ICS Cybersecurity Training
ICS cybersecurity training discusses the approaches to evaluate cybersecurity in Industrial Control System (ICS) in order to reduce the risk and enhance the security of ICS components which are widely used in critical infrastructures.
Industrial control systems are increasingly under attack by different types of malicious sources and vulnerabilities. Traditional Information Technology (IT) has well defined the methodology to secure the system from cyber-attacks. However, the story is different for industrial control systems as they have some constraints that add complexity to the environment. These complexities can be mentioned as:
- all key parts of the system should be always in operating condition, despite the fact that many ICS components are too old and they rely on unsecure protocols and architectures
- ICS requires to support some non-standard interfaces and protocols
- In some cases, ICS will maintain the equipment which no longer has vendor’s support
Having all the complexities, ICS should be kept secure. This tutorial will help you to understand the systematic approach to secure the ICS from cybersecurity threats.
Understanding Threats
The first step in securing ICS from potential cybersecurity threats is to identify different types of threats and vulnerabilities in critical infrastructures. To do so, control system assessment program can help operators to identify potential threats in the ICS and plan to harden ICS against these types of cyber threats. Assessment steps can be summarized as:
- Identifying potential threats in ICS network
- Understand cybersecurity threats and vulnerabilities
- Establish a baseline security posture
- Apply risk management techniques to ICS
First approach is to identify the potential threats in ICS network. To do so, you should firstly understand different types of threats in ICS:
- Vulnerabilities inherent in ICS product
- Vulnerabilities cause during installation, configuration or maintenance of ICS
- Poor design configuration caused to cyber-attacks
After identifying a specific type of threat, ICS security assessment is then applied by software development recommendations, network configuration and maintenance requirements.
Vulnerability Categories in ICS
There are a variety of different vulnerability categories identified in ICS product assessment. Improper input validation has the highest percentage of risk among other vulnerabilities. Next vulnerability is the poor access controls and authentication weakness. A list of common vulnerabilities in ICS can be found in the following list:
- Improper Input Validation
- Permissions, Privileges, and Access Controls
- Improper Authentications
- Insufficient Verification of Data Authenticity
- Indicator of Poor Code Quality
- Security Configuration and Maintenance
- Credentials Management
In the following, different types of attacks in each category will be classified:
Improper Input Validation
- Buffer Overflow
- Operation System Command Injection
- SQL Injection
- Cross-site Scripting
- Path Traversal
Permission, Privileges and Access Control
- Improper Access Control
- Incorrect Default Permission
- Man in the middle
Insufficient Verification of Data Authenticity
- Cross-site Request Forgery
- Missing support for Integrity Check
- Downloading Code without Integrity Check
ISC Software Security configuration and Maintenance
- Poor Patch Management
- Third Party Applications
- Security Configuration Issues
- Undeveloped Security Functions
- Information Exposure
Credential Management
- Plaintext Storage of Password
- Unprotected Transport of Credentials
- Hard Coded Credentials
- Weak Password Policies
ICS Security Assessment
ICS assessment provides industries with a strong tool to identify vulnerabilities. This assessment should include realistic assessment case studies in order to prevent adverse consequences resulting from system’s failure.
The primary goal of assessment is to improve the security of ICS infrastructure by identifying threats and providing recommendations to improve the security. ICS is ideally assessed in two phases:
- Baseline system assessment; to identify vulnerabilities and threats
- Using baseline assessment results in order to implement mitigation strategies
Assessment is normally conducted with cybersecurity evaluation tools by designing architecture review and network architecture validation and verifications.
ICS uses the National Institute of Standards and Technology (NIST) as a structural method in order to analyze vulnerabilities. Special NIST publications such as NIST-SP 53 and NIST-SP 82 guide ICS to implement a cybersecurity approach to tailor security in ICS.
ICS Incident Response
After identifying threats, and assessing vulnerabilities, next step is to develop an incident response capability for ICS. Incident response in IT organizations are well defined, however, when it comes to industrial control systems, more actions should be taken care of. ICS traditionally consisted of standalone systems, but they have been replaced by newer infrastructure in a timely manner. This upgrade has opened the access from internet to these infrastructures and exposed them to vulnerabilities that bothered IT for many years. Therefore, a quick response and incident management plan is needed for ICS. Incident response in ICS can be categorized into the following key elements:
- Detection of Incidents
- Containments
- Remediation
- Recovery and Restoration
- Post Incident Analysis/Forensics
- Post Incident Planning
- Incident Prevention Plan
To apply incident response policies to ICS, NIST has series of publications and special guidance addressing cybersecurity in general and incident response in particular. These publications can be listed as:
- NIST SP 800-40, Patch and Vulnerability Management
- NIST SP 800-61, Computer Security Incident Handling
- NIST SP 800-83, Malware Incident Response
- NIST SP 800-86, Integrating Forensic Techniques for Incident Response
- NIST SP 800-92, Computer Security Log Management
In other words, to accomplish incident response, operational capabilities for defense of control system environment against cyber threats should consider the following steps:
- Respond and Analyze ICS Related Incidents
- Conduct Vulnerability and Malware Analysis
- Provide Onsite Support for Incident Response
- Provide Onsite Support for Forensic Analysis
- Provide Situational Awareness in the Form of Actionable Intelligence
- Coordination of the Responsible Disclosure of Vulnerabilities
- Coordination of Vulnerability Information and Threat Analysis through Products
Application of Incident Reponses for ICS:
Incident response can be defined for different types of sectors. These sectors can be categorized as:
- Cross-Sector
- Dams
- Water
- Energy
Reported Incidents for ICS:
Example of different incidents happened in previous years can be classified into:
- Cross-Sector
- Water
- Chemical
- Government Facilities
- Energy
- Nuclear
- Critical Infrastructures
- Dams
Among which energy has the most reported incidents. Regardless of what type of sector your organization is, you need to take the incident response plan for your ICS very serious.
How Can You Learn More?
Check out the hands-on training courses we offer, listed below, to see what serves you best:
Industrial Control System and SCADA Cybersecurity Training
ICS Cybersecurity Training