Industrial Control System (ICS) Cyber Security: Recommended Best Practices
Date: 10 December 2012
This Technical Report is intended for IT professionals and managers within the supervisory control and data acquisition (SCADA) systems and Industrial Control System (ICS) areas of the federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries.
The purpose of this Technical Report is to provide SCADA and ICS IT professionals and managers with a list of technical and administrative industry best practices to help address cyber security challenges faced by owners and operators of industrial facilities using networked control system technologies.
Industrial Control System (ICS) is a general term that encompasses several types of control systems used to automate industrial processes, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC). These systems are used in a variety of critical applications and industries including energy and utilities, transportation, health, manufacturing, food and water.
Recommended cyber security best practices for ICS
Cyber security starts by developing an understanding of the risks an organization faces, and those it may expose its clients and other stakeholders to. Given some of the applications of ICS, these risks can extend beyond financial and business risks and include loss of life and injury. It is therefore imperative that organizations consider their exposure to cyber threats, assess the resulting risks, and implement safeguards accordingly. The following lists of practices provide some mitigation options an organization may consider. They require careful evaluation and testing in the applicable network environment prior to implementation. The list may be used as a checklist for associated ICS cyber security areas.
1. Network Segmentation
The purpose of network segmentation is to partition the system into distinct security zones and implement layers of protection to isolate critical parts of the system using a policy enforcement device.
It is recommended that the following best practices on network segmentation be considered:
- Implement network segmentation separating business networks from control systems networks.
The ISA99 describes six levels of segmentation:
- Level 0 - The Instrumentation Bus network;
- Level 1 - Controller LAN;
- Level 2 - Supervisory HMI LAN;
- Level 3 - Operations DMZ;
- Level 4 - Enterprise LAN;
- Level 5 - Internet DMZ;
- Use a Demilitarized-Zone (DMZ) capable firewall between ICS and IT segments, or use paired firewalls to create a DMZ.
Firewall Configuration & Management:
- Ensure that all physical access to the firewall is tightly controlled;
- Document all data flows that need to cross security zone boundaries including a business justification with risk analysis;
- Implement a default deny all rule;
- Implement egress filters where there is no need for outbound traffic;
- Review firewall configurations regularly to ensure that the business case for the rule or policy is still valid and the security controls are in place;
- Ensure that firewall configuration changes are subject to at least the same change management requirements as any ICS device configuration;
- Monitor the logs and intrusion detection systems (IDS) events to look for anomalous traffic and possible intrusion attempts; and
- Define the role of the ICS firewall in a cyber incident response plan.
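The firewall practices above (a documented business justification for every cross-zone flow, a default deny-all rule, and regular reviews of whether each rule is still justified) lend themselves to an automated review. The following is an added example, not part of the CCIRC report: it reads a ruleset in a constructed "action src dst proto port" notation, compares it with a data-flow register, and reports undocumented permits, overly broad permits, rules that jump across the ISA99 levels listed earlier (bypassing the Operations DMZ), stale register entries, and a missing terminal deny. Zone names and sample flows are constructed for illustration and do not correspond to any vendor syntax.

```python
"""Review a zone-boundary firewall ruleset against a documented data-flow register.

Added example (not from the CCIRC report). Rule syntax, zone names and sample
flows are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zones named after the ISA99 levels listed in the report (constructed zone names).
ZONE_LEVEL = {
    "instrumentation": 0,
    "controller": 1,
    "supervisory": 2,
    "ops_dmz": 3,
    "enterprise": 4,
    "internet_dmz": 5,
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: str  # numeric string or "any"


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    flow: Flow


ANY = Flow("any", "any", "any", "any")

Finding = Tuple[str, Optional[Flow]]


def parse_rules(text: str) -> List[Rule]:
    """Parse one 'action src dst proto port' rule per line; '#' starts a comment."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append(Rule(action, Flow(src, dst, proto, port)))
    return rules


def review(rules: List[Rule], register: Dict[Flow, str]) -> List[Finding]:
    """Return (category, flow) findings for a ruleset checked against the register."""
    findings: List[Finding] = []
    # The last rule must be an explicit deny of everything (default deny-all).
    if not rules or rules[-1].action != "deny" or rules[-1].flow != ANY:
        findings.append(("no_default_deny", None))
    permits = [r for r in rules if r.action == "permit"]
    for r in permits:
        f = r.flow
        if "any" in (f.src, f.dst, f.proto, f.port):
            findings.append(("broad", f))  # wildcard permits defeat a deny-all policy
        if f not in register:
            findings.append(("undocumented", f))  # no business justification recorded
        if f.src in ZONE_LEVEL and f.dst in ZONE_LEVEL:
            if abs(ZONE_LEVEL[f.src] - ZONE_LEVEL[f.dst]) > 1:
                findings.append(("level_skip", f))  # crosses more than one level
    permitted = {r.flow for r in permits}
    for f in register:
        if f not in permitted:
            findings.append(("stale_register", f))  # documented but no longer enforced
    return findings


# Constructed sample ruleset and register.
SAMPLE_RULES = """
permit supervisory ops_dmz tcp 1433     # HMI pushes tags to the historian
permit ops_dmz enterprise tcp 443       # historian replica to enterprise reporting
permit enterprise controller tcp 502    # not in the register, and skips the DMZ
permit ops_dmz supervisory tcp any      # wildcard port
deny any any any any
"""

FLOW_REGISTER = {
    Flow("supervisory", "ops_dmz", "tcp", "1433"): "HMI stations push tags to the historian in the Operations DMZ",
    Flow("ops_dmz", "enterprise", "tcp", "443"): "Historian replica serves read-only reports to the Enterprise LAN",
    Flow("ops_dmz", "supervisory", "tcp", "3389"): "Jump host in the DMZ reaches supervisory HMI over RDP",
}

if __name__ == "__main__":
    for category, flow in review(parse_rules(SAMPLE_RULES), FLOW_REGISTER):
        print(f"{category:16s} {flow}")
```

Run as part of the periodic firewall review, the output is a list of rules that need either a register entry, a tighter match, or removal; a clean run produces no findings.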
2. Remote Access
A variety of technologies are available today which provide “secure” remote access to computer systems, such as firewalls, Virtual Private Network (VPN), callback (for dial-up), multi-factor authentication, user access control, and intrusion detection.
The following best practices on remote access may be considered:
- Require and enforce through terms of employment and user access control technology the use of corporate-owned laptops for remote access which are subject and maintained according to the organization's security policies;
- Require and enforce contractually and via user access control technology that vendors and contractors with remote access comply with the organization's security policies;
- Change TCP port numbers for well-known remote access protocols from their defaults;
- Configure VPN such that split tunneling is not allowed by technical policy;
- Monitor and log (log user ID, time, and duration of remote access) all remote access sessions;
- Require multi-factor (e.g. two-factor or greater) authentication for any remote access sessions;
- Encrypt all communications over untrusted networks (any network that is not exclusively used by the control system);
- Configure remote access software for maximum security;
- Require the use of strong passwords;
- Restrict remote connections to a special machine in the ICS DMZ (e.g. a Jump Host), which then has access to select resources in the control system; and
- Ensure that the IDS inspects all traffic that enters and leaves the VPN tunnel.
Often, ICS are used in remote locations where connectivity is limited. For this reason, ICS often use dial-up connections. Such connections should be secured. The following measures may be considered for this purpose:
- Require the use of strong passwords;
- Configure remote access software for maximum security;
- Implement call-back features where possible;
- Consult your telecomm provider for available safeguards;
- Leverage PBX reporting and alerting features; and
- Regularly inspect in and out call logs.
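Several of the remote access practices above (corporate-owned devices only, multi-factor authentication, no split tunnelling, connections terminating on a jump host, and logging of user, time and duration) can be verified from the remote access logs the report says should be kept. The following is an added example, not part of the CCIRC report: it parses constructed VPN session records in a simple key=value form, checks each session against those practices, and lists the sessions that violate one or more of them. The device inventory, jump host name, field names and four-hour limit are assumptions for illustration.

```python
"""Audit remote access session logs against the report's remote access practices.

Added example (not from the CCIRC report). The log format, device inventory,
jump host name and session limit are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed inventory of corporate-owned laptops approved for remote access.
CORPORATE_LAPTOPS = {"CORP-LT-0412", "CORP-LT-0977"}
# Assumed jump host in the ICS DMZ; remote sessions must terminate here.
JUMP_HOSTS = {"ics-jump-01"}
# Assumed maximum session length before a session is reviewed.
MAX_SESSION = timedelta(hours=4)


@dataclass
class Session:
    start: datetime
    fields: Dict[str, str]

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=int(self.fields["duration"]))


def parse_log(text: str) -> List[Session]:
    """Parse lines of the form '<ISO timestamp> key=value key=value ...'."""
    sessions = []
    for line in text.strip().splitlines():
        stamp, _, rest = line.partition(" ")
        start = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        sessions.append(Session(start, fields))
    return sessions


def check(session: Session) -> List[str]:
    """Return the remote access practices a single session violates."""
    f = session.fields
    violations = []
    if f["device"] not in CORPORATE_LAPTOPS:
        violations.append("non-corporate device")
    if f["mfa"] != "yes":
        violations.append("mfa not used")
    if f["tunnel"] == "split":
        violations.append("split tunnel")
    if f["dst"] not in JUMP_HOSTS:
        violations.append("target not a jump host")
    if session.end - session.start > MAX_SESSION:
        violations.append("session exceeds 4h")
    return violations


def audit(text: str) -> List[Tuple[str, List[str]]]:
    """Return (user, violations) for every session that breaks at least one practice."""
    results = []
    for s in parse_log(text):
        v = check(s)
        if v:
            results.append((s.fields["user"], v))
    return results


# Constructed sample log: one compliant session and two that need follow-up.
SAMPLE_LOG = """\
2012-12-03T02:14:07Z user=jsmith device=CORP-LT-0412 mfa=yes tunnel=full dst=ics-jump-01 duration=1840
2012-12-03T09:30:12Z user=vendor-acme device=ACME-PC-7 mfa=no tunnel=split dst=ics-jump-01 duration=7200
2012-12-03T11:02:55Z user=mlee device=CORP-LT-0977 mfa=yes tunnel=full dst=plc-gw-02 duration=15300
"""

if __name__ == "__main__":
    for user, violations in audit(SAMPLE_LOG):
        print(f"{user}: {', '.join(violations)}")
```

The vendor session illustrates why contractual requirements need a technical check behind them: the log shows a non-corporate device, no second factor and split tunnelling in a single session. The third session is on an approved device but bypasses the jump host and connects straight to a gateway, which the access policy should not permit.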
3. Wireless Communications
Wireless access to the ICS network introduces risks similar to remote access with some additional threat vectors (e.g. an unauthorized individual accessing the wireless network from outside the physical security perimeter of the plant). Additionally, the wireless medium is extremely susceptible to denial of service (DoS) attacks. A wireless DoS attack can be detected, but it cannot be prevented if it is a physical level (RF) attack.
The following best practices for secure wireless communications may be considered:
- Create a Wireless LAN (WLAN) security policy;
- Separate and segment the WLAN from the wired LAN using a firewall or similar security device;
- Require authenticated access to the WLAN for all users and devices;
- Protect WLAN traffic by implementing strong encryption (e.g. 802.11i /WPA2, do not use WEP);
- Restrict traffic (applications, protocols and source/destination communication pairs) between the WLAN and the wired network;
- Limit the transmit power and antenna gain to the appropriate service area;
- Scan periodically for unauthorized wireless access points;
- Do not rely on default security configurations of WLAN access points and adapters;
- Disable SSID beacon transmissions;
- Use SSID naming conventions that are not easily guessed;
- Employ static IP addressing of devices on the WLAN instead of dynamic;
- Ensure that ARP broadcasts from the wired network do not propagate to the WLAN;
- Strictly prohibit the connection of any wireless equipment directly on to the ICS network not approved for use; and
- Disable Wi-Fi Protected Setup (WPS) and verify periodically that it is disabled.
4. Patch Management
Patch management is an important component of an overall control system security strategy. In many cases, the only effective mitigation for a newly discovered vulnerability is to install a vendor released software patch or update. The difficulty with patch management is that one cannot automatically deploy new patches into the ICS environment without risking disruption of operations. Careful maintenance window scheduling, testing and associated policies and practices are required to balance system reliability with security.
The following best practices for patch management may be considered:
- Understand the vulnerabilities that exist in the ICS, the exposure of the vulnerable components, and the relevant controls available;
- Use risk analysis to determine that the benefit of correcting the vulnerability outweighs the risk of deploying the new configuration, patch or update;
- Establish a working knowledge of all systems patch levels (applications, operating system and third party software);
- Push down patches to machines on a priority basis and consider temporarily limiting exposure of unpatched systems through access control and policies;
- Evaluate patches and updates in a test environment in order to assess the risks of deployment. Alternatively, use “Early Adopter” machines to test patches;
- Patch “Business Critical” machines after early adopters have been stable for a set period of time and approval for the patch has been received from the ICS vendor; and
- Use a dedicated patch manager and an anti-virus server which is located in the ICS DMZ.
5. Access Policies and Controls
Access control is a very wide ranging topic that covers all aspects of controlling access to a network, device or service, including physical and electronic access.
The following best practices for access policies and controls may be considered:
- Define the security roles and responsibilities of all individuals in the organization;
- Develop an access control policy that establishes appropriate logical and physical rules and rights for each user or group of users;
- Employ multiple authentication methods for critical ICS;
- Require ushered access (also called 'shadowing') when high-risk tasks are performed (for example, industrial operations that have health, safety and environmental (HSE) consequences or critical business risks);
- Segregate data with high sensitivity and/or business consequence from other internal information so that existing access controls can restrict access to that information;
- In a Microsoft Windows environment make use of domain controllers to manage access control to ICS resources;
- Establish separate ICS domains for each production area;
- Do not allow trust relationships between IT domains and ICS domains;
- Use Organizational Units (OUs) to further partition resources into logical or functional units; and
- Enforce password policy and change default passwords.
6. Secure the Host (System Hardening)
Hardening the components of the system means locking down the functionality of the various components in the system to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.
The following best practices for securing the host may be considered:
- Lock down functionality of system components. For example, apply strict control over portable media (e.g. USB devices) via technical or policy instruments. Disable auto-run feature for all portable media;
- Remove unnecessary functions or features;
- Patch or work around any known vulnerabilities;
- Enable host security logs and DNS logging;
- Work with ICS manufacturer for recommendations and tools;
- Enforce password policy and change default passwords; and
- Where embedded systems are involved, update the firmware.
7. Intrusion Detection
All systems require some method of monitoring system activity and identifying potentially malicious events on the network. Without this ability to monitor a system, minor security issues will remain undetected until they become critical security incidents.
The following best practices for intrusion detection may be considered:
- Make use of ICS/SCADA specific IDS tools and packages;
- Deploy IDS behind ICS firewalls with ICS specific signatures;
- Make use of log files as intrusion detection tools;
- Security Information & Event Management (SIEM) tools can give a centralized view of logs that could reveal security issues;
- Configure IDS to send alerts to the appropriate personnel; and
- Consider deploying an internal “honeypot” to quickly identify and eradicate suspicious network activity.
8. Physical and Environmental Security
Physical access to critical ICS assets should be limited to only those who require access to perform their job and only using approved or authorized equipment. In addition to physical access control, critical equipment such as ICS needs to be appropriately hardened and protected from environmental hazards.
The following best practices regarding the physical and environmental protection of ICS assets may be considered:
- Protect computer equipment not in control rooms such as routers or firewalls by placing them in a locked environment;
- Use an equipment tracking system to determine where equipment is located and who has responsibility for it;
- Disable all unused data ports (e.g. switch ports or USB ports) at the lowest possible operating system level, preferably BIOS;
- Additionally, unused ports should have dummy connectors plugged in which require a tool for removal;
- Plug all data ports that are required for temporary or portable equipment access with dummy connectors which require a tool for removal when the data ports are not in use;
- Do not allow external or unmanaged hosts to connect to ICS network segments;
- Do not access untrusted removable media; and
- Do not connect removable media to untrusted networks or hosts.
9. Malware Protection and Detection
In general, the benefits of running anti-virus software on ICS hosts far outweigh the risk that the anti-virus software will have a negative impact on the system.
The following best practices to detect and protect against malware may be considered:
- Deploy and manage anti-virus software on Windows-based ICS hosts. Regularly update virus definition files (e.g. daily, weekly, biweekly);
- Stagger updates so that computers are not updated simultaneously (e.g. update non-critical systems first or systems with vendor approved update schemes and manual scheduled updates for more difficult systems); and
- Null routing and DNS “sinkholes” are often used to quickly identify misconfigured or infected hosts that may be trying to “call home”.
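The DNS sinkhole practice above, and the earlier intrusion detection practice of using log files as a detection tool, both come down to the same analysis: once the resolver answers known-bad names with a sinkhole address, the resolver log identifies which hosts asked for those names. The following is an added example, not part of the CCIRC report: it reads constructed resolver log lines, picks out the clients whose queries were answered with the sinkhole address, maps each client to an ICS zone by address range, and orders the results so that hosts in control zones and repeat callers are handled first. The sinkhole address, zone ranges, log format and domain names are assumptions constructed for illustration.

```python
"""Identify hosts calling home from resolver logs after DNS sinkholing.

Added example (not from the CCIRC report). Sinkhole address, zone ranges, log
format and domain names are constructed assumptions.
"""
import ipaddress
from typing import Dict, List

# Assumed address the resolver returns for every sinkholed name.
SINKHOLE_IP = "10.255.255.1"

# Assumed address ranges for ICS zones, in order of criticality (most critical first).
ZONES = [
    (ipaddress.ip_network("10.10.0.0/16"), "controller"),
    (ipaddress.ip_network("10.20.0.0/16"), "supervisory"),
    (ipaddress.ip_network("10.30.0.0/16"), "ops_dmz"),
    (ipaddress.ip_network("10.100.0.0/16"), "enterprise"),
]
ZONE_RANK = {name: rank for rank, (_, name) in enumerate(ZONES)}


def zone_of(address: str) -> str:
    ip = ipaddress.ip_address(address)
    for net, name in ZONES:
        if ip in net:
            return name
    return "unknown"


def find_sinkholed(text: str) -> Dict[str, dict]:
    """Return per-client details for every query answered with the sinkhole address."""
    report: Dict[str, dict] = {}
    for line in text.strip().splitlines():
        stamp, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("answer") != SINKHOLE_IP:
            continue  # normal resolution, not a sinkholed name
        client = fields["client"]
        entry = report.setdefault(
            client, {"zone": zone_of(client), "queries": 0, "names": set(), "first": stamp, "last": stamp}
        )
        entry["queries"] += 1
        entry["names"].add(fields["qname"])
        entry["last"] = stamp
    for entry in report.values():
        entry["names"] = sorted(entry["names"])  # deterministic output for reporting
    return report


def prioritise(report: Dict[str, dict]) -> List[str]:
    """Order clients: most critical zone first, then most sinkholed queries."""
    return sorted(
        report,
        key=lambda c: (ZONE_RANK.get(report[c]["zone"], len(ZONES)), -report[c]["queries"]),
    )


# Constructed resolver log: two clients hit the sinkhole, one of them repeatedly.
SAMPLE_DNS_LOG = """\
2012-12-05T14:02:11Z client=10.20.5.17 qname=update.badcdn-example.test answer=10.255.255.1
2012-12-05T14:02:40Z client=10.20.5.17 qname=historian.plant.local answer=10.30.1.5
2012-12-05T14:03:02Z client=10.20.5.17 qname=cfg.badcdn-example.test answer=10.255.255.1
2012-12-05T14:05:19Z client=10.100.8.23 qname=www.example-news.test answer=203.0.113.10
2012-12-05T14:06:44Z client=10.100.8.23 qname=beacon.badcdn-example.test answer=10.255.255.1
"""

if __name__ == "__main__":
    rep = find_sinkholed(SAMPLE_DNS_LOG)
    for client in prioritise(rep):
        e = rep[client]
        print(f"{client} [{e['zone']}] {e['queries']} queries, first {e['first']}, names: {', '.join(e['names'])}")
```

The supervisory HMI host is listed ahead of the enterprise workstation even though the enterprise host may be the one that was infected first: the zone ranking reflects the consequence of a compromised host, which in the control zones includes operational disruption rather than only data loss.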
10. Security Training and Awareness
ICS security training and awareness of personnel is an essential tool for reducing cyber security risks. It is critical that any ICS security program have a training and awareness program so that employees understand their role and what is expected of them. Knowledgeable and vigilant staff is one of the most important lines of defense in securing a system.
The following best practices for security training and awareness may be considered:
- Develop and communicate an organizational policy for control system security;
- Conduct control system security training and awareness; and
- Monitor the appropriate vulnerability lists, vendor update lists and Computer Emergency Response Team (CERT) security alerts for threats to ICS and the resources protecting it.
11. Periodic Assessments and Audits
Numerous factors affect the security of a system throughout its life cycle. Therefore, it is important to periodically test and verify that the system is still configured for optimal security.
The following best practices for security assessments/audits may be considered:
- Periodically test and verify that the system is still configured for optimal security;
- Make use of security auditing tools; and
- Only perform vulnerability scanning and penetration testing when the system is offline (e.g. during shutdowns or turnarounds).
12. Change Control and Configuration Management
Change management policy and procedures are used to control modifications to hardware, firmware, software, and documentation to ensure the ICS is protected against improper modifications prior to, during, and after commissioning. The following best practices for ICS configuration management may be considered:
- Restrict access to configuration settings, and security settings of ICS products;
- Ensure that all ICS modifications meet the same security requirements as the risk assessment and mitigation plans;
- Perform risk assessment on all changes to the ICS network that could affect security; and
- Maintain ICS network configuration documentation.
13. Incident Planning and Response
A comprehensive cyber incident response plan should include both proactive measures and reactive measures. Proactive measures are those that can help prevent incidents or better allow the organization to respond when one occurs, whereas reactive measures can help detect and manage an incident once it occurs.
The following best practices for an incident response plan may be considered:
- Define the mandate, goals and objectives of the security incident response team;
- Establish a Cyber Security Incident Response Team with appropriate tools, training and resources. Typically this team will be responsible for monitoring events and mitigating cyber incidents;
- Define and implement means for identifying an incident and assessing their severity;
- Define escalation procedures describing who should be notified in the case of an incident, by what means and within what time frame. This should include the individuals and groups inside the organization (such as operations units, managers and security personnel) as well as external organizations (such as law enforcement and the National Computer Security Incident Response Team (NCSIRT)); and
- Define procedures for containment, eradication, recovery, data collection/protection and incident follow up and review.
CCIRC recommends that organizations review cyber security best practices such as those included herein and provided in references and integrate associated cyber security principles and measures within their ICS lifecycle management processes, technologies and third-party support contracts. This should include periodic reviews and a process for addressing significant changes and resulting risk exposure in the network environment.
Critical infrastructure operators and provincial/territorial/municipal governments potentially affected by cyber incidents are encouraged to contact CCIRC at: firstname.lastname@example.org.
References
- NIST SP-800-82 Guide to Industrial Control Systems Security
- ICS-CERT, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies
- CCIRC, TR08-004 Disabling Autorun Feature in Windows
- CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats
- ICS-CERT, Incident Response Summary Report 2009 – 2011
- US-CERT, Control Systems Security Program (CSSP)
- US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
- CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks
- International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems Security
- Communications Security Establishment Canada (CSEC), The Harmonized TRA Methodology
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note, CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118