Cybersecurity Training Notes - NIST CSF Function: Protect

CREDITS: The following notes are from a lecture originally created by Schweitzer Engineering Laboratories. This is all for study purposes only. THESE WERE PUBLISHED WITH PERMISSION AS WELL.

Hello Helloooooo~~~ We're back at it again, here we go! Part 3 of 5~ If you have NOT already, please be sure to check parts 1 and 2: part 1 gives you the basics of what these blogs cover and part 2 covers the Identify ICS function! Part 1 Part 2

The lecture was rushed through by the hosts, so some of my notes will BE WAYYYY MORE MESSY! I'll edit it once we get the full slideshow!!

Physical security perimeter: The physical six-wall border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which critical cyber assets are housed and for which access is controlled. This perimeter can be used for physically protecting assets.
Physical security includes walls, locks, and gates (traditional), plus CCTV and motion sensors (technology-enhanced).


Logical security

The Three A's of access control
Authentication- identify and verify the user
Authorization- granting rights to authenticated users
Accountability- Record link between action and actor.
Access control through credential management and role-based permissions solutions. 
Lightweight Directory Access Protocol (LDAP) is the most common modern protocol for centralized authentication.

Protocols and Applications
Kerberos- Network authentication protocol that provides cryptographic key-based authentication services.
RADIUS- Remote Authentication Dial In User Service
Microsoft Active Directory.

Securing Users and Privileges
Role-based access control grants access to authorized users based on their assigned roles; integrate the principles of least privilege and segregation of roles.

Remote Access
Components of secure OT remote access
Virtual Private Network (VPN)- site-to-site (IPSec) or Remote Access (OpenVPN)
Multifactor Authentication (MFA)
Something you know, something you have, something you are. Implementation in OT environment requires careful examination of risk and impact on system functionality/availability.
Jump Server in Demilitarized Zone (DMZ)
Enforces controlled access between two different security zones.


Network Integrity


Physical Segmentation
Subnet access control by gateway firewalls.
Separation of networks reduces the attack surface by adding a layer of security beyond the perimeter.

Logical Segmentation
User and resource groups based on least privilege
VLANs segment traffic

IEC 61850
Generic Object-Oriented Substation Event (GOOSE) model
Designed to be a standard, rapid method for communicating data across electrical networks.
Uses either multicast (publisher-subscriber model) or broadcast traffic transmission.
VLANs are ideal for segregating this traffic
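Because GOOSE is a layer-2 multicast protocol, the VLAN tag is the main thing separating protection traffic from everything else, so a monitoring point can check that each GOOSE frame arrives on the VLAN and with the APPID the segmentation design expects. The following is an added example (not from the lecture or SEL), with constructed sample frames; the frame layout follows IEEE 802.1Q and IEC 61850-8-1, and the placeholder APDU bytes, VLAN 100 and APPID 0x0001 are assumptions.

```python
import struct

# Constants from IEEE 802.1Q and IEC 61850-8-1: GOOSE rides directly on Ethernet (Ethertype 0x88B8),
# normally VLAN-tagged, to a multicast destination in the 01-0C-CD-01-xx-xx range.
TPID_8021Q = 0x8100
ETHERTYPE_GOOSE = 0x88B8
GOOSE_MCAST_PREFIX = bytes.fromhex("010ccd01")


def build_goose_frame(vlan_id, priority, appid, apdu, dst=bytes.fromhex("010ccd010001"),
                      src=bytes.fromhex("0030a7000001")):
    """Construct a tagged GOOSE frame; the Length field counts APPID..APDU (8 header bytes + APDU)."""
    tci = (priority << 13) | (vlan_id & 0x0FFF)
    return (dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_GOOSE)
            + struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0) + apdu)


def parse_goose_frame(frame):
    """Parse Ethernet/802.1Q/GOOSE headers; raise ValueError for anything that is not tagged GOOSE."""
    if len(frame) < 26:
        raise ValueError("frame too short for a tagged GOOSE header")
    dst, src = frame[:6], frame[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    if ethertype != ETHERTYPE_GOOSE:
        raise ValueError(f"not GOOSE (ethertype 0x{ethertype:04x})")
    appid, length, _res1, _res2 = struct.unpack("!HHHH", frame[18:26])
    if length < 8 or 18 + length > len(frame):
        raise ValueError("GOOSE length field does not match frame size")
    return {"dst": dst, "src": src, "priority": tci >> 13, "vlan_id": tci & 0x0FFF,
            "appid": appid, "apdu": frame[26:18 + length]}


def check_goose_policy(frame, allowed_vlans, allowed_appids):
    """Return findings for a monitoring point; an empty list means the frame matches the design."""
    try:
        g = parse_goose_frame(frame)
    except ValueError as err:
        return [str(err)]
    findings = []
    if not g["dst"].startswith(GOOSE_MCAST_PREFIX):
        findings.append(f"destination {g['dst'].hex(':')} is outside the GOOSE multicast range")
    if g["vlan_id"] not in allowed_vlans:
        findings.append(f"GOOSE seen on unexpected VLAN {g['vlan_id']}")
    if g["appid"] not in allowed_appids:
        findings.append(f"unexpected GOOSE APPID 0x{g['appid']:04x}")
    return findings


# Constructed samples: VLAN 100 is the assumed protection VLAN, APPID 0x0001 the known publisher.
SAMPLE_APDU = bytes.fromhex("610380010a")  # placeholder standing in for a real BER-encoded goosePdu
GOOD_FRAME = build_goose_frame(vlan_id=100, priority=4, appid=0x0001, apdu=SAMPLE_APDU)
STRAY_FRAME = build_goose_frame(vlan_id=1, priority=4, appid=0x0001, apdu=SAMPLE_APDU)
```

An untagged frame, or GOOSE showing up on the default VLAN, is exactly the kind of segmentation drift this check is meant to surface.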

Network Integrity
NIST's Zero-Trust Architecture
Moving away from wide-area perimeter security
Asset-based micro-segmentation
Per-session individual access
Dynamic security policies

Example - ICS Testbed
LDAP integration for access control
OPNsense on SEL-3355, SEL-3530-4, SEL-3620
Proxy access to IEDs via AcSELerator TEAM and Active Directory.
Separation of duties through groups.
3620_Engineer vs 3620_Administrator
Remote access via OpenVPN



Awareness and Training

People Are Important
A critical part of a control system's security rests in the hands of its users.
Cybersecurity is everyone's responsibility.
Role Based Training
Training should occur:
Regularly as defined in policy
Before authorizing access to the system, information, or performing assigned duties
When required by system changes
Keep training up to date
Incorporate lessons learned from internal or external incidents or breaches.



Data Security

Definitions

Data at rest: State of information when it is not in process or in transit.
Data in transit: Information being transferred between locations.

Communications Channel Rules

Use encrypted channels outside of physical security perimeters.
Authenticate all channels where possible
Decrypt channels inside the physical security perimeter (PSP) for intrusion detection and monitoring systems.
Never send credentials in the clear


Maintaining Integrity

Use integrity verification tools to detect unauthorized changes to the software, firmware, and hardware
Take necessary actions when unauthorized changes to the software, firmware, and information are detected.


Asset Lifecycle

Important considerations related to asset management
Spare assets
Age of assets
Asset disposal/sunsetting
Managing an asset includes managing that asset's data.


Information Protection Processes and Procedures


Subcategories


Protection in governance

The prevalence of data in most activities means that data protection related policies and procedures are important.

Definitions:

Baselines: Hardware, software, and relevant documentation for an information system at a given point in time.

System Hardening- Collection of tools, techniques, and best practices that reduce vulnerability in technology.
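The baseline defined here is what the integrity verification tools under Maintaining Integrity compare against: record the hashes of the software, firmware and configuration files at a known-good point in time, then re-hash later and report anything added, removed or modified. This is an added example, not from the lecture or SEL; the directory layout and file contents in demo() are constructed sample data, and the baseline itself should be stored outside the tree it describes.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large firmware images do not have to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256: the recorded baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Re-hash the tree and report what differs from the baseline: added, removed and modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo():
    """Constructed walk-through on a temporary tree (sample data, not a real device image)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "firmware" / "relay.bin").write_bytes(b"placeholder-firmware-image-v1")
        (root / "settings.cfg").write_text("SET PORT 1 ENABLED\n")
        baseline = build_baseline(root)  # taken at the known-good point in time
        # Simulated unauthorized changes: firmware altered, settings deleted, unknown binary dropped in.
        (root / "firmware" / "relay.bin").write_bytes(b"placeholder-firmware-image-v1-TAMPERED")
        (root / "settings.cfg").unlink()
        (root / "unknown.exe").write_bytes(b"unexpected")
        return compare_to_baseline(root, baseline)
```

Any non-empty result is the trigger for the "take necessary actions" step: confirm whether the change was an approved maintenance action, and if not, treat it as an incident.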



Maintenance 


Subcategories


Controlled maintenance
Schedule, document, and review records of maintenance
Ensure appropriate approval and monitoring are obtained:
Before and during on-site maintenance of assets
Prior to removal of system or system components for off-site maintenance
Sanitize equipment to remove the information from associated media prior to removal from organizational facilities.
Check all potentially impacted controls to verify that controls are still functioning properly following maintenance actions.

OT Device Maintenance
Firmware- software embedded in a piece of hardware; firmware is updated to support OT device maintenance
Infrequent but crucial - planned during outages
Test and verify functionality
Development/test vs production environments


Protective Technology


Subcategories


Access Control and Monitoring
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies
Leverage hardware capabilities for least functionality
Generate and audit system logs

Resiliency mechanisms
Redundancy can mitigate a single device or interface failure
CARP (Common Address Redundancy Protocol)
HA (High Availability)
Dual-connected switches with IEDs in failover
Fail-safe modes- fail open, fail closed, failover


