Computer hackers are coming for everyone and have recently breached industrial and utility computer systems and encrypted their records. Hackers have gained access to computer systems when an employee clicked on a link in a phishing email that allowed malware to be installed on the employee’s computer. “One click” could take down your entire computer system, and that should keep you up at night. The abuse of a valid user account was the number one technique used to breach Industrial Control Systems (ICS) in 2020, according to the Dragos ICS Cybersecurity Year in Review.
Without question, these incidents underscore the need for industrial companies and municipal utility systems to examine their security and what is in place to reduce the risk of a serious data breach. Systems will continue to face new and ever-changing threats in the future.
Data Backup
One of the most important components of cyber security is to back up your data and ensure the backups work. Periodically restore your backups as a test to confirm they are working. At least one of your backup sets needs to be offline: not on the local network, but offsite or on a cloud backup service. Ransomware attacks can encrypt your backup data if it is on the same network that has been hacked. Storage media and hard drives will ultimately fail, so it is important to spread the risk by placing your backups on different devices or storage media.
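The restore test the section calls for can be automated. The following is an added example, not tooling from the article: it records a SHA-256 manifest of the source data, restores a copy, and verifies the restored tree against the manifest, then simulates a ransomware-encrypted file and a missing file to show that the check catches both. It also encodes the "one copy off the network" rule as a simple check. The directory names and file contents are constructed.

```python
"""Backup verification drill: hash manifest of the source, verify a restored
copy against it, and confirm the check detects damage. Added example with a
constructed directory layout."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest: missing, changed, extra files."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(p for p in actual if p not in manifest),
    }


def backup_set_is_isolated(copies: dict[str, bool]) -> bool:
    """The article's rule: at least one backup copy must be unreachable from the
    local network. `copies` maps a copy's name to True if it is on the LAN."""
    return any(not on_network for on_network in copies.values())


def restore_drill() -> dict[str, dict[str, list[str]]]:
    """Back up, restore, verify; then damage the restored copy the way an
    encryption attack or a failed drive would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "scada_history")
        src.mkdir()
        (src / "tags.csv").write_text("pump1,on\npump2,off\n")        # constructed data
        (src / "alarms.log").write_text("2024-01-01 high level tank 3\n")
        manifest = build_manifest(src)

        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)                 # the backup job
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)            # the restore test
        clean = verify_restore(restored, manifest)

        (restored / "tags.csv").write_bytes(os.urandom(32))   # simulated encrypted file
        (restored / "alarms.log").unlink()                    # simulated lost file
        damaged = verify_restore(restored, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(restore_drill())
    print("offline copy present:", backup_set_is_isolated({"nas": True, "tape-offsite": False}))
```

A manifest written at backup time and stored with the offline copy lets the restore test be run by someone other than the person who made the backup, which is the point of a periodic drill.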
Awareness Training
Implement a regular employee cyber security training program on email phishing scams and general computer security. Employees are the first line of defense against a cyber attack, so it is important they can tell a real email from a fake one. Keep employees engaged. An email awareness slogan for employees may be “Stop, Think, Act”. Stop – when presented with a possibly suspicious email or link. Think – analyze the content of the email, hover over the link to see where it is pointing, and determine who the real sender is. Act – if the email fails the “smell test”, delete or report it. If still in doubt, call the sender and confirm the email was sent by someone you trust.
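The “hover over the link” step can be checked by software before the message reaches an inbox. The following is an added example, not from the article: it pulls every link out of an HTML email body and flags the classic signs of a phishing link: visible text that names one domain while the link goes to another, a link that leaves the sender's domain, and plain http. The sample message, sender domain and the `.test` look-alike host are constructed.

```python
"""Link checks for an HTML email body, automating the 'Think' step above.
Added example; the sample message and domains are constructed."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude 'last two labels' rule (a.b.example.com -> example.com).
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text: str) -> str:
    """If the visible link text looks like a URL or bare domain, return its host."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return urlsplit(candidate).hostname or ""


def suspicious_links(html: str, sender_domain: str, trusted: frozenset = frozenset()) -> list[dict]:
    """One finding per link that fails the hover-over check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        host = target.hostname or ""
        reasons = []
        shown = host_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"display text says {shown} but link goes to {host}")
        if host and registered_domain(host) not in {registered_domain(sender_domain), *trusted}:
            reasons.append(f"link leaves the sender's domain ({registered_domain(host)})")
        if target.scheme == "http":
            reasons.append("plain http, not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: one look-alike link and one genuine one.
SAMPLE_HTML = """
<p>Your invoice is ready. Review it at
<a href="http://example-utility.com.login-portal.test/reset">https://example-utility.com/reset</a>
or see the <a href="https://example-utility.com/invoices/42">invoice page</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, "example-utility.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first link is the pattern the training describes: the text reads like the utility's own address, but the host it resolves to is `login-portal.test`, and the real domain has merely been prepended as a subdomain.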
Network Security Monitoring
Hardware appliances or software applications provide network security monitoring by inspecting traffic across the network to spot anomalies. These are “intrusion detection systems”, which create alerts and send them to the OT staff. “Intrusion prevention systems” stop potentially malicious network traffic from traveling inside or outside of your network. Intrusion prevention systems are complex, so they typically require a dedicated network security employee or a managed security service provider. Network traffic and user access log files need to be kept.
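A small flow-log analyzer shows what the anomaly detection above amounts to in practice. This is an added example, not code from the article or any product: it learns the set of normal connections from a trusted learning period, then alerts on flows that were never seen before and on flows that cross a zone boundary the segmentation policy does not allow (business network talking directly to a controller, or a controller reaching the internet), which is the business/ICS separation the next section recommends. The zone addressing, the allowed zone pairs and the log lines are all constructed.

```python
"""Flow-log monitoring: baseline of normal flows plus a zone-crossing policy.
Added example; zones, addresses and log lines are constructed."""
from __future__ import annotations

import ipaddress
import re

# Assumed addressing plan: business LAN, a DMZ holding the historian / jump
# host, and the ICS network with the controllers.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.15.0.0/24"),
    "ics": ipaddress.ip_network("10.20.0.0/16"),
}
# Segmentation policy: business traffic reaches the ICS only through the DMZ.
ALLOWED_ZONE_PAIRS = {("business", "dmz"), ("dmz", "ics")}

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse(line: str) -> dict | None:
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def build_baseline(lines: list[str]) -> set[tuple[str, str, int]]:
    """Normal (src, dst, port) tuples observed during a trusted learning period."""
    return {(r["src"], r["dst"], r["port"]) for r in map(parse, lines) if r}


def analyze(lines: list[str], baseline: set[tuple[str, str, int]]) -> list[dict]:
    """Return one alert per reason per flow; unparseable lines are alerts too."""
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            alerts.append({"ts": "", "reason": "unparseable log line", "line": line})
            continue
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        reasons = []
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
            reasons.append(f"segmentation violation {src_zone}->{dst_zone}")
        if (r["src"], r["dst"], r["port"]) not in baseline:
            reasons.append("flow not in baseline")
        for reason in reasons:
            alerts.append({"ts": r["ts"], "reason": reason, "line": line})
    return alerts


# Constructed learning-period log: the historian polls a PLC over Modbus/TCP
# (port 502); a business workstation reaches the historian's web UI on 443.
BASELINE_LOG = [
    "2024-05-01T08:00:01 10.15.0.10 -> 10.20.1.7:502 proto=tcp",
    "2024-05-01T08:00:05 10.10.5.23 -> 10.15.0.10:443 proto=tcp",
]
# Constructed monitoring-period log.
MONITOR_LOG = [
    "2024-05-02T09:00:01 10.15.0.10 -> 10.20.1.7:502 proto=tcp",   # normal poll
    "2024-05-02T09:01:12 10.10.5.23 -> 10.20.1.7:502 proto=tcp",   # business host straight to a PLC
    "2024-05-02T09:02:40 10.20.1.7 -> 203.0.113.5:443 proto=tcp",  # PLC reaching the internet
    "2024-05-02T09:03:00 10.15.0.10 -> 10.20.1.8:502 proto=tcp",   # historian polling a PLC it never polled before
]


def run_example() -> list[dict]:
    return analyze(MONITOR_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["reason"], "|", a["line"])
```

The last monitoring line is the subtle case: it stays inside an allowed zone pair, so a pure firewall rule would pass it, but it is a flow the baseline has never seen and therefore worth a look, which is the difference between segmentation and monitoring.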
Network Segmentation
- Separate your Industrial Control Systems from your regular business network.
- Segment within your Industrial Control Systems, define user roles, and specify what each user is permitted to do on the system.
- Keep an asset inventory of all control system devices and maintain it on a regular basis. HMIs, engineering/operator workstations, gateways, controllers, etc. should be prioritized, as they could cause a major impact to production.
Application Whitelisting (AWL)
This type of software is complex and labor-intensive for OT staff to implement and maintain, but it provides security control over workstations and what is allowed to be installed on them. If an application isn’t on the “whitelist” of approved applications, it can’t be installed on the computer.
Implement Multi-Factor Authentication (MFA)
Strong passwords alone are not enough to lock down an account. Hackers have succeeded with phishing emails that trick people into giving up their username and password on an online login page that mimics a legitimate website. The hacker then logs into the person’s online email account and sends similar phishing emails to the hacked account’s contacts. Using compromised account information, hackers may gain access to a city’s network. MFA requires two pieces of information to gain access to a system: the person’s password and a random code that is generated and sent via text to the person’s mobile device. The user enters the code as well to gain access to the system.
Remote Access
- Block all remote access through Remote Desktop Protocol (RDP) from the open internet. Implement a secure remote access method such as a Virtual Private Network (VPN). VPN access authenticates the username and password with MFA (a second layer to identify the user), just as users do when working on the business network segment.
- Define what ICS staff can access using a VPN connection into the ICS systems. Do they need read/write permissions to any PLC, including the most critical PLCs? Do they need to log out of a PLC when they are done so no one else can use the session to edit configurations? Are log files kept so that any changes to PLC configurations can be proactively detected?
- Secure credential management by ICS staff. This includes accounts shared between IT and OT, default accounts and vendor accounts. How much risk can you afford?
Security Patches/ICS Patching
Implement a consistent patching schedule across all ICS devices. Installing hardware and software patches is one of the most important keys to reducing the chance of a system breach. The vendors that produce the products you use are continually fixing bugs and known exploits that hackers or malware use to evade your security defenses. It is recommended that updates and patches be installed on a weekly basis. Choosing vendors who recognize their security responsibilities is very important when deciding which vendor to partner with.
Disable Macros
It is recommended to disable all macros from running in Microsoft Office products because of security issues. Hackers can use macros to deliver malicious code in Word or Excel documents that can trigger a security breach. If you receive a Microsoft Office attachment from a non-trusted sender outside your organization that prompts you to “enable macros”, it is recommended that you do not enable macros.