Security hygiene in the OT environment
As in the IT environment, security hygiene in the Operational Technology (OT) environment is crucial.
Security hygiene brings many benefits, such as reducing the attack surface available to cyber attacks, limiting data leakage, and protecting sensitive data from theft and from being shared outside its intended location.
It is important to note that cyber hygiene is not solely the responsibility of security managers, analysts, and technicians; it is a shared responsibility, and operational departments should also be involved in the process. Most of the hardening measures should be configured during initial equipment deployment and periodically reviewed.
The cheapest and most efficient way to start implementing security hygiene is to harden existing assets. A few guidelines of what steps should be performed are listed below:
- replace the default passwords, use a strong password policy and don’t share accounts;
- update and maintain the firmware/OS version to the latest security patch provided by the vendor;
- replace the default configuration – avoid running devices with factory default configs;
- use encrypted administration protocols whenever possible – avoid VNC, Telnet, HTTP and other plaintext protocols;
- disable unused services – closing unneeded open ports further reduces the attack surface and is always recommended;
- enable event logging – to record operational and security events. This can be further improved by gathering the logs centrally in a syslog/SIEM server;
- synchronize date and time across devices using NTP – this is required for correlating both operational and security events;
- set up a centralized and secured backup storage location where the latest configuration exports can be kept;
- install anti-virus and endpoint protection solutions where technically possible;
- integrate with an AAA (Authentication, Authorization & Accounting) system where technically possible, for easier user/password management.
The next security measure should be to implement network segmentation.
Since many PLCs, RTUs and other process control devices have very limited built-in security controls, this method further protects the assets and their related networks.
Network segmentation allows isolating specific groups of assets for security or operational reasons. By using this technique, organizations can create separate networks for different purposes, using firewalls and routers.
Upon implementing network segmentation, the following can be achieved:
- separate internal network from the public Internet;
- control the data flows based on various criteria;
- enable different levels of access control based on user groups defined by their roles and responsibilities;
- prevent unauthorized users from accessing sensitive data.
Network segmentation in an OT environment should consider the following:
- determine the level of segmentation required – segmentation should balance operability and security, since managing a large number of segments and devices can become cumbersome;
- apply strict controls on the Internet border – firewall rules should only allow required data flows with clearly defined sources and destinations;
- periodically test the configured rules – firewall rule audits as well as internal and external penetration tests should be performed to make sure everything is configured correctly.
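As an added example (not code from the article or the PHOENIX project), the following script audits a firewall rule set against the hygiene points above: allow rules with an "any" source or destination, rules permitting all ports, rules permitting the plaintext administration protocols named earlier (Telnet, HTTP, VNC), and direct Internet-to-OT flows. The rule format, zone names and sample rules are constructed assumptions for illustration, not a real vendor format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Plaintext administration protocols the article recommends avoiding (TCP ports).
PLAINTEXT_ADMIN_PORTS = {23: "telnet", 80: "http", 5900: "vnc"}

@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule (constructed format, not a vendor syntax)."""
    name: str
    src_zone: str          # e.g. "internet", "it", "ot"
    src: str               # CIDR or "any"
    dst_zone: str
    dst: str               # CIDR or "any"
    port: Optional[int]    # None means all ports
    action: str            # "allow" or "deny"

def audit_rule(rule: Rule) -> List[str]:
    """Return hygiene findings for one rule; an empty list means it looks clean."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings          # deny rules do not open a flow
    if rule.src == "any" or rule.dst == "any":
        findings.append("source or destination is 'any': define both endpoints explicitly")
    if rule.port is None:
        findings.append("all ports allowed: restrict the rule to the required service")
    elif rule.port in PLAINTEXT_ADMIN_PORTS:
        findings.append(f"plaintext admin protocol {PLAINTEXT_ADMIN_PORTS[rule.port]} permitted")
    if rule.src_zone == "internet" and rule.dst_zone == "ot":
        findings.append("direct Internet-to-OT flow: traffic must not cross the border unfiltered")
    return findings

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each rule name to its findings, omitting rules without findings."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

# Constructed sample rule set for the example (addresses and names are invented).
SAMPLE_RULES = [
    Rule("hist-to-scada", "it", "10.1.0.10/32", "ot", "10.2.0.5/32", 443, "allow"),
    Rule("vendor-telnet", "it", "10.1.0.0/24", "ot", "10.2.0.0/24", 23, "allow"),
    Rule("inet-any-ot", "internet", "any", "ot", "10.2.0.0/24", None, "allow"),
    Rule("default-deny", "any", "any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script reports findings for "vendor-telnet" and "inet-any-ot" only; a periodic run of such a check against exported rule sets is one practical form of the rule auditing recommended above.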
Practicing good security hygiene gives networks and assets a fighting chance against hackers, and thus should be performed regularly, eventually becoming a routine, like brushing your teeth daily.
The PHOENIX project is developed exactly for this purpose: to cyber-fortify the European EPES infrastructure by enabling and coordinating advanced, adaptive, and cooperative detection of large-scale cyber-human security and privacy incidents and attacks.
Using coordinated European EPES cyber incident discovery, response and recovery and the Incidents’ Information Sharing Platform (I2SP), it acts at pan-European level as a decentralized, trusted-by-design, near real-time cybersecurity information awareness platform, coordinating the information exchange among authorized EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs, and the strategic NIS cooperation group.
Author: Cătălin Săcalian – Cyber Security Vulnerability Management SOC/CSIRT – Delgaz Grid