purely industrial frames to HTTPS or DNS traffic.
  • 18- Static network configuration: The way the different equipment within the industrial network is configured can reduce, mitigate or even prevent a possible attack. Static network configuration should be used whenever possible.
  • 19- Supply chain management: A supply chain management program should be implemented, in which different procedures and policies are defined to ensure that all devices and components from different suppliers are tested and analyzed to determine their reliability.
  • 20- Vulnerability scanning: Vulnerability scanning makes it possible to find critical and potentially exploitable points of industrial devices and software, thus enabling manufacturers to introduce patches to eliminate vulnerabilities.

Conclusion

This Top 20 of mitigations provides a basic but comprehensive guide to measures that can be implemented in an industrial environment to reduce the risk of suffering an attack. It should be noted that these mitigations do not eliminate the risk of a cyberattack, but they reduce it to a great extent.

Securing our industrial systems must be a cross-cutting task, not focused on a single point but covering every possible aspect. To facilitate it, this list provides the most important mitigations that every administrator should consider as a starting point.