Garland Technology ensures complete packet visibility by delivering a full platform of network TAP (test access point), inline bypass and packet broker products.
Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.
Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.
The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners
Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.
Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.
Industrial control systems (ICS) are the heart of our world’s critical infrastructure, powering everything we enjoy in our connected society. As organizations continue to update their operational technology (OT) with the latest advancements, they should also be aware of the threats that these cyber-physical systems are exposed to. And it’s not just the risk of an external attack that should have organizations concerned. They also need to be vigilant about the growing insider threat.
When you consider what could happen if something as important as the supply of electricity, drinking water, food or medicine was disrupted, even just regionally, you can see why it’s never been more important to implement strict cybersecurity practices. Here are 6 ICS security best practices you should consider:
A complete ICS asset inventory provides the necessary foundation to apply any security controls or best practices. And we’re not talking just hardware and software (although that’s important, obviously). You also need access to data like where a device is physically located, how important it is to an industrial process, and who to call if issues ever come up. Without knowing these details, you won’t be able to do much with security-related information. We all know by now that traditional IT inventory methods were not designed for ICS and could lead to unintended consequences, including impacting a critical process, Denial of Service, and in a worst-case scenario, bricking a device. Additionally, other non-scanning IT tools may require an agent to be installed that won’t have support for old versions of Windows/Linux and boutique operating systems, which are common in ICS environments.
So, what are your options? One inventory method that has recently gained a lot of traction in the ICS security community is passive network monitoring. There’s nothing wrong with using this method, and it should be used as one piece of the asset management puzzle. The challenge is that this method returns limited information about an asset (especially if it has a legacy operating system) and doesn’t include important things like software, patches, executables, registry entries, or open ports and services. Plus, if a device is not actively communicating over the network, it’s usually missed altogether. Using a mixture of agent, agentless, native ICS protocol polling and passive monitoring methods ensures you don’t miss any critical device information and creates the most complete picture of what’s actually in your systems.
To accomplish complete ICS asset inventory and passive network monitoring, incorporating packet level visibility is a fundamental best practice to maintain a system inventory of all your networked devices, updates and all your industrial control systems (ICS), and the links between them.
Packet level visibility also enables vulnerability management and threat detection strategies, improving tool performance by eliminating blindspots that hide threats and anomalies.
Packet visibility is accomplished in two ways — switch SPAN/Mirror ports and visibility best practice network TAPs. Deploying network TAPs throughout the Industrial Ethernet framework ensures complete packet visibility for security and monitoring solutions, improving uptime, eliminating the packet delivery issues and vulnerabilities that SPAN inevitably introduces.
Many ICS servers and workstations use a set of standard usernames and passwords, and by default, grant administrator privileges. These systems could include things like domain controllers which if compromised could affect ICS integrity. To prevent this from happening, security teams should centralize the monitoring, management and reporting of access, authentication and account management to protect and validate user accounts.
Having a system that monitors account changes and access events that can share that information with IAMs and SIEMs is critical. If security teams catch unusual account activity early, it will spare everybody a lot of headaches later. You should also create and enforce policies that help prevent the abuse of user accounts in the first place, including complex passwords requirements and limited access based on the need to know.
As we’ve talked about previously, critical vulnerabilities are being discovered with increasing frequency. To minimize the window of opportunity for attackers to exploit new weak points, you need a vulnerability-first approach. Not all vulnerabilities have a patch, especially in ICS environments, and it can often be impractical to patch these systems immediately.
Passively identifying new vulnerabilities on demand is a huge advantage for asset owners. You can accomplish this with a tool that takes your ICS device data and compares it to NIST’s CVE database and ICS-CERT advisories to tell you which assets are affected and if there is an available patch. You can then take this information and use it to prioritize your patching efforts (for those assets that can actually be patched). An important caveat to remember here is that your vulnerability management tool is only as good as your asset inventory, so make sure you follow the advice from #1 first.
A misconfigured device can provide an easy entry point into your ICS for an attacker, so make sure you have a baseline of known good configurations for each endpoint that you’re continuously monitoring for changes. Removable media is another attack vector that has been gaining traction recently, so keep a close eye on that, as well. If any kind of change, including from removable media, is detected in an endpoint, ensure you are getting enough contextual data about the suspicious event to act quickly.
Using a network intrusion detection system, which is also sometimes referred to as passive network monitoring, offers an additional layer of threat detection because it identifies communication anomalies using protocols in the network. If you have both endpoint and network monitoring in place, you’ll be able to detect suspicious activity in multiple ways. This can act as a type of fail-safe mechanism so that if you somehow miss an anomaly with one technique, the other will catch it.
First, make sure you have security staff who are not only actively looking at ICS event data, but also have some level of knowledge about and training on how these environments work. Providing cross-training to your SOC teams will help them understand the differences between the IT networks they’ve traditionally monitored and the OT networks that have recently come into the picture, which are far more heterogeneous and complex.
Getting the right data to the right people is so critical for ICS security teams. Having a solution that is specialized enough for the complexity of OT systems, yet also scalable enough to fit into the broader corporate security ecosystem, is certainly a challenge. When considering an ICS cybersecurity solution, make sure it provides the actionable data that SOC teams need, like how important an industrial device is, where it’s located, and who to call at the plant if critical anomalies are detected in that asset. Additionally, you should ensure that this data can be shared in an intuitive way for them via API integrations with corporate SIEMs, CMDBs, and ticketing systems. Finally, in case the worst happens, you should always have a stored backup of known secure configurations for all your ICS devices in a place that can be accessed by both IT security and OT operations teams in an emergency situation.
If you’d like more information about how to apply these ICS security best practices in your environment, we recommend exploring the 20 CIS Controls. This framework prioritizes cybersecurity best practices into digestible implementation groups to help you get security done. Check our 20 CIS Controls Implementation Guide for ICS, which adapts this framework for the unique needs of industrial environments and offers helpful tips from security experts.
Erin is a passionate supporter of the mission to empower critical infrastructure organizations with stronger cybersecurity for their operational technology systems. In her role at Industrial Defender, she guides strategic initiatives to transform the company from an OT security pioneer into a market leader. Prior to joining Industrial Defender, she led marketing for the North American region at another OT security innovator, SecurityMatters, which was acquired by Forescout Technologies in 2018