In December 2015, an operator at a Ukrainian power control center watched as attackers took control of his computer and began a successful shutdown of 30 substations. The attack began months before with a spear phishing campaign targeted at the IT staff. This resulted in malware propagating to the power operations side causing some control centers to still be inoperable two months later.
In 2016, the ICS-CERT organization responded to 290 incidents in the United States, with 59 of these in the energy sector. Of these incidents, 26% were caused by spear phishing like the Ukrainian attack. Spear phishing is the most common form of attack aimed at the industrial control networks and the devices used to run them. These devices, or endpoints, are the greatest vulnerability to your control systems. Being able to block unwanted access and protect from unwanted activity can greatly improve your security posture.
Those of you reading who may be savvy with cyber security, may be saying… endpoint protection is so basic. But sometimes the most obvious routes are those most often overlooked or where the rules become relaxed. It’s time to take a fresh look.
The key is to ensure you have a policy for endpoint security, both in technology as well as process. By adopting a few best practices that protect your control system network from being accessed, your security posture can be greatly improved.
Security hardening of endpoints is the process of reducing the exposure to vulnerabilities by minimizing the attack surface on potential targets. This can be accomplished in various methods, including specialized configurations, disabling services, limiting functions, and closing communications. Eliminating unnecessary features further hardens the system and limits information and tools available to attackers, as well as reducing entry points vulnerable to exploits without impacting the required functionality.
An example of hardening could be disabling the USB ports on control system HMIs. This simple task can eliminate the risk of malware being introduced to the system through these ports, frequently seen when an operator plugs in an infected cell phone or USB device.
Hardening can improve security and allows for effective risk management, but it also establishes the baseline security posture that will facilitate assessment of vulnerabilities and auditing of hardened systems. While hardening does not ensure protection against all security threats, it does help to reduce overall risk inherent in the platform.
The U.S. Department of Homeland Security (DHS) issued a paper titled "Seven Steps to Effectively Defend Industrial Control Systems," which identified the implementation of application whitelisting as the most effective strategy to mitigate potential cyber threats. Application whitelisting runs on HMIs and helps to secure the endpoints from unwanted applications by designating only the specific applications allowed to run on the ICS network.
The difference between traditional anti-virus blacklisting and application whitelisting is that blacklisting only protects from known malware while allowing all others in. Whitelisting allows only approved applications, which means those threats that are bad but have not yet been identified by traditional anti-virus blacklisting are still prevented from reaching the control system.
Application whitelisting is an important tool as we see an increase in smartphone users and applications, which tend to also create an increase in malware risks. In addition, Zero-day threats and Distributed Denial of Service (DDoS) attacks are examples where blacklisting is not effective. They are initially unknown and therefore, not on the blacklist. These targeted, covert attacks are being deployed more frequently now and use techniques specifically designed to evade blacklisting.
Patching your systems, or updating software and signatures, is one of the best things you can do to protect your assets and assure the operating systems and programs on your endpoints have the latest protection. Listed as the second most important strategy by DHS, patching of application and system software is critical to improving and maintaining a high security posture. Loss of operational view can occur when HMIs are compromised, but maintaining a regular rhythm for updating the operating systems as well as the applications can help to prevent access through your endpoints.
Endpoint protection isn’t just about locking down devices and cutting off connection. It’s about having a managed approach that balances operational needs while still making sure security measures are in place. Beyond these practices, companies should take steps to ensure both employees and third-party contractors remain vigilant and follow policies and procedures for protecting endpoints. Training and awareness are key to any successful cyber security program.