Industrial Control System (ICS) Cyber Security: Recommended Best Practices

Number: TR12-002
Date: 10 December 2012

Audience

This Technical Report is intended for IT professionals and managers within the supervisory control and data acquisition (SCADA) systems and Industrial Control System (ICS) areas of the federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries.

Purpose

The purpose of this Technical Report is to provide SCADA and ICS IT professionals and managers with a list of technical and administrative industry best practices to help address cyber security challenges faced by owners and operators of industrial facilities using networked control system technologies.

Definitions

Industrial Control System (ICS) is a general term that encompasses several types of control systems used to automate industrial processes, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC).  These systems are used in a variety of critical applications and industries including energy and utilities, transportation, health, manufacturing, food and water.

Recommended cyber security best practices for ICS

Cyber security starts by developing an understanding of the risks an organization faces, and those it may expose its clients and other stakeholders to.  Given some of the applications of ICS, these risks can extend beyond financial and business risks and include loss of life and injury. It is therefore imperative that organizations consider their exposure to cyber threats, assess the resulting risks, and implement safeguards accordingly.  The following lists of practices provide some mitigation options an organization may consider. They require careful evaluation and testing in the applicable network environment prior to implementation. The list may be used as a checklist for associated ICS cyber security areas.

1. Network Segmentation

The purpose of network segmentation is to partition the system into distinct security zones and implement layers of protection to isolate critical parts of the system using a policy enforcement device.

It is recommended that the following best practices on network segmentation be considered:   

Firewall Configuration & Management:
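As an added illustration of the zone model described above (this is example code written for this page, not material from the CCIRC report or from any referenced standard), the following script checks a firewall rule set against a simple three-zone design. The zone names, the rule format, the "port 0 means any" convention and the sample rules are all assumptions made for the example; a real site would substitute its own zone model and export its actual rule base.

```python
# Added example (not part of the CCIRC report): a small checker for a zone-based
# firewall policy.  The zone model, the rule format and the sample rules are all
# constructed here to illustrate the segmentation principle described above.
from dataclasses import dataclass

# Assumed zone model: traffic may only cross between adjacent zones, so anything
# between ENTERPRISE and CONTROL has to terminate in the DMZ (e.g. on a historian
# or jump host) rather than pass straight through.
ZONE_RANK = {"ENTERPRISE": 0, "DMZ": 1, "CONTROL": 2}

ANY_PORT = 0  # convention used in this sample: port 0 means "any port"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str  # "allow" or "deny"


def check_policy(rules, default_action="deny"):
    """Return a list of (finding_code, rule_index) for rules that break the zone model.

    rule_index is None for findings about the policy as a whole.
    """
    findings = []
    if default_action != "deny":
        findings.append(("default_not_deny", None))
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue  # deny rules cannot open a path between zones
        distance = abs(ZONE_RANK[rule.dst_zone] - ZONE_RANK[rule.src_zone])
        if distance > 1:
            # An allow rule that jumps over the DMZ in either direction defeats
            # the layered design.
            findings.append(("zone_skip", idx))
        if rule.port == ANY_PORT or rule.proto == "any":
            # Zone crossings should be limited to named services on known ports.
            findings.append(("overly_broad", idx))
    return findings


# Constructed sample policy (not a real site's rule set).
SAMPLE_RULES = [
    Rule("ENTERPRISE", "DMZ", "tcp", 443, "allow"),       # browse the DMZ historian
    Rule("DMZ", "CONTROL", "tcp", 502, "allow"),          # historian polls PLCs (Modbus/TCP)
    Rule("ENTERPRISE", "CONTROL", "tcp", 3389, "allow"),  # finding: RDP straight into the control zone
    Rule("DMZ", "CONTROL", "any", ANY_PORT, "allow"),     # finding: any/any into the control zone
    Rule("CONTROL", "ENTERPRISE", "tcp", 25, "allow"),    # finding: control zone talks out past the DMZ
]

if __name__ == "__main__":
    for code, idx in check_policy(SAMPLE_RULES, default_action="deny"):
        rule = SAMPLE_RULES[idx] if idx is not None else "policy default"
        print(f"{code}: {rule}")
```

Run stand-alone, the script reports the three sample rules that skip a zone or are overly broad; the same check can be re-run after every firewall change as part of the configuration management process.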

2. Remote Access

A variety of technologies are available today which provide “secure” remote access to computer systems, such as firewalls, Virtual Private Networks (VPN), callback (for dial-up), multi-factor authentication, user access control, and intrusion detection.

The following best practices on remote access may be considered:

Often, ICS are used in remote locations where connectivity is limited. For this reason, ICS often use dial-up connections. Such connections should be secured. The following measures may be considered for this purpose:

3. Wireless Communications

Wireless access to the ICS network introduces risks similar to remote access with some additional threat vectors (e.g. an unauthorized individual accessing the wireless network from outside the physical security perimeter of the plant).  Additionally, the wireless medium is extremely susceptible to denial of service (DoS) attacks.  A wireless DoS attack can be detected, but it cannot be prevented if it is a physical-level (RF) attack.

The following best practices for secure wireless communications may be considered:

4. Patch Management

Patch management is an important component of an overall control system security strategy.  In many cases, the only effective mitigation for a newly discovered vulnerability is to install a vendor-released software patch or update.  The difficulty with patch management is that one cannot automatically deploy new patches into the ICS environment without risking disruption of operations.  Careful maintenance window scheduling, testing and associated policies and practices are required to balance system reliability with security.

The following best practices for patch management may be considered:

5. Access Policies and Controls

Access control is a very wide-ranging topic that covers all aspects of controlling access to a network, device or service, including physical and electronic access.

The following best practices for access policies and controls may be considered:

6. Secure the Host (System Hardening)

Hardening the components of the system means locking down the functionality of the various components in the system to prevent unauthorized access or changes, removing unnecessary functions or features, and patching any known vulnerabilities.

The following best practices for securing the host may be considered:

7. Intrusion Detection

All systems require some method of monitoring system activity and identifying potentially malicious events on the network. Without this ability to monitor a system, minor security issues will remain undetected until they become critical security incidents.

The following best practices for intrusion detection may be considered:
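As an added example of the kind of monitoring described above (example code written for this page, not from the CCIRC report), the following script applies an allow-list to Modbus/TCP requests seen by a network sensor: each known host has a role, each role has the function codes it is expected to use, and anything else is raised as an alert. The host inventory, the key=value log format and the log lines are constructed for the example; a real deployment would take the inventory from the site's asset register and the records from its own sensor.

```python
# Added example (not part of the CCIRC report): allow-list based monitoring of
# Modbus/TCP requests to PLCs.  The host inventory, the log format and the log
# lines are constructed for illustration.
import re

# Assumed inventory: which hosts may talk to the PLCs and which Modbus function
# codes each role is expected to use.
HOST_ROLE = {
    "10.1.2.10": "hmi",
    "10.1.2.11": "historian",
}
ALLOWED_FUNCS = {
    "hmi": {1, 2, 3, 4, 5, 6, 15, 16},  # reads plus the writes an operator station needs
    "historian": {3, 4},                # read holding / input registers only
}
PLCS = {"10.1.2.5", "10.1.2.6"}

# Assumed sensor log format: one request per line as space-separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    return dict(KV_RE.findall(line))


def analyse(lines):
    """Return (line_number, alert_code, source_ip) for each request to a PLC that
    falls outside the allow-list."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        event = parse_line(line)
        if event.get("dst") not in PLCS:
            continue  # only requests to PLCs are in scope here
        src = event.get("src")
        func = int(event.get("func", -1))
        role = HOST_ROLE.get(src)
        if role is None:
            alerts.append((number, "unknown_source", src))
        elif func not in ALLOWED_FUNCS[role]:
            alerts.append((number, "function_not_allowed", src))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "ts=2012-12-10T03:14:05 src=10.1.2.10 dst=10.1.2.5 proto=modbus unit=1 func=3",
    "ts=2012-12-10T03:14:06 src=10.1.2.11 dst=10.1.2.5 proto=modbus unit=1 func=4",
    "ts=2012-12-10T03:14:07 src=10.1.2.11 dst=10.1.2.6 proto=modbus unit=1 func=16",  # historian writing registers
    "ts=2012-12-10T03:14:08 src=10.1.1.77 dst=10.1.2.5 proto=modbus unit=1 func=8",   # host not in inventory
    "ts=2012-12-10T03:14:09 src=10.1.2.10 dst=10.1.2.6 proto=modbus unit=1 func=43",  # HMI using an unexpected function
    "ts=2012-12-10T03:14:10 src=10.1.2.10 dst=10.1.2.20 proto=modbus unit=1 func=3",  # not a PLC, ignored
]

if __name__ == "__main__":
    for number, code, src in analyse(SAMPLE_LOG):
        print(f"line {number}: {code} from {src}")
```

Because ICS traffic is far more regular than enterprise traffic, an inventory-driven allow-list of this kind catches both an unknown device appearing on the control network and a known device behaving outside its role, which is the sort of minor issue the text says should be noticed before it becomes an incident.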

8. Physical and Environmental Security

Physical access to critical ICS assets should be limited to only those who require access to perform their job and only using approved or authorized equipment.  In addition to physical access control, critical equipment such as ICS needs to be appropriately hardened and protected from environmental hazards. 

The following best practices regarding the physical and environmental protection of ICS assets may be considered:

9. Malware Protection and Detection

In general, the benefits of running anti-virus software on ICS hosts far outweigh the risk that the anti-virus software will have a negative impact on the system.

The following best practices to detect and protect against malware may be considered:

10. Awareness

ICS security training and awareness of personnel is an essential tool for reducing cyber security risks.  It is critical that any ICS security program have a training and awareness program so that employees understand their role and what is expected of them.  Knowledgeable and vigilant staff is one of the most important lines of defense in securing a system.

The following best practices for security training and awareness may be considered:

11. Periodic Assessments and Audits

Numerous factors affect the security of a system throughout its life cycle.  Therefore, it is important to periodically test and verify that the system is still configured for optimal security.

The following best practices for security assessments/audits may be considered:

12. Change Control and Configuration Management

Change management policy and procedures are used to control modifications to hardware, firmware, software, and documentation to ensure the ICS is protected against improper modifications prior to, during, and after commissioning.

The following best practices for ICS configuration management may be considered:
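As an added example tying the change control described here to the periodic verification recommended under Periodic Assessments and Audits (example code written for this page, not from the CCIRC report), the following script fingerprints configuration files with SHA-256, compares the current state against a baseline, and treats a modified or added file as authorised only if its new content matches what an approved change ticket recorded. The file names, contents and ticket records are constructed for the example.

```python
# Added example (not part of the CCIRC report): detecting configuration drift
# against an approved baseline.  File names, contents and the change-ticket
# records are constructed for illustration.
import hashlib


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(files):
    """files: {path: bytes} captured at commissioning or after an approved change."""
    return {path: fingerprint(content) for path, content in files.items()}


def audit(baseline, current_files, approved_changes):
    """Compare the current state against the baseline.

    approved_changes maps a path to the fingerprint authorised by a change ticket,
    so a modified file only passes when its new content is the one that was approved.
    """
    current = build_baseline(current_files)
    report = {"approved": [], "unauthorised": [], "missing": []}
    for path, digest in sorted(current.items()):
        if baseline.get(path) == digest:
            continue  # unchanged since the baseline
        if approved_changes.get(path) == digest:
            report["approved"].append(path)
        else:
            report["unauthorised"].append(path)  # changed or added without a ticket
    report["missing"] = sorted(set(baseline) - set(current))
    return report


# Constructed sample state.
BASELINE_FILES = {
    "plc01/main.project": b"ladder logic v1",
    "hmi/alarms.xml": b"<alarms/>",
    "fw/rules.conf": b"default deny",
}
CURRENT_FILES = {
    "plc01/main.project": b"ladder logic v2",  # changed under an approved ticket
    "fw/rules.conf": b"default allow",          # changed with no ticket
    "plc01/debug.ladder": b"test routine",      # added with no ticket
}
APPROVED_CHANGES = {
    # Fingerprint recorded on the (constructed) ticket that approved the v2 logic.
    "plc01/main.project": fingerprint(b"ladder logic v2"),
}

if __name__ == "__main__":
    result = audit(build_baseline(BASELINE_FILES), CURRENT_FILES, APPROVED_CHANGES)
    for category, paths in result.items():
        print(f"{category}: {paths}")
```

Keeping the baseline and the ticket fingerprints outside the control network (for example with the change records themselves) means the audit still detects drift if a component is modified directly on the plant floor.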

13. Incident Planning and Response

A comprehensive cyber incident response plan should include both proactive measures and reactive measures.  Proactive measures are those that can help prevent incidents or better allow the organization to respond when one occurs, whereas reactive measures can help detect and manage an incident once it occurs. 

The following best practices for an incident response plan may be considered:

Recommendations

CCIRC recommends that organizations review cyber security best practices, such as those included herein and in the references, and integrate the associated cyber security principles and measures within their ICS lifecycle management processes, technologies and third-party support contracts. This should include periodic reviews and a process for addressing significant changes and the resulting risk exposure in the network environment.

Reporting

Critical infrastructure operators and provincial/territorial/municipal governments potentially affected by cyber incidents are encouraged to contact CCIRC at: cyber-incidents@ps-sp.gc.ca.

References

  1. NIST SP-800-82 Guide to Industrial Control Systems Security
    http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
  2. ICS-CERT, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies
    http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
  3. CCIRC, TR08-004 Disabling Autorun Feature in Windows
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2008/tr08-004-eng.aspx
  4. CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx
  5. ICS-CERT, Incident Response Summary Report 2009 – 2011
    http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf
  6. US-CERT, Control Systems Security Program (CSSP)
    http://www.us-cert.gov/control_systems/
  7. US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
    http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf   
  8. CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks
    http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf
  9. International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems Security
    http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
  10. Communications Security Establishment Canada (CSEC), The Harmonized TRA Methodology
    https://www.cse-cst.gc.ca/en/publication/tra-1

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
